PT-2022-7722 · Apache+1 · Apache Tomcat+3
Published 2022-05-14 · Updated 2022-05-14
CVE-2010-44
None
No severity ratings or metrics are available. When they become available, we will update the corresponding information on this page.
Name of the Vulnerable Software and Affected Versions:
Java Runtime Environment (JRE) in Oracle Java SE and Java for Business versions prior to 6 Update 24
Java Runtime Environment (JRE) in Oracle Java SE and Java for Business versions prior to 5.0 Update 28
Java Runtime Environment (JRE) in Oracle Java SE and Java for Business versions prior to 1.4.2_30
Description:
A remote attacker can cause a denial of service by supplying a crafted decimal string that sends the JRE's decimal-to-double conversion into an infinite loop of successive approximations; the thread performing the conversion spins at full CPU and never returns. The string 2.2250738585072012e-308, a value just below the smallest normal double (Double.MIN_NORMAL = 2.2250738585072014E-308), demonstrates the issue. Any code path that converts untrusted text to a double-precision binary floating-point number is exposed, including Double.parseDouble and Double.valueOf(String), which share the same conversion; in a server this typically means request data that is parsed as a number. Apache Tomcat introduced workarounds so that it is not affected by this issue in versions 7.0.7, 6.0.32, and 5.5.33.
Recommendations:
For Java Runtime Environment (JRE) in Oracle Java SE and Java for Business versions prior to 6 Update 24, update to version 6 Update 24 or later to resolve the issue.
For Java Runtime Environment (JRE) in Oracle Java SE and Java for Business versions prior to 5.0 Update 28, update to version 5.0 Update 28 or later to resolve the issue.
For Java Runtime Environment (JRE) in Oracle Java SE and Java for Business versions prior to 1.4.2_30, update to version 1.4.2_30 or later to resolve the issue.
If updating cannot be done immediately, do not pass untrusted input to Double.parseDouble (or Double.valueOf(String), which uses the same conversion) without first checking, by a method that does not itself perform that conversion, that the value does not lie in the affected neighbourhood of Double.MIN_NORMAL. Such a check is a stopgap only; updating the JRE is the fix.
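The temporary workaround described above, as an added example that is not part of this advisory and not Oracle's or Apache Tomcat's own code: a guarded wrapper that determines the exact decimal value with BigDecimal (whose string constructor does not use the affected conversion) and hands the string to Double.parseDouble only when it is outside the affected window. The class name GuardedDouble, the window bounds and the choice to substitute Double.MIN_NORMAL for values inside the window are assumptions made for this example.

```java
import java.math.BigDecimal;

/*
 * Added example, not code from this advisory, from Oracle or from Apache Tomcat.
 * Keeps strings in the affected neighbourhood of Double.MIN_NORMAL away from the
 * JRE's decimal-to-double conversion. The window bounds and the substitute value
 * are assumptions made for this example.
 */
public final class GuardedDouble {

    /** The trigger string named in the advisory. */
    public static final String TRIGGER = "2.2250738585072012e-308";

    /*
     * Window around 2^-1022 (Double.MIN_NORMAL = 2.2250738585072014E-308).
     * It starts below the largest subnormal double (about 2.2250738585072009e-308)
     * and ends just above MIN_NORMAL, so every decimal value that can reach the
     * unstable approximation loop is caught. Bounds are a conservative assumption.
     */
    private static final BigDecimal LOW  = new BigDecimal("2.2250738585072008e-308");
    private static final BigDecimal HIGH = new BigDecimal("2.2250738585072016e-308");

    private GuardedDouble() {}

    /**
     * Exact check using BigDecimal arithmetic only. BigDecimal(String) parses the
     * digits and exponent itself and never calls the double conversion, so it
     * cannot hang on the trigger input.
     */
    public static boolean isInAffectedWindow(String s) {
        BigDecimal v;
        try {
            v = new BigDecimal(s.trim()).abs();
        } catch (NumberFormatException e) {
            // "NaN", "Infinity", hexadecimal floats and garbage are not decimal
            // strings and do not reach the affected loop; let parseDouble decide.
            return false;
        }
        return v.compareTo(LOW) >= 0 && v.compareTo(HIGH) <= 0;
    }

    /**
     * Drop-in replacement for Double.parseDouble on untrusted input. Values inside
     * the window are replaced by +/-Double.MIN_NORMAL, which differs from the
     * correctly rounded result by at most one subnormal step (2^-1074).
     */
    public static double parse(String s) {
        if (isInAffectedWindow(s)) {
            return s.trim().startsWith("-") ? -Double.MIN_NORMAL : Double.MIN_NORMAL;
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // On an unpatched JRE, Double.parseDouble(TRIGGER) never returns; parse() does.
        System.out.println(isInAffectedWindow(TRIGGER));
        System.out.println(parse(TRIGGER));
        System.out.println(isInAffectedWindow("0.5"));
        System.out.println(parse("1.5"));
    }
}
```

Route every conversion of untrusted text, including calls to Double.valueOf(String), through parse(); a pre-check that itself calls Double.parseDouble would defeat the purpose. The substitution changes the parsed value only for inputs within about one representable step of Double.MIN_NORMAL, which no legitimate input in ordinary request data depends on, and it remains a stopgap until the JRE is updated to the versions listed above.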
Related identifiers
Affected products
Apache Tomcat
Java Runtime Environment
Java SE
Java For Business