JBoss Web will enter into an infinite loop when a surrogate pair character is placed at the boundary of an internal buffer. A remote attacker could exploit this flaw to trigger a denial-of-service attack against a JBoss Web server that is hosting applications with UTF-8 character encoding enabled, or that will include user-supplied UTF-8 strings in a response.
Acknowledgements: Red Hat would like to thank NTT OSSC for reporting this issue.
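The failure mode described above, as an added example (not JBoss Web's code; the class name, buffer size and sample string are constructed for illustration): a chunked UTF-8 encoder built on the JDK's `CharsetEncoder` that carries an unconsumed high surrogate into the next chunk, so a pair split across the buffer boundary cannot stall the encode loop.

```java
import java.io.ByteArrayOutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.CodingErrorAction;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;

class ChunkedUtf8Encoder {
    private final CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder()
            .onMalformedInput(CodingErrorAction.REPLACE);   // lone surrogates become '?'
    private final CharBuffer in;                            // small internal char buffer
    private final ByteBuffer out;
    private final ByteArrayOutputStream sink = new ByteArrayOutputStream();
    ChunkedUtf8Encoder(int bufChars) {
        // Needs room for one carried high surrogate plus at least one new char.
        if (bufChars < 2) throw new IllegalArgumentException("buffer must hold >= 2 chars");
        in = CharBuffer.allocate(bufChars);
        out = ByteBuffer.allocate(bufChars * 4);            // ample for UTF-8 output
    }
    void write(String s) {
        for (int pos = 0; pos < s.length(); ) {
            int n = Math.min(in.remaining(), s.length() - pos);
            if (n == 0) throw new IllegalStateException("no progress"); // fail, never spin
            in.put(s, pos, pos + n);
            pos += n;
            drain(false);
        }
    }
    byte[] finish() { drain(true); return sink.toByteArray(); }

    private void drain(boolean end) {
        in.flip();
        // With end == false, a high surrogate at the end of the chunk is left unconsumed
        // (UNDERFLOW). Re-encoding until in.hasRemaining() is false would never terminate.
        enc.encode(in, out, end);
        if (end) enc.flush(out);
        in.compact();                  // carry the leftover char to the front of the buffer
        out.flip();
        sink.write(out.array(), 0, out.limit());
        out.clear();
    }

    public static void main(String[] args) {
        String s = "abc\uD83D\uDE00d";  // constructed: the pair straddles a 4-char buffer
        ChunkedUtf8Encoder e = new ChunkedUtf8Encoder(4);
        e.write(s);
        System.out.println(Arrays.equals(e.finish(), s.getBytes(StandardCharsets.UTF_8)));
    }
}
```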
This issue has been addressed in the following products: JBoss Communications Platform 5.1.3. Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html
This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.1.2. Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html
This issue has been addressed in the following products: JBEWP 5 for RHEL 6, JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5. Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html
This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.1.2. Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html
This issue has been addressed in the following products: JBEAP 5 for RHEL 6, JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5. Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html
This issue has been addressed in the following products: JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0 and JBoss Enterprise SOA Platform 5.2.0. Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html