tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: CVE-2010-4476 - is it fixed or not?
Date Fri, 11 Feb 2011 16:27:46 GMT
Hash: SHA1


On 2/10/2011 6:03 PM, Leon Rosenberg wrote:
> short question, I read in the
> that a possible DoS attack vulnerability has been fixed in Request
> class.
> Does that mean that CVE-2010-4476 is
> a) not an issue with 6.0.32++
> b) not an issue unless the app uses Double.parseDouble
> c) probably not in issue in tomcat, at least until someone finds out it is.

Tomcat uses Double.parseDouble in a few places that have not been
addressed, but they are used for parsing values supplied by the
administrator or webapp developer (like parsing the <web-app> version
string, for instance). This appears to be the only use of
Double.parseDouble in Tomcat that could really be considered vulnerable.

If you want to protect yourself entirely, consider upgrading or using
the "fpupdate" program which patches your installation's rt.jar file. I
have done this on all my servers.

If you want to protect yourself on all Tomcat versions but still be
vulnerable to application use of Double.parseDouble, see my followups to
Mark's announcement this week: I show you how to protect Tomcat using
two different techniques with Apache httpd... these could easily be
adapted to use UrlRewrite if you aren't using a web server in front of

- -chris
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message