USA: (978) 496-9990
Germany: +49 7031 221461
UK: +44 207 193 1212

Join us at the SOTR ColdFusion Conference

We look forward to meeting you at Scotch on the Rocks (SOTR) this Thursday and Friday – 3/4 March in Edinburgh, Scotland!

SOTR ColdFusion conference brings you current informative content and sessions to enhance, enrich and excite you. The wide range of topics and presentations this year is a reflection of the rapidly progressing and growing area of ColdFusion, and includes related development and wider industry topics, so is also suitable for those in the wider development community.

David Tattersall – Managing Director and David Stockton – Technical Consultant will be there to answer any questions you might have about our products and services. In addition, David Stockton will be giving a session on how to sort out your legacy applications. You can read more about the presentation below.

The road to sanity – sorting out your legacy applications
Thursday 3.March 13:30 – 14:30

We can help make your life easier! With our unique tooling combination of FusionReactor, FusionDebug and the jewel of in the crown FusionAnalytics – we will demonstrate how you can quickly focus on and correct your legacy application stability issues and proactively improve quality, performance and reliability over time.

CVE-2010-4476 – ColdFusion / Java hangs when converting 2.2250738585072012e-308 (or 2.2250738585072011e-308)

This JVM bug seems to be getting some high-level attention in the IT press so I thought I’d lay out the issue where CF is concerned:

History

The bug is in the JVM (it has been since ~2001) and so ColdFusion running on Sun JVMs are affected.
Someone out there has obviously made the link between the same issue happening in PHP and brought this issue to light again ( http://bugs.php.net/bug.php?id=53632 ). There’s a Java related discussion happening here: http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/

How to reproduce

To have the bug show, you must call the parseDouble() method of the java.lang.Double class. There are several ways this can happen. Many people are discussing this as a vulnerability that can be executed at the HTTP header level like so:

Accept-Language: en-us;q=2.2250738585072012e-308

However, this requires a call to HttpServletRequest’s getLocale() method, something that isn’t done trivially on a JRun4, CF 9.0.1 instance (even when calling the ColdFusion function “getLocale()”). Thus, to show this problem, you must do something like…

#GetPageContext().getRequest().getLocale()#

… within your ColdFusion page.

From our experience, a more likely attack could be performed with code like this:

<cfparam name="URL.pageNum" default="1" />
<cfparam name="URL.itemsPerPage" default="10" />
<cfquery name="qProducts" datasource="mysql_dsn">
    SELECT * FROM products
    LIMIT #((URL.pageNum-1) * URL.itemsPerPage) + 1# , #URL.pageNum * URL.itemsPerPage#
</cfquery>

The problem here is “URL.pageNum-1“. This calculation causes a call to parseDouble() behind the scenes which means that if the page were called with “page_name.cfm?pageNum=2.2250738585072012e-308” then the thread would hang in an infinite loop.

What doesn’t show the issue?

Note that in this example, “URL.itemsPerPage” could also cause the issue because it is used in the multiplication calculation. If the variable were not used in any calculations but only output, it would not show the issue. This example does NOT show the problem:

<cfset x = 2.2250738585072012e-308 />
<cfoutput>#x#</cfoutput>

What can you do?

Short term

If you have FusionReactor installed and configured with CrashProtection enabled and configured, the threads can be automatically killed by FusionReactor, saving your server from almost certain failure. To do this, enable Crash Protection and configure a “Request Timeout” value and set it to use the “Abort and Notify” strategy. This will cause requests taking longer than this time to quit – even if they are stuck in the infinite loop bug as in this scenario.

For those of you who are wondering, this is NOT the same as the ColdFusion timeout mechanism and so the ColdFusion page timeout alone will not help you in this scenario.

It’s good practice to have FusionReactor installed and Crash Protection enabled because it can save you from a lot of these issues without you needing to do anything.

Long term

I’m sure Oracle/Sun will offer a new update in due course. However, you can also download the “Java SE Floating Point Updater Tool”:
Download: http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater
Read Me: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

Further Help

If you’re in need of help updating your JVM and/or patching it then we can offer assistance in this area from as little as $800. The FusionReactor product is available from as little as $249 and contains a wealth of other features – the majority of which are not covered by the ColdFusion Server Monitor – http://www.fusion-reactor.com/fr/ for more information.

Notes

This article refers to JRun4, CF9 installations. The issue is apparent on a wide variety of Java platforms (we offer consulting for most Java environments) and is more prevalent on Tomcat installations (which includes JBoss).

References

Official security alert (CVE-2010-4476): http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html