Feb 9, 2011 17:13 GMT

Oracle has released a fix for a serious vulnerability in the Java Runtime Environment which could allow attackers to execute remote denial of service attacks against Java-based applications and servers.

The bug was recently documented by Konstantin Preißer and triggers an infinite loop in the runtime when it tries to convert the decimal number 2.2250738585072012e-308 to a double-precision binary floating-point value.

Reports of the same issue, described somewhat differently, have been found going back to 2001, and according to computer expert Rick Regan, equivalent forms of the number trigger the same problem as well.
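Because the loop is triggered by the value being converted rather than by one particular spelling of it, an application that accepts numbers from untrusted input cannot defend itself by string-matching the reported literal. The class below is an added example written for this article, not Oracle's updater tool and not the JDK fix: it parses the string with BigDecimal (pure integer arithmetic, so it does not go through the affected conversion code) and refuses any value whose exact magnitude lies in the gap between the largest subnormal double and the smallest normal double, 2^-1022, which is where 2.2250738585072012e-308 sits. The width of that guarded interval is an assumption chosen to be conservative; the guard is a stopgap for code that must keep running on an unpatched JRE, not a replacement for applying the fix.

```java
import java.math.BigDecimal;

/**
 * Guard for untrusted decimal strings on a JRE without the CVE-2010-4476 fix.
 * Added example code; the guarded interval [MAX_SUBNORMAL, MIN_NORMAL] is an
 * assumption made here, chosen to cover the boundary the reported value sits on.
 */
public final class SafeDoubleParser {

    // Exact binary values, obtained without any decimal-to-double conversion:
    // new BigDecimal(double) expands the double's bits exactly.
    private static final BigDecimal MIN_NORMAL = new BigDecimal(Double.MIN_NORMAL);
    private static final BigDecimal MAX_SUBNORMAL =
            MIN_NORMAL.subtract(new BigDecimal(Double.MIN_VALUE));

    private SafeDoubleParser() {}

    /**
     * True when the string's exact value (sign ignored) lies in the guarded
     * interval. BigDecimal(String) parses digits and exponent with integer
     * arithmetic only, so it is not affected by the conversion loop.
     * Do NOT call BigDecimal.doubleValue() here: on an affected JRE it routes
     * back through Double.parseDouble and would hang just the same.
     */
    public static boolean isInDangerZone(String s) {
        BigDecimal v;
        try {
            v = new BigDecimal(s.trim()).abs();
        } catch (NumberFormatException e) {
            // NaN, Infinity, hexadecimal literals and type suffixes are not
            // plain decimal numbers; treat them as unsafe so they never reach
            // parseDouble (design choice: adjust if your input needs them).
            return true;
        }
        return v.compareTo(MAX_SUBNORMAL) >= 0 && v.compareTo(MIN_NORMAL) <= 0;
    }

    /** Parses s, refusing values that fall inside the guarded interval. */
    public static double parse(String s) {
        if (isInDangerZone(s)) {
            throw new IllegalArgumentException(
                    "rejected: value lies on the subnormal/normal boundary");
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the reported value in two spellings, its
        // negation, and two ordinary values far from the boundary.
        String[] samples = {
            "2.2250738585072012e-308",
            "0.00022250738585072012e-304",   // same value, different spelling
            "-2.2250738585072012e-308",
            "1e-300",
            "3.14"
        };
        for (String s : samples) {
            System.out.println(s + " -> danger=" + isInDangerZone(s));
        }
        System.out.println("3.14 parsed as " + parse("3.14"));
    }
}
```

Running the class prints danger=true for the first three samples and danger=false for the last two; only the safe strings are handed to Double.parseDouble. Logging the rejected inputs gives a simple detection signal for attempts to feed the boundary value to a service.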

Oracle has published a Security Alert regarding this vulnerability, which has received the CVE-2010-4476 identifier and has a CVSS base score of 5.0.

According to the company, the affected products are Java SE 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier.

"Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment," the security alert reads.

An update for the affected Java versions has not yet been released, but the company issued a fix in the form of a "Java SE Floating Point Updater Tool."

The tool, which comes in .jar format, needs to be run against every Java installation on the computer and patches the rt.jar file.

An almost identical bug was identified by Rick Regan last month in PHP and endangered the stability of numerous Web applications.

At the time, the bug was tracked down to a design flaw in the x87 subset of the x86 architecture, meaning only 32-bit operating systems were affected.

The exact same problem was patched in the GNU Compiler Collection (gcc) back in 2000, which suggests that it might pop up in other software in the future as well.