[SPR-7950] Workaround for Java bug in parsing specific decimal value Created: 09/Feb/11 Updated: 16/Jan/13 Resolved: 16/Jan/13
Current Java versions suffer from a nasty bug that will pretty much stall the entire VM when trying to parse the value into a BigDecimal or Double. So if somebody pipes this into a Spring MVC form, for example, the CustomNumberEditor will suffer from this vulnerability.
Although Oracle seems to be addressing the issue now that it is publicly discussed, users who are not able to upgrade to a very current version of Java will still be affected.
Comment by Oliver Gierke [ 16/Jan/13 ]
The issue doesn't seem to be present in current JRE 1.6.0_37 and JRE 1.7.0_11 anymore. So the suggested workaround is to upgrade to a JRE that has the fix for the original issue. According to the website that described the issue the first JRE version including the fix is 1.6.0_24. Not sure if a JRE 7 has ever been affected by that bug.