Bug 674336 (CVE-2010-4476)

Summary: CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
Product: [Other] Security Response
Reporter: Marc Schoenefeld <mschoene>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ahughes, aph, atangrin, bgeorges, ccrouch, dbhole, dknox, dwalluck, fnasser, gbailey, gerrit.slomma, jclere, jlieskov, jscotka, jvanek, pcheung, ptisnovs, redhat, remm, ruckc, security-response-team, smilner, vdanen, wnefal+redhatbugzilla
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-06-08 14:44:25 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 674599, 674601, 674918, 674919, 674921, 674922, 676010, 676011, 676275, 676277, 676294, 676295, 676694, 676695, 676696, 678534, 678535, 678536, 678539, 678540, 678541, 678545, 678546, 679532, 679533, 679535, 802293
Bug Blocks: 712887

Description Marc Schoenefeld 2011-02-01 14:38:00 UTC
The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes a (on first sight) trivial DoS when parsing strings into Java Double objects. However, that code could likely occur in serialization routines and HTTP header parsing and impair server availability.

Runtime (java app hang):

class runhang {
  public static void main(String[] args) {
    System.out.println("Test:");
    // On affected JDKs this call never returns: the decimal-to-binary
    // conversion loops forever on this particular input.
    double d = Double.parseDouble("2.2250738585072012e-308");
    System.out.println("Value: " + d);
  }
}

DevTime (javac hang):

class compilehang {
  public static void main(String[] args) {
    // On affected JDKs javac itself hangs while converting this literal,
    // because the compiler uses the same library routine to parse it.
    double d = 2.2250738585072012e-308;
    System.out.println("Value: " + d);
  }
}

Comment 12 Andrew John Hughes 2011-02-02 13:39:41 UTC
There is no bug in ecj.  Running the native gcj version works fine.

$ ecj CompileHang.java 
$ gij CompileHang
Value: 2.225073858507201E-308

It's only broken when running on the broken JDK libraries.

Comment 16 Andrew Haley 2011-02-02 16:22:03 UTC
Patch is now public:

http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html

Comment 17 Andrew John Hughes 2011-02-02 16:30:54 UTC
Assuming the discussion goes well, can you make sure this gets into the IcedTea6 branches (1.7, 1.8, 1.9) prior to the SSR on the 15th of February to ensure a timely release?

Thanks.

Comment 22 Jean-frederic Clere 2011-02-04 07:23:42 UTC
Note that the work-around I commented has a typo; it should be:
+++
RewriteEngine On
RewriteCond %{HTTP:Accept-Language}  [0-9]{4,}
RewriteRule .+   -   [G]
+++

Comment 24 Marc Schoenefeld 2011-02-07 12:14:06 UTC
The work-around is in Tomcat 6.0.32 and 7.0.8 and will be in 5.5.33, and has been worked around in the following commits:
http://svn.apache.org/viewvc?rev=1066244&view=rev 7.0.x
http://svn.apache.org/viewvc?rev=1066315&view=rev 6.0.x
http://svn.apache.org/viewvc?rev=1066318&view=rev 5.5.x
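As an added example (not code from this bug, from Tomcat or from the mod_rewrite workaround in comment 22), a Java version of the same defensive idea for the HTTP header parsing case named in the description: validate the Accept-Language grammar and refuse runs of four or more digits before any q-value reaches Double.parseDouble, so a request header can never carry an unbounded numeric literal into the parser. The class name, method names and the 1024-byte header limit are assumptions for illustration.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical helper, not Tomcat's code: parse Accept-Language with a strict
// grammar so only short, bounded qvalue strings ever reach Double.parseDouble.
public final class SafeAcceptLanguage {
    // Same rule as the mod_rewrite workaround: reject 4+ consecutive digits.
    private static final Pattern LONG_DIGIT_RUN = Pattern.compile("[0-9]{4,}");
    // RFC 2616 qvalue: "0" ["." 0*3DIGIT] or "1" ["." 0*3("0")]
    private static final Pattern QVALUE = Pattern.compile("0(\\.[0-9]{0,3})?|1(\\.0{0,3})?");
    private static final Pattern LANG_TAG = Pattern.compile("\\*|[A-Za-z]{1,8}(-[A-Za-z0-9]{1,8})*");

    public static final class Entry {
        public final String tag; public final double q;
        Entry(String tag, double q) { this.tag = tag; this.q = q; }
    }

    // Returns null when the header is outside the grammar; the caller should
    // reject the request (as the rewrite rule does) instead of interpreting it.
    public static List<Entry> parse(String header) {
        if (header == null || header.length() > 1024 || LONG_DIGIT_RUN.matcher(header).find()) return null;
        List<Entry> out = new ArrayList<Entry>();
        for (String part : header.split(",")) {
            String[] fields = part.trim().split(";");
            String tag = fields[0].trim();
            if (!LANG_TAG.matcher(tag).matches()) return null;
            double q = 1.0;
            for (int i = 1; i < fields.length; i++) {
                String p = fields[i].trim();
                if (!p.startsWith("q=")) return null;
                String qv = p.substring(2).trim();
                // Grammar check first: parseDouble only ever sees at most 4 digits.
                if (!QVALUE.matcher(qv).matches()) return null;
                q = Double.parseDouble(qv);
            }
            out.add(new Entry(tag, q));
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers: a normal one and one carrying the reported literal.
        System.out.println("normal header accepted: " + (parse("en-US,de;q=0.8,fr;q=0.5") != null));
        System.out.println("malformed header rejected: " + (parse("en;q=2.2250738585072012e-308") == null));
    }
}
```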

Comment 25 Vincent Danen 2011-02-07 16:54:10 UTC
*** Bug 675347 has been marked as a duplicate of this bug. ***

Comment 29 Jean-frederic Clere 2011-02-09 07:53:08 UTC
Oracle have fixed it:

http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Comment 32 Gerrit Slomma 2011-02-09 11:39:29 UTC
Would this be addressed for the java-1.6.0-sun in the supplementary-repo too?
And when does 1.6.0_23 get released?

Comment 35 errata-xmlrpc 2011-02-10 19:31:04 UTC
This issue has been addressed in the following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5
  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5

Via RHSA-2011:0210 https://rhn.redhat.com/errata/RHSA-2011-0210.html

Comment 36 errata-xmlrpc 2011-02-10 19:36:30 UTC
This issue has been addressed in the following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5

Via RHSA-2011:0211 https://rhn.redhat.com/errata/RHSA-2011-0211.html

Comment 37 errata-xmlrpc 2011-02-10 19:41:44 UTC
This issue has been addressed in the following products:

  JBEAP 4.2.0
  JBEAP 4.3.0
  JBEAP 5

Via RHSA-2011:0212 https://rhn.redhat.com/errata/RHSA-2011-0212.html

Comment 38 errata-xmlrpc 2011-02-10 19:46:55 UTC
This issue has been addressed in the following products:

  JBEWP 5

Via RHSA-2011:0213 https://rhn.redhat.com/errata/RHSA-2011-0213.html

Comment 40 errata-xmlrpc 2011-02-11 00:48:18 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0214 https://rhn.redhat.com/errata/RHSA-2011-0214.html

Comment 41 Schlomo Schapiro 2011-02-15 13:57:51 UTC
(In reply to comment #32)
> Would this be addressed for the java-1.6.0-sun in the supplementary-repo too?
> And when does 1.6.0_23 get released?

I am also interested in this info, as well as in when the 1.6.0_24 update will be released. This update will also fix the parseDouble bug and be released shortly by Oracle.

Comment 42 Marc Schoenefeld 2011-02-15 14:11:58 UTC
Oracle announced [1] that CVE-2010-4476 in Sun JDK will be fixed with the next Critical Patch Update, scheduled for release on Feb 15th [2]. JDK 6u24 will then be made available in Red Hat Enterprise Linux 4 Extras and 5 and 6 Supplementary shortly after this release.

[1] http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
[2] http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Comment 43 errata-xmlrpc 2011-02-17 18:14:43 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6
  Extras for RHEL 4

Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html

Comment 47 errata-xmlrpc 2011-02-22 17:22:22 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2011:0292 https://rhn.redhat.com/errata/RHSA-2011-0292.html

Comment 48 errata-xmlrpc 2011-02-22 17:22:47 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6
  Extras for RHEL 4

Via RHSA-2011:0291 https://rhn.redhat.com/errata/RHSA-2011-0291.html

Comment 49 errata-xmlrpc 2011-02-22 17:28:09 UTC
This issue has been addressed in the following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2011:0290 https://rhn.redhat.com/errata/RHSA-2011-0290.html

Comment 52 errata-xmlrpc 2011-02-23 18:41:11 UTC
This issue has been addressed in the following products:

  RHEL 4 for SAP
  RHEL 5 for SAP
  RHEL 6 for SAP

Via RHSA-2011:0299 https://rhn.redhat.com/errata/RHSA-2011-0299.html

Comment 53 errata-xmlrpc 2011-03-09 18:41:00 UTC
This issue has been addressed in the following products:

  JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2

Via RHSA-2011:0333 https://rhn.redhat.com/errata/RHSA-2011-0333.html

Comment 54 errata-xmlrpc 2011-03-09 18:46:22 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0

Via RHSA-2011:0334 https://rhn.redhat.com/errata/RHSA-2011-0334.html

Comment 55 errata-xmlrpc 2011-03-09 20:52:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0335 https://rhn.redhat.com/errata/RHSA-2011-0335.html

Comment 56 errata-xmlrpc 2011-03-09 21:08:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0336 https://rhn.redhat.com/errata/RHSA-2011-0336.html

Comment 57 errata-xmlrpc 2011-03-11 00:38:39 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2011:0348 https://rhn.redhat.com/errata/RHSA-2011-0348.html

Comment 58 errata-xmlrpc 2011-03-11 00:59:00 UTC
This issue has been addressed in the following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4

Via RHSA-2011:0349 https://rhn.redhat.com/errata/RHSA-2011-0349.html

Comment 59 errata-xmlrpc 2011-03-11 01:09:30 UTC
This issue has been addressed in the following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0350 https://rhn.redhat.com/errata/RHSA-2011-0350.html

Comment 61 errata-xmlrpc 2011-06-16 19:24:31 UTC
This issue has been addressed in the following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:0880 https://rhn.redhat.com/errata/RHSA-2011-0880.html