See http://java.net/jira/browse/GRIZZLY-970 for details.
I've checked the web container code and have found similar logic which I will fix along with the grizzly integration.
How bad is its impact? (Severity)
Identify why the fix needs to occur now:
How often does it happen? (Frequency)
How much effort is required to fix it? (Cost)
What is the risk of fixing it? (Risk)
Does a work around for the issue exist? Can the workaround be reasonably employed by the end user?
If the issue is not fixed should the issue and its workaround (if applicable) be described in the Release Notes?
How long has the bug existed in the product?
Do regression tests exist for this issue?
Which tests should QA (re)run to verify the fix did not destabilize GlassFish?
When will a tested fix be ready for integration?
Oracle has issued the following sec alert on this issue:
If the customer upgrades to Java Runtime Environment 6 update 24 when it is released they will no longer be vulnerable to this issue. Information about this vulnerability along with how to mitigate it should be included in the Release Notes.
The fixed version of Grizzly should be incorporated in the first patch released for GF 3.1.
Added issue to 3.1 Release Notes.