
Forum Thread: Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulner...

This thread was submitted in the following forum:
Vulnerabilities

See the original Secunia advisory:
Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability

Secunia Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability
Secunia Official 9th Feb, 2011 18:08
Ranking: 0
Posts: 0
User Since: -
System Score: -
Location: Copenhagen, DK
Konstantin Preiber has reported a vulnerability in Sun Java, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is caused due to an error in the "doubleValue()" method in FloatingDecimal.java when converting "2.2250738585072012e-308" from a string type to a double precision binary floating point and can be exploited to cause an infinite loop.

The vulnerability is reported in the following products:
* Sun JDK and JRE 6 Update 23 and prior.
* Sun JDK 5.0 Update 27 and prior.
* Sun SDK 1.4.2_29 and prior.
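
An added example (not part of the Secunia advisory or any Secunia tool): a small Python audit that parses Java version strings, bare or as printed by `java -version`, and classifies them against the affected ranges listed above. The host names and inventory are constructed sample data, and matching only the exact 1.6.0, 1.5.0 and 1.4.2 release families is an assumption of this sketch.

```python
import re

# Last affected update per release family, taken from the advisory's product list.
LAST_AFFECTED = {
    (1, 6, 0): 23,  # Sun JDK and JRE 6 Update 23 and prior
    (1, 5, 0): 27,  # Sun JDK 5.0 Update 27 and prior
    (1, 4, 2): 29,  # Sun SDK 1.4.2_29 and prior
}

# Legacy "1.<minor>.<micro>[_<update>]" scheme; the lookbehind stops the
# pattern from matching inside a longer number such as "11.0.2".
VERSION_RE = re.compile(r'(?<![\d.])1\.(\d+)\.(\d+)(?:_(\d+))?')


def parse_version(text):
    """Return ((1, minor, micro), update) or None if no version is found."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    minor, micro, update = m.groups()
    # A release with no "_NN" suffix is the initial build, i.e. update 0.
    return (1, int(minor), int(micro)), int(update or 0)


def classify(text):
    """Classify one version string against the advisory's affected list."""
    parsed = parse_version(text)
    if parsed is None:
        return "unparsed"
    family, update = parsed
    if family not in LAST_AFFECTED:
        return "unlisted"  # family not named in the advisory
    if update <= LAST_AFFECTED[family]:
        return "affected"
    return "newer-than-listed"


def audit(inventory):
    """Map each host to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed sample inventory (hypothetical host names).
SAMPLE_INVENTORY = {
    "build-01": 'java version "1.6.0_23"',
    "app-02": "1.6.0_24-b07",
    "legacy-03": "1.4.2_29",
    "batch-04": 'java version "1.5.0_22"',
    "dev-05": "1.7.0_01",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```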

Anthony Wells RE: Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability
Expert Contributor 10th Feb, 2011 12:16
Score: 2445
Posts: 3,336
User Since: 19th Dec 2007
System Score: N/A
Location: N/A

Hello bjm ,

This is a "vulnerabilities" forum (concerning a specific SA) and all that entails .

Your question re PSI and workaround detection is not relevant to the SA itself and would be better dealt with if you create a new thread in another forum .

Take care

Anthony

--


It always seems impossible until it's done.
Nelson Mandela
Was this reply relevant?
+5
-1
ddmarshall RE: Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability
Dedicated Contributor 10th Feb, 2011 13:03
Score: 1212
Posts: 965
User Since: 8th Nov 2008
System Score: 98%
Location: UK
Last edited on 10th Feb, 2011 13:17
Is the Vendor Workaround offered solely for information....
Yes

or does Secunia PSI 2 Auto Update using Vendor Workarounds as well as Vendor Patches.
No

Does Secunia recommended vendor workarounds as a rule / for this event or does Secunia recommend waiting for release of an official vendor patch.
Secunia don't recommend anything

I have never used the FPUpdater tool ? & I seldom use Java JRE
Oracle recommend waiting for the next scheduled Java update. Using the tool causes complications. This problem has apparently been known about for around 10 years. It's not really a concern for home users.

As I am using PSI v 1.5.0.2....does PSI 2 auto update vendor workarounds.
No


A patch is scheduled for 15th February 2011
http://blogs.oracle.com/security/2011/02/security_...

--
This answer is provided “as-is.” You bear the risk of using it.
Was this reply relevant?
+8
-8

omniplex RE: Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability
Member 11th Feb, 2011 17:58
Score: -1
Posts: 9
User Since: 21st Jan 2011
System Score: N/A
Location: DE
Waiting for the planned update in four days might be a better plan than the hot fix (Oracle claims that the hot fix would confuse a later auto-update). http://www.h-online.com/open/news/item/Oracle-warn...
Was this reply relevant?
+7
-8
tom_1st RE: Sun Java JDK / JRE / SDK "doubleValue()" Denial of Service Vulnerability
Member 16th Feb, 2011 10:52
Score: 12
Posts: 24
User Since: 23rd Jun 2010
System Score: N/A
Location: DE
Last edited on 16th Feb, 2011 10:56
Oracle released a new JDK/JRE 1.6.0_24
http://www.oracle.com/technetwork/java/javase/down...

which fixed the floating point bug and others. A complete list is available here:
http://www.oracle.com/technetwork/topics/security/...

-> Please update PSI to reflect that change
Was this reply relevant?
+7
-1