CVE-2010-4476
• Affected Products
– Java SE
• JDK and JRE 6 update 23 and earlier
• JDK 5.0 Update 27 and earlier
• SDK 1.4.2_29 and earlier
– JRockit
• R27.6.8 and earlier (JDK/JRE 1.4.2,5,6)
• R28.1.1 and earlier (JDK/JRE 5,6)
• runhang: a program that hangs the JVM at run time on an unpatched JRE. The exponent must be e-308 (the value just below Double.MIN_NORMAL); with e308 the string simply parses to Infinity.

    class runhang {
        public static void main(String[] args) {
            System.out.println("Test:");
            // Never returns on JDK/JRE 6 Update 23 and earlier (CVE-2010-4476)
            double d = Double.parseDouble("2.2250738585072012e-308");
            System.out.println("Value: " + d);
        }
    }

• compilehang: the same value written as a literal hangs javac, because the compiler converts literals with the same FloatingDecimal code.

    class compilehang {
        public static void main(String[] args) {
            // javac hangs while parsing this literal on an unpatched JDK
            double d = 2.2250738585072012e-308;
            System.out.println("Value: " + d);
        }
    }
• Remediation
  1. Update the Java Runtime Environment (JRE). The JRE provides the libraries, the Java Virtual Machine, and other components to run applets and applications.
  2. Update your application server's Java Development Kit (J
• Summary (JDK bug 4421494): Double.parseDouble(s) hangs for decimal strings in the open range (Double.MIN_NORMAL - 0.5*Double.MIN_VALUE, Double.MIN_NORMAL), and returns an incorrect result for the decimal string exactly equal to Double.MIN_NORMAL - 0.5*Double.MIN_VALUE.
• Cause: the code in FloatingDecimal.doubleValue() incorrectly defines the condition under which dValue - nextDown(dValue) == 0.5*ulp(dValue). It assumes this holds for every power of two 2^n that is representable as a normal double, and that dValue - nextDown(dValue) == 1.0*ulp(dValue) for all other doubles (subnormals and values that are not powers of two). That assumption is wrong for dValue == Double.MIN_NORMAL: the subnormals directly below it are spaced Double.MIN_VALUE apart, the same as the normals directly above it, so Double.MIN_NORMAL - nextDown(Double.MIN_NORMAL) == 1.0*ulp(Double.MIN_NORMAL), not 0.5*ulp. A decimal string that lands in that half-ulp band below MIN_NORMAL therefore never satisfies the loop's exit condition.
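The interval arithmetic above can be checked without a JVM. The following is an added example (not code from the page, the JDK, or the bug report) written in Python so it runs on a patched or unpatched host alike: it uses exact rational arithmetic to place a decimal string relative to Double.MIN_NORMAL, Double.MIN_VALUE and the halfway point, verifies the ulp-spacing claim at MIN_NORMAL, and generates the exact decimal string for the misround boundary. It assumes Python 3.9 or later for math.ulp and math.nextafter; the constant and function names are the example's own.

```python
"""Exact-arithmetic view of the CVE-2010-4476 hang interval.

Added example, not code from the original page or the JDK. Python's
Fraction type is used so the bug summary's intervals can be checked
exactly, with no rounding before the comparison. Assumes Python 3.9+.
"""
from fractions import Fraction
import math

MIN_NORMAL = Fraction(2) ** -1022      # Double.MIN_NORMAL, 2^-1022
MIN_VALUE = Fraction(2) ** -1074       # Double.MIN_VALUE, the subnormal spacing, 2^-1074
HALFWAY = MIN_NORMAL - MIN_VALUE / 2   # midpoint between MIN_NORMAL and nextDown(MIN_NORMAL)

# Constructed test input: the string from the advisory.
HANG_STRING = "2.2250738585072012e-308"


def classify(decimal_string: str) -> str:
    """Place a decimal string relative to the intervals in the bug summary.

    'hang'      strictly inside (MIN_NORMAL - 0.5*MIN_VALUE, MIN_NORMAL):
                Double.parseDouble on 6u23 and earlier never terminates
    'misround'  exactly MIN_NORMAL - 0.5*MIN_VALUE: old parser returns the wrong double
    'safe'      anything else
    """
    x = Fraction(decimal_string)  # exact value of the decimal string
    if x == HALFWAY:
        return "misround"
    if HALFWAY < x < MIN_NORMAL:
        return "hang"
    return "safe"


def gap_below_in_ulps(value: float) -> Fraction:
    """(value - nextDown(value)) / ulp(value), computed exactly.

    FloatingDecimal assumed 1/2 for every normal power of two and 1 for
    everything else; MIN_NORMAL is the power of two where that fails.
    """
    below = math.nextafter(value, -math.inf)
    return (Fraction(value) - Fraction(below)) / Fraction(math.ulp(value))


def exact_decimal(fr: Fraction) -> str:
    """Exact decimal expansion of a dyadic rational (denominator 2^k).

    fr * 10^k is an integer, so every digit is kept. This is how to write
    the 'misround' boundary value as a decimal string.
    """
    k = fr.denominator.bit_length() - 1
    if fr.denominator != 1 << k:
        raise ValueError("not a dyadic rational")
    digits = str(fr.numerator * 5 ** k).rjust(k + 1, "0")
    return digits[:-k] + "." + digits[-k:] if k else digits


def is_correctly_rounded(decimal_string: str) -> bool:
    """True if float() returned the double nearest to the exact decimal value.

    This is the property a fixed parser must have; the old JDK code either
    loops (hang case) or returns a non-nearest double (misround case).
    """
    x = Fraction(decimal_string)
    f = float(decimal_string)
    lo = math.nextafter(f, -math.inf)
    hi = math.nextafter(f, math.inf)
    d = abs(Fraction(f) - x)
    return d <= abs(Fraction(lo) - x) and d <= abs(Fraction(hi) - x)


if __name__ == "__main__":
    print(HANG_STRING, "->", classify(HANG_STRING))
    print("gap below 1.0 in ulps:", gap_below_in_ulps(1.0))
    print("gap below MIN_NORMAL in ulps:", gap_below_in_ulps(2.0 ** -1022))
    print("correctly rounded:", is_correctly_rounded(HANG_STRING),
          float(HANG_STRING) == 2.0 ** -1022)
```

classify() is the useful part for a tester: any decimal string it reports as 'hang' is a valid trigger for an unpatched JVM, not only the one string from the advisory, while exact_decimal(HALFWAY) yields the single string on which the old parser terminates with the wrong answer.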
Affected product releases and versions:
Java SE
JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
JDK 5.0 Update 27 and earlier for Solaris 9
SDK 1.4.2_29 and earlier for Solaris 8
Java for Business
JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux
JRockit
R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6)
R28.1.1 and earlier (JDK/JRE 5, 6)
Affected Tomcat versions:
Tomcat 7 earlier than 7.0.8
Tomcat 6 earlier than 6.0.32
Tomcat 5.5 earlier than 5.5.33
• Severity and impact
• High severity
• The vulnerability allows an adversary to trivially execute a *denial of service attack*, removing target CAS-running Tomcat instances from service.
• No end user data is exposed. No passwords are compromised. No system access is illicitly granted.
• The only impact of this vulnerability is to cause service outages.
• Manually updating the JVM
• Oracle has released a tool for updating affected JVMs. Note however that this tool breaks auto-updating of the JVM, so it should only be used in environments that are manually maintained (and in such environments it may be cleaner and simpler to replace the installed ad-hoc JVM with the Update 24 release rather than patching it in place).
• Oracle fpupdater tool
• Introduction
• The FPUpdater tool allows you to update installed Java Development Kit (JDK) and Java Runtime Environment (JRE) software to address the hang that occurs when parsing strings like "2.2250738585072012e-308" to a binary floating point number, as described in Security Alert for CVE-2010-4476 Released.
• System Requirements
• The FPUpdater tool is recommended for the Oracle JRE releases shown in the following table:

    JRE/JDK Release           Comments
    J2SE 1.4.2                Required for updates prior to, and including, 1.4.2_29
    J2SE 5.0                  Required for updates prior to, and including, 5.0u27
    J2SE for Embedded 5.0     Required for updates prior to, and including, 5.0u27
    Java SE 6                 Required for updates prior to, and including, 6u23
    Java SE for Embedded 6    Required for updates prior to, and including, 6u23
    Java Real-Time System 2   Required for updates prior to, and including, 2.2u1
    JRockit R27               Required for updates prior to, and including, R27.6.8
    JRockit R28               Required for updates prior to, and including, R28.1.1
• As a result of running the tool, the <JRE_HOME>/lib/rt.jar file is modified and the tool leaves behind the following files:

    <JRE_HOME>/lib/rt.jar.fpupdater    Copy of rt.jar before the fix.
    <JRE_HOME>/lib/.fpupdater.log      Zero-length file indicating that the update has taken place.

• If either of these two files is already present, the tool will not perform the update and exits with a warning.
• Run the fpupdater tool with the following command, using the java binary of the JRE being patched:

    <JRE_HOME>/bin/java -jar fpupdater.jar -u -v

• On Windows the JRE's java binary is, for example, C:\Program Files\Java\jre6\bin\java
• All Java programs must be closed first.
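The marker files and the "run once, close Java first" rules above are easy to get wrong across a fleet of hand-maintained JREs. The following is an added example (not part of the page and not Oracle's fpupdater tool) that turns them into a check: it reports a JRE as unpatched, patched or inconsistent from the two marker files plus a hash comparison of rt.jar against its backup, builds the documented command line, and refuses to run the tool while a java process is alive. The pgrep-based process check is an assumption (POSIX host); fpupdater.jar is assumed to have been obtained from Oracle separately; all function names are the example's own.

```python
"""Check a JRE's FPUpdater state before and after running the tool.

Added example, not part of the original page or of Oracle's fpupdater.jar.
'patched' here means both marker files exist AND rt.jar differs from the
backup copy, so an interrupted run does not pass as done. Assumes a POSIX
host with pgrep for the "close all Java programs first" precondition.
"""
import hashlib
import os
import subprocess
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def fpupdater_status(jre_home: str) -> str:
    """One of 'no-rt-jar', 'unpatched', 'patched', 'inconsistent'."""
    lib = os.path.join(jre_home, "lib")
    rt = os.path.join(lib, "rt.jar")
    backup = rt + ".fpupdater"                 # copy of rt.jar before the fix
    log = os.path.join(lib, ".fpupdater.log")  # zero-length marker
    if not os.path.isfile(rt):
        return "no-rt-jar"
    has_backup, has_log = os.path.isfile(backup), os.path.isfile(log)
    if not has_backup and not has_log:
        return "unpatched"                     # the tool will run here
    if has_backup and has_log and _sha256(rt) != _sha256(backup):
        return "patched"
    # Markers present but rt.jar unchanged, or only one marker left:
    # the tool would exit with a warning, so a human has to look.
    return "inconsistent"


def update_command(jre_home: str, fpupdater_jar: str) -> list:
    """The documented command line, using the target JRE's own java binary."""
    return [os.path.join(jre_home, "bin", "java"), "-jar", fpupdater_jar, "-u", "-v"]


def java_processes_running() -> bool:
    """Assumption: pgrep exists; exit status 0 means a 'java' process is alive."""
    return subprocess.run(["pgrep", "-x", "java"], capture_output=True).returncode == 0


def run_update(jre_home: str, fpupdater_jar: str) -> str:
    """Run fpupdater only when it is safe and useful; return the resulting state."""
    state = fpupdater_status(jre_home)
    if state != "unpatched":
        raise RuntimeError(f"not running fpupdater: JRE is {state}")
    if java_processes_running():
        raise RuntimeError("close all Java programs first")
    subprocess.run(update_command(jre_home, fpupdater_jar), check=True)
    return fpupdater_status(jre_home)


def simulate_states() -> dict:
    """Walk a constructed fake JRE tree through the states the tool produces.

    The files are a few bytes of stand-in content, not a real rt.jar.
    """
    seen = {}
    with tempfile.TemporaryDirectory() as jre:
        lib = os.path.join(jre, "lib")
        os.makedirs(lib)
        rt = os.path.join(lib, "rt.jar")
        with open(rt, "wb") as f:
            f.write(b"old FloatingDecimal")
        seen["fresh"] = fpupdater_status(jre)
        # Backup copy and log marker present, rt.jar not yet rewritten.
        with open(rt + ".fpupdater", "wb") as f:
            f.write(b"old FloatingDecimal")
        open(os.path.join(lib, ".fpupdater.log"), "wb").close()
        seen["markers_only"] = fpupdater_status(jre)
        # rt.jar rewritten with the fixed class.
        with open(rt, "wb") as f:
            f.write(b"fixed FloatingDecimal")
        seen["updated"] = fpupdater_status(jre)
    return seen


if __name__ == "__main__":
    print(simulate_states())
    print(update_command("/usr/lib/jvm/jre6", "fpupdater.jar"))
```

On a real host, call run_update(jre_home, path_to_fpupdater_jar) per JRE and keep the returned state; anything other than 'patched' is a JRE to replace outright with the Update 24 release, as the page recommends for manually maintained environments.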