A flaw was found in the NIO implementation of JRE on Microsoft Windows platforms. A non-blocking sockets with TCP urgent disabled could incorrectly get selected for reading.
Not vulnerable. This issue only affected Java versions running on Windows platform. It did not affect the versions of java-1.6.0-openjdk as shipped with Red Hat Enterprise Linux 5 and 6, and the java-1.6.0-sun packages as shipped with Red Hat Enterprise Linux 4 Extras and Red Hat Enterprise Linux 5 and 6 Supplementary.
Public now via Oracle CPU June 2011:
Also fixed in IcedTea6 versions 1.8.8, 1.9.8 and 1.10.2:
We have a problem with the Jetty server hanging which looks to be a result of this "fix".
The symptom is that the server accepts new connections, but never processes any input on them. On inspection, we can see that the call to the NIO selector is blocked in the discardUrgentData method.
We are not yet sure what causes the problem to occur, but suspect it is bad data on one connection. If so, then this fix is allowing a DoS attack because 1 bad connection can lock an entire selector.
Greg, we did not actually do much about this issue on our side given that this problem / fix was Windows-specific. If I correctly read the info in your Jetty bug, the issue is only reproducible on Windows platform, so may indeed be related to this fix.
This should be reported to Oracle. As was done already:
If you want to make sure this appears on the Oracle security team radar, you may drop them a mail. You can find contact information on their Reporting Security Vulnerabilities page: