[SPR-7950] Workaround for Java bug in parsing specific decimal value Created: 09/Feb/11  Updated: 16/Jan/13  Resolved: 16/Jan/13

Status: Resolved
Project: Spring Framework
Component/s: Web
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Critical
Reporter: Oliver Gierke Assignee: Unassigned
Resolution: Won't Fix Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Last updater: Sam Brannen


Current Java versions suffer from a nasty bug that will pretty much stall the entire VM when trying to parse the value into a BigDecimal or Double. So in case somebody pipes this into a Spring MVC form for example, the CustomNumberEditor will suffer from this vulnerability.

Although Oracle seems to be approaching the issue now that it's publicly discussed, users not able to upgrade to a very current version of Java will be affected.
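A way to keep a request thread from being stalled by the parser, as an added illustration that is not part of this issue and not Spring's own code: the parse performed by CustomNumberEditor is moved onto a daemon worker thread with a deadline, and a parse that does not return in time is reported to the binder as an ordinary conversion failure. It assumes the Spring 3.x CustomNumberEditor and WebDataBinder API; the class names, the 200 ms budget and the FormController registration are illustrative assumptions.

```java
import java.math.BigDecimal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

import org.springframework.beans.propertyeditors.CustomNumberEditor;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Added example (not Spring code): a CustomNumberEditor whose actual parse runs on a
 * daemon worker thread with a deadline. If the JRE's Double/BigDecimal parser never
 * returns, the request thread gets an IllegalArgumentException, which the data binder
 * reports as a normal binding error, instead of hanging with it.
 */
public class TimeBoundedNumberEditor extends CustomNumberEditor {

    // Daemon threads so a stuck parser cannot keep the JVM from shutting down.
    private static final ExecutorService PARSER = Executors.newCachedThreadPool(new ThreadFactory() {
        public Thread newThread(Runnable r) {
            Thread t = new Thread(r, "number-parse");
            t.setDaemon(true);
            return t;
        }
    });

    private final long timeoutMillis;

    public TimeBoundedNumberEditor(Class<? extends Number> numberClass, boolean allowEmpty, long timeoutMillis) {
        super(numberClass, allowEmpty);
        this.timeoutMillis = timeoutMillis;
    }

    @Override
    public void setAsText(final String text) throws IllegalArgumentException {
        Future<Void> parse = PARSER.submit(new Callable<Void>() {
            public Void call() {
                delegateSetAsText(text); // the real CustomNumberEditor parse
                return null;
            }
        });
        try {
            // Future.get() establishes happens-before, so the value set on the worker
            // thread is visible to the request thread once this returns.
            parse.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            parse.cancel(true); // best effort only; see usage note below
            throw new IllegalArgumentException(
                    "Number parsing did not finish within " + timeoutMillis + " ms; input rejected");
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof IllegalArgumentException) {
                throw (IllegalArgumentException) cause; // ordinary "not a number" failure
            }
            throw new IllegalArgumentException("Number parsing failed: " + cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalArgumentException("Interrupted while parsing number");
        }
    }

    // Reachable from the anonymous Callable; super.setAsText cannot be called from there directly.
    private void delegateSetAsText(String text) {
        super.setAsText(text);
    }
}

/** Assumed registration in a Spring MVC controller (illustrative, not from the issue). */
class FormController {

    @InitBinder
    public void initBinder(WebDataBinder binder) {
        // Cover both target types the issue names: Double and BigDecimal.
        binder.registerCustomEditor(Double.class, new TimeBoundedNumberEditor(Double.class, true, 200));
        binder.registerCustomEditor(BigDecimal.class, new TimeBoundedNumberEditor(BigDecimal.class, true, 200));
    }
}
```

This only converts a hung request thread into a rejected request. A parser that loops forever inside the JRE ignores the interrupt sent by cancel(true), so the worker thread keeps burning a core until the JVM exits; enough such requests still exhaust the machine. It is a stop-gap for deployments that cannot upgrade, not a substitute for a JRE that carries the fix.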


Comment by Oliver Gierke [ 16/Jan/13 ]

The issue doesn't seem to be present in current JRE 1.6.0_37 and JRE 1.7.0_11 anymore. So the suggested workaround is to upgrade to a JRE that has the fix for the original issue. According to the website that described the issue the first JRE version including the fix is 1.6.0_24. Not sure if a JRE 7 has ever been affected by that bug.

Generated at Sun May 20 19:33:37 UTC 2018 using JIRA 7.9.0#79000-sha1:3ca552e944c2fe83b21589bc06f155b9b428cc2b.