
T-561: IBM and Oracle Java Binary Floating-Point Number Conversion Denial of Service Vulnerability

February 21, 2011 - 7:00am


PROBLEM:

IBM and Oracle Java Binary Floating-Point Number Conversion Denial of Service Vulnerability.

PLATFORM:

The following Java products are affected:

Java SE:

Oracle JDK and JRE 6 Update 23 and prior for Windows, Solaris, and Linux
Oracle JDK 5.0 Update 27 and prior for Solaris 9
Oracle SDK 1.4.2_29 and prior for Solaris 8
IBM JDK 6 Update SR9 and prior
IBM JDK 5 Update SR12-FP3 and prior
IBM JDK 1.4.2 Update SR13-FP8 and prior

Java for Business:

Oracle JDK and JRE 6 Update 23 and prior for Windows, Solaris, and Linux
Oracle JDK and JRE 5.0 Update 27 and prior for Windows, Solaris, and Linux
Oracle SDK and JRE 1.4.2_29 and prior for Windows, Solaris, and Linux

ABSTRACT:

IBM and Oracle Java products contain a vulnerability that could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system.

REFERENCE LINKS:

SecurityTracker Alert ID:1025062
IntelliShield ID:22427
CVE-2010-4476
Oracle Security Alert for CVE-2010-4476
IBM Security Alert for CVE-2010-4476

IMPACT ASSESSMENT:

Medium

Discussion:

The vulnerability exists because of improper conversion of certain decimal strings to a binary floating-point number. When the affected JRE converts such a string, it enters a loop that never terminates: the thread performing the conversion spins, and the affected software stops responding to legitimate requests, causing a DoS condition.

An unauthenticated, remote attacker could exploit the vulnerability by enticing a targeted user to follow a crafted link or execute a malicious file. To achieve this, the attacker would likely use social engineering techniques, such as sending the link or file in e-mail messages, instant messaging, or other forms of communication. No user interaction is required, however, where the crafted string reaches server-side Java code that converts untrusted input to a double (for example with Double.parseDouble()), so Java application servers and other applications built on the affected JREs are also exposed.

The vulnerability affects 32-bit and 64-bit operating systems alike. The trigger is the numeric value rather than one particular spelling: equivalent forms of the affected decimal strings (the decimal point moved with the exponent adjusted accordingly, extra leading or trailing zeros, a sign, or a type suffix) cause the same loop, so filtering on a single literal string is not an effective mitigation.
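The following is an added example, not code from the advisory or from any vendor fix. It shows what "equivalent forms" means in practice: an input guard that canonicalises a decimal string (digits with leading and trailing zeros removed, plus a decimal exponent) before Double.parseDouble() sees it, so that every spelling of the value named in this advisory maps to one canonical key. The class name FloatInputGuard, the method names, and the sample inputs are constructed for this example; the guard strips the sign on the assumption that the magnitude conversion is what loops, and it is written in Java 5/6 syntax so it compiles on the affected JDKs. It is a stopgap for input that must be accepted before the FPUpdater tool or a fixed JRE can be deployed, not a replacement for patching.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not part of the advisory or any vendor fix): canonicalises
 * decimal strings so that all spellings of a known CVE-2010-4476 trigger
 * value are recognised before Double.parseDouble() is called.
 */
public final class FloatInputGuard {

    // Decimal forms accepted by Double.parseDouble(): optional sign, digits with
    // optional fraction, optional exponent, optional float-type suffix (f/F/d/D).
    // Hex floats, "NaN" and "Infinity" do not match and are passed through.
    private static final Pattern DECIMAL = Pattern.compile(
        "([+-]?)(\\d*)(?:\\.(\\d*))?(?:[eE]([+-]?\\d+))?[fFdD]?");

    // Canonical keys of known trigger values. Seeded with the value named in the
    // advisory; extend it if your own testing finds further triggers.
    private static final Set<String> BLOCKED = new HashSet<String>();
    static {
        BLOCKED.add(canonical("2.2250738585072012e-308"));
    }

    /**
     * Returns "DIGITSeEXP" such that the value equals DIGITS * 10^EXP with no
     * leading or trailing zeros in DIGITS, or null if s is not a decimal form.
     * The sign is dropped (assumption: the magnitude conversion is what loops).
     */
    static String canonical(String s) {
        Matcher m = DECIMAL.matcher(s.trim());
        if (!m.matches()) return null;
        String intPart = m.group(2) == null ? "" : m.group(2);
        String fracPart = m.group(3) == null ? "" : m.group(3);
        if (intPart.length() + fracPart.length() == 0) return null;   // "." or "e5"
        int exp = 0;
        if (m.group(4) != null) {
            String e = m.group(4);
            if (e.charAt(0) == '+') e = e.substring(1);   // Java 6 parseInt rejects '+'
            try {
                exp = Integer.parseInt(e);
            } catch (NumberFormatException overflow) {
                return null;   // absurd exponent: value is 0 or infinite, not a trigger
            }
        }
        if (exp < -100000 || exp > 100000) return null;   // far outside double range
        // value = (intPart + fracPart) * 10^(exp - fracPart.length())
        String digits = intPart + fracPart;
        exp -= fracPart.length();
        int i = 0;                                        // drop leading zeros
        while (i < digits.length() - 1 && digits.charAt(i) == '0') i++;
        digits = digits.substring(i);
        int j = digits.length();                          // move trailing zeros into exp
        while (j > 1 && digits.charAt(j - 1) == '0') { j--; exp++; }
        digits = digits.substring(0, j);
        if (digits.equals("0")) return "0e0";
        return digits + "e" + exp;
    }

    public static boolean isBlocked(String s) {
        String c = canonical(s);
        return c != null && BLOCKED.contains(c);
    }

    /** Drop-in replacement for Double.parseDouble() on untrusted input. */
    public static double parseDouble(String s) {
        if (isBlocked(s)) {
            throw new NumberFormatException("rejected: known CVE-2010-4476 trigger value");
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: spellings of the advisory's value that must be
        // blocked, followed by benign neighbours and forms that must be allowed.
        String[] samples = {
            "2.2250738585072012e-308", "+2.2250738585072012E-308",
            " 2.2250738585072012e-308d ", "22250738585072012e-324",
            "0.00022250738585072012e-304", "2.22507385850720120000e-308",
            "2.2250738585072014e-308",   // Double.MIN_NORMAL, safe
            "1.0", "0x1p-1022"           // ordinary decimal and hex float, safe
        };
        for (String s : samples) {
            System.out.println((isBlocked(s) ? "BLOCK  " : "allow  ") + s);
        }
    }
}
```

The first six samples all canonicalise to 22250738585072012e-324 and are rejected; the remaining three pass to Double.parseDouble(). Because Double.parseDouble() itself trims whitespace and accepts the f/F/d/D suffix, the guard applies the same normalisation first, otherwise a trailing "d" would be enough to slip past it.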

Solution:

Administrators are advised to apply the appropriate updates. Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems, and are advised to monitor affected systems.

The vulnerability is in the FloatingDecimal.java source file, the class behind Double.parseDouble(), because of improper conversion of certain strings to a binary floating-point number. When converting certain decimal value strings, such as 2.2250738585072012e-308 (a value just below the smallest normal double, 2.2250738585072014e-308), to a double-precision binary floating-point number, the affected software enters a repetitive loop and becomes unresponsive.
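The following is an added example, not part of the advisory or of any vendor tool, for checking whether a given JRE is still affected. Because the conversion never returns on a vulnerable JRE, it is run on a daemon thread with a timeout; the class name Cve20104476Probe and the 5 second timeout are this example's own choices. The trigger is kept as a String literal so that the JRE under test converts it at run time, rather than the compiler having to convert a double literal. The code uses Java 5 syntax so that it runs unchanged on the affected versions.

```java
/**
 * Added example (not from the advisory or any vendor): probes whether the JVM
 * running it hangs on the conversion described in the advisory.
 */
public final class Cve20104476Probe {

    // Kept as a String: the JRE under test converts it at run time.
    private static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Returns true if Double.parseDouble(TRIGGER) has not returned after
     * timeoutMillis; on a fixed JRE it returns almost immediately.
     */
    public static boolean parseHangs(long timeoutMillis) throws InterruptedException {
        final double[] result = new double[1];
        Thread worker = new Thread(new Runnable() {
            public void run() {
                result[0] = Double.parseDouble(TRIGGER);
            }
        }, "cve-2010-4476-probe");
        worker.setDaemon(true);        // a spinning worker must not keep the JVM alive
        worker.start();
        worker.join(timeoutMillis);    // returns early if the conversion finishes
        if (worker.isAlive()) {
            return true;
        }
        System.out.println("conversion returned " + result[0]);
        return false;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
            + " java.version=" + System.getProperty("java.version"));
        if (parseHangs(5000L)) {
            System.out.println("VULNERABLE: conversion of " + TRIGGER
                + " did not return within 5 s");
            System.exit(1);   // exit explicitly; the daemon thread is still spinning
        }
        System.out.println("OK: this JRE is not affected by CVE-2010-4476");
    }
}
```

Compile once and run it with each installed JRE (for example each java binary on a server that hosts several JDKs), since the fix lives in the JRE's rt.jar and not in the application. A fixed JRE prints the correctly rounded result 2.2250738585072014E-308 and exits 0; an unfixed one reports VULNERABLE and exits 1, which makes the probe usable from a deployment script.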

Patches/Software Downloads
Patch Availability Table

IBM has released fixes at the following links:
PM32177 ; PM32175 ; PM32192

HP has released updated software at the following link:
HPUXFPUPDATER

Oracle has released an FPUpdater tool that remediates the vulnerability at the following link:
Java SE Floating Point Updater Tool

Red Hat packages can be updated using the up2date or yum command.