Java Update Addresses Critical Security Vulnerability - gHacks Tech News

Java Update Addresses Critical Security Vulnerability

It feels like I'm patching computer systems all day long in the last two days. First the monthly Windows Update, then Adobe with its patches and now Oracle and Java. This is madness and unfortunately a necessary evil. Oracle has just released a security advisory that details a critical security vulnerability in the JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux. Oracle has not released an update for the Java SDK or JRE but another Java based command line tool that fixes the security vulnerability.

The vulnerability is triggered when 2.2250738585072012e-308 is converted to a binary floating number. It can be exploited to allow unauthenticated network attacks which can "cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment". Oracle notes that "Java based application and web servers are especially at risk from this vulnerability".

The Java SE Floating Point Updater Tool has been created to "address the hang that occurs when parsing strings like "2.2250738585072012e-308" to a binary floating point number". The file is offered for download at this page. It is best to unpack the file directly into the /bin/ directory of the Java installation since it is necessary to run a command from the command prompt that references that file.

Windows users need to open an elevated command prompt and switch to the directory of their Java installation. The directory is located in the program files directory, in the case of a 64-bit operating system in the program files (x86) directory. The full path on my Windows 7 64-bit test system is C:\Program Files (x86)\Java\jre6\bin.

The command that needs to be entered is java -jar fpupdater.jar -u -v. The path of fpupdater.jar needs to be added if the file is not in the same directory as the java executable. The command assumes that the user is in the bin directory mentioned above. The path needs to be added to the command as well if that is not the case.

java critical vulnerability

It can take up to two minutes before the patch is fully applied to the JRE or JDK. It is necessary to run the patch against any instance of JAVA on the system, for instance if the JDK with JRE and a standalone JRE are installed on the system.

The program should display that the patch was applied successfully in the end. Another indication are two files that are placed inside the lib folder by the application.

/lib/rt.jar.fpupdater Copy of rt.jar before the fix.
/lib/.fpupdater.log Zero-length file indicating that the update has taken

Users who have Java installed should patch the vulnerability as soon as possible. (thanks Dante for the tip, via)

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. Transcontinental said on February 9, 2011 at 10:05 pm
    Reply

    I’ll be waiting for next JRE update, this patch deployment frightens me a bit, I admit.
    You are authorized to laugh ;)

  2. Berttie said on February 9, 2011 at 11:21 pm
    Reply

    Please note the following from: http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

    “The FPUpdater tool is not intended for use on systems managed through auto-update as this will disable future auto-updates. We recommend that you wait until the next Critical Patch Update (CPU) when you can update your installation by going to http://java.com/latest.”

    1. Martin said on February 9, 2011 at 11:41 pm
      Reply

      I saw that but since it means leaving the system vulnerable I’d say the majority of users prefer running the tool.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.