Thursday, February 10, 2011

Oracle Security Alert for Java

Oracle issued a security alert for Java which reads: "This Security Alert addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number), which is a vulnerability in the Java Runtime Environment component of the Oracle Java SE and Java for Business products. This vulnerability allows unauthenticated network attacks (i.e. it may be exploited over a network without the need for a username and password). Successful attack of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete Denial of Service) of the Java Runtime Environment. Java based application and web servers are especially at risk from this vulnerability."

This alert applies to both the Oracle (formerly Sun) JDK and JRockit, versions 1.5 and 1.6.

For the Oracle JDK the patch is available via an updater tool. For JRockit, refer to Metalink note 1291950.1 for the relevant patch number.

The patch is a jar file and is easy to apply. Put the correct java binary first in the PATH and run:
java -jar fpupdater.jar -u -v
FPUpdater
java.home: /usr/local/java/jdk1.6.0_17/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_17
os.name: Linux
Checking for update for major: 1.6.0 minor: 17
Retrieved update jar file from tool: /usr/local/java/jdk1.6.0_17/jre/tmpUpdate264186544245683182/tmpUpdate4837341576526462084.jar
Updating files. Please note this can take several minutes to run. Allow FPUpdater tool to complete.
Jar file /usr/local/java/jdk1.6.0_17/jre/lib/rt.jar.fpupdater succesfully verified.
Done backup of rt.jar to /usr/local/java/jdk1.6.0_17/jre/lib/rt.jar.fpupdater
Made working copy of rt.jar: /usr/local/java/jdk1.6.0_17/jre/lib/tmpUpdate8923180845720805243/copyofRt.jar
Jar file /usr/local/java/jdk1.6.0_17/jre/lib/tmpUpdate8923180845720805243/copyofRt.jar succesfully verified.
Moving working copy of rt.jar back to live rt.jar.
Update applied successfully to java.home path : /usr/local/java/jdk1.6.0_17/jre
After applying the patch, verify it with:
java -jar fpupdater.jar -t -v
FPUpdater
java.home: /usr/local/java/jdk1.6.0_17/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_17
os.name: Linux
Verification test available
Verification test beginning, this should take less than one minute..
Verification test passed.
Your Java Runtime is patched for java.home: /usr/local/java/jdk1.6.0_17/jre
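The fpupdater -t run above is the vendor's verification; the following is an added self-check (not from the original post or from Oracle's tool) that reproduces the same idea on any JRE: it runs the conversion named in the alert in a daemon thread and reports the JRE as unpatched if the call does not return within a timeout. It keeps the value as a String because an unpatched javac would hang on the same number written as a double literal. The class name, timeout and exit codes are my choices; it is written against Java 5/6 APIs so it can be run with the affected JREs.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/** Self-check for CVE-2010-4476: is Double.parseDouble safe on this JRE? */
public class FpHangCheck {
    // The value quoted in the Oracle alert; an unpatched JRE never returns from
    // converting it. Kept as a String so an unpatched javac does not hang on it.
    static final String TRIGGER = "2.2250738585072012e-308";

    // Returns true if the conversion completes within the timeout (patched),
    // false if it is still spinning when the timeout expires (unpatched).
    static boolean isPatched(long timeoutSeconds) throws Exception {
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "fp-check");
                t.setDaemon(true); // a spinning parse must not keep the JVM alive
                return t;
            }
        });
        Future<Double> result = pool.submit(new Callable<Double>() {
            public Double call() { return Double.parseDouble(TRIGGER); }
        });
        try {
            Double d = result.get(timeoutSeconds, TimeUnit.SECONDS);
            System.out.println("conversion returned " + d
                + " (Double.MIN_NORMAL is " + Double.MIN_NORMAL + ")");
            return true;
        } catch (TimeoutException e) {
            // The busy loop ignores interrupts; the daemon flag lets the JVM exit anyway.
            result.cancel(true);
            return false;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws Exception {
        boolean ok = isPatched(10); // 10 s is generous; a fixed JRE returns instantly
        System.out.println(System.getProperty("java.home") + " / "
            + System.getProperty("java.version")
            + (ok ? ": patched" : ": VULNERABLE, conversion did not return"));
        System.exit(ok ? 0 : 1);
    }
}
```

Compile with a patched JDK and run it with each JRE you want to audit (for example `/usr/local/java/jdk1.6.0_17/jre/bin/java FpHangCheck`); the exit code makes it easy to drive from a fleet inventory script.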