BT

Oracle Releases Hotfix for the Double.parseDouble Bug in Record Time

by Charles Humble on Feb 10, 2011 |

Oracle has released a hotfix, FPUpdater, for a recently re-discovered decade-old bug in the Java platform which could be used for denial of service attacks on servers. The fix was issued in record time. 

The in-place patching tool allows you to manually patch a Java instance, such as a Java based server. The patch can be applied to all affected versions of Java maintained by Oracle. According to the FPUpdater release note the FPUpdater tool is recommended for the Oracle JRE releases shown in the following table:

JRE/JDK Release Comments
J2SE 1.4.2 Required for updates prior to, and including, 1.4.2_29
J2SE 5.0 Required for updates prior to, and including, 5.0u27
J2SE for Embedded 5.0 Required for updates prior to, and including, 5.0u27
Java SE 6 Required for updates prior to, and including, 6u23
Java SE for Embedded 6 Required for updates prior to, and including, 6u23
Java Real-Time System 2 Required for updates prior to, and including, 2.2u1
JRockit R27 Required for updates prior to, and including, R27.6.8
JRockit R28 Required for updates prior to, and including, R28.1.1

Oracle has also issued a source patch for the OpenJDK. We expect that Oracle will release a Critical Patch Update via Java's autoupdate in the next few days but InfoQ has been unable to confirm this at the time of writing.

The bug, which stems from the difficulty of representing some floating-point numbers in the binary format, causes both the Java runtime and compiler to enter an infinite loop when converting the decimal number 2.2250738585072012e-308 to a double-precision binary floating-point. It is similar to, though not the same as, an issue that was discovered in PHP by Rick Regan. The Java bug was re-discovered by Konstantin Preißer and documented by Regan. According to Regan's analysis

This number is supposed to convert to 0x1p-1022, which is DBL_MIN; instead, Java gets stuck, oscillating between 0x1p-1022 and 0x0.fffffffffffffp-1022, the largest subnormal double-precision floating-point number.

This issue had been known since 2001 but was classified as low priority in the original bug report. It is likely to affect other Java versions. InfoQ has been able to re-produce it on Apple's latest OS X version of Java, for example, but so far other Java vendors have been slower than Oracle to respond.

Hello stranger!

You need to Register an InfoQ account or or login to post comments. But there's so much more behind being registered.

Get the most out of the InfoQ experience.

Tell us what you think

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Very important patch by Luis Eduardo Bohrer

Essential that any affected environment to perform the patch.
This failure makes the environment seriously vulnerable to a DOS.

More background on community effort to get this fixed by Mark W

There is some more background on how the community tried to get this fixed over the years:
mail.openjdk.java.net/pipermail/discuss/2011-Fe...

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

Allowed html: a,b,br,blockquote,i,li,pre,u,ul,p

Email me replies to any of my messages in this thread

2 Discuss

Educational Content

General Feedback
Bugs
Advertising
Editorial
InfoQ.com and all content copyright © 2006-2014 C4Media Inc. InfoQ.com hosted at Contegix, the best ISP we've ever worked with.
Privacy policy
BT