From: SourceForge.net <no...@so...> - 2012-09-29 14:03:26
|
Bugs item #3572993, was opened at 2012-09-29 07:03 Message generated for change (Tracker Item Submitted) made by blaschke-oss You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=712784&aid=3572993&group_id=128809 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: Java Client (JSR48) Group: Security Status: Open Resolution: None Priority: 5 Private: No Submitted By: Dave Blaschke (blaschke-oss) Assigned to: Dave Blaschke (blaschke-oss) Summary: parseDouble("2.2250738585072012e-308") DoS vulnerability Initial Comment: Background - In early 2011 a critical Java Class Library security vulnerability was blogged on the Internet and is now in the public domain. (an IBM customer has already checked this issue with IBM Java and raised a PMR). Issue - Calling Double.parseDouble("2.2250738585072012e-308") leads to an infinite loop. Impact - This can be used as a denial of service attack against app servers. If an app server receives a HTTP request and parses the value with parseDouble() the thread doing the parsing will go into an infinite loop Who's Affected - This vulnerability affects all versions and releases of Java (1.4.2, 5.0 and 6.0) on all platforms. Web servers and Web services are particularly at risk. ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=712784&aid=3572993&group_id=128809 |