Java vulnerability with a particular floating point number

Warwick Hunter

Feb 21, 2011, 7:38:36 PM2/21/11
to gc...@googlegroups.com
I thought it best to ensure everyone knows about this particular vulnerability.

http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html

I thought my apps were not vulnerable because none of them receive floating point values from
the outside world. I was wrong. My apps don't accept such values, but Tomcat does.

http://blog.fortify.com/blog/2011/02/08/Double-Trouble

The Tomcat Twist
----------------
Think you're not vulnerable because your program doesn't use any doubles?
Wrong answer. Tomcat uses parseDouble() on the value of the Accept-Language
HTTP header when an application calls request.getLocale(). If your application
takes locale into account, chances are it's vulnerable.
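The point of the quoted passage is that an HTTP header field (the q-value in Accept-Language) is handed straight to a floating point parser. The defensive alternative is to validate the q-value against the grammar the RFC actually allows before any numeric conversion happens. The following is an added illustration, not code from this thread, from Tomcat or from the Fortify post; it is Python standing in for the Java logic, with the header lines constructed for the example.

```python
import re

# Strict qvalue grammar from RFC 2616 section 3.9:
#   qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
# Exponents, signs, long mantissas and anything else never reach float().
QVALUE_RE = re.compile(r"^(?:0(?:\.\d{0,3})?|1(?:\.0{0,3})?)$")

# Language tag shape from the same RFC: "*" or 1-8 alpha, then "-" subtags.
LANG_TAG_RE = re.compile(r"^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$")


def parse_qvalue(text: str) -> float:
    """Return the q-value as a float only after it passed the strict grammar."""
    if not QVALUE_RE.match(text):
        raise ValueError(f"malformed qvalue: {text!r}")
    # Only "0", "1" or those with up to three decimals get here, so float() is safe.
    return float(text)


def parse_accept_language(header: str):
    """Parse Accept-Language into (tag, q) pairs, dropping any malformed entry.

    Entries with an unparsable q-value are discarded rather than passed on to
    the numeric parser, which is the mitigation for the behaviour described above.
    """
    accepted = []
    for item in header.split(","):
        item = item.strip()
        if not item:
            continue
        parts = [p.strip() for p in item.split(";")]
        tag, params = parts[0], parts[1:]
        if not LANG_TAG_RE.match(tag):
            continue  # drop entries with a malformed language tag
        q = 1.0  # RFC default when no q parameter is present
        for param in params:
            name, sep, value = param.partition("=")
            if sep and name.strip().lower() == "q":
                try:
                    q = parse_qvalue(value.strip())
                except ValueError:
                    q = None  # malformed q-value: drop this entry entirely
                break
        if q is not None:
            accepted.append((tag, q))
    return accepted
```

A constructed header such as `en;q=2.2e-308,de;q=0.9` yields only `("de", 0.9)`, because the exponent form is rejected by the grammar check before any conversion.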