Oracle warns of Java vulnerability
First it was a PHP problem, and now Java is struggling: converting the literal "2.2250738585072011e-308" into a floating point number in Java sends the runtime into an endless loop that pins the CPU at full load. Server systems are particularly at risk of being crippled in this way by remote attackers, because they routinely parse numbers supplied by clients. For instance, simply including the literal as a q parameter in an HTTP request header is enough to trigger the hang.
Although Oracle has reportedly known about this problem for several weeks, the vendor has only now released an alert. Affected are Java SE and Java for Business in the current and all previous versions of the JDK/JRE 6, 5 and 1.4. To solve the problem, Oracle has released a hotfix that users are advised to apply immediately, as information on how to exploit the DoS vulnerability is already freely available. The vendor also plans to release a regular Java update on 15 February.
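For services that cannot apply the hotfix immediately, the practical mitigation is to keep the offending input away from the JDK's parser in the first place. The guard below is an added example written for this page; it is not Oracle's fix and not code from the article. It relies on two facts: BigDecimal's string parser does not share the affected conversion routine, and BigDecimal.compareTo() never converts to a double, so the check itself cannot hang. The quarantine window around Double.MIN_NORMAL, the class name and the suffix handling are the editor's assumptions, chosen conservatively rather than taken from any vendor advisory.

```java
import java.math.BigDecimal;

/**
 * Pre-parse guard for untrusted numeric strings (e.g. HTTP query parameters).
 * Strings whose value falls inside a small quarantine window around
 * Double.MIN_NORMAL are rejected before Double.parseDouble() ever sees them.
 * The window bounds are a deliberately wide, assumed range: no realistic
 * user-supplied quantity lands there, so false positives are negligible.
 */
public final class SafeDoubleParser {
    // Assumed quarantine window (editor's choice, not a published value):
    // covers the reported literal with margin on both sides.
    private static final BigDecimal LOWER = new BigDecimal("2.2250738585072E-308");
    private static final BigDecimal UPPER = new BigDecimal("2.2250738585073E-308");

    private SafeDoubleParser() {}

    /**
     * True if handing s to Double.parseDouble() would be unsafe on an
     * unpatched JVM. Non-numeric input returns false: parseDouble() would
     * simply throw NumberFormatException for it, which is harmless.
     */
    public static boolean isSuspect(String s) {
        if (s == null) {
            return false;
        }
        String t = s.trim();
        // parseDouble() accepts a trailing type suffix ("...e-308d"), which
        // BigDecimal does not; strip it so the check sees the same value.
        if (t.length() > 1 && "dDfF".indexOf(t.charAt(t.length() - 1)) >= 0) {
            t = t.substring(0, t.length() - 1);
        }
        BigDecimal v;
        try {
            v = new BigDecimal(t).abs();   // negative variants hang as well
        } catch (NumberFormatException e) {
            return false;                  // hex floats, NaN, garbage: not our problem
        }
        return v.compareTo(LOWER) >= 0 && v.compareTo(UPPER) <= 0;
    }

    /** Parses s, or refuses instead of passing a quarantined literal to the JDK. */
    public static double parse(String s) {
        if (isSuspect(s)) {
            throw new IllegalArgumentException(
                "rejected floating-point literal inside quarantined range");
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as a request-handling layer might receive them.
        String[] samples = {
            "3.14", "-1e10", "2.2250738585072011e-308",
            "-2.2250738585072011E-308d", "abc"
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + parse(s));
            } catch (IllegalArgumentException e) {
                // NumberFormatException is a subclass, so both outcomes land here.
                System.out.println(s + " -> " + e.getClass().getSimpleName()
                    + ": " + e.getMessage());
            }
        }
    }
}
```

Wire `SafeDoubleParser.parse` in wherever request parameters are converted to doubles (or do the `isSuspect` check in a servlet filter and return 400 early). Once the hotfix or the 15 February update is in place, the guard becomes redundant but stays harmless, which makes it safe to roll out before the patch window rather than after.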