This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products and Oracle JRockit. This vulnerability allows unauthenticated network attacks ( i.e. it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability.
The security vulnerability addressed by this Security Alert affects the products listed in the categories below. Please click on the link in the Patch Availability Table to access the documentation for those patches.
|JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux|
|JDK 5.0 Update 27 and earlier for Solaris 9|
|SDK 1.4.2_29 and earlier for Solaris 8|
|Java for Business|
|JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux|
|JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux|
|SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux|
|R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6)|
|R28.1.1 and earlier (JDK/JRE 5, 6)|
|Product Group||Risk Matrix||Patch Availability and Installation Information|
|Oracle Java SE and Java for Business and Oracle JRockit||Oracle Java SE and Java for Business and Oracle JRockit Risk Matrix||Oracle Security Alert for CVE-2010-4476 My Oracle Support Note 1291950.1
Java SE Floating Point Updater Tool
|2011-March-22||Rev 2. Included Oracle JRockit|
|2011-February-08||Rev 1. Initial Release|
My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include a JDK.
|CVE#||Component||Protocol||Sub-component||Remote Exploit without Auth.?||CVSS VERSION 2.0 RISK (see Risk Matrix Definitions)||Supported Versions Affected||Notes|
|Base Score||Access Vector||Access Complexity||Authentication||Confidentiality||Integrity||Availability|
|CVE-2010-4476||Java Runtime Environment||Multiple||Java Language||Yes||5.0||Network||Low||None||None||None||Partial+||6 Update 23 and before, 5.0 Update 27 and before, 1.4.2_29 and before. R27.6.8 and before, R28.1.1 and before.||-|