A new security vulnerability has been discovered in the Oracle Sun Java SE and Java for Business software packages. The flaw is caused by an error that occurs when handling certain floating-point numbers. Specifically, it occurs in the "doubleValue()" method in FloatingDecimal.java when converting the decimal string "2.2250738585072012e-308" to a double: the conversion loop never terminates, so the calling thread hangs. A remote attacker who can get such a string parsed (for example through Double.parseDouble() on untrusted input) can exploit this flaw to create a DoS (Denial of Service) condition. All users are advised to install the available software fixes to protect against this problem.
Oracle Sun Java SE and Java for Business Denial of Service Vulnerability
VUPEN ID VUPEN/ADV-2011-0339
CVE ID CVE-2010-4476
Rated as Low Risk
Release Date 2011-02-09
Technical Description
A vulnerability has been identified in Oracle Sun Java SE and Java for Business, which could be exploited by attackers to cause a denial of service. This issue is caused by an error in the floating-point parsing code (FloatingDecimal.doubleValue()) when converting certain decimal strings, notably "2.2250738585072012e-308", to a binary double: the conversion loops indefinitely instead of returning. Any application that converts attacker-controlled text to a double (Double.parseDouble(), Double.valueOf() and the like) can therefore be made to hang, creating a denial of service condition.
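The following check, added here as an example and not part of the VUPEN or Oracle advisories, runs the conversion described above in a worker thread with a timeout so that an unpatched JVM can be tested without hanging the whole process. The trigger string is the one quoted in the advisory; the timeout value and the class and method names are choices made for this example.

```java
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class ParseDoubleHangCheck {

    // Input taken from the advisory text: on an unpatched JRE this string
    // makes FloatingDecimal.doubleValue() loop forever.
    static final String TRIGGER = "2.2250738585072012e-308";

    // Returns true if Double.parseDouble(s) completes within timeoutMillis,
    // false if it is still running when the timeout expires. The parse runs
    // in a daemon thread so that a hung conversion does not keep the JVM
    // alive after main() returns (the loop ignores interrupts, so cancel()
    // cannot stop it on a vulnerable runtime).
    static boolean parsesWithinTimeout(String s, long timeoutMillis) throws InterruptedException {
        ExecutorService ex = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "parse-double-check");
            t.setDaemon(true);
            return t;
        });
        try {
            Future<Double> f = ex.submit(() -> Double.parseDouble(s));
            f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;
        } catch (ExecutionException e) {
            // A NumberFormatException would mean the string was rejected,
            // which is not the behaviour under test; treat it as "returned".
            return true;
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("Runtime: " + System.getProperty("java.runtime.version"));
        boolean returned = parsesWithinTimeout(TRIGGER, 2000);
        if (returned) {
            System.out.println("OK: parse of " + TRIGGER + " returned (runtime appears patched)");
        } else {
            System.out.println("VULNERABLE: parse of " + TRIGGER + " did not return within 2 s");
            System.exit(1);
        }
    }
}
```

Run it once per installed JRE (java -cp . ParseDoubleHangCheck) rather than trusting the reported version string, since FPUpdater patches the class in place without changing the runtime version. A non-zero exit status indicates an unpatched runtime.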
Affected Products
Oracle Sun JDK version 6 Update 23 and prior
Oracle Sun JDK version 5.0 Update 27 and prior
Oracle Sun JRE version 6 Update 23 and prior
Oracle Sun JRE version 5.0 Update 27 and prior
Oracle Sun JRE version 1.4.2_29 and prior
Oracle Sun SDK version 1.4.2_29 and prior
Solution
Use the FPUpdater tool to update your Java installation (it replaces the affected FloatingDecimal class in the installed runtime), or install a release that includes the fix:
http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater
References
http://www.vupen.com/english/advisories/2011/0339
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
Changelog
2011-02-09 : Initial release