CVE-2018-1336 - Loop with Unreachable Exit Condition ('Infinite Loop')

Severity

75%

Complexity

39%

Confidentiality

60%

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

CVSS 3.1 Base Score 7.5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).

CVSS 2.0 Base Score 5. CVSS Attack Vector: network. CVSS Attack Complexity: low. CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P).
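As an added illustration of the failure class in the description above (example code written for this page, not Apache Tomcat's decoder, and not a reproduction of Tomcat's specific defect), the following Python models a UTF-8 decoder that fills a fixed-capacity UTF-16 output buffer, the shape of a Java CharsetDecoder writing into a CharBuffer. A supplementary character (U+10000 and above) needs two code units, so it is the one case where a single free slot is not enough room; if the caller's drain-and-retry loop can never make enough room, every call reports overflow, no input is consumed, and the loop spins forever. The names decode_scalar, to_utf16, decode_into, decode_all and DecoderStuck, and the sample byte strings, are all constructed here.

```python
# Added example (not Apache Tomcat's code): a UTF-8 -> UTF-16 decoder driven
# through a fixed-capacity output buffer, plus the loop guard that turns a
# "no progress" overflow round into an error instead of an infinite loop.

OVERFLOW = "overflow"      # output buffer full, input not fully consumed
UNDERFLOW = "underflow"    # all input consumed


class DecoderStuck(RuntimeError):
    """Raised when the decode loop detects that it is not making progress."""


def decode_scalar(data: bytes, pos: int) -> tuple[int, int]:
    """Decode one scalar value from data[pos:]. Returns (code_point, byte_length).
    Rejects bad lead or continuation bytes, overlong forms, surrogates and
    values above U+10FFFF with ValueError."""
    b0 = data[pos]
    if b0 < 0x80:
        need, cp = 0, b0
    elif 0xC2 <= b0 <= 0xDF:
        need, cp = 1, b0 & 0x1F
    elif 0xE0 <= b0 <= 0xEF:
        need, cp = 2, b0 & 0x0F
    elif 0xF0 <= b0 <= 0xF4:
        need, cp = 3, b0 & 0x07
    else:
        raise ValueError(f"invalid lead byte 0x{b0:02x} at offset {pos}")
    if pos + need >= len(data):
        raise ValueError(f"truncated sequence at offset {pos}")
    for i in range(1, need + 1):
        b = data[pos + i]
        if b & 0xC0 != 0x80:
            raise ValueError(f"bad continuation byte at offset {pos + i}")
        cp = (cp << 6) | (b & 0x3F)
    if cp < (0, 0x80, 0x800, 0x10000)[need] or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
        raise ValueError(f"invalid code point at offset {pos}")
    return cp, need + 1


def to_utf16(cp: int) -> list[int]:
    """UTF-16 code units for one scalar: one unit in the BMP, a surrogate pair above it."""
    if cp < 0x10000:
        return [cp]
    cp -= 0x10000
    return [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]


def decode_into(data: bytes, pos: int, out: list[int], capacity: int) -> tuple[str, int]:
    """One decoder call. Appends UTF-16 units to `out` (never beyond `capacity`)
    and returns (status, new_pos). A character that does not fit is left
    unconsumed; that contract is what makes an OVERFLOW round safe to retry."""
    while pos < len(data):
        cp, length = decode_scalar(data, pos)
        units = to_utf16(cp)
        if len(out) + len(units) > capacity:
            return OVERFLOW, pos          # one free slot is not room for a surrogate pair
        out.extend(units)
        pos += length
    return UNDERFLOW, pos


def decode_all(data: bytes, capacity: int) -> list[int]:
    """Drive decode_into() to completion with a drain-on-OVERFLOW loop.
    The progress check is the CWE-835 mitigation: if an OVERFLOW round neither
    consumed input nor produced output, nothing will change on the next round,
    so the loop raises instead of spinning forever."""
    result: list[int] = []
    out: list[int] = []
    pos = 0
    while True:
        status, new_pos = decode_into(data, pos, out, capacity)
        result.extend(out)
        if status == UNDERFLOW:
            return result
        if new_pos == pos and not out:
            # e.g. capacity == 1 and a supplementary character: the buffer is
            # already empty, yet the next character still cannot fit.
            raise DecoderStuck(f"no progress at offset {pos}; output capacity {capacity} too small")
        pos = new_pos
        out.clear()


if __name__ == "__main__":
    sample = b"a\xf0\x9f\x98\x80b"          # constructed: 'a', U+1F600, 'b'
    print(decode_all(sample, 2))           # [97, 55357, 56832, 98]
    try:
        decode_all(sample, 1)
    except DecoderStuck as e:
        print("stopped instead of looping:", e)
```

The guard turns a hang into an exception a request handler can log and reject. The root-cause fix is to size the output buffer so a surrogate pair always fits once the buffer has been drained (a capacity of at least 2), which is why the same input decodes with capacity 2; the guard stays worthwhile as defence in depth, because any decoder that returns overflow without consuming input can reach the same no-progress state.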

Demo Examples

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

In the following code, the method processMessagesFromServer attempts to establish a connection to a server and then read and process messages from it. The method uses a do/while loop to keep trying to establish the connection whenever an attempt fails.


               
    // create socket to connect to server
    ...
    do {
        // establish connection to server
        ...
        // if connected then read and process messages from server
        ...
            // read and process messages
            ...
    // keep trying to establish connection to the server
    } while (...);
    // close socket and return success or failure
    ...

However, this creates an infinite loop if the server never responds. The loop consumes system resources for as long as it runs and can therefore be used to mount a denial of service attack. To resolve this, a counter should be used to limit the number of attempts to establish a connection to the server, as in the following code.


               
    // initialize number of attempts counter
    ...
    do {
        // establish connection to server
        ...
        // increment counter
        ...
        // if connected then read and process messages from server
        ...
            // read and process messages
            ...
    // keep trying to establish connection to the server
    // up to a maximum number of attempts
    } while (...);
    // close socket and return success or failure
    ...
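The bounded retry loop described above, as an added runnable example (not the CWE entry's own code). The connect operation is injected as a callable so the loop can be exercised offline; connect_with_limit, flaky_server, max_attempts and backoff_s are names and parameters constructed here, and flaky_server is a constructed stand-in for a real socket connect.

```python
# Added example (not the CWE entry's code): a connection-retry loop whose
# exit condition is always reachable because the attempt count is bounded.

import time
from typing import Callable


def connect_with_limit(connect: Callable[[], bool], max_attempts: int,
                       backoff_s: float = 0.0) -> tuple[bool, int]:
    """Call `connect()` until it succeeds or `max_attempts` is exhausted.
    Returns (connected, attempts_made). Unlike an unbounded do/while, the
    worst case is fixed before the loop starts: a server that never answers
    costs at most `max_attempts` tries, not a thread spinning indefinitely."""
    if max_attempts < 1:
        raise ValueError("max_attempts must be at least 1")
    attempts = 0
    connected = False
    while not connected and attempts < max_attempts:
        attempts += 1
        connected = connect()
        if not connected and backoff_s:
            time.sleep(backoff_s)   # pause between attempts so retries do not hammer the peer
    return connected, attempts


def flaky_server(failures_before_success: int) -> Callable[[], bool]:
    """Constructed stand-in for a socket connect: fails the first N calls,
    then succeeds. A value larger than max_attempts models a server that
    never responds, which is exactly the case the unbounded loop mishandles."""
    calls = {"n": 0}

    def connect() -> bool:
        calls["n"] += 1
        return calls["n"] > failures_before_success
    return connect


def process_messages_from_server(connect: Callable[[], bool],
                                 read_messages: Callable[[], list[str]],
                                 max_attempts: int = 5) -> list[str]:
    """Shape of processMessagesFromServer: connect with the bounded loop, and
    read/process messages only if a connection was actually established."""
    connected, _ = connect_with_limit(connect, max_attempts)
    if not connected:
        return []                 # give up; the caller decides whether to alert or retry later
    return [m.strip() for m in read_messages()]   # "process" stands in for real handling


if __name__ == "__main__":
    print(connect_with_limit(flaky_server(2), 5))    # (True, 3)
    print(connect_with_limit(flaky_server(99), 3))   # (False, 3)
```

Returning the attempt count alongside the result lets the caller emit a metric; a steady stream of exhausted-retry results from one client is a signal worth alerting on, whereas the original loop would have produced no signal at all, only a stuck thread.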

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-835

In this example, the method isReorderNeeded, part of a bookstore application, determines whether a particular book needs to be reordered based on the current inventory count and the rate at which the book is being sold.


               
    // get inventory count for book
    ...
    // find number of days until inventory count reaches minimum
    while (...) {
        ...
        days++;
    }
    // if number of days within reorder timeframe
    // set reorder return boolean to true
    if (...) {
        isReorder = true;
    }
    return isReorder;

However, the while loop becomes an infinite loop if the rateSold input parameter has a value of zero, since the inventoryCount will then never fall below the minimumCount. In this case, the input parameter should be validated to ensure that a value of zero cannot cause an infinite loop, as in the following code.


               
    // validate rateSold variable
    ...
    return isReorder;
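The validated isReorderNeeded from the text, as an added runnable example (not the CWE entry's own code). It goes slightly beyond the text in two ways: it rejects negative rates as well as zero, since a negative rate also keeps the difference from ever reaching the minimum, and it adds a loop-free days_until_minimum that computes the same value by arithmetic. The function names, parameter names and the inventory figures used are constructed here.

```python
# Added example (not the CWE entry's code): the inventory loop with the
# rateSold validation applied, plus an equivalent loop-free computation.

def is_reorder_needed(inventory_count: int, rate_sold: int,
                      minimum_count: int, reorder_timeframe: int) -> bool:
    """Return True if stock will fall to `minimum_count` within
    `reorder_timeframe` days at `rate_sold` copies sold per day."""
    if rate_sold <= 0:
        # With a zero (or negative) rate `difference` never decreases and the
        # while loop below never exits: refuse the input instead of looping.
        raise ValueError("rate_sold must be a positive number of copies per day")
    days = 0
    difference = inventory_count - minimum_count
    # find number of days until inventory count reaches minimum
    while difference > 0:
        difference -= rate_sold
        days += 1
    # if number of days within reorder timeframe, reorder is needed
    return 0 < days < reorder_timeframe


def days_until_minimum(inventory_count: int, rate_sold: int, minimum_count: int) -> int:
    """Same answer as the loop above, without a loop: ceil(difference / rate).
    The validation is still required; with rate 0 the division would at
    least fail loudly, but a negative rate would return a meaningless value."""
    if rate_sold <= 0:
        raise ValueError("rate_sold must be a positive number of copies per day")
    difference = inventory_count - minimum_count
    if difference <= 0:
        return 0
    return -(-difference // rate_sold)   # ceiling division on integers


if __name__ == "__main__":
    # constructed figures: 100 in stock, minimum 20, reorder window 14 days
    print(is_reorder_needed(100, 10, 20, 14))   # True  (8 days)
    print(is_reorder_needed(100, 2, 20, 14))    # False (40 days)
    print(days_until_minimum(100, 3, 20))       # 27
```

Rejecting the bad input at the boundary is the fix the text calls for; replacing the loop with arithmetic removes the CWE-835 pattern altogether, which is generally preferable when the loop only counts.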

Overview

First reported: 2018-08-02 14:29:00

Last updated: 2020-04-15 21:15:00

Affected Software

Apache Software Foundation Tomcat

Apache Software Foundation Tomcat 8.0.0 Release Candidate 1

8.0.0

Apache Software Foundation Tomcat 8.0.0 release candidate 10

8.0.0

Apache Software Foundation Tomcat 8.0.0 Release Candidate 2

8.0.0

Apache Software Foundation Tomcat 8.0.0 Release Candidate 3

8.0.0

Apache Software Foundation Tomcat 8.0.0 release candidate 5

8.0.0

Apache Software Foundation Tomcat 9.0.0 M10

9.0.0

Apache Software Foundation Tomcat 9.0.0 M11

9.0.0

Apache Software Foundation Tomcat 9.0.0 M12

9.0.0

Apache Software Foundation Tomcat 9.0.0 M13

9.0.0

Apache Software Foundation Tomcat 9.0.0 M14

9.0.0

Apache Software Foundation Tomcat 9.0.0 M15

9.0.0

Apache Software Foundation Tomcat 9.0.0 M16

9.0.0

Apache Software Foundation Tomcat 9.0.0 M17

9.0.0

Apache Software Foundation Tomcat 9.0.0 M18

9.0.0

Apache Software Foundation Tomcat 9.0.0 M19

9.0.0

Apache Software Foundation Tomcat 9.0.0 M20

9.0.0

Apache Software Foundation Tomcat 9.0.0 M21

9.0.0

Apache Software Foundation Tomcat 9.0.0 M22

9.0.0

Apache Software Foundation Tomcat 9.0.0 M23

9.0.0

Apache Software Foundation Tomcat 9.0.0 M24

9.0.0

Apache Software Foundation Tomcat 9.0.0 M25

9.0.0

Apache Software Foundation Tomcat 9.0.0 M26

9.0.0

Apache Software Foundation Tomcat 9.0.0 M27

9.0.0

Apache Software Foundation Tomcat 9.0.0 M9

9.0.0

Red Hat JBoss Enterprise Application Platform (EAP) 6.0.0

6.0.0

Red Hat JBoss Enterprise Application Platform (EAP) 6.4.0

6.4.0

Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)

14.04

Canonical Ubuntu Linux 16.04 LTS (Long-Term Support)

16.04

Debian Linux 8.0 (Jessie)

8.0

Debian Linux 9.0

9.0

RedHat Enterprise Linux Desktop 7.0

7.0

RedHat Enterprise Linux Server 7.0

7.0

RedHat Enterprise Linux Workstation 7.0

7.0

References

[www-announce] 20180722 [SECURITY] CVE-2018-1336 Apache Tomcat - Denial of Service

Mailing List, Vendor Advisory

104898

Third Party Advisory, VDB Entry

1041375

Third Party Advisory, VDB Entry

RHEA-2018:2188

Third Party Advisory

RHEA-2018:2189

Third Party Advisory

RHSA-2018:2700

Third Party Advisory

RHSA-2018:2701

Third Party Advisory

RHSA-2018:2740

Third Party Advisory

RHSA-2018:2741

Third Party Advisory

RHSA-2018:2742

Third Party Advisory

RHSA-2018:2743

Third Party Advisory

RHSA-2018:2921

Third Party Advisory

RHSA-2018:2930

Third Party Advisory

RHSA-2018:2939

Third Party Advisory

RHSA-2018:2945

Third Party Advisory

RHSA-2018:3768

Third Party Advisory

[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Vendor Advisory

[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/

Mailing List, Third Party Advisory

[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

Mailing List, Third Party Advisory

[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Vendor Advisory

[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

Mailing List, Third Party Advisory

[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Vendor Advisory

[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/

Vendor Advisory

[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/

Vendor Advisory

[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

Mailing List, Third Party Advisory

[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/

Vendor Advisory

[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/

Mailing List, Third Party Advisory

[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/

Vendor Advisory

[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/

Vendor Advisory

[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/

Vendor Advisory

[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/

Vendor Advisory

[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/

Vendor Advisory

[debian-lts-announce] 20180902 [SECURITY] [DLA 1491-1] tomcat8 security update

Third Party Advisory

https://security.netapp.com/advisory/ntap-20180817-0001/

Third Party Advisory

https://support.f5.com/csp/article/K73008537?utm_source=f5support&utm_medium=RSS

Third Party Advisory

USN-3723-1

Third Party Advisory

DSA-4281

Third Party Advisory
