The vulnerability is triggered when 2.2250738585072012e-308 is converted to a binary floating number. It can be exploited to allow unauthenticated network attacks which can “cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment”. Oracle notes that “Java based application and web servers are especially at risk from this vulnerability”.

The Java SE Floating Point Updater Tool has been created to “address the hang that occurs when parsing strings like “2.2250738585072012e-308″ to a binary floating point number”. The file is offered for download at this page. It is best to unpack the file directly into the /bin/ directory of the Java installation since it is necessary to run a command from the command prompt that references that file.

Windows users need to open an elevated command prompt and switch to the directory of their Java installation. The directory is located in the program files directory, in the case of a 64-bit operating system in the program files (x86) directory. The full path on my Windows 7 64-bit test system is C:\Program Files (x86)\Java\jre6\bin.

The command that needs to be entered is java -jar fpupdater.jar -u -v. The path of fpupdater.jar needs to be added if the file is not in the same directory as the java executable. The command assumes that the user is in the bin directory mentioned above. The path needs to be added to the command as well if that is not the case.

It can take up to two minutes before the patch is fully applied to the JRE or JDK. It is necessary to run the patch against any instance of JAVA on the system, for instance if the JDK with JRE and a standalone JRE are installed on the system.

The program should display that the patch was applied successfully in the end. Another indication are two files that are placed inside the lib folder by the application.

/lib/rt.jar.fpupdater Copy of rt.jar before the fix.
/lib/.fpupdater.log Zero-length file indicating that the update has taken

Users who have Java installed should patch the vulnerability as soon as possible. (thanks Dante for the tip, via)

The Update release notes list the full external version as 1.6.0_22-b04, and the external version as 6u22. It lists a total of 16 different bugs that have been fixed in the update.

• 6897143 – hotspot – garbage_collector – Stress test crashes during HeapInspection using ParallelGC
• 6919638 – hotspot – garbage_collector – CMS: ExplicitGCInvokesConcurrent misinteracts with gc locker
  6837842 hotspot jni JNI_CreateJavaVM crashes under impersonation
• 6948223 – idl – orb – Corba issue, fail to reload object
• 6969236 – java build – Regression: JRE identification fails due to Oracle rebranding in java.exe
• 6893325 – java – classes_awt – JComboBox and dragging to an item outside the bounds of the containing JFrame is not selecting that
• 6974093 – java – classes_lang – Thread.clone should NOT invoke addUnstarted on started threads
• 6959911 – java – classes_security -Update Entrust.net CA (2048) root and add new Entrust Root CA-G2
• 6725789 – java – classes_util_concurrent – ScheduledExecutorService does not work as expected in jdk7/6/5
• 6547241 – java – imageio – JPEGImageReader.readImage crash
• 6557086 – java – imageio – Attempt to dispose jpeg reader form another thread may cause crash
• 6944981 – java_deployment – general – Name field missing in mix code security warning dialog for Java Webstart application
• 6869937 – java_plugin – plugin2 – New Plugin – Vista&XP Focus never returned to browser
• 6846148 – jaxb-xsd – runtime – Namespace gets lost for null scope while using RetQName
• 6946312 – jaxp – sax – XML parser omits characters callback to ContentHandler since 6u18
• 6957378 – jmx – classes – JMX memory leak

Users who have Java installed should download it as soon as possible from the official website. A script on the site will detect the installed Java version, and display a download link if the installed version is not the latest. The release notes are accessible here.

A total of 13 security vulnerabilities are fixed by the Java update. Attackers can use those vulnerabilities for various attacks on a computer system that can lead to privilege escalations.

Probably the easiest way to uninstall old versions of Java and to install the latest secure update is by using the third party software Java RA. Java RA can uninstall old versions of Java. Users should download the latest JRE directly from Sun and install it on their systems. Java Ra should be run after the installation as it will remove all old versions of Java while keeping the latest version installed.

List of vulnerabilities:

• The Java Runtime Environment Creates Temporary Files That Have “Guessable” File Names
• Java Runtime Environment (JRE) Buffer Overflow Vulnerabilities in Processing Image Files and Fonts

May

• Allow Applets or Java Web Start Applications to Elevate Their Privileges
• Multiple Security Vulnerabilities in Java Web Start and Java Plug-in May Allow Privilege Escalation
• The Java Runtime Environment (JRE) “Java Update” Mechanism Does Not Check the Digital Signature of the JRE that it Downloads
• A Buffer Overflow Vulnerability in the Java Runtime Environment (JRE) May Allow Privileges to be Escalated
• A Security Vulnerability in the Java Runtime Environment (JRE) Related to Deserializing Calendar Objects May Allow Privileges to be Escalated
• The Java Runtime Environment UTF-8 Decoder May Allow Multiple Representations of UTF-8 Input
• Security Vulnerability in Java Runtime Environment May Allow Applets to List the Contents of the Current User’s Home Directory
• Security Vulnerability in the Java Runtime Environment With Processing RSA Public Keys
• A Security Vulnerability in Java Runtime Environment (JRE) With Authenticating Users Through Kerberos May Lead to a Denial of Service (DoS)
• Security Vulnerabilities in the Java Runtime Environment (JRE) JAX-WS and JAXB Packages may Allow Privileges to be Escalated
• A Security Vulnerability in Java Runtime Environment (JRE) With Parsing of Zip Files May Allow Reading of Arbitrary Memory Locations
• A Security Vulnerability in the Java Runtime Environment may Allow Code Loaded From the Local Filesystem to Access LocalHost

Users who cannot install the Java update immediately should disable Java for the time being to protect their computer system from the exploits.