Bug 674336 (CVE-2010-4476) - CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
Summary: CVE-2010-4476 JDK Double.parseDouble Denial-Of-Service
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2010-4476
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Duplicates: 675347
Depends On: 674599 674601 674918 674919 674921 674922 676010 676011 676275 676277 676294 676295 676694 676695 676696 678534 678535 678536 678539 678540 678541 678545 678546 679532 679533 679535 802293
Blocks: 712887
Reported: 2011-02-01 14:38 UTC by Marc Schoenefeld
Modified: 2019-09-29 12:42 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-06-08 14:44:25 UTC
Embargoed:


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | JBPAPP-5849 | 0 | Blocker | Resolved | CVE-2010-4476 JBossweb update fixing JDK double bug | 2014-01-24 09:39:21 UTC
Red Hat Product Errata | RHSA-2011:0210 | 0 | normal | SHIPPED_LIVE | Important: jbossweb security update | 2011-02-10 19:30:57 UTC
Red Hat Product Errata | RHSA-2011:0211 | 0 | normal | SHIPPED_LIVE | Important: jbossweb security update | 2011-02-10 19:36:25 UTC
Red Hat Product Errata | RHSA-2011:0212 | 0 | normal | SHIPPED_LIVE | Important: jbossweb security update | 2011-02-10 19:41:39 UTC
Red Hat Product Errata | RHSA-2011:0213 | 0 | normal | SHIPPED_LIVE | Important: jbossweb security update | 2011-02-10 19:46:51 UTC
Red Hat Product Errata | RHSA-2011:0214 | 0 | normal | SHIPPED_LIVE | Moderate: java-1.6.0-openjdk security update | 2011-02-11 00:48:10 UTC
Red Hat Product Errata | RHSA-2011:0282 | 0 | normal | SHIPPED_LIVE | Critical: java-1.6.0-sun security update | 2011-02-17 18:13:17 UTC
Red Hat Product Errata | RHSA-2011:0290 | 0 | normal | SHIPPED_LIVE | Moderate: java-1.6.0-ibm security update | 2011-02-22 17:27:57 UTC
Red Hat Product Errata | RHSA-2011:0291 | 0 | normal | SHIPPED_LIVE | Moderate: java-1.5.0-ibm security update | 2011-02-22 17:22:35 UTC
Red Hat Product Errata | RHSA-2011:0292 | 0 | normal | SHIPPED_LIVE | Moderate: java-1.4.2-ibm security update | 2011-02-22 17:22:11 UTC
Red Hat Product Errata | RHSA-2011:0299 | 0 | normal | SHIPPED_LIVE | Moderate: java-1.4.2-ibm-sap security update | 2011-02-23 18:41:00 UTC
Red Hat Product Errata | RHSA-2011:0333 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2 security update | 2011-03-09 18:40:56 UTC
Red Hat Product Errata | RHSA-2011:0334 | 0 | normal | SHIPPED_LIVE | Important: JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0 security update | 2011-03-09 18:46:18 UTC
Red Hat Product Errata | RHSA-2011:0335 | 0 | normal | SHIPPED_LIVE | Important: tomcat6 security and bug fix update | 2011-03-09 20:52:26 UTC
Red Hat Product Errata | RHSA-2011:0336 | 0 | normal | SHIPPED_LIVE | Important: tomcat5 security update | 2011-03-09 21:07:59 UTC
Red Hat Product Errata | RHSA-2011:0348 | 0 | normal | SHIPPED_LIVE | Important: tomcat6 security update | 2011-03-11 00:38:28 UTC
Red Hat Product Errata | RHSA-2011:0349 | 0 | normal | SHIPPED_LIVE | Important: tomcat5 security update | 2011-03-11 00:58:54 UTC
Red Hat Product Errata | RHSA-2011:0350 | 0 | normal | SHIPPED_LIVE | Important: tomcat5 and tomcat6 security update | 2011-03-11 01:09:22 UTC
Red Hat Product Errata | RHSA-2011:0880 | 0 | normal | SHIPPED_LIVE | Low: Red Hat Network Satellite server IBM Java Runtime security update | 2011-06-16 19:21:49 UTC

Description Marc Schoenefeld 2011-02-01 14:38:00 UTC
The post on http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/ describes a (at first sight) trivial DoS when parsing strings into Java Double objects. However, that code could likely occur in serialization routines and HTTP header parsing, and impair server availability.

Runtime (java app hang):

class runhang {
    public static void main(String[] args) {
        System.out.println("Test:");
        // On an affected JDK this call never returns
        double d = Double.parseDouble("2.2250738585072012e-308");
        System.out.println("Value: " + d);
    }
}

DevTime (javac hang):

class compilehang {
    public static void main(String[] args) {
        // On an affected JDK, javac hangs while compiling this literal
        double d = 2.2250738585072012e-308;
        System.out.println("Value: " + d);
    }
}

Comment 12 Andrew John Hughes 2011-02-02 13:39:41 UTC
There is no bug in ecj.  Running the native gcj version works fine.

$ ecj CompileHang.java 
$ gij CompileHang
Value: 2.225073858507201E-308

It's only broken when running on the broken JDK libraries.

Comment 16 Andrew Haley 2011-02-02 16:22:03 UTC
Patch is now public:

http://mail.openjdk.java.net/pipermail/core-libs-dev/2011-February/005795.html

Comment 17 Andrew John Hughes 2011-02-02 16:30:54 UTC
Assuming the discussion goes well, can you make sure this gets into the IcedTea6 branches (1.7, 1.8, 1.9) prior to the SSR on the 15th of February to ensure a timely release?

Thanks.

Comment 22 Jean-frederic Clere 2011-02-04 07:23:42 UTC
Note that the work-around I commented has a typo; it should be:
+++
RewriteEngine On
RewriteCond %{HTTP:Accept-Language}  [0-9]{4,}
RewriteRule .+   -   [G]
+++
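
An application-side counterpart to the rewrite rule above, as an added example (not code from Tomcat, from the JDK patch, or from any commenter on this bug): each Accept-Language q-value is checked against the HTTP qvalue grammar, which allows at most three decimal digits, before it is handed to Double.parseDouble. The class and method names are hypothetical and the sample headers are constructed.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical helper: parses Accept-Language q-values defensively. */
public class SafeQValue {
    // RFC 2616 qvalue: "0" with up to three decimals, or "1" with up to three zeros.
    private static final Pattern QVALUE =
            Pattern.compile("0(\\.[0-9]{0,3})?|1(\\.0{0,3})?");

    /** Returns the quality in [0,1], or -1 if the text is not a well-formed qvalue. */
    static double parseQ(String text) {
        String t = text.trim();
        // The grammar check runs first, so a string such as
        // "2.2250738585072012e-308" never reaches Double.parseDouble.
        if (!QVALUE.matcher(t).matches()) {
            return -1.0;
        }
        return Double.parseDouble(t);
    }

    /** Returns the language ranges whose q-value is well-formed and non-zero. */
    static List<String> acceptedRanges(String header) {
        List<String> out = new ArrayList<>();
        for (String entry : header.split(",")) {
            String[] parts = entry.trim().split(";");
            double q = 1.0; // default quality when no q parameter is present
            for (int i = 1; i < parts.length; i++) {
                String p = parts[i].trim();
                if (p.regionMatches(true, 0, "q=", 0, 2)) {
                    q = parseQ(p.substring(2));
                }
            }
            String range = parts[0].trim();
            if (q > 0.0 && !range.isEmpty()) {
                out.add(range);
            }
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample headers: one ordinary, one carrying the hanging value.
        System.out.println(acceptedRanges("en-US,en;q=0.8,de;q=0.5"));
        System.out.println(acceptedRanges("en;q=2.2250738585072012e-308,fr;q=0.7"));
    }
}
```

Unlike the rewrite rule, which rejects the whole request, this drops only the malformed language range and keeps the rest of the header.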

Comment 24 Marc Schoenefeld 2011-02-07 12:14:06 UTC
The work-around is in Tomcat 6.0.32 and 7.0.8 and will be in 5.5.33, and has been worked around in the following commits:
http://svn.apache.org/viewvc?rev=1066244&view=rev 7.0.x
http://svn.apache.org/viewvc?rev=1066315&view=rev 6.0.x
http://svn.apache.org/viewvc?rev=1066318&view=rev 5.5.x

Comment 25 Vincent Danen 2011-02-07 16:54:10 UTC
*** Bug 675347 has been marked as a duplicate of this bug. ***

Comment 29 Jean-frederic Clere 2011-02-09 07:53:08 UTC
Oracle have fixed it:

http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

Comment 32 Gerrit Slomma 2011-02-09 11:39:29 UTC
Would this be addressed for the java-1.6.0-sun in the supplementary-repo too?
And when does 1.6.0_23 get released?

Comment 35 errata-xmlrpc 2011-02-10 19:31:04 UTC
This issue has been addressed in following products:

  JBEAP 4.3.0 for RHEL 4
  JBEAP 4.3.0 for RHEL 5
  JBEAP 4.2.0 for RHEL 4
  JBEAP 4.2.0 for RHEL 5
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5

Via RHSA-2011:0210 https://rhn.redhat.com/errata/RHSA-2011-0210.html

Comment 36 errata-xmlrpc 2011-02-10 19:36:30 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5

Via RHSA-2011:0211 https://rhn.redhat.com/errata/RHSA-2011-0211.html

Comment 37 errata-xmlrpc 2011-02-10 19:41:44 UTC
This issue has been addressed in following products:

  JBEAP 4.2.0
  JBEAP 4.3.0
  JBEAP 5

Via RHSA-2011:0212 https://rhn.redhat.com/errata/RHSA-2011-0212.html

Comment 38 errata-xmlrpc 2011-02-10 19:46:55 UTC
This issue has been addressed in following products:

  JBEWP 5

Via RHSA-2011:0213 https://rhn.redhat.com/errata/RHSA-2011-0213.html

Comment 40 errata-xmlrpc 2011-02-11 00:48:18 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2011:0214 https://rhn.redhat.com/errata/RHSA-2011-0214.html

Comment 41 Schlomo Schapiro 2011-02-15 13:57:51 UTC
(In reply to comment #32)
> Would this be addressed for the java-1.6.0-sun in the supplementary-repo too?
> And when does 1.6.0_23 get released?

I am also interested in this info, as well when will the 1.6.0_24 update be released? This update will also fix the parseDouble bug and be released shortly by Oracle.

Comment 42 Marc Schoenefeld 2011-02-15 14:11:58 UTC
Oracle announced [1] that CVE-2010-4476 in Sun JDK will be fixed with the next Critical Patch Update, scheduled for release on Feb 15th [2]. JDK 6u24 will then be made available in Red Hat Enterprise Linux 4 Extras and 5 and 6 Supplementary shortly after this release.

[1] http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
[2] http://www.oracle.com/technetwork/topics/security/alerts-086861.html

Comment 43 errata-xmlrpc 2011-02-17 18:14:43 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6
  Extras for RHEL 4

Via RHSA-2011:0282 https://rhn.redhat.com/errata/RHSA-2011-0282.html

Comment 47 errata-xmlrpc 2011-02-22 17:22:22 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2011:0292 https://rhn.redhat.com/errata/RHSA-2011-0292.html

Comment 48 errata-xmlrpc 2011-02-22 17:22:47 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 5
  Supplementary for Red Hat Enterprise Linux 6
  Extras for RHEL 4

Via RHSA-2011:0291 https://rhn.redhat.com/errata/RHSA-2011-0291.html

Comment 49 errata-xmlrpc 2011-02-22 17:28:09 UTC
This issue has been addressed in following products:

  Supplementary for Red Hat Enterprise Linux 6
  Supplementary for Red Hat Enterprise Linux 5
  Extras for RHEL 4

Via RHSA-2011:0290 https://rhn.redhat.com/errata/RHSA-2011-0290.html

Comment 52 errata-xmlrpc 2011-02-23 18:41:11 UTC
This issue has been addressed in following products:

  RHEL 4 for SAP
  RHEL 5 for SAP
  RHEL 6 for SAP

Via RHSA-2011:0299 https://rhn.redhat.com/errata/RHSA-2011-0299.html

Comment 53 errata-xmlrpc 2011-03-09 18:41:00 UTC
This issue has been addressed in following products:

  JBoss Enterprise SOA Platform 4.3.CP04 and 5.0.2

Via RHSA-2011:0333 https://rhn.redhat.com/errata/RHSA-2011-0333.html

Comment 54 errata-xmlrpc 2011-03-09 18:46:22 UTC
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3.CP06 and 5.1.0

Via RHSA-2011:0334 https://rhn.redhat.com/errata/RHSA-2011-0334.html

Comment 55 errata-xmlrpc 2011-03-09 20:52:35 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:0335 https://rhn.redhat.com/errata/RHSA-2011-0335.html

Comment 56 errata-xmlrpc 2011-03-09 21:08:06 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:0336 https://rhn.redhat.com/errata/RHSA-2011-0336.html

Comment 57 errata-xmlrpc 2011-03-11 00:38:39 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 4
  JBEWS 1.0 for RHEL 5

Via RHSA-2011:0348 https://rhn.redhat.com/errata/RHSA-2011-0348.html

Comment 58 errata-xmlrpc 2011-03-11 00:59:00 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 4

Via RHSA-2011:0349 https://rhn.redhat.com/errata/RHSA-2011-0349.html

Comment 59 errata-xmlrpc 2011-03-11 01:09:30 UTC
This issue has been addressed in following products:

  JBoss Enterprise Web Server 1.0

Via RHSA-2011:0350 https://rhn.redhat.com/errata/RHSA-2011-0350.html

Comment 61 errata-xmlrpc 2011-06-16 19:24:31 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4

Via RHSA-2011:0880 https://rhn.redhat.com/errata/RHSA-2011-0880.html

