new bug discovered in Java

Hi,

Yesterday it was discovered that Java contains a floating point bug that
can be exploited to crash a system:

http://www.theregister.co.uk/2011/02/09/java_floating_point_bug_fixed/

The denial of service (DoS) can be triggered when the Java Virtual
Machine needs to convert a certain large number from a string
representation to a number.

It appears that Tomcat (a widely used Java web server) is vulnerable. If
a certain HTTP request is sent to Tomcat, the thread that handles the
HTTP request gets stuck in an endless loop, which can lead to a denial of
service (DoS) if multiple requests are sent.

Because Djigzo uses Tomcat for the Web GUI, this Java bug affects Djigzo
as well. If your Djigzo server is externally accessible, i.e., from
outside your firewall, attackers might cause Tomcat to hang.

Ubuntu will probably release a patched JVM within a couple of days. For
those who can't wait for this, I have a Java patch available which you
can install. Please contact me directly if you need the patch.

For more information about the problem see:

http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Oracle has issued an emergency patch and will release an official patch
next week. Ubuntu will probably have a patch ready next week.

To sum up:

If your Djigzo server is externally accessible, it is vulnerable to a
Java bug which might cause the Web GUI to hang. This Java bug
impacts most systems using Java.

Kind regards,

Martijn Brinkers

--
Djigzo open source email encryption