A security flaw has been discovered and fixed in the JRE (Java Runtime Environment) software package, which is used to run programs written in the Java programming language. The flaw manifests as an error when converting the number "2.2250738585072012e-308" to a binary floating-point number. Remote attackers can exploit this flaw to carry out a denial-of-service (DoS) attack. For more details, reading the original advisory is recommended. All users are advised to upgrade to the latest version promptly.
AIX 5.2: Security advisories
• JRE hangs when converting "2.2250738585072012e-308" to a binary floating point
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
IBM SECURITY ADVISORY
First Issued: Fri Feb 18 19:03:14 CST 2011
The most recent version of this document is available here:
http://aix.software.ibm.com/aix/efixes/security/java_advisory.asc
or
ftp://aix.software.ibm.com/aix/efixes/security/java_advisory.asc
===============================================================================
VULNERABILITY SUMMARY
VULNERABILITY: Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating point number.
PLATFORMS: See below
SOLUTION: Apply the fix as described below.
THREAT: This can be used as a denial of service attack against application servers.
CERT VU Number: n/a
CVE Numbers: CVE-2010-4476
===============================================================================
DETAILED INFORMATION
I. DESCRIPTION
This Security Alert addresses security issue CVE-2010-4476 (Java Runtime
Environment hangs when converting "2.2250738585072012e-308" to a binary
floating-point number), which is a vulnerability in the Java Runtime
Environment component of the IBM Java SE and Java for Business products.
This vulnerability allows unauthenticated network attacks (i.e. it may be
exploited over a network without the need for a username and password).
A successful attack on this vulnerability can give an attacker the ability
to cause a hang or a frequently repeatable crash (complete Denial of Service)
of the Java Runtime Environment. Java based application and web servers are
especially at risk from this vulnerability.
Please see the following for more information:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
II. PLATFORM VULNERABILITY ASSESSMENT
To determine if your system is vulnerable, execute the following
command:
java -version
This vulnerability affects all versions and releases of IBM Developer Kits
and Runtime Environments on all platforms prior to and including these
releases:
Java SE 6 SR9
Java SE 5.0 SR12-FP3
J2SE 1.4.2 SR13-FP8
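The version check above tells you whether a release is listed as affected; the following self-test confirms the behaviour directly on the JVM you are running. It is an added example and not part of IBM's advisory or fix. It performs the conversion named in the advisory on a daemon thread and waits a bounded time for it to finish: on an affected JRE the conversion never returns, so the probe thread is still alive when the join times out, and the daemon flag lets the JVM exit anyway. The class name, the 2-second timeout and the use of Double.parseDouble (rather than another FloatingDecimal entry point) are assumptions; the code deliberately avoids Java 5+ library features so it compiles on the J2SE 1.4.2 releases the advisory lists.

```java
/*
 * Added example (not IBM's code): self-test for the CVE-2010-4476 hang.
 * Runs the decimal-to-binary conversion named in the advisory on a daemon
 * thread and reports whether it completes within a timeout.
 */
public class Cve20104476Check {

    // The input string quoted in the advisory.
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Returns true if Double.parseDouble(s) finishes within timeoutMillis
     * (including by throwing NumberFormatException), false if the probe
     * thread is still running when the timeout expires, i.e. the hang.
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMillis)
            throws InterruptedException {
        final double[] result = new double[1];
        Thread probe = new Thread(new Runnable() {
            public void run() {
                try {
                    result[0] = Double.parseDouble(s);
                } catch (NumberFormatException e) {
                    // Conversion terminated, just without a value; not a hang.
                }
            }
        }, "cve-2010-4476-probe");
        // Daemon: if the conversion loops forever, the JVM can still exit.
        probe.setDaemon(true);
        probe.start();
        probe.join(timeoutMillis);
        return !probe.isAlive();
    }

    public static void main(String[] args) throws InterruptedException {
        // Same information as "java -version", read from system properties.
        System.out.println("java.version         = " + System.getProperty("java.version"));
        System.out.println("java.runtime.version = " + System.getProperty("java.runtime.version"));
        System.out.println("java.vendor          = " + System.getProperty("java.vendor"));

        long timeoutMillis = 2000; // assumed bound; the hang is indefinite, so any sane value works
        boolean completed = parsesWithinTimeout(TRIGGER, timeoutMillis);

        if (completed) {
            System.out.println("Conversion completed: this JRE does not show the CVE-2010-4476 hang.");
        } else {
            System.out.println("Conversion did not complete within " + timeoutMillis
                    + " ms: this JRE appears affected, apply the fix from section III.");
        }
    }
}
```

Compile and run it with the JRE under test (`javac Cve20104476Check.java && java Cve20104476Check`). Run it against the exact runtime your application servers use, not just the default `java` on the PATH, since the advisory covers several installed SDK generations on the same host.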
III. FIXES
A fix is available, and it can be downloaded from:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
IV. WORKAROUNDS
None
V. CONTACT INFORMATION
If you would like to receive AIX Security Advisories via email,
please visit:
http://www14.software.ibm.com/webapp/set2/subscriptions/pqvcmjd
Comments regarding the content of this announcement can be
directed to:
This e-mail address is protected from spambots. You need JavaScript enabled to view it.
To request the PGP public key that can be used to communicate
securely with the AIX Security Team you can either:
A. Send an email with "get key" in the subject line to:
This e-mail address is protected from spambots. You need JavaScript enabled to view it.
B. Download the key from a PGP Public Key Server. The key ID is:
0x28BFAA12
Please contact your local IBM AIX support center for any
assistance.
eServer is a trademark of International Business Machines
Corporation. IBM, AIX and pSeries are registered trademarks of
International Business Machines Corporation. All other trademarks
are property of their respective holders.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (AIX)
iD8DBQFNXyHr4fmd+Ci/qhIRAkGhAJsFGHNWGewHbJZhvBpWXDDApTouQQCgmEmL
DvaRFNCApQmJZpA9cQIHD7Q=
=wRBv
-----END PGP SIGNATURE-----