Pete Freitag

Java Floating Point DOS Vulnerability

Updated on May 07, 2024
By Pete Freitag
coldfusion, java

Oracle has just released a patch for a critical denial of service vulnerability (CVE-2010-4476) in the Java Runtime.

The vulnerability is a severe denial of service: attempting to convert or parse the string

"2.2250738585072012e-308"

to a floating point number sends the calling thread into an infinite loop instead of returning. Other spellings of the same value trigger it as well (for example a shifted decimal point with a correspondingly adjusted exponent, or extra trailing digits), so the exact string above is not the only dangerous input.

I have confirmed that this is easily exploited on a ColdFusion server running an unpatched JVM. It is very probable that you have code that could be exploited.

Any code path that reaches Java's floating point parser (Double.parseDouble, Double.valueOf and anything built on top of them) is vulnerable, so ColdFusion code as simple as:

<cfparam name="url.x" type="numeric">

will, when given the malicious value, send the request's processing thread into an infinite loop at full CPU. Because the loop never exits, each such request pins a thread for the life of the process, and a handful of them is enough to exhaust the server's request threads.

Oracle released a new JVM on February 15, 2011 (Java 6 Update 24) which includes this fix among others. Java 1.6.0_24 has been certified by Adobe for use on ColdFusion 8.0 through 9.0.1.
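As an added example (not code from this post or from HackMyCF), here is a stand-alone Java program you can run against a JVM to find out whether it is affected. It runs Double.parseDouble on the published trigger value in a daemon thread with a timeout, so a vulnerable runtime reports "HUNG" instead of hanging the probe itself. The trigger string is the one from the advisory; the timeout, thread name and the other sample inputs are my own choices, and the code sticks to Java 6 syntax because that is the affected runtime.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Local check for CVE-2010-4476. Added example, not the post author's code.
 * Parses the known trigger in a daemon thread with a timeout: on a patched JVM
 * parseDouble returns immediately, on an unpatched JVM it never returns.
 */
public class FpDosCheck {

    /** The value from the CVE-2010-4476 report. */
    static final String TRIGGER = "2.2250738585072012e-308";

    /** Generous bound for a correct parser; the bug never returns at all (assumed value). */
    static final long TIMEOUT_MS = 2000;

    /**
     * Returns true if Double.parseDouble(s) returns or throws within the timeout,
     * false if it is still running when the timeout expires (the parser hung).
     */
    static boolean parseReturns(final String s, long timeoutMs) throws InterruptedException {
        // Daemon thread: if the parser never returns it must not keep the JVM alive at exit.
        ExecutorService exec = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "fp-dos-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> result = exec.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            result.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;                 // parsed normally
        } catch (ExecutionException e) {
            return true;                 // threw (e.g. NumberFormatException) but did return
        } catch (TimeoutException e) {
            // The vulnerable loop never checks for interrupts, so cancel() cannot stop it;
            // the daemon thread keeps spinning at 100% CPU until this process exits.
            result.cancel(true);
            return false;
        } finally {
            exec.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        // Constructed sample inputs: the trigger, its neighbour Double.MIN_NORMAL
        // (2.2250738585072014e-308, parses fine), and two ordinary strings that
        // every JVM parses or rejects immediately.
        String[] inputs = {
            TRIGGER,
            "2.2250738585072014e-308",
            "1.0",
            "not-a-number",
        };
        boolean vulnerable = false;
        for (String s : inputs) {
            boolean ok = parseReturns(s, TIMEOUT_MS);
            System.out.println((ok ? "returned" : "HUNG    ") + "  " + s);
            if (!ok) {
                vulnerable = true;
            }
        }
        String version = System.getProperty("java.version");
        if (vulnerable) {
            System.out.println("JVM " + version + " hangs on the CVE-2010-4476 trigger: update it.");
        } else {
            System.out.println("JVM " + version + " parses the trigger: it is patched.");
        }
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Compile and run it with the exact JVM your application server uses (for ColdFusion, the one named by jvm.config), for example `javac FpDosCheck.java && java FpDosCheck`; the exit code is 1 when the parser hung. Run it as its own process rather than inside the server: on a vulnerable JVM the probe thread stays pinned at full CPU until the process exits, which is exactly why a remote scanner cannot safely test for this.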

I'd like to add a scanner for this on HackMyCF but doing so would crash your server, so I won't be doing that :)

This DOS issue is one of my favorite examples of why it is important to keep your JVM updated with the latest security patches. Back when this issue was first discovered it was not common to update the JVM; today Oracle ships Java security patches on a quarterly schedule.

Update: We have added a probe feature, available to paid subscribers of HackMyCF, which will alert you when you need to update your JVM.

Another Update: today you should not be running Java 1.6 at all. Take a look at some current info showing which Java LTS versions Oracle supports, and which versions of Java ColdFusion currently supports today.



java, security, dos

Java Floating Point DOS Vulnerability was first published on February 09, 2011.
