There's an easy way to totally lock a lot of JVMs:
class runhang {
    public static void main(String[] args) {
        System.out.println("Test:");
        double d = Dou
Many web servers parse part of the HTTP headers using Double.parse, so we are dealing with infrastructure here (in addition to any problems with applications that run in the container). The comments of the Exploring Binary blog you link to have the following as an example:
GET / HTTP/1.1
Host: myhost
Connection: keep-alive
Accept-Language: en-us;q=2.2250738585072012e-308
If the servlet that the request is going against makes a call to any of the localization APIs (which would then attempt to parse the language header), the above will bring the server down.
So yes, this is a very big problem. The attack surface is quite large, and the consequences quite high.
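A defensive check for the header described in the answer above, as an added example that is not part of the original post: it validates each `q` parameter against the RFC 7231 qvalue grammar and converts it to an integer weight, so the value never reaches a floating-point parser. The class and method names are hypothetical, and calling it from a filter that rejects the request before the application reads the header is an assumption.

```java
import java.util.regex.Pattern;

public class QValueGuard {
    // RFC 7231 5.3.1: qvalue = ( "0" [ "." 0*3DIGIT ] ) / ( "1" [ "." 0*3("0") ] )
    private static final Pattern QVALUE =
            Pattern.compile("0(\\.[0-9]{0,3})?|1(\\.0{0,3})?");

    /** True only if every q parameter in the header value matches the grammar. */
    public static boolean hasOnlyValidQValues(String headerValue) {
        if (headerValue == null) return true;
        for (String element : headerValue.split(",")) {
            String[] parts = element.split(";");
            for (int i = 1; i < parts.length; i++) {   // parts[0] is the language range
                int eq = parts[i].indexOf('=');
                if (eq < 0) continue;
                String name = parts[i].substring(0, eq).trim();
                String value = parts[i].substring(eq + 1).trim();
                if (name.equalsIgnoreCase("q") && !QVALUE.matcher(value).matches()) {
                    return false;   // exponent, extra digits, sign, or out of range
                }
            }
        }
        return true;
    }

    /** Weight of an already validated qvalue as an integer 0..1000, no Double parsing. */
    public static int perMille(String qvalue) {
        String frac = qvalue.length() > 2 ? qvalue.substring(2) : "";
        while (frac.length() < 3) frac += "0";
        return (qvalue.charAt(0) - '0') * 1000 + Integer.parseInt(frac);
    }

    public static void main(String[] args) {
        String[] samples = {
            "en-us;q=0.8, fr;q=0.5",            // constructed, well-formed
            "de;Q = 1.000",                     // constructed, lenient spacing
            "en-us;q=2.2250738585072012e-308",  // header value quoted in the answer
        };
        for (String s : samples) {
            System.out.println(hasOnlyValidQValues(s) + "  " + s);
        }
        System.out.println(perMille("0.8"));
    }
}
```

Because the grammar allows at most three decimal digits and no exponent, a request that fails the check can be answered with a 400 without any numeric parsing at all.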