Packeteer_69831
Mar 17, 2011

ASM and Oracle Security Alert CVE-2010-4476

Hello,

I am investigating the possibility of using ASM to protect our Java-based application services from this vulnerability, until such time as our rather strict deployment cycle catches up and patches the affected systems.

The issue as I understand it is that the parsing of 2.2250738585072012e-308 causes the JVM to hang.

An example of where this could manifest itself would be in a Java web application where you need to fill in a form which accepts doubles. A potential DoS could be started by filling the form with 2.2250738585072012e-308.

Also, some web servers (Tomcat in particular) will crash if you request a URL with: curl -H 'Accept-Language: en-us;q=2.2250738585072012e-308' http://example.org

I give fair warning that my operational knowledge of ASM is very limited, so what I'm attempting to do may not even be possible; however, I have trawled through the ASM documentation (we're running 10.2.0 HF2 on 6800s, with ASM Sig Set 2010-09-08 01:40:53) to find a way to block requests to the affected applications when a user enters 2.2250738585072012e-308 into a form. As you may have guessed, I haven't found it, hence my post on DevCentral.

I would appreciate an insight into whether or not ASM could protect against this vulnerability, along with any other pertinent pointers should they be relevant.

Thanks,

Packeteer.

1 Reply

  • Hi Packeteer,

    An update to the ASM attack sigs to handle CVE-2010-4645 was released on downloads.f5.com:

    sol8217: Updating the BIG-IP ASM attack signatures

    http://support.f5.com/kb/en-us/solutions/public/8000/200/sol8217.html

    https://downloads.f5.com/esd/eula.sv?sw=BIG-IP&pro=big-ip_v10.x&ver=10.2.1&container=ASM-LatestSignatureFile&path=&desc=&file=&prodesc=BIG-IP+v10.x+%2F+Virtual+Edition&B1=I+Accept

    Aaron
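As an added example, not part of the original thread and not F5's signature logic: the post asks for a way to block requests that carry 2.2250738585072012e-308, but an exact-string signature on that literal is trivially bypassed, because 2.22507385850720120e-308, 22250738585072012e-324, +2.2250738585072012e-308 and 2.2250738585072012e-308d all denote the same number to Double.parseDouble. The Python check below compares the exact decimal value of each literal instead, so every spelling of the value is treated alike. The interval it flags, [2^-1022 - 2^-1075, 2^-1022) (the half-ulp just below the smallest normal double, which contains the value quoted in the post), is my assumption about the affected range drawn from public analysis of the bug; the thread itself only names the one value. Function names and sample inputs are illustrative.

```python
import re
from decimal import Decimal, InvalidOperation, localcontext

# Assumption (not stated in the thread): the parseDouble hang is triggered by any
# decimal string whose exact value lies in [2^-1022 - 2^-1075, 2^-1022), i.e. the
# half-ulp just below the smallest normal double. 2.2250738585072012e-308, the
# value quoted in the post, sits inside that interval.
with localcontext() as ctx:
    ctx.prec = 120                                   # far more than a 17-digit input needs
    DBL_MIN = Decimal(1) / Decimal(2 ** 1022)        # 2^-1022, smallest normal double
    HALF_SUBNORMAL_ULP = Decimal(1) / Decimal(2 ** 1075)
    HANG_LOW = DBL_MIN - HALF_SUBNORMAL_ULP          # inclusive lower bound
    HANG_HIGH = DBL_MIN                              # exclusive upper bound

# A decimal literal in the form Java's parseDouble accepts, including the optional
# d/D/f/F type suffix that an exact-string signature would not anticipate.
JAVA_DOUBLE = re.compile(r"[+-]?(?:\d+\.?\d*|\.\d+)(?:[eE][+-]?\d+)?[dDfF]?")


def is_dangerous_double(text):
    """True if `text` is a decimal literal whose exact value falls in the hang interval.

    The test is on the exact decimal value, so extra zeros, a shifted exponent,
    a sign or a trailing 'd' do not change the verdict.
    """
    literal = text.strip().rstrip("dDfF")
    try:
        value = Decimal(literal)          # exact; no rounding on construction
    except InvalidOperation:
        return False                      # not a number at all
    if not value.is_finite():
        return False                      # Infinity / NaN parse without looping
    # Decimal comparisons are exact and independent of context precision.
    return HANG_LOW <= abs(value) < HANG_HIGH


def find_dangerous_doubles(field_value):
    """Return the literals in a form field or header value that would hang the parser."""
    return [m.group(0) for m in JAVA_DOUBLE.finditer(field_value)
            if is_dangerous_double(m.group(0))]


if __name__ == "__main__":
    # Constructed sample inputs: the Accept-Language header from the post, a spelling
    # variant with a Java suffix, and a harmless q-value.
    for header in ("en-us;q=2.2250738585072012e-308",
                   "en-us;q=22250738585072012e-324d",
                   "en-us;q=0.8"):
        print(header, "->", find_dangerous_doubles(header) or "ok")
```

Run it over every parameter and header the application feeds to Double.parseDouble; the Accept-Language q-value from the post is one such place, and form fields typed as doubles are another. Hex float literals, which Java also accepts, take a different code path and are deliberately not matched here. The interval is an assumption, so treat this as a stopgap alongside the vendor signature update until the JVM itself is patched.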