Interstage Application Server: JRE vulnerability on parsing floating-point strings (CVE-2010-4476). May 30th, 2011
1. Description
The JRE hangs when converting a specific floating-point (hereafter FP) string, such as "2.2250738585072012e-308", to a binary floating-point number with the java.lang.Double class. The process that calls java.lang.Double goes into an infinite loop.
This problem affects a system in the following case:
a) The application receives an FP number string and converts it to binary format, and
b) The application is open to the public, so an attacker can send the malicious data to it.
Servlet service satisfies case a). Therefore, a Java application which uses Servlet service is affected by this vulnerability if it receives such data. Such an application is vulnerable with or without the above case b).
2. Impact
If a system is open to anyone on the Internet, an attacker is able to make the system go into an infinite loop, resulting in Denial of Service.
If an application server which is open on the Internet (or as a public service) uses Servlet service, the Servlet service might get into a Denial of Service condition.
However, if the system is open only to limited clients, the impact might be less.
When this problem happens, kill the Java process.
3. Affected systems and corresponding action
3-1. Affected systems:
GP7000F, PRIMEPOWER, PRIMERGY, GP5000, CELSIUS, FMV, AT compatible machine, PRIMEQUEST, SPARC Enterprise
3-2. Affected products and required patch
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Application Server Enterprise Edition | V6.0 | Linux32 | FJSVawjdk-j2sdk131-6.0-1.0/FJSVawjdk-j2re131-6.0-1.0/FJSVawjdk-j2sdk141-6.0-1.0/FJSVawjdk-j2re141-6.0-1.0/FJSVawjdk-j2sdk131np-6.0-1.0/FJSVawjdk-j2re131np-6.0-1.0/FJSVawjdk-j2sdk141np-6.0-1.0/FJSVawjdk-j2re141np-6.0-1.0 | * |
Interstage Application Server Enterprise Edition | V7.0 | Linux32 | FJSVawjdk-j2re131np-7.0-1.0/FJSVawjdk-j2sdk142np-7.0-1.0/FJSVawjdk-j2re142np-7.0-1.0/FJSVawjdk-j2sdk131np-7.0-1.0 | * |
Interstage Application Server Enterprise Edition | V7.0.1 | Linux32 | FJSVawjdk-j2sdk131np-7.1-1.0/FJSVawjdk-j2sdk142np-7.1-1.0/FJSVawjdk-j2re142np-7.1-1.0/FJSVawjdk-j2re131np-7.1-1.0 | * |
Interstage Application Server Enterprise Edition | 8.0.0 | Linux32 | FJSVawjdk-j2re142np4-8.0-1.0/FJSVawjdk-j2sdk142np4-8.0-1.0 | * |
Interstage Application Server Enterprise Edition | 8.0.2 | Linux32 | FJSVawjdk-j2re142np4-8.0-1.0/FJSVawjdk-j2sdk142np4-8.0-1.0 | * |
Interstage Application Server Enterprise Edition | V9.0.0 | Linux32 | FJSVawjdk-j2sdk142np4-9.0-1.0/FJSVawjdk-j2re142np4-9.0-1.0/FJSVawjdk-j2sdk50np4-9.0-1.0/FJSVawjdk-j2re50np4-9.0-1.0/FJSVawjdk-j2sdk50np5-9.0-1.0/FJSVawjdk-j2re50np5-9.0-1.0 | * |
Interstage Application Server Enterprise Edition | V9.1.0 | Linux32 | FJSVawjdk-j2sdk142np4-9.1-1.0/FJSVawjdk-j2re142np4-9.1-1.0/FJSVawjdk-j2sdk50np4-9.1-1.0/FJSVawjdk-j2re50np4-9.1-1.0/FJSVawjdk-j2sdk50np5-9.1-1.0/FJSVawjdk-j2re50np5-9.1-1.0 | * |
Interstage Application Server Enterprise Edition | V9.1.0B | Linux32 | FJSVawjdk-j2sdk142np4-9.1-1.0/FJSVawjdk-j2re142np4-9.1-1.0/FJSVawjdk-j2sdk50np4-9.1-1.0/FJSVawjdk-j2re50np4-9.1-1.0/FJSVawjdk-j2sdk50np5-9.1-1.0/FJSVawjdk-j2re50np5-9.1-1.0 | * |
Interstage Application Server Enterprise Edition | V9.2.0 | Linux32 | FJSVawjdk-j2sdk142np4-9.2-1.0/FJSVawjdk-j2re142np4-9.2-1.0/FJSVawjdk-j2sdk50np4-9.2-1.0/FJSVawjdk-j2re50np4-9.2-1.0/FJSVawjdk-j2sdk6np4-9.2-1.0/FJSVawjdk-j2re6np4-9.2-1.0/FJSVawjdk-j2sdk50np5-9.2-1.0/FJSVawjdk-j2re50np5-9.2-1.0/FJSVawjdk-j2sdk6np5-9.2-1.0/FJSVawjdk-j2re6np5-9.2-1.0 | * |
Interstage Application Server Enterprise Edition | V9.3.1 | Linux32 | FJSVawjdk-j2sdk142np4-9.2-1.0/FJSVawjdk-j2re142np4-9.2-1.0/FJSVawjdk-j2sdk50np4-9.3-1.0/FJSVawjdk-j2re50np4-9.3-1.0/FJSVawjdk-j2sdk6np4-9.3-1.0/FJSVawjdk-j2re6np4-9.3-1.0/FJSVawjdk-j2sdk50np5-9.3-1.0/FJSVawjdk-j2re50np5-9.3-1.0/FJSVawjdk-j2sdk6np5-9.3-1.0/FJSVawjdk-j2re6np5-9.3-1.0/FJSVawjdk-j2sdk50np6-9.3.1-1.0.i386/FJSVawjdk-j2re50np6-9.3.1-1.0.i386/FJSVawjdk-j2sdk6np6-9.3.1-1.0.i386/FJSVawjdk-j2re6np6-9.3.1-1.0.i386 | * |
Interstage Application Server Plus | V7.0 | Linux32 | FJSVawjdk-j2re131np-7.0-1.0/FJSVawjdk-j2sdk142np-7.0-1.0/FJSVawjdk-j2re142np-7.0-1.0/FJSVawjdk-j2sdk131np-7.0-1.0 | * |
Interstage Application Server Plus | V7.0.1 | Linux32 | FJSVawjdk-j2sdk131np-7.1-1.0/FJSVawjdk-j2sdk142np-7.1-1.0/FJSVawjdk-j2re142np-7.1-1.0/FJSVawjdk-j2re131np-7.1-1.0 | * |
Interstage Application Server Standard-J Edition | 8.0.0 | Linux32 | FJSVawjdk-j2re142np4-8.0-1.0/FJSVawjdk-j2sdk142np4-8.0-1.0 | * |
Interstage Application Server Standard-J Edition | 8.0.2 | Linux32 | FJSVawjdk-j2re142np4-8.0-1.0/FJSVawjdk-j2sdk142np4-8.0-1.0 | * |
Interstage Application Server Standard-J Edition | V9.0.0 | Linux32 | FJSVawjdk-j2sdk142np4-9.0-1.0/FJSVawjdk-j2re142np4-9.0-1.0/FJSVawjdk-j2sdk50np4-9.0-1.0/FJSVawjdk-j2re50np4-9.0-1.0/FJSVawjdk-j2sdk50np5-9.0-1.0/FJSVawjdk-j2re50np5-9.0-1.0 | * |
Interstage Application Server Standard-J Edition | V9.1.0 | Linux32 | FJSVawjdk-j2sdk142np4-9.1-1.0/FJSVawjdk-j2re142np4-9.1-1.0/FJSVawjdk-j2sdk50np4-9.1-1.0/FJSVawjdk-j2re50np4-9.1-1.0/FJSVawjdk-j2sdk50np5-9.1-1.0/FJSVawjdk-j2re50np5-9.1-1.0 | * |
Interstage Application Server Standard-J Edition | V9.1.0B | Linux32 | FJSVawjdk-j2sdk142np4-9.1-1.0/FJSVawjdk-j2re142np4-9.1-1.0/FJSVawjdk-j2sdk50np4-9.1-1.0/FJSVawjdk-j2re50np4-9.1-1.0/FJSVawjdk-j2sdk50np5-9.1-1.0/FJSVawjdk-j2re50np5-9.1-1.0 | * |
Interstage Application Server Standard-J Edition | V9.2.0 | Linux32 | FJSVawjdk-j2sdk142np4-9.2-1.0/FJSVawjdk-j2re142np4-9.2-1.0/FJSVawjdk-j2sdk50np4-9.2-1.0/FJSVawjdk-j2re50np4-9.2-1.0/FJSVawjdk-j2sdk6np4-9.2-1.0/FJSVawjdk-j2re6np4-9.2-1.0/FJSVawjdk-j2sdk50np5-9.2-1.0/FJSVawjdk-j2re50np5-9.2-1.0/FJSVawjdk-j2sdk6np5-9.2-1.0/FJSVawjdk-j2re6np5-9.2-1.0 | * |
Interstage Application Server Standard-J Edition | V9.3.1 | Linux32 | FJSVawjdk-j2sdk142np4-9.2-1.0/FJSVawjdk-j2re142np4-9.2-1.0/FJSVawjdk-j2sdk50np4-9.3-1.0/FJSVawjdk-j2re50np4-9.3-1.0/FJSVawjdk-j2sdk6np4-9.3-1.0/FJSVawjdk-j2re6np4-9.3-1.0/FJSVawjdk-j2sdk50np5-9.3-1.0/FJSVawjdk-j2re50np5-9.3-1.0/FJSVawjdk-j2sdk6np5-9.3-1.0/FJSVawjdk-j2re6np5-9.3-1.0/FJSVawjdk-j2sdk50np6-9.3.1-1.0.i386/FJSVawjdk-j2re50np6-9.3.1-1.0.i386/FJSVawjdk-j2sdk6np6-9.3.1-1.0.i386/FJSVawjdk-j2re6np6-9.3.1-1.0.i386 | * |
Interstage Application Server Enterprise Edition(64bit) | V9.2.0 | Linux64-EM64T | FJSVawjdk-j2re50np5-9.2-1.0/FJSVawjdk-j2sdk50np5-9.2-1.0/FJSVawjdk-j2re6np5-9.2-1.0/FJSVawjdk-j2sdk6np5-9.2-1.0 | * |
Interstage Application Server Enterprise Edition(64bit) | V9.3.1 | Linux64-EM64T | FJSVawjdk-j2re50np6-9.3.1-1.0.x86_64/FJSVawjdk-j2sdk50np6-9.3.1-1.0.x86_64/FJSVawjdk-j2re6np6-9.3.1-1.0.x86_64/FJSVawjdk-j2sdk6np6-9.3.1-1.0.x86_64 | * |
Interstage Application Server Standard-J Edition(64bit) | V9.2.0 | Linux64-EM64T | FJSVawjdk-j2re50np5-9.2-1.0/FJSVawjdk-j2sdk50np5-9.2-1.0/FJSVawjdk-j2re6np5-9.2-1.0/FJSVawjdk-j2sdk6np5-9.2-1.0 | * |
Interstage Application Server Standard-J Edition(64bit) | V9.3.1 | Linux64-EM64T | FJSVawjdk-j2re50np6-9.3.1-1.0.x86_64/FJSVawjdk-j2sdk50np6-9.3.1-1.0.x86_64/FJSVawjdk-j2re6np6-9.3.1-1.0.x86_64/FJSVawjdk-j2sdk6np6-9.3.1-1.0.x86_64 | * |
Interstage Application Server Enterprise Edition | V7.0 | Linux64-IPF | FJSVawjdk-j2re142np-7.0-1.0/FJSVawjdk-j2sdk142np-7.0-1.0 | * |
Interstage Application Server Enterprise Edition | 8.0.0 | Linux64-IPF | FJSVawjdk-j2sdk142np4-8.0-1.0/FJSVawjdk-j2re142np4-8.0-1.0 | * |
Interstage Application Server Enterprise Edition | 8.0.1 | Linux64-IPF | FJSVawjdk-j2sdk142np4-8.0-1.1/FJSVawjdk-j2re142np4-8.0-1.1 | * |
Interstage Application Server Enterprise Edition | 8.0.2 | Linux64-IPF | FJSVawjdk-j2re142np4-8.0-1.1/FJSVawjdk-j2sdk142np4-8.0-1.1 | * |
Interstage Application Server Enterprise Edition | V9.0.0 | Linux64-IPF | FJSVawjdk-j2sdk142np4-9.0-1.0/FJSVawjdk-j2re50np4-9.0-1.0/FJSVawjdk-j2re142np4-9.0-1.0/FJSVawjdk-j2sdk50np4-9.0-1.0/FJSVawjdk-j2re50np5-9.0-1.0/FJSVawjdk-j2sdk50np5-9.0-1.0 | * |
Interstage Application Server Enterprise Edition | V9.0.0A | Linux64-IPF | FJSVawjdk-j2sdk142np4-9.0-1.0/FJSVawjdk-j2re50np4-9.0-1.0/FJSVawjdk-j2re142np4-9.0-1.0/FJSVawjdk-j2sdk50np4-9.0-1.0/FJSVawjdk-j2re50np5-9.0-1.0/FJSVawjdk-j2sdk50np5-9.0-1.0 | * |
Interstage Application Server Enterprise Edition | V9.1.0 | Linux64-IPF | FJSVawjdk-j2re50np4-9.1-1.0/FJSVawjdk-j2re142np4-9.1-1.0/FJSVawjdk-j2sdk142np4-9.1-1.0/FJSVawjdk-j2sdk50np4-9.1-1.0/FJSVawjdk-j2sdk50np5-9.1-1.0/FJSVawjdk-j2re50np5-9.1-1.0 | * |
Interstage Application Server Enterprise Edition | V9.2.0 | Linux64-IPF | FJSVawjdk-j2re142np4-9.2-1.0/FJSVawjdk-j2sdk50np4-9.2-1.0/FJSVawjdk-j2sdk142np4-9.2-1.0/FJSVawjdk-j2re50np4-9.2-1.0/FJSVawjdk-j2sdk50np5-9.2-1.0/FJSVawjdk-j2re50np5-9.2-1.0 | * |
Interstage Application Server Standard-J Edition | V9.0.0 | Linux64-IPF | FJSVawjdk-j2sdk142np4-9.0-1.0/FJSVawjdk-j2re50np4-9.0-1.0/FJSVawjdk-j2re142np4-9.0-1.0/FJSVawjdk-j2sdk50np4-9.0-1.0/FJSVawjdk-j2re50np5-9.0-1.0/FJSVawjdk-j2sdk50np5-9.0-1.0 | * |
Interstage Application Server Standard-J Edition | V9.1.0 | Linux64-IPF | FJSVawjdk-j2re50np4-9.1-1.0/FJSVawjdk-j2re142np4-9.1-1.0/FJSVawjdk-j2sdk142np4-9.1-1.0/FJSVawjdk-j2sdk50np4-9.1-1.0/FJSVawjdk-j2sdk50np5-9.1-1.0/FJSVawjdk-j2re50np5-9.1-1.0 | * |
Interstage Application Server Standard-J Edition | V9.2.0 | Linux64-IPF | FJSVawjdk-j2re142np4-9.2-1.0/FJSVawjdk-j2sdk50np4-9.2-1.0/FJSVawjdk-j2sdk142np4-9.2-1.0/FJSVawjdk-j2re50np4-9.2-1.0/FJSVawjdk-j2sdk50np5-9.2-1.0/FJSVawjdk-j2re50np5-9.2-1.0 | * |
Interstage Application Server Enterprise Edition(with Strong Encryption) | 5.0.1 | Solaris | FJSVawjdk | * |
Interstage Application Server Enterprise Edition | 6.0 | Solaris | FJSVawjdk | * |
Interstage Application Server Enterprise Edition | 7.0 | Solaris | FJSVawjdk | * |
Interstage Application Server Enterprise Edition | 7.0.1 | Solaris | FJSVawjdk | * |
Interstage Application Server Enterprise Edition | 8.0.0 | Solaris | FJSVjdk13/FJSVjdk14 | * |
Interstage Application Server Enterprise Edition | 8.0.2 | Solaris | FJSVjdk13/FJSVjdk14 | * |
Interstage Application Server Enterprise Edition | V9.0.0 | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Enterprise Edition | V9.0.0B | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Enterprise Edition | V9.1.0 | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Enterprise Edition | V9.1.0B | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Enterprise Edition | V9.2.0 | Solaris | FJSVjdk14/FJSVjdk5/FJSVjdk6 | * |
Interstage Application Server Plus | 7.0 | Solaris | FJSVawjdk | * |
Interstage Application Server Plus | 7.0.1 | Solaris | FJSVawjdk | * |
Interstage Application Server Standard-J Edition | 8.0.0 | Solaris | FJSVjdk13/FJSVjdk14 | * |
Interstage Application Server Standard-J Edition | 8.0.2 | Solaris | FJSVjdk13/FJSVjdk14 | * |
Interstage Application Server Standard-J Edition | V9.0.0 | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Standard-J Edition | V9.1.0 | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Standard-J Edition | V9.1.0B | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Server Standard-J Edition | V9.2.0 | Solaris | FJSVjdk14/FJSVjdk5/FJSVjdk6 | * |
Interstage Application Server Enterprise Edition | V6.0 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V7.0 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V7.0.1 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | 8.0.0 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | 8.0.1 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | 8.0.2 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V9.0.0 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V9.0.0A | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V9.1.0 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V9.1.0B | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V9.2.0 | Windows32 | - | * |
Interstage Application Server Plus | V5.0.1 | Windows32 | - | * |
Interstage Application Server Plus | V6.0 | Windows32 | - | * |
Interstage Application Server Plus | V7.0 | Windows32 | - | * |
Interstage Application Server Plus | V7.0.1 | Windows32 | - | * |
Interstage Application Server Standard-J Edition | 8.0.0 | Windows32 | - | * |
Interstage Application Server Standard-J Edition | 8.0.1 | Windows32 | - | * |
Interstage Application Server Standard-J Edition | 8.0.2 | Windows32 | - | * |
Interstage Application Server Standard-J Edition | V9.0.0 | Windows32 | - | * |
Interstage Application Server Standard-J Edition | V9.0.0A | Windows32 | - | * |
Interstage Application Server Standard-J Edition | V9.0.0B | Windows32 | - | * |
Interstage Application Server Standard-J Edition | V9.1.0 | Windows32 | - | * |
Interstage Application Server Standard-J Edition | V9.1.0B | Windows32 | - | * |
Interstage Application Server Standard-J Edition | V9.2.0 | Windows32 | - | * |
Interstage Application Server Enterprise Edition | V9.2.0 | Windows64-EM64T | - | * |
Interstage Application Server Standard-J Edition | V9.2.0 | Windows64-EM64T | - | * |
Interstage Application Server Enterprise Edition | 8.0.0 | Windows64-IPF | - | * |
Interstage Application Server Enterprise Edition | V9.0.0 | Windows64-IPF | - | * |
Interstage Application Server Enterprise Edition | V9.1.0 | Windows64-IPF | - | * |
Interstage Application Server Enterprise Edition | V9.2.0 | Windows64-IPF | - | * |
Interstage Application Server Standard-J Edition | V9.0.0 | Windows64-IPF | - | * |
Interstage Application Server Standard-J Edition | V9.1.0 | Windows64-IPF | - | * |
Interstage Application Server Standard-J Edition | V9.2.0 | Windows64-IPF | - | * |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Application Development Cycle Manager Standard Edition | V10.0.0A | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Application Development Cycle Manager Standard Edition | V10.0.0 | Windows32 | - | * |
Interstage Application Development Cycle Manager Standard Edition | V10.0.0A | Windows32 | - | * |
Interstage Application Development Cycle Manager Standard Edition | V10.1.0 | Windows32 | - | * |
Interstage Application Development Cycle Manager Enterprise Edition | V10.1.0 | Windows32 | - | * |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Business Application Server Enterprise Edition | 8.0.0 | Linux64-IPF | FJSVawjdk-j2sdk142np4-8.0-1.0/FJSVawjdk-j2re142np4-8.0-1.0 | * |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Job Workload Server | 8.1.0 | Linux64-IPF | FJSVawjdk-j2sdk142np4-8.0-1.1/FJSVawjdk-j2re142np4-8.0-1.1 | * |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Interstage Service Integrator Enterprise Edition | V9.0.0 | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Service Integrator Enterprise Edition | V9.0.0A | Solaris | FJSVjdk14/FJSVjdk5 | * |
Interstage Service Integrator Standard Edition | V9.0.0 | Windows32 | - | * |
Interstage Service Integrator Standard Edition | V9.0.0A | Windows32 | - | * |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker Availability View Enterprise Edition | V13.3.0 | Windows32 | - | * |
Systemwalker Availability View Enterprise Edition | V13.3.0A | Windows32 | - | * |
Systemwalker Availability View Standard Edition | V13.3.0 | Windows32 | - | * |
Systemwalker Availability View Standard Edition | V13.3.0A | Windows32 | - | * |
Products | Version | Target OS | Package name | Patch ID. |
---|---|---|---|---|
Systemwalker IT Process Master Standard Edition | V13.3.1 | Windows32 | - | * |
* For the solution, please refer to "3-3. Workaround".
Note: Determining the affected product
To check the software version, refer to the "FUJITSU SOFTWARE RELEASE GUIDE" supplied with the product.
- In Solaris
To determine if the package is installed, the following command may be used:
pkginfo -l 'Package name'
The version of Java can be determined as follows:
/opt/FJSVawjbk/{jdk|jre}{12c|12e|13|14|5|6}/bin/java -version
- In Linux
To determine if the package is installed, the following command may be used:
rpm -qa | grep 'Package name'
The version of Java can be determined as follows:
/opt/FJSVawjbk/{jdk|jre}{13|14|5|6}/bin/java -version
- In Windows
The version of Java can be determined as follows:
< JDK/JRE installed folder >\bin\java -version
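The version string alone does not show whether the JRE has been updated. As an added check that is not part of this bulletin or of Fujitsu's update tool, the class below (hypothetical name FpParseCheck) runs the conversion from section 1 on the JRE that executes it, inside a daemon thread with a time limit, so an unpatched JRE is reported as VULNERABLE instead of hanging the shell. It avoids Java 5+ language features so it compiles and runs on the JDK 1.3/1.4/5/6 levels listed above.

```java
/**
 * Added check, not part of the bulletin or of Fujitsu's tool: parses the FP
 * string from section 1 in a daemon thread and waits a bounded time for it.
 * A patched JRE returns at once; a vulnerable one never returns, so join()
 * times out and main() reports it. Compile and run with the JRE under test,
 * e.g. /opt/FJSVawjbk/jdk14/bin/java FpParseCheck
 */
public class FpParseCheck implements Runnable {
    // Input quoted in section 1 of the bulletin.
    static final String SAMPLE = "2.2250738585072012e-308";
    // Assumed generous bound; a patched JRE finishes in microseconds.
    static final long TIMEOUT_MS = 5000;

    private volatile boolean finished = false;
    private volatile double result;

    public void run() {
        result = Double.parseDouble(SAMPLE); // loops forever on an unpatched JRE
        finished = true;
    }

    public static void main(String[] args) throws InterruptedException {
        FpParseCheck check = new FpParseCheck();
        Thread t = new Thread(check, "fp-parse-check");
        t.setDaemon(true); // a hung parser must not keep the JVM alive
        t.start();
        t.join(TIMEOUT_MS); // returns early once run() completes

        String jre = System.getProperty("java.version")
                + " at " + System.getProperty("java.home");
        if (check.finished) {
            System.out.println("OK: " + jre + " parsed " + SAMPLE
                    + " as " + check.result);
            System.exit(0);
        } else {
            System.out.println("VULNERABLE: " + jre + " did not finish parsing "
                    + SAMPLE + " within " + TIMEOUT_MS + " ms");
            System.exit(1);
        }
    }
}
```

Run it once per JDK/JRE path in the table above; the exit status (0 patched, 1 vulnerable) lets the check be scripted across hosts.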
3-3. Workaround
Apply the tool that updates the JDK/JRE which has the vulnerability.
To obtain the tool, please contact a Fujitsu system engineer or your partner(s).
[Note]
If this problem has already been worked around as described in the initial release of this security bulletin, that is, by using the Oracle FPUpdater Tool, it is not necessary to use this tool.
If the Oracle FPUpdater Tool has never been used for this problem on your system, please use only the tool provided in the second release of this security bulletin. It is not necessary to use the Oracle FPUpdater Tool.
4. Related information
- CVE-2010-4476
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4476
- Oracle Security Alert for CVE-2010-4476
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
5. Revision history
- May 30th, 2011: Second release
  - 3-3. Workaround
    - Remove the description about the Oracle FPUpdater tool.
    - Add the description about the Fujitsu tool.
- April 20th, 2011: Initial release