Oracle has released a collection of 21 patches addressing multiple security vulnerabilities in Java SE and Java for Business. 19 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Included in the update is a fix for CVE-2010-4476, the Java bug triggered when converting the string "2.2250738585072012e-308" to a binary floating-point number. The conversion sends the CPU into a loop that never terminates, and successful exploitation by a malicious attacker can result in a complete denial of service for affected servers running Java.
This update also includes patches for 12 Java client deployment vulnerabilities which can be exploited through untrusted Java Web Start applications and untrusted Java applets. One of the client vulnerabilities also affects the Windows-specific Java Update component.
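The denial of service above comes from a number-to-double conversion that never returns, so any server code that hands attacker-supplied strings to `Double.parseDouble` is affected until the runtime is patched. The following is an added example written for this page, not code from Oracle or from the advisory: it wraps the parse in a worker thread with a bounded wait, so a conversion that does not finish cannot stall the request thread. The class and method names (`GuardedDoubleParse`, `parse`, `ParseTimeoutException`) and the 500 ms budget are assumptions chosen for illustration; the sample inputs are constructed, with the second one being the value named in the advisory.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example (hypothetical helper, not part of the Oracle advisory):
 * run Double.parseDouble on a worker thread and give up after a bounded
 * time, so a conversion that never returns cannot block the caller.
 */
public class GuardedDoubleParse {

    // Daemon threads so that a stuck parse does not keep the JVM alive at shutdown.
    private static final ExecutorService PARSER = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "guarded-double-parse");
        t.setDaemon(true);
        return t;
    });

    /** Raised when the conversion did not complete within the allowed time. */
    public static final class ParseTimeoutException extends Exception {
        public ParseTimeoutException(String input) {
            super("floating-point parse timed out for input of length " + input.length());
        }
    }

    /**
     * Parse s as a double, waiting at most timeoutMillis for the result.
     * NumberFormatException from the underlying parse is rethrown unchanged.
     */
    public static double parse(String s, long timeoutMillis)
            throws NumberFormatException, ParseTimeoutException {
        Future<Double> result = PARSER.submit(() -> Double.parseDouble(s));
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // cancel(true) only sets the interrupt flag; a spinning parse will not observe it,
            // so the worker thread may keep consuming CPU. Patching the runtime is the real fix.
            result.cancel(true);
            throw new ParseTimeoutException(s);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof NumberFormatException) {
                throw (NumberFormatException) cause;
            }
            throw new IllegalStateException("unexpected failure while parsing", cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new ParseTimeoutException(s);
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs: an ordinary value, the value named in the
        // advisory, and a malformed string that must still be rejected normally.
        String[] inputs = { "3.14159", "2.2250738585072012e-308", "not-a-number" };
        for (String in : inputs) {
            try {
                System.out.println(in + " -> " + parse(in, 500));
            } catch (ParseTimeoutException e) {
                System.out.println(in + " -> TIMEOUT (conversion did not return; runtime likely unpatched)");
            } catch (NumberFormatException e) {
                System.out.println(in + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

On a patched runtime all three inputs complete immediately (the second parses to the smallest normal double). On an unpatched runtime the second input times out rather than hanging the caller, but as the comment notes the worker thread cannot be stopped, so this guard limits the blast radius of a single request; it does not replace installing the update.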
Affected versions of Java SE are:
- JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
- JDK 5.0 Update 27 and earlier for Solaris 9
- SDK 1.4.2_29 and earlier for Solaris 8
Affected versions of Java for Business are:
- JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
- JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
- SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
The CVEs addressed in this update are: CVE-2010-4452, CVE-2010-4454, CVE-2010-4462, CVE-2010-4463, CVE-2010-4465, CVE-2010-4467, CVE-2010-4469, CVE-2010-4473, CVE-2010-4422, CVE-2010-4451, CVE-2010-4466, CVE-2010-4470, CVE-2010-4471, CVE-2010-4476, CVE-2010-4447, CVE-2010-4475, CVE-2010-4468, CVE-2010-4450, CVE-2010-4448, CVE-2010-4472, CVE-2010-4474.
Oracle also has more information on its blog.