Oracle has released a hotfix, FPUpdater, for a recently re-discovered decade-old bug in the Java platform which could be used for denial of service attacks on servers. The fix was issued in record time.

The in-place patching tool allows you to manually patch a Java instance, such as a Java based server. The patch can be applied to all affected versions of Java maintained by Oracle. According to the FPUpdater release note the FPUpdater tool is recommended for the Oracle JRE releases shown in the following table:

JRE/JDK Release Comments J2SE 1.4.2 Required for updates prior to, and including, 1.4.2_29 J2SE 5.0 Required for updates prior to, and including, 5.0u27 J2SE for Embedded 5.0 Required for updates prior to, and including, 5.0u27 Java SE 6 Required for updates prior to, and including, 6u23 Java SE for Embedded 6 Required for updates prior to, and including, 6u23 Java Real-Time System 2 Required for updates prior to, and including, 2.2u1 JRockit R27 Required for updates prior to, and including, R27.6.8 JRockit R28 Required for updates prior to, and including, R28.1.1

Oracle has also issued a source patch for the OpenJDK. We expect that Oracle will release a Critical Patch Update via Java's autoupdate in the next few days but InfoQ has been unable to confirm this at the time of writing.

The bug, which stems from the difficulty of representing some floating-point numbers in the binary format, causes both the Java runtime and compiler to enter an infinite loop when converting the decimal number 2.2250738585072012e-308 to a double-precision binary floating-point. It is similar to, though not the same as, an issue that was discovered in PHP by Rick Regan. The Java bug was re-discovered by Konstantin Preißer and documented by Regan. According to Regan's analysis

This number is supposed to convert to 0x1p-1022, which is DBL_MIN; instead, Java gets stuck, oscillating between 0x1p-1022 and 0x0.fffffffffffffp-1022, the largest subnormal double-precision floating-point number.

This issue had been known since 2001 but was classified as low priority in the original bug report. It is likely to affect other Java versions. InfoQ has been able to re-produce it on Apple's latest OS X version of Java, for example, but so far other Java vendors have been slower than Oracle to respond.