It was discovered that HttpServer class did not limit the number of headers read from the HTTP request. An HTTP client could send a request with a large amount of headers and make HttpServer use an excessive amount CPU time by triggering collisions in the HashMap class (see bug #750533) used to store headers form a request. The fix addresses the problem by adding a header count limit controlled using the sun.net.httpserver.maxReqHeaders properly with the default value of 200.
External Reference: http://www.oracle.com/technetwork/topics/security/javacpufeb2012-366318.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2012:0135 https://rhn.redhat.com/errata/RHSA-2012-0135.html
Patches were applied in following IcedTea versions: * IcedTea6 1.8.13 (based on OpenJDK6 b18) * IcedTea6 1.9.13 (based on OpenJDK6 b20) * IcedTea6 1.10.6 (based on OpenJDK6 b22) * IcedTea6 1.11.1 (based on OpenJDK6 b24) * IcedTea 2.0.1 (based on OpenJDK7 u1 + u3 security patches) http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-February/017249.html http://mail.openjdk.java.net/pipermail/distro-pkg-dev/2012-February/017233.html Patch: http://icedtea.classpath.org/hg/release/icedtea6-1.10/file/4e7a700d4ecc/patches/security/20120214/7126960.patch
This issue has been addressed in following products: Extras for RHEL 4 Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:0139 https://rhn.redhat.com/errata/RHSA-2012-0139.html
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Via RHSA-2012:0322 https://rhn.redhat.com/errata/RHSA-2012-0322.html
This issue has been addressed in following products: Supplementary for Red Hat Enterprise Linux 5 Supplementary for Red Hat Enterprise Linux 6 Via RHSA-2012:0514 https://rhn.redhat.com/errata/RHSA-2012-0514.html
This issue has been addressed in following products: Red Hat Network Satellite Server v 5.4 Via RHSA-2013:1455 https://rhn.redhat.com/errata/RHSA-2013-1455.html