February 28, 2011

Java Bug hangs the JVM

I'm not sure about publishing bugs, but I guess it's already out there and there is also a patch available. The problem is in java.lang.Double and the handling of the maximum double value, i.e. 2.2250738585072012e-308. The following code will send an older JVM into an infinite loop (parseDouble takes a String, so the value must be quoted):
Double.parseDouble("2.2250738585072012e-308")

Ok, but is this really a problem? Yes, it is for a Java server connected to the Internet. Let's imagine a bank server written in Java and exposed/available from the Internet. You can be quite certain there will be some fields taking a double as input. These HTML form fields are all Strings, but when processed at the server they are parsed to Double. This is a typical exploit scenario a hacker can use to hang the server, i.e. a DoS attack.

The solution is either patching your current JVM version or upgrading to the latest JVM, i.e. Java 6 Update 24.
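Until the JVM is patched, a server can at least keep a single bad request from tying up its request thread. The following is an added example, not code from the original post: a hypothetical SafeDoubleParser wrapper that runs Double.parseDouble on a worker thread with a timeout and rejects absurdly long input up front. The class name, the 64-character limit and the timeout value are my own choices.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class SafeDoubleParser {

    // Daemon threads so a parser that never returns cannot keep the JVM alive at shutdown.
    private static final ExecutorService POOL = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "untrusted-double-parser");
        t.setDaemon(true);
        return t;
    });

    /**
     * Parses untrusted numeric input. Throws NumberFormatException for malformed or
     * oversized input and TimeoutException if the parser does not return in time.
     */
    public static double parseWithTimeout(String input, long timeoutMillis)
            throws TimeoutException {
        // Cheap sanity check first: a legitimate form value never needs more than a few
        // dozen characters to express a double. (64 is an assumed, generous limit.)
        if (input == null || input.length() > 64) {
            throw new NumberFormatException("input rejected: null or longer than 64 chars");
        }

        Future<Double> result = POOL.submit(() -> Double.parseDouble(input));
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NumberFormatException("interrupted while parsing");
        } catch (ExecutionException e) {
            // Surface the parser's own NumberFormatException unchanged; anything else is unexpected.
            if (e.getCause() instanceof NumberFormatException) {
                throw (NumberFormatException) e.getCause();
            }
            throw new RuntimeException(e.getCause());
        } catch (TimeoutException e) {
            // On a vulnerable JVM the spinning parser ignores interrupts, so this thread is
            // lost, but the request thread that called us is not. Log and fail the request.
            result.cancel(true);
            throw e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Normal input parses as usual.
        System.out.println(parseWithTimeout("1234.56", 100));
        // On a patched JVM (Java 6 Update 24 or later) this returns the subnormal boundary
        // value; on an unpatched one it throws TimeoutException instead of hanging forever.
        System.out.println(parseWithTimeout("2.2250738585072012e-308", 100));
    }
}
```

Treat this as a stopgap only: each timed-out parse on an unpatched JVM still burns one thread spinning at 100% CPU, so repeated hits would exhaust the server anyway. Count TimeoutExceptions from this wrapper and alert on them; they are a direct signal that someone is probing the bug, and the real fix remains upgrading the JVM.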


http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html

This bug matters foremost for server applications, since a desktop application can always be restarted, but if you want to upgrade your desktop Java version, please go to http://java.com/.
