Unrated severity · NVD Advisory · Published Dec 31, 2004 · Updated Apr 16, 2026

CVE-2004-1503

Description

Integer overflow in Java JRE InitialDirContext allows remote denial of service by sending a large number of DNS requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Integer overflow in the InitialDirContext class of Java Runtime Environment (JRE) versions 1.4.2, 1.5.0, and possibly earlier causes the xid variable to wrap after 32768 DNS requests. After the wrap, xid becomes negative, causing subsequent DNS queries to fail with a CommunicationException: DNS error: ID doesn't match [1]. The bug is in the DnsClient.query method, where the transaction ID (xid) is stored as a signed integer and incremented without bounds checking [1].
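
The mismatch described above can be reproduced with a small model. This is an added example, not the JRE's DnsClient source; it assumes the counter is a Java int written to the wire as 16 bits and that the reply's ID is read back as a signed short. The class and method names are hypothetical, and the replies are constructed in memory.

```java
import java.nio.ByteBuffer;

/** Constructed model of a DNS transaction-ID check; not the JRE's DnsClient source. */
public class XidWrapDemo {

    /** Build a 12-byte DNS header with only the ID field set (low 16 bits of id). */
    static byte[] header(int id) {
        return ByteBuffer.allocate(12).putShort(0, (short) id).array();
    }

    /** Flawed: reply ID read as a signed short, compared with an unbounded int counter. */
    static boolean matchesSigned(int xid, byte[] reply) {
        return xid == ByteBuffer.wrap(reply).getShort(0);
    }

    /** Corrected: both sides reduced to the unsigned 16-bit range the wire format uses. */
    static boolean matchesUnsigned(int xid, byte[] reply) {
        return (xid & 0xFFFF) == (ByteBuffer.wrap(reply).getShort(0) & 0xFFFF);
    }

    /** Returns the first query number whose echoed reply is rejected, or -1 if none. */
    static int firstRejected(boolean unsignedCompare, int queries) {
        int xid = 0;
        for (int n = 1; n <= queries; n++) {
            xid++;                              // assumed: incremented once per query
            byte[] reply = header(xid);         // a correct server echoes the 16-bit ID
            boolean ok = unsignedCompare ? matchesUnsigned(xid, reply)
                                         : matchesSigned(xid, reply);
            if (!ok) return n;
        }
        return -1;
    }

    public static void main(String[] args) {
        System.out.println("signed compare, first rejected query:   "
                + firstRejected(false, 200_000));
        System.out.println("unsigned compare, first rejected query: "
                + firstRejected(true, 200_000));
    }
}
```

In this model the signed comparison never recovers once the counter passes the 16-bit signed range, which is why a long-running process stays broken until the context is recreated or the process restarts.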

Exploitation

An attacker can trigger the overflow by tricking a Java application into performing a large number of DNS lookups (e.g., by providing crafted data that the application resolves via JNDI DNS). No authentication or special network position is required if the application accepts attacker-controlled input that leads to DNS queries. The attacker simply causes the application to issue more than 32768 DNS requests, at which point the internal counter wraps and all further lookups fail [1].

Impact

Successful exploitation causes a denial of service: the JNDI DNS context becomes unusable for subsequent DNS requests, throwing an exception for each lookup. This can disrupt any Java application relying on DNS resolution via JNDI, such as long-running server processes. The impact is limited to availability; no data is disclosed or modified [1].

Mitigation

No official patch from Sun/Oracle was identified in the available references. The advisory [1] notes that a workaround is to avoid using JNDI for DNS lookups or to limit the number of consecutive queries. Users of affected JRE versions (1.4.2, 1.5.0) should upgrade to a later version if a fix has been applied in subsequent releases (e.g., JRE 5.0 Update 1 or later). The vulnerability is not listed on the CISA KEV as of the publication date.

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • cpe:2.3:a:sun:jre:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:sun:jre:1.5.0:*:*:*:*:*:*:*

Patches

0

No patches discovered yet.

References

4
