Posted to commits@tomee.apache.org by "Romain Manni-Bucau (JIRA)" <ji...@apache.org> on 2016/11/15 07:50:58 UTC

[jira] [Commented] (TOMEE-1970) Configuration error can cause infinite loop

    [ https://issues.apache.org/jira/browse/TOMEE-1970?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15666427#comment-15666427 ] 

Romain Manni-Bucau commented on TOMEE-1970:
-------------------------------------------

Has been solved for 7.0.3. This code is only used for local configuration file parsing, so there is no real risk of exploiting it with bad intentions.

> Configuration error can cause infinite loop
> -------------------------------------------
>
>                 Key: TOMEE-1970
>                 URL: https://issues.apache.org/jira/browse/TOMEE-1970
>             Project: TomEE
>          Issue Type: Bug
>          Components: TomEE Core Server
>    Affects Versions: 7.0.2
>         Environment: All systems applicable.
>            Reporter: Zhuo Chen
>            Assignee: Romain Manni-Bucau
>              Labels: easyfix
>             Fix For: 7.0.3
>
>   Original Estimate: 1h
>  Remaining Estimate: 1h
>
> Dear Apache TomEE team,
> we implemented a static analysis tool that helps enforce CERT rule FIO08-J:
> https://www.securecoding.cert.org/confluence/display/java/FIO08-J.+Distinguish+between+characters+or+bytes+read+from+a+stream+and+-1
> As a case study we ran the tool on Apache TomEE and found violations of
> the rule.
> A badly written configuration file can cause an infinite loop in the JSON parser in `container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java`
> This is because `SimpleJSonParser.java` has several places that violate the CERT rule FIO08-J:
> https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java#L50
> https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java#L67
> https://github.com/apache/tomee/blob/master/container/openejb-core/src/main/java/org/apache/openejb/util/SimpleJSonParser.java#L88
> We're not sure if this could be used for a remote denial-of-service
> attack, but it definitely can result in a non-functional server. 
> We have written up how to reproduce the results here:
> https://github.com/CharlesZ-Chen/ReadChecker/tree/master/case-study/apache-tomee
> This should be an easy fix as the only work is to correct the improper casts in `SimpleJSonParser.java`.
> Thanks,
> Charles



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
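The FIO08-J pattern the report refers to, as an added illustration that is not TomEE code and does not reproduce `SimpleJSonParser.java`: `Reader.read()` returns an `int` so that it can signal end of stream with -1, and casting that result to `char` before the comparison turns -1 into `'\uFFFF'`, which never equals the terminator the loop is waiting for. The class name, method names and the two input strings below are constructed for the example; the fixed method keeps the `int`, checks for -1 first, and only then narrows to `char`.

```java
import java.io.EOFException;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;

/**
 * Constructed example of CERT FIO08-J (distinguish a char read from a
 * stream from the -1 end-of-stream marker). Not code from TomEE.
 */
public final class Fio08jDemo {

    /**
     * VULNERABLE: the cast happens before the EOF test. (char) -1 is
     * '\uFFFF', which is never '"', so a string literal that is never
     * closed (e.g. a truncated config file) keeps this loop spinning.
     */
    static String readStringUnsafe(Reader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        char c = (char) in.read();      // -1 silently becomes '\uFFFF'
        while (c != '"') {              // '\uFFFF' != '"' on every pass
            sb.append(c);
            c = (char) in.read();       // still -1, still '\uFFFF'
        }
        return sb.toString();
    }

    /**
     * FIXED: keep the int returned by read(), compare it with -1 before
     * narrowing to char, and fail loudly on a truncated literal.
     */
    static String readStringSafe(Reader in) throws IOException {
        StringBuilder sb = new StringBuilder();
        int c;
        while ((c = in.read()) != '"') {
            if (c == -1) {
                throw new EOFException("unterminated string literal");
            }
            sb.append((char) c);
        }
        return sb.toString();
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs; the opening quote is assumed already consumed.
        String wellFormed = "hello\"";
        String truncated  = "hello";    // stream ends inside the literal

        System.out.println(readStringUnsafe(new StringReader(wellFormed)));
        System.out.println(readStringSafe(new StringReader(wellFormed)));

        try {
            readStringSafe(new StringReader(truncated));
        } catch (EOFException e) {
            System.out.println("safe parser rejected input: " + e.getMessage());
        }

        // readStringUnsafe(new StringReader(truncated)) is deliberately not
        // called: it would never return.
    }
}
```

The same check applies to `InputStream.read()`, which also returns an `int` in the range 0..255 or -1. As the comment above notes, the parser here only sees local configuration files, which limits who can trigger the loop; a truncated or mis-edited file would still hang the server at startup, which is the non-functional-server outcome the report describes.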