Eclipse or SUNrise...

Eclipse or SUNrise...
...JAVA for sure

Friday, March 4, 2011

JDK security alert for CVE-2010-4476

Lately IBM have announced a fix for its JDK virtual machine bug which might lead to a DoS (Denial of Service) attack. It is an important security issue. You can read about it here. WAS versions 6, 6.1 and 7.0 are affected so the bug stayed in Java up from version 1.4... quite some time, nice :-).

This is a result from a similar info from Sun... oh, Oralce that is. And you can read it here. IBM JDK is modified Oracle's one.

But what made me wonder was the reason that cosed that behavior. I quote:

This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks ( i.e. it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability.

Digging in the problem, that means that an instruction like this:

Double thisWillHurt = Double.parseDouble("2.2250738585072012e-308")

Will crash the app server... nice. I'm just curious how do they come up with this particular COMPLEX in fact number. I wonder if there is any other magical number...

Anyway, I advise to install the new fixpack (if possible) on your environments, or at least only an APAR for this:

WAS v7.0
WAS v6.1
WAS v6.0

No comments: