Environment
Novell Sentinel 6.1 Support Pack 2 for Linux
Novell Sentinel 6.1 Support Pack 2 for Windows
Novell Sentinel 6.1 Support Pack 2 for Solaris
Situation
CVE-2010-4476 defined at the following URLs:
https://support.novell.com/security/cve/CVE-2010-4476.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
The Double.parseDouble method in Java Runtime Environment in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in Novell Sentinel 6.1 Support Pack 2, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Sentinel 6.1 Support Pack 2 and Sentinel 6.1 Support Pack 2 Hotfix 1 ship with the following vulnerable Java version: 1.6.0_12
Resolution
Follow the steps at the following Oracle link to run the FPUpdater tool, which patches the affected rt.jar and resolves the security vulnerability.
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
The JRE instance to be patched is installed under $ESEC_HOME/jre<64> on the various Sentinel platforms. This workaround also applies to the Remote Collector Manager service. After the FPUpdater tool has run once, run it a second time to verify that the patch has been installed correctly.
Make sure to stop all Sentinel processes before executing the FPUpdater tool and restart them afterwards.
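A quick way to confirm the result on a given JRE, as an added example that is not part of this article or of the FPUpdater tool: the class below feeds the triggering value quoted in the CVE description to Double.parseDouble on a daemon thread and reports whether the call returns. Run it with the Sentinel JRE (for example $ESEC_HOME/jre/bin/java ParseDoubleCheck) before and after applying FPUpdater; the 5-second timeout is an assumption, a healthy JRE parses the value in microseconds.

```java
import java.util.concurrent.atomic.AtomicBoolean;

/**
 * Checks whether the JRE running this class still hangs on the
 * CVE-2010-4476 input. Exit code 0 means parseDouble returned
 * (patched), 1 means it did not return within the timeout (vulnerable).
 */
public class ParseDoubleCheck {

    // The triggering value quoted in the CVE description.
    static final String TRIGGER = "2.2250738585072012e-308";

    // Assumed timeout; an unpatched JRE never returns from the parse.
    static final long TIMEOUT_MS = 5000;

    /** Returns true if parseDouble(input) completes within timeoutMs. */
    static boolean parsesWithinTimeout(final String input, long timeoutMs)
            throws InterruptedException {
        final AtomicBoolean done = new AtomicBoolean(false);
        Thread worker = new Thread(new Runnable() {
            public void run() {
                Double.parseDouble(input);   // loops forever on a vulnerable JRE
                done.set(true);
            }
        });
        // Daemon thread so a hung parser cannot keep the JVM alive.
        worker.setDaemon(true);
        worker.start();
        worker.join(timeoutMs);
        return done.get();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.version = " + System.getProperty("java.version"));
        boolean ok = parsesWithinTimeout(TRIGGER, TIMEOUT_MS);
        if (ok) {
            System.out.println("PATCHED: Double.parseDouble returned normally.");
        } else {
            System.out.println("VULNERABLE: Double.parseDouble did not return within "
                    + TIMEOUT_MS + " ms (CVE-2010-4476).");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Compile it with the same JRE's javac or any Java 5+ compiler targeting 1.6; the check exercises the rt.jar of whichever java binary launches it, so point it at the Sentinel JRE rather than a system-wide Java.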