[OpenJDK] Weak Parsing Logic in java.net.InetAddress and Related Classes

We discussed this vulnerability during Episode 157 on 10 October 2022

Multiple static functions in InetAddress, such as getByName and getAllByName, can be used both to resolve a name string to an IP address and to validate the format of an address. The problem is that the OpenJDK implementation does not properly validate the format of an IP address string. It comes from the handling of the % character, which in IPv6 is used to specify a zone index at the end of the address. The vulnerable functions use the private method checkNumericZone to check this value. That function does very little validation: it simply locates the % character and the ] character that should mark the end of the address, and makes sure there is at least one character between the two. It does not verify that nothing follows the ].

This allows for various malformed IP addresses to be validated such as:

  • 2606:4700:4700::1111%1]foo.bar baz'"
  • [::1.1.1.1%1]foo.bar baz '"]

The authors do provide an example of how this code might be used to validate a host before including it in a ping command, though it does feel rather contrived. It is a small test case that might be worth tossing into your lists.
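As an added illustration (not code from the podcast or from OpenJDK), the "validate then ping" scenario written twice: the weak pattern that trusts InetAddress to validate and then reuses the raw string, and a hardened version that allow-lists the input, requires a bracketed literal to end at ], and hands only the resolver's canonical address to ping through an argument list rather than a shell. HostArgumentCheck, SAFE_HOST, weakCheck, canonicalHost and ping are names chosen here, and how weakCheck behaves on the malformed samples depends on the JDK build in use.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.List;
import java.util.regex.Pattern;

public class HostArgumentCheck {
    // Allow-list for a host argument: hostname labels, IPv4/IPv6 digits and
    // separators, optional brackets, and an optional zone index after '%'.
    // Spaces, quotes and other shell-relevant characters never reach InetAddress.
    private static final Pattern SAFE_HOST =
        Pattern.compile("^\\[?[A-Za-z0-9.:\\-]+(%[A-Za-z0-9_.\\-]+)?\\]?$");

    // Weak pattern from the scenario above: let InetAddress decide whether the
    // raw string is a valid address, then go on using that raw string.
    static boolean weakCheck(String host) {
        try {
            InetAddress.getByName(host);
            return true;
        } catch (UnknownHostException e) {
            return false;
        }
    }

    // Hardened pattern: strict allow-list first, a bracketed literal must open
    // and close, and the caller only ever sees the canonical address string the
    // resolver produces, never the user-supplied text.
    static String canonicalHost(String host) throws UnknownHostException {
        if (host == null || !SAFE_HOST.matcher(host).matches()) {
            throw new UnknownHostException("rejected by allow-list: " + host);
        }
        if (host.startsWith("[") != host.endsWith("]")) {
            throw new UnknownHostException("unbalanced brackets: " + host);
        }
        return InetAddress.getByName(host).getHostAddress();
    }

    // Argument-list invocation: no shell is involved, so even a stray quote or
    // space in the target could not be interpreted as command syntax.
    static Process ping(String host) throws Exception {
        String target = canonicalHost(host);
        return new ProcessBuilder(List.of("ping", "-c", "1", target)).start();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: the two malformed forms from the write-up and one clean literal.
        String[] samples = { "[::1.1.1.1%1]foo.bar baz '\"]", "2606:4700:4700::1111%1]foo.bar baz'\"", "[::1]" };
        for (String s : samples) {
            System.out.println(s + " -> weakCheck=" + weakCheck(s));
            try { System.out.println("  canonical=" + canonicalHost(s)); }
            catch (UnknownHostException e) { System.out.println("  " + e.getMessage()); }
        }
    }
}
```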