Posted to commits@cassandra.apache.org by "Branimir Lambov (Jira)" <ji...@apache.org> on 2020/12/16 10:35:00 UTC

[jira] [Comment Edited] (CASSANDRA-14925) DecimalSerializer.toString() can be used as OOM attack

    [ https://issues.apache.org/jira/browse/CASSANDRA-14925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17250232#comment-17250232 ] 

Branimir Lambov edited comment on CASSANDRA-14925 at 12/16/20, 10:34 AM:
-------------------------------------------------------------------------

To me this is a serious bug for any version of Cassandra, and should be applied to all supported versions ASAP. This is a real security risk for users and can be very easily exploited as a denial of service attack. I am raising the severity accordingly – this has been ignored too long already.

The risk of problems after the patch is not real: any of the considered formats is a valid full precision representation of the number and will be accepted correctly by transformations back to {{BigDecimal}} from {{String}}.


> DecimalSerializer.toString() can be used as OOM attack 
> -------------------------------------------------------
>
>                 Key: CASSANDRA-14925
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-14925
>             Project: Cassandra
>          Issue Type: Bug
>          Components: Legacy/Core
>            Reporter: Zhao Yang
>            Assignee: Zhao Yang
>            Priority: Urgent
>
> Currently, in {{DecimalSerializer.toString(value)}}, it uses {{BigDecimal.toPlainString()}} which generates huge string for large scale values.
>  
> {code:java}
> import java.math.BigDecimal;
>
> BigDecimal d = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
> d.toPlainString(); // needs a ~2^31-character string: OutOfMemoryError
> {code}
>  
> Propose to use {{BigDecimal.toString()}} when the scale is larger than 100, which is configurable via {{-Dcassandra.decimal.maxscaleforstring}}.
>  
> | patch | circle-ci |
> |[trunk|https://github.com/jasonstack/cassandra/commits/decimal-tostring-trunk]|[unit|https://circleci.com/gh/jasonstack/cassandra/751?utm_campaign=vcs-integration-link&utm_medium=referral&utm_source=github-build-link]|
> The code should apply cleanly to 3.0+.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org
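
The following is an added example, not Cassandra's DecimalSerializer or any code from the ticket. It shows the mitigation the report proposes (fall back to BigDecimal.toString(), i.e. exact scientific notation, once the scale passes a threshold) next to a helper that computes how long toPlainString() would have been without allocating it, so the hostile value from the ticket can be examined without triggering the OutOfMemoryError. The class name SafeDecimalToString, the methods plainStringLength() and toSafeString(), and the constant DEFAULT_MAX_PLAIN_SCALE are assumptions made for this example; the threshold of 100 is the value the ticket proposes. The example goes one step beyond the ticket in also guarding large negative scales (huge positive exponents), which make toPlainString() pad with zeros the same way. It also checks the round-trip property the comment relies on: both notations parse back to an equal BigDecimal (same value and same scale).

```java
import java.math.BigDecimal;

// Added example (not Cassandra's code): bounded BigDecimal-to-String conversion.
public final class SafeDecimalToString {

    // Hypothetical threshold; the ticket proposes 100 and a system property to tune it.
    static final int DEFAULT_MAX_PLAIN_SCALE = 100;

    /**
     * Length of the string toPlainString() would build, computed arithmetically.
     * scale > 0: digits with a decimal point inserted `scale` places from the right,
     *            left-padded as "0.000...ddd" when scale >= number of digits.
     * scale <= 0: digits followed by -scale zeros, no decimal point.
     */
    static long plainStringLength(BigDecimal d) {
        int digits = d.unscaledValue().abs().toString().length();
        int scale = d.scale();
        int sign = d.signum() < 0 ? 1 : 0;
        if (scale <= 0) {
            return (long) sign + digits + (-(long) scale);
        }
        if (scale >= digits) {
            return (long) sign + 2 + (long) scale; // "0." + (scale - digits) zeros + digits
        }
        return (long) sign + digits + 1; // decimal point splits the digits
    }

    /**
     * Plain notation for ordinary values; scientific notation (BigDecimal.toString)
     * when |scale| exceeds maxPlainScale. Both forms are exact, full-precision
     * representations and are accepted by new BigDecimal(String).
     */
    static String toSafeString(BigDecimal d, int maxPlainScale) {
        return Math.abs((long) d.scale()) > maxPlainScale ? d.toString() : d.toPlainString();
    }

    public static void main(String[] args) {
        // Constructed inputs: the ticket's hostile value, its positive-exponent
        // counterpart, and an ordinary decimal.
        BigDecimal hostile = new BigDecimal("1e-" + (Integer.MAX_VALUE - 6));
        BigDecimal hostilePos = new BigDecimal("1e+" + (Integer.MAX_VALUE - 6));
        BigDecimal ordinary = new BigDecimal("1234.5678");

        for (BigDecimal d : new BigDecimal[] { hostile, hostilePos, ordinary }) {
            // What toPlainString() would have allocated (about 2^31 chars for the hostile values):
            System.out.println("plain length needed: " + plainStringLength(d));

            String s = toSafeString(d, DEFAULT_MAX_PLAIN_SCALE);
            System.out.println("serialized as: " + s);

            // Round trip must preserve value and scale exactly.
            BigDecimal back = new BigDecimal(s);
            if (!back.equals(d)) {
                throw new AssertionError("round trip changed value or scale: " + d);
            }
        }
    }
}
```

For the hostile input the plain form would need 2,147,483,643 characters, while toString() yields the 13-character "1E-2147483641", which parses back to an equal BigDecimal; the ordinary value stays in plain notation. Comparing with equals() rather than compareTo() is deliberate: it confirms that the scale, not just the numeric value, survives the round trip.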