Oracle Security Alert for CVE-2010-4476


Description

This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products and Oracle JRockit. This vulnerability allows unauthenticated network attacks (i.e. it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java-based application and web servers, which routinely convert attacker-supplied strings to floating-point numbers, are especially at risk from this vulnerability.

Supported Products Affected

The security vulnerability addressed by this Security Alert affects the products listed in the categories below. Please click on the link in the Patch Availability Table to access the documentation for those patches.

Affected product releases and versions:

Java SE
JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
JDK 5.0 Update 27 and earlier for Solaris 9
SDK 1.4.2_29 and earlier for Solaris 8
Java for Business
JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
JRockit
R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6)
R28.1.1 and earlier (JDK/JRE 5, 6)
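As an added example (not part of Oracle's alert), the following Python script classifies a `java -version` banner against the affected ranges listed above, so an inventory script can flag hosts still running a covered release; the JRockit banner format and the sample banners are assumptions.

```python
import re
import subprocess

# Last affected release per family, from "Supported Products Affected":
# Java SE family -> (minor, update): 6u23, 5.0u27, 1.4.2_29 and earlier.
LAST_AFFECTED_SE = {6: (0, 23), 5: (0, 27), 4: (2, 29)}
# JRockit lines: R27.6.8 and earlier, R28.1.1 and earlier.
LAST_AFFECTED_JROCKIT = {27: (6, 8), 28: (1, 1)}

# HotSpot banner, e.g. java version "1.6.0_23" (the _update part is optional).
SE_VERSION_RE = re.compile(r'java version "1\.(\d)\.(\d+)(?:_(\d+))?"')
# JRockit banner format assumed here: ... JRockit(R) (build R28.1.1-...)
JROCKIT_RE = re.compile(r'JRockit\(R\) \(build R(\d+)\.(\d+)\.(\d+)')


def is_affected(banner: str) -> bool:
    """True if a `java -version` banner names a release the alert covers."""
    jr = JROCKIT_RE.search(banner)
    if jr:  # check JRockit first: its banner also carries a "java version" line
        major, minor, patch = (int(g) for g in jr.groups())
        if major < 27:
            return True  # older than R27.6.8, so inside "and earlier"
        last = LAST_AFFECTED_JROCKIT.get(major)
        return last is not None and (minor, patch) <= last
    se = SE_VERSION_RE.search(banner)
    if not se:
        raise ValueError("unrecognised java -version output")
    family, minor = int(se.group(1)), int(se.group(2))
    update = int(se.group(3) or 0)  # no _NN suffix means the GA release
    last = LAST_AFFECTED_SE.get(family)
    # Families the alert does not list (e.g. 1.7) are not flagged.
    return last is not None and (minor, update) <= last


def installed_java_affected() -> bool:
    """Run the local `java -version` (it prints to stderr) and classify it."""
    proc = subprocess.run(["java", "-version"], capture_output=True, text=True)
    return is_affected(proc.stdout + proc.stderr)


if __name__ == "__main__":
    # Constructed sample banners: two HotSpot releases and one JRockit release.
    samples = [
        'java version "1.6.0_23"\nJava(TM) SE Runtime Environment (build 1.6.0_23-b05)',
        'java version "1.6.0_24"\nJava(TM) SE Runtime Environment (build 1.6.0_24-b07)',
        'java version "1.6.0_22"\nOracle JRockit(R) (build R28.1.1-14-139783-1.6.0_22-20101206-0241-linux-x86_64, compiled mode)',
    ]
    for s in samples:
        print(s.splitlines()[-1][:32], "->", "AFFECTED" if is_affected(s) else "not affected")
```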

Patch Availability Table

Product Group | Risk Matrix | Patch Availability and Installation Information
Oracle Java SE and Java for Business and Oracle JRockit | Oracle Java SE and Java for Business and Oracle JRockit Risk Matrix | Oracle Security Alert for CVE-2010-4476 My Oracle Support Note 1291950.1; Java SE Floating Point Updater Tool

References


Modification History


Date | Comments
2011-March-22 | Rev 2. Included Oracle JRockit
2011-February-08 | Rev 1. Initial Release



Risk Matrix for Oracle Java SE and Java for Business and Oracle JRockit


My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include a JDK.

CVE#: CVE-2010-4476
Component: Java Runtime Environment
Protocol: Multiple
Sub-component: Java Language
Remote Exploit without Auth.?: Yes
CVSS VERSION 2.0 RISK (see Risk Matrix Definitions):
  Base Score: 5.0
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality: None
  Integrity: None
  Availability: Partial+
Supported Versions Affected: 6 Update 23 and before, 5.0 Update 27 and before, 1.4.2_29 and before. R27.6.8 and before, R28.1.1 and before.
Notes: -