Oracle has issued a security alert (CVE-2010-4476) and a patch for Java (including Java SE and Java for Business). The vulnerability is a bug in converting the decimal string “2.2250738585072012e-308” to a binary double-precision floating-point number: the conversion never terminates, so the thread performing it spins at 100% CPU. Because the same conversion code runs in Java on servers and in standalone Java desktop applications, an attacker who can get such a value parsed can cause a complete denial of service on the affected servers.
It has been suggested that simply including the literal “2.2250738585072012e-308” in an HTTP request, in any field the server converts to a number, is enough to hang a server.
Affected versions of Java SE are:
- JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
- JDK 5.0 Update 27 and earlier for Solaris 9
- SDK 1.4.2_29 and earlier for Solaris 8
Affected versions of Java for Business are:
- JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
- JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
- SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
Since the vulnerability is relatively easy to exploit on servers, and sites on the Internet already carry worked examples of how to do it, Oracle strongly recommends that affected organizations apply the fix as soon as possible.
To expedite this, Oracle has released the Java SE Floating Point Updater Tool, which patches an existing JDK/JRE installation in place rather than requiring a full upgrade.
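The quickest way to tell whether a given JVM is affected, before and after running the updater tool, is to attempt the conversion on a thread you are prepared to abandon. The probe below is an added example, not Oracle's or the updater tool's code: it parses the value from the alert on a daemon thread and reports whether the parse finished within a timeout. It is written in Java 5 syntax on purpose, because the runtimes in question are 1.4.2, 5.0 and 6. The class and method names are of my choosing.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Probe for CVE-2010-4476: does this JVM's decimal-to-double conversion
 * terminate on the value named in Oracle's alert?
 *
 * Added example, not Oracle's code. Java 5 syntax on purpose (no lambdas,
 * no diamond) so it compiles on the affected 1.4.2/5.0/6 toolchains.
 */
public class Cve20104476Probe {

    // Kept as a String so javac never converts the value itself: an
    // unpatched compiler uses the same conversion code and would hang on
    // the value written as a double literal in source.
    static final String PROBE_VALUE = "2.2250738585072012e-308";

    /**
     * Parses s on a daemon thread. Returns true if the parse completed
     * within timeoutMillis, false if it was still running (JVM affected).
     * A hung parse cannot be interrupted, so the thread is a daemon thread
     * and the caller must not wait for it to finish.
     */
    static boolean parseCompletesWithin(final String s, long timeoutMillis)
            throws InterruptedException {
        ExecutorService exec = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "cve-2010-4476-probe");
                t.setDaemon(true);
                return t;
            }
        });
        try {
            Future<Double> result = exec.submit(new Callable<Double>() {
                public Double call() {
                    return Double.valueOf(Double.parseDouble(s));
                }
            });
            result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;
        } catch (ExecutionException e) {
            // parseDouble threw (e.g. NumberFormatException): that is not a hang.
            throw new IllegalStateException("parse failed", e.getCause());
        } finally {
            exec.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        long timeout = args.length > 0 ? Long.parseLong(args[0]) : 5000L;
        boolean ok = parseCompletesWithin(PROBE_VALUE, timeout);
        System.out.println("java.runtime.version="
                + System.getProperty("java.runtime.version"));
        System.out.println(ok
                ? "parse completed: not affected by CVE-2010-4476"
                : "parse still running after " + timeout
                  + " ms: AFFECTED (CVE-2010-4476)");
        // Exit explicitly: on an affected JVM the daemon probe thread is still spinning.
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run it with the JDK you are checking (`javac Cve20104476Probe.java && java Cve20104476Probe`); exit status 1 means that runtime is affected. Run it once before and once after the updater tool to confirm the patch took. Note that filtering the exact literal out of HTTP input at the application layer is not a substitute for patching: other decimal spellings of the same value (extra trailing digits, a shifted exponent) reach the same conversion code.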
On the desktop, Oracle says the impact is minimal: an affected application, or an applet running in a browser, might stop responding and need to be restarted, but the desktop itself is not compromised (i.e. there is no compromise at the desktop OS level).
Desktop users should wait until the patch becomes available via the auto-update mechanism.
For more see Oracle’s blog post.