Hi,

CVE-2010-4476 can cause your Java server to DoS when parsing certain decimal strings for conversion to Double objects.

For those that cannot wait and need a fix right now, I prepared a hot fix script [1]. It will create a jar that you can use in conjunction with an adjustment to the JVM boot classpath. Simply add -Xbootclasspath/p:prevent_double_dos.jar to the JVM startup to mitigate the DoS bug until there are full new security releases. Rest assured, this is not some voodoo poke to the JVM; the approach was also recommended as a hot fix on the OpenJDK general mailing list [2].

Remember: YMMV, and don't use in production without prior testing :)

Thanks
Marc

[1] https://code.google.com/p/javapharmacy/source/browse/trunk/scripts/harden_against_jre_dos.sh
[2] http://permalink.gmane.org/gmane.comp.java.openjdk.general/1910

_______________________________________________
Dailydave mailing list
[email protected]
https://lists.immunityinc.com/mailman/listinfo/dailydave
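Since the post asks for testing before rolling the hot fix into production, here is a small check, added as an example and not part of Marc's script or the OpenJDK hot fix, that tells you whether the JVM you are about to patch (or have just patched) is still affected. It feeds Double.parseDouble the widely reported trigger value for CVE-2010-4476 (2.2250738585072012e-308) from a daemon thread with a timeout, so an unpatched JVM reports the hang instead of locking the check itself. The class name, the timeout and the exit codes are this example's own choices.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Checks whether this JVM hangs in Double.parseDouble on the CVE-2010-4476
 * trigger value. Written for Java 6 syntax, since that is the affected release.
 */
public class DoubleDosCheck {

    // Widely reported trigger for CVE-2010-4476: parsing this value never returns
    // on unpatched JDK 6u23 and earlier.
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Returns true if parsing s finishes (with a result or an exception) within
     * timeoutMillis, false if the parse is still spinning when the timeout expires.
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMillis)
            throws InterruptedException {
        // Daemon thread: a hung parse must not keep the JVM alive after the check.
        ExecutorService ex = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parse-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> f = ex.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException te) {
            // The spinning loop ignores interrupts; cancel is best effort only.
            f.cancel(true);
            return false;
        } catch (ExecutionException ee) {
            // A NumberFormatException or similar still means the call returned.
            return true;
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        boolean ok = parsesWithinTimeout(TRIGGER, 2000);
        System.out.println(ok
                ? "parse returned: this JVM is not affected (or the hot fix is active)"
                : "VULNERABLE: Double.parseDouble did not return within the timeout");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it once with the plain JVM and once with the hot fix prepended (java -Xbootclasspath/p:prevent_double_dos.jar DoubleDosCheck); the exit code flipping from 1 to 0 confirms the jar is actually being picked up from the boot classpath, which is the thing that silently goes wrong when the option is added to the wrong launcher or wrapper script. Note that -Xbootclasspath/p was removed in Java 9, so this mitigation is specific to the Java 6 era JVMs the post is about.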
