=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN105
_____________________________________________________________________

DATE                      : 11/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Java SE, Java for Business.

======================================================================
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
______________________________________________________________________

Oracle Security Alert for CVE-2010-4476

Description

This Security Alert addresses security issue CVE-2010-4476 (Java Runtime
Environment hangs when converting "2.2250738585072012e-308" to a binary
floating-point number), which is a vulnerability in the Java Runtime
Environment component of the Oracle Java SE and Java for Business products.
This vulnerability allows unauthenticated network attacks (i.e. it may
be exploited over a network without the need for a username and password).
Successful attack of this vulnerability can result in unauthorized ability
to cause a hang or frequently repeatable crash (complete Denial of Service)
of the Java Runtime Environment. Java based application and web servers are
especially at risk from this vulnerability.
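As an added example (not part of the Oracle alert or of this CERT-Renater note), the following Java probe lets an administrator check whether a given JRE is affected: it parses the value quoted above on a daemon thread under a timeout, so an affected JVM is reported rather than left hanging the probe. The class name, timeout and exit code are assumptions; the code avoids Java 7+ syntax so it compiles on the JDK 5/6 releases listed below.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Reports whether the running JRE is affected by CVE-2010-4476. */
public class Cve20104476Probe {
    // Value quoted in the alert: an affected JRE never returns from parsing it.
    static final String TRIGGER = "2.2250738585072012e-308";

    /** True if Double.parseDouble(s) completes within timeoutMs. */
    static boolean parsesWithin(final String s, long timeoutMs)
            throws InterruptedException {
        ExecutorService ex = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "fp-probe");
                t.setDaemon(true); // a spinning parser must not block JVM exit
                return t;
            }
        });
        try {
            Future<Double> f = ex.submit(new Callable<Double>() {
                public Double call() { return Double.parseDouble(s); }
            });
            f.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;                // parse finished: fixed JRE
        } catch (TimeoutException e) {
            return false;               // still looping after the timeout: affected
        } catch (ExecutionException e) {
            throw new IllegalStateException(e.getCause());
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        boolean ok = parsesWithin(TRIGGER, 5000); // 5 s is an assumed, generous bound
        System.out.println("java.version=" + System.getProperty("java.version")
            + " -> " + (ok ? "parse completed: not affected"
                           : "parse timed out: AFFECTED by CVE-2010-4476"));
        if (!ok) System.exit(2); // non-zero so inventory scripts can flag the host
    }
}
```

Run it once per installed JRE (each JDK/JRE has its own copy of the affected class), then apply the Floating Point Updater Tool referenced in the patch table and rerun to confirm the fix.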


Supported Products Affected

The security vulnerability addressed by this Security Alert affects the products
listed in the categories below.  Please click on the link in the Patch
Availability Table to access the documentation for those patches.

Affected product releases and versions:
Java SE
JDK and JRE 6 Update 23 and earlier for Windows, Solaris, and Linux
JDK 5.0 Update 27 and earlier for Solaris 9
SDK 1.4.2_29 and earlier for Solaris 8

Java for Business
JDK and JRE 6 Update 23 and earlier for Windows, Solaris and Linux
JDK and JRE 5.0 Update 27 and earlier for Windows, Solaris and Linux
SDK and JRE 1.4.2_29 and earlier for Windows, Solaris and Linux

Patch Availability Table

Product Group                        : Oracle Java SE and Java for Business
Risk Matrix                          : Oracle Java SE and Java for Business
                                       Risk Matrix
Patch Availability and Installation  : Oracle Security Alert for CVE-2010-4476,
Information                            My Oracle Support Note 1291950.1;
                                       Java SE Floating Point Updater Tool


References

    * Oracle Critical Patch Updates and Security Alerts main page
      [ Oracle Technology Network ]
    * Oracle Critical Patch Updates and Security Alerts - Frequently Asked
      Questions [ CPU FAQ ]
    * Risk Matrix definitions [ Risk Matrix Definitions ]
    * Use of Common Vulnerability Scoring System (CVSS) by Oracle
      [ Oracle CVSS Scoring ]
    * English text version of risk matrix [ Oracle Technology Network ]
    * Previous Security Advisories for Java SE and Java for Business
      Security Updates [ Java Sun Alerts Archive Page ]


Modification History

Date                  Comments
2011-February-08      Rev 1. Initial Release


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================

