Authors:
Lian Keke; Zhang Lei; Zhao Haoran; Cao Yinzhi; Liu Yongheng; Sun Fute; Zhang Yuan; Yang Min
Publication:
This paper is included in the proceedings of the 34th USENIX Security Symposium (USENIX Security 2025)
Abstract:
Denial-of-Service (DoS) attacks have long been a major threat to the availability of the World Wide Web. While prior work has extensively studied network-layer DoS and certain types of application-layer DoS, such as Regular Expression DoS (ReDoS), little attention has been paid to memory exhaustion DoS, especially in Java web containers. Our research target is a special type of memory exhaustion DoS vulnerability in which user data is retained in the web container, which this paper defines as Data Retention DoS (DRDoS). To the best of our knowledge, there is no systematic academic study of DRDoS vulnerabilities in Java web containers, apart from a few manually found vulnerabilities in the Common Vulnerabilities and Exposures (CVE) database. In this paper, we design and implement a novel static analysis approach, called DR.D, to detect and assess DRDoS vulnerabilities in Java web containers. Our key insight is to analyze the request handling process of web containers and detect whether client-controlled request data may be retained in the container, which leads to DRDoS vulnerabilities. We apply DR.D to four popular open-source Java web containers and find that all of them have DRDoS vulnerabilities. Specifically, DR.D finds 25 zero-day, exploitable vulnerabilities. We have responsibly reported all of them to the corresponding developers and received confirmations. So far, we have received seventeen CVE identifiers (three of them assigned high severity). Based on scan results from search engines such as Shodan, we identify that over 1.5 million public IP addresses are hosting versions of Java web containers potentially affected by the DRDoS vulnerabilities found by DR.D, demonstrating how widespread DRDoS vulnerabilities are.