Oracle Security Alert for CVE-2010-4476
Description
This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products and Oracle JRockit. This vulnerability allows unauthenticated network attacks ( i.e. it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability.
Supported Products Affected
The security vulnerability addressed by this Security Alert affects the products listed in the categories below. Please click on the link in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions:
| Java SE |
|---|
| JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux |
| JDK 5.0 Update 27 and earlier for Solaris 9 |
| SDK 1.4.2_29 and earlier for Solaris 8 |
| Java for Business |
| JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux |
| JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux |
| SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux |
| JRockit |
| R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6) |
| R28.1.1 and earlier (JDK/JRE 5, 6) |
Patch Availability Table
| Product Group | Risk Matrix | Patch Availability and Installation Information |
|---|---|---|
| Oracle Java SE and Java for Business and Oracle JRockit | Oracle Java SE and Java for Business and Oracle JRockit Risk Matrix | Oracle Security Alert for CVE-2010-4476 My Oracle Support Note 1291950.1 Java SE Floating Point Updater Tool |
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of risk matrix [ Oracle Technology Network ]
- Previous Security Advisories for Java SE and Java for Business Security Updates [ Java Sun Alerts Archive Page ]
Modification History
| Date | Comments |
|---|---|
| 2011-March-22 | Rev 2. Included Oracle JRockit |
| 2011-February-08 | Rev 1. Initial Release |
Risk Matrix for Oracle Java SE and Java for Business and Oracle JRockit
My Oracle Support Note 360870.1 explains the impact of Java security vulnerabilities on Oracle products that include a JDK.
| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2010-4476 | Java Runtime Environment | Multiple | Java Language | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 6 Update 23 and before, 5.0 Update 27 and before, 1.4.2_29 and before. R27.6.8 and before, R28.1.1 and before. | - |