Oracle’s Java runtime enters an endless loop when it attempts to convert the literal “2.2250738585072011e-308” into a floating-point number, leaving a runaway thread that pins the CPU at full load. Servers are particularly at risk of being crippled in this way by remote attackers, since the literal can arrive inside ordinary request data: The H Security reports that “including the literal as a q parameter in an HTTP request header is enough to trigger the response.”
Oracle has known about the problem for some time and has released an alert. Java SE and Java for Business in the current and all previous versions of JDK/JRE 6, 5 and 1.4 are affected. A hotfix has been released and should be applied immediately. Exploit information for the Denial of Service vulnerability is publicly available. The vendor also plans to release a regular Java update on February 15th.
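Until the hotfix is applied, a defender can refuse to hand suspect literals to the affected parser at all. The following is an added example (not code from the original report, from Oracle or from The H) of such a pre-check: it parses each decimal literal found in a request's query string and headers exactly with Python's `decimal`/`fractions` modules, never a float parser, and flags any value lying between the largest subnormal double and `Double.MIN_NORMAL`, the two doubles that bracket the literal named above. The band itself, the names `in_hang_band` and `scan_request`, and the sample request are assumptions constructed for this illustration.

```python
import re
from decimal import Decimal, InvalidOperation
from fractions import Fraction
from urllib.parse import parse_qsl

# Exact values of the two doubles that bracket the literal named in the post.
# Treating everything between them as suspect is a conservative assumption.
LARGEST_SUBNORMAL = Fraction(2**52 - 1, 2**1074)   # ~2.2250738585072009e-308
MIN_NORMAL = Fraction(1, 2**1022)                   # Double.MIN_NORMAL, ~2.2250738585072014e-308

# Plain decimal literals only; Java's 'd'/'f' suffixes and hex floats are not handled.
DECIMAL_LITERAL = re.compile(r"[-+]?(?:\d+\.?\d*|\.\d+)(?:[eE][-+]?\d+)?")


def in_hang_band(literal: str) -> bool:
    """True if the literal's exact value lies in [LARGEST_SUBNORMAL, MIN_NORMAL].

    The literal is never handed to a float parser: Decimal parses it exactly and
    Fraction does the comparison, so the check itself cannot hang on bad input.
    """
    if len(literal) > 1000:          # absurdly long number: treat as suspect
        return True
    try:
        value = Decimal(literal).copy_abs()   # copy_abs() does not round
    except InvalidOperation:
        return False
    # Both band edges have their leading digit at 10**-308; anything else is
    # out of range, and this also keeps huge exponents away from Fraction().
    if value.adjusted() != -308:
        return False
    return LARGEST_SUBNORMAL <= Fraction(value) <= MIN_NORMAL


def scan_request(query_string: str, headers: dict) -> list:
    """Return (location, literal) for every suspect literal in a request's
    query string (after URL-decoding) and header values."""
    fields = [("query:" + k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)]
    fields += [("header:" + k, v) for k, v in headers.items()]
    return [(where, m.group())
            for where, text in fields
            for m in DECIMAL_LITERAL.finditer(text)
            if in_hang_band(m.group())]


# Constructed sample request: the literal from the post in a query parameter,
# and the same value written with a shifted exponent in a header.
SAMPLE_QUERY = "q=2.2250738585072011e-308&page=3"
SAMPLE_HEADERS = {"User-Agent": "Mozilla/5.0", "X-Trace": "22250738585072011e-324"}

if __name__ == "__main__":
    for where, literal in scan_request(SAMPLE_QUERY, SAMPLE_HEADERS):
        print(f"suspect literal {literal!r} in {where}")
```

Because the comparison is on the exact value, rewritten forms of the literal (shifted exponent, extra digits, leading sign) are caught as well as the verbatim string.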