Correction... throwing 60 of those curls at my one server (RHEL5 64-bit, 4GB of RAM, no Java tuning) causes it to crawl. It should be pretty easy to drop these at the load balancer/firewall though, so at least we have a workaround.
Rob Marti

> -----Original Message-----
> From: Marti, Robert [mailto:[email protected]]
> Sent: Wednesday, February 09, 2011 8:12 AM
> To: [email protected]
> Subject: RE: [cas-user] Important! Critical bug in all Java versions
>
> -> curl -vH "Accept-Language: en-us;q=2.2250738585072012e-308" http://lnxauth02d.shsu.edu:8080/sghe-cas/login
> * About to connect() to lnxauth02d.shsu.edu port 8080
> *   Trying 158.135.5.21... connected
> * Connected to lnxauth02d.shsu.edu (158.135.5.21) port 8080
> > GET /sghe-cas/login HTTP/1.1
> > User-Agent: curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
> > Host: lnxauth02d.shsu.edu:8080
> > Accept: */*
> > Accept-Language: en-us;q=2.2250738585072012e-308
> >
>
> It just hangs that curl until I Ctrl-C - the JVM still works fine (I can log in to the box without any problems) using 1.6.0_22.
>
> Rob Marti
>
> > -----Original Message-----
> > From: Robert Oschwald [mailto:[email protected]]
> > Sent: Wednesday, February 09, 2011 7:45 AM
> > To: [email protected]
> > Cc: [email protected]
> > Subject: [cas-user] Important! Critical bug in all Java versions
> >
> > This is off topic but important to all CAS users.
> >
> > There exists a remotely exploitable critical bug in Java which can lead to a complete crash of the JVM.
> > Every admin is urged to immediately patch all Sun/Bea/Oracle Java versions on their servers.
> >
> > Main cause of the problem is a flaw in the AMD/Intel floating point unit.
> >
> > JVM Patcher:
> > https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=fpupdater-oth-JPR@CDS-CDS_Developer
> >
> > As noted above, every script kiddie can crash your remotely available Java app by simply sending the magic string in the HTTP header (e.g. by using curl).
> >
> > Hope it helps.
> >
> > Robert
> > --
> > You are currently subscribed to [email protected] as: [email protected]
> > To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-user
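An added example, not part of any message in this thread: a request filter of the kind Rob suggests dropping in at the load balancer or firewall, written in Python. Rather than matching the magic string literally, it parses every numeric token in the request line and header block with Python's float(), which is correctly rounded and has no such hang, and flags any value that lands within a few ulps of the smallest normal double, 2^-1022. The trigger sent in the curl command above rounds to exactly that double, so the same value written without an exponent (307 zeros followed by the digits) is caught as well. The ulp window, the numeric-token regex and the sample requests are assumptions constructed for this example; the thread does not state which range of values triggers the hang, only the one string.

```python
"""Request filter for the 2.2250738585072012e-308 Java parse hang (added example).

Assumption (not from the thread): a numeric token is treated as dangerous when its
correctly rounded value lies within ULP_WINDOW ulps of DBL_MIN (2**-1022), which is
where the trigger value quoted in the thread lands. This catches the exact string
plus re-encodings of the same value; it is a heuristic, not a proven trigger range.
"""
import re
import sys

# The trigger exactly as it appears in the curl command in the thread.
TRIGGER = "2.2250738585072012e-308"

DBL_MIN = sys.float_info.min      # 2**-1022, repr 2.2250738585072014e-308
ULP_AT_DBL_MIN = 2.0 ** -1074     # spacing of doubles on both sides of DBL_MIN
ULP_WINDOW = 8                    # assumed width of the dangerous band

# Decimal floating-point token in the shape Double.parseDouble accepts.
NUM_RE = re.compile(r"[-+]?(?:\d+\.\d*|\.\d+|\d+)(?:[eE][-+]?\d+)?")


def is_dangerous_number(token: str) -> bool:
    """True if token parses to within ULP_WINDOW ulps of +/-DBL_MIN."""
    try:
        value = float(token)      # correctly rounded, no hang, any token length
    except ValueError:
        return False
    return abs(abs(value) - DBL_MIN) <= ULP_WINDOW * ULP_AT_DBL_MIN


def dangerous_tokens(text: str) -> list:
    """Numeric substrings of text that is_dangerous_number flags."""
    return [m.group(0) for m in NUM_RE.finditer(text) if is_dangerous_number(m.group(0))]


def scan_request(raw: bytes) -> list:
    """Return (where, token) pairs for which the request should be dropped.

    Scans the request line and the header block of a raw HTTP/1.x request
    (CRLF line endings assumed). Bodies are not inspected.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    request_line, *header_lines = head.split("\r\n")
    hits = [("request-line", tok) for tok in dangerous_tokens(request_line)]
    for line in header_lines:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        hits.extend((name.strip(), tok) for tok in dangerous_tokens(value))
    return hits


# Constructed sample requests, not captured traffic. ATTACK mirrors the curl
# command quoted in the thread; VARIANT carries the same value spelled out in
# full in the query string; BENIGN has ordinary q-values, one of them tiny.
ATTACK = (
    b"GET /sghe-cas/login HTTP/1.1\r\n"
    b"Host: lnxauth02d.shsu.edu:8080\r\n"
    b"Accept: */*\r\n"
    b"Accept-Language: en-us;q=2.2250738585072012e-308\r\n\r\n"
)
LONG_FORM = "0." + "0" * 307 + "22250738585072012"   # == TRIGGER, no exponent
VARIANT = (
    b"GET /sghe-cas/login?page=" + LONG_FORM.encode() + b" HTTP/1.1\r\n"
    b"Host: lnxauth02d.shsu.edu:8080\r\n\r\n"
)
BENIGN = (
    b"GET /sghe-cas/login HTTP/1.1\r\n"
    b"Host: lnxauth02d.shsu.edu:8080\r\n"
    b"User-Agent: curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5\r\n"
    b"Accept-Language: en-us;q=0.8, de;q=1e-308\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("attack", ATTACK), ("variant", VARIANT), ("benign", BENIGN)):
        print(label, scan_request(req))
```

Two caveats for anyone putting this in front of a server: it does not URL-decode, so a percent-encoded "." or "e" in a query string would slip past it, and it only inspects headers, so a JVM that hands request-body fields to Double.parseDouble is still exposed. It is a stopgap for the window until the FPUpdater patch linked above has been applied, not a replacement for it.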
