Sentinel 6.1.2 security vulnerability with JRE double-precision binary floating-point number (CVE-2010-4476)

  • 7008485
  • 29-Apr-2011
  • 26-Apr-2012

Environment

Novell Sentinel 6.1 Support Pack 2 for Linux
Novell Sentinel 6.1 Support Pack 2 for Windows
Novell Sentinel 6.1 Support Pack 2 for Solaris

Situation

CVE-2010-4476 is defined at the following URLs:

https://support.novell.com/security/cve/CVE-2010-4476.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html

The Double.parseDouble method in the Java Runtime Environment in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in Novell Sentinel 6.1 Support Pack 2, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

Sentinel 6.1 Support Pack 2 and Sentinel 6.1 Support Pack 2 Hotfix 1 ship with the following vulnerable Java version: 1.6.0_12

Resolution

Apply the steps described at the following Oracle link to run the FPUpdater tool, which patches the affected rt.jar and resolves the vulnerability.

http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

The JRE instance to be patched is installed under $ESEC_HOME/jre or $ESEC_HOME/jre64, depending on the Sentinel platform. This workaround also applies to the Remote Collector Manager service. After the FPUpdater tool has run once, run it a second time to verify that the patch has been correctly installed.

Stop all Sentinel processes before running the FPUpdater tool and restart them afterwards.
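As an added check that is not part of this TID or of the FPUpdater tool, the following class probes the JRE it runs under with the trigger value quoted above and reports whether Double.parseDouble returns or hangs. It is intended to be run with the Sentinel JRE (for example $ESEC_HOME/jre/bin/java) before and after patching; the five-second bound and the exit codes are assumptions of this example. It uses Java 6 syntax so it compiles for the 1.6.0_12 runtime shipped with Sentinel.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example (not from the Novell TID or Oracle's FPUpdater): reports
 * whether the running JRE hangs on the CVE-2010-4476 trigger string.
 * Run it with the JRE you intend to check, e.g. $ESEC_HOME/jre/bin/java.
 */
public class ParseDoubleCheck {
    /** Trigger value quoted in the advisory text. */
    static final String TRIGGER = "2.2250738585072012e-308";

    /** Assumed bound: a patched JRE parses this in microseconds. */
    static final long TIMEOUT_MS = 5000;

    /**
     * Returns true when parseDouble(s) returns within timeoutMs,
     * false when it is still running (the vulnerable infinite loop).
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMs) {
        // The vulnerable loop never checks the interrupt flag, so the worker
        // is a daemon thread: it must not keep the JVM alive if it spins.
        ExecutorService exec = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> result = exec.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            result.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            result.cancel(true); // best effort; the spinning thread ignores it
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        } catch (ExecutionException e) {
            // NumberFormatException etc. means the call returned, so no hang.
            return true;
        } finally {
            exec.shutdownNow();
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        boolean ok = parsesWithinTimeout(TRIGGER, TIMEOUT_MS);
        if (ok) {
            System.out.println("OK: parseDouble returned; this JRE is not affected by CVE-2010-4476.");
            System.exit(0);
        } else {
            System.out.println("VULNERABLE: parseDouble did not return within "
                    + TIMEOUT_MS + " ms; apply FPUpdater to this JRE.");
            // Explicit exit: the probe thread would otherwise spin forever.
            System.exit(2);
        }
    }
}
```

Compile with javac and run it under the Sentinel JRE, for example `$ESEC_HOME/jre/bin/java ParseDoubleCheck`; exit code 0 means the rt.jar loaded by that JRE is patched, exit code 2 means the hang is still present. Because the probe picks up rt.jar from whichever java binary starts it, running it against the system JRE instead of $ESEC_HOME/jre says nothing about Sentinel.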