News

Oracle Squashes Old Java Runtime Security Bug

• By John K. Waters
• February 16, 2011

Oracle announced the fix in a recent Security Alert.

"This vulnerability allows unauthenticated network attacks (i.e. it may be exploited over a network without the need for a username and password)," Oracle said in the alert. "Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."  

The bug affects several JRE releases, including J2SE 1.4.2, J2SE 5.0, J2SE for Embedded 5.0, Java SE 6, Java SE for Embedded 6, Java Real-Time System 2, JRockit R27, and JRockit R28.

The fix takes the form of a stand-alone patch, dubbed the Java SE Floating Point Updater Tool, which is designed to allow developers to update installed Java Development Kit (JDK) and JRE software to address the problem. The tool modifies the JRE/JDK software instance that is used to execute the tool, Oracle warned. Consequently, those running more than one instance of the JRE, for example if you have an instance of the JRE inside a JDK bundle and another standalone JRE, you need to run the tool against each instance to update them.

The bug triggers an infinite loop in the runtime, opening the door for Denial-of-Service (DoS) attacks. A DoS prevents legitimate users from accessing information or services from a server. According to the U.S. Computer Emergency Readiness Team (CERT), the most common and type of DoS attack occurs when an attacker floods a network with information.

 The floating point bug has actually been around since 2001, but was classified as low priority in the original bug report. It was re-discovered by Konstantin Preißer and documented by computer scientist Rick Regan. Regan also documented a very similar bug, which surfaced last month in PHP versions 5.2 and 5.3. The PHP bug was reported by on Regan's Exploring Binary blog. He explained that the number -- 2.2250738585072012e-308 -- represents the largest subnormal, double-precision floating-point number. Equivalent forms of the number also caused the problem, Regan reported. The PHP version was fixed on January 6 of this year.