Potential Denial of Service Attack with Java JDK/JRE hanging in IBM Lotus Notes and Domino (CVE-2010-4476)

Technote (troubleshooting)


This advisory addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting to a binary floating-point number). This vulnerability causes the Java Runtime Environment in Notes or Domino to hang in an infinite loop or crash, resulting in a denial of service. The same hang occurs when the triggering value is written in plain decimal notation rather than scientific notation (324 decimal places).

Resolving the problem

Vulnerable Domino servers are those that run Java applications, servlets or agents and, importantly, perform numerical conversion to binary floating point. Notes clients that run such applications are similarly vulnerable.

Affected Notes/Domino versions

This issue affects the JDK shipped with IBM Lotus Domino server versions 8.0 through 8.0.2.x and 8.5 through 8.5.2.x. It affects the Domino server running on the following operating systems: Windows (32- and 64-bit), AIX (32- and 64-bit), Linux (32- and 64-bit), Solaris, zLinux and IBM i. (Note: Java is not shipped with Domino on IBM i.)

The issue also affects the JDK shipped with Notes client versions 8.0.x through 8.5.2.x. However, Notes clients at risk would be those running Java applications or agents on workstations that are unsecured and accessible to malicious users.

Fix Information

This issue was reported to Quality Engineering as SPR# KLYH8DWMQU and is fixed in 8.5.2 Fix Pack 2 and 8.5.3.

To address this issue in earlier releases, customers are encouraged to patch the Domino server JDK using the instructions below. If you determine that Notes clients in your environment are at risk, you can deploy a patched JVM to those clients as well.

For IBM i, do not use the IBM Update Installer for Java; instead, you should obtain and install the PTFs noted below. Refer to technote 1305543 for more details about obtaining and applying system fixes.

Java Option                 V5R4M0     i 6.1      i 7.1      Domino release
Option 11: 6.0 32-bit J9    SI42688    SI42689    SI42689    8.5.0, 8.5.1, 8.5.2 (Note: 8.5.0 is not supported on i 7.1)
Option 10: 6.0 "classic"    SI42683    SI42678    n/a        8.5.0
Option 8:  5.0 32-bit J9    SI42685    SI42686    n/a        8.0.x
Option 7:  5.0 "classic"    SI42680    SI42682    n/a        8.0.x
Group PTF SF99291           level 26   level 15   level 5

The individual PTFs will be incorporated into the next update of these Group PTFs.

Instructions to apply patch

Review all steps before you begin.

1. Download the Update Installer for Java tool from developerWorks:

2. Using the table below for reference, download the appropriate patch file from

SDK / JRE level    Corresponds to Notes/Domino versions
6                  8.5.x
5.0                8.0.x

3. Review the Readme.html included with the Update Installer for Java tool.

4. Use the instructions described at and the notes below to run the JavaUpdateInstaller.jar tool.

[JAVA_HOME] for all platforms is the binary directory (Program Directory) for Notes or Domino.

For Windows:
  • The default path is "C:\Program Files\IBM\Lotus\Notes" and "C:\Program Files\IBM\Lotus\Domino"
  • On Win32: If you see this error: "[sdk path name] is not a SDK home directory. Provide the valid SDK home directory,"

    a. Run the following command (adapting the path to your environment):
    echo >"C:\Program Files\IBM\Lotus\Domino\jvm\lib\ibmxmlcrypto.jar"

    b. Rerun the patch command.

For UNIX systems:
  • Assuming the default install, the directory to pass to the tool is: /opt/ibm/lotus/notes/latest/<platform>
  • The patch command needs to be run under a super user account.

Note: Subsequent updates to your JDK may remove this patch applied by the IBM Update Installer for Java.
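The Update Installer for Java refuses a path that is not an SDK home directory (the error quoted above), so it helps to verify the [JAVA_HOME] you intend to pass before running the tool. The following POSIX shell pre-flight check is an added example, not IBM's tool or part of this technote; it assumes the Notes/Domino bundled JVM lives under <program directory>/jvm, as the jvm\lib path quoted in the Win32 workaround indicates.

```shell
#!/bin/sh
# Pre-flight check for the directory passed to the Update Installer for Java
# as [JAVA_HOME] on UNIX Domino/Notes installs.  Added example, not IBM's code.
# Assumption: the bundled JVM sits at <program dir>/jvm (lib/ and bin/java).

# check_domino_jvm_dir DIR
#   Returns 0 when DIR looks like a Notes/Domino program directory that
#   contains its bundled JVM; prints the reason and returns 1 otherwise.
check_domino_jvm_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir"
        return 1
    fi
    if [ ! -d "$dir/jvm/lib" ]; then
        echo "missing $dir/jvm/lib: is $dir the Notes/Domino program directory?"
        return 1
    fi
    if [ ! -x "$dir/jvm/bin/java" ]; then
        echo "missing executable $dir/jvm/bin/java"
        return 1
    fi
    echo "ok: $dir"
    return 0
}

# require_superuser
#   Returns 0 only when running as root; the technote requires the patch
#   command to be run under a super user account on UNIX systems.
require_superuser() {
    [ "$(id -u)" -eq 0 ]
}

# Typical use, with <platform> replaced by your platform subdirectory:
#   check_domino_jvm_dir /opt/ibm/lotus/notes/latest/<platform> && require_superuser
```

Run the check against the same path you will hand to JavaUpdateInstaller.jar; a non-zero exit means the tool would reject it too.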

Related Information
Oracle Security Alert for CVE-2010-4476

Cross Reference Information
Several IBM Lotus software products rely on the IBM Lotus Domino server. These include:
  • Lotus Foundations
  • Lotus iNotes
  • Lotus Quickr for Domino
  • Lotus Sametime
  • Lotus Notes Traveler

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 5
Impact Subscore: 2.9
Exploitability Subscore: 10
CVSS Temporal Score: 4.1
CVSS Environmental Score: Undefined*
Overall CVSS Score: 4.1
Base Score Metrics:
    • Related exploit range/Attack Vector: Network
    • Access Complexity: Low
    • Authentication: None
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Partial
Temporal Score Metrics:
    • Exploitability: Functional Exploit Exists
    • Remediation Level: Official Fix
    • Report Confidence: Confirmed

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Related information

Fix Available: Denial of Service Security Exposure with
Protecting Lotus Quickr for Domino from issue documente
A simplified Chinese translation is available

Cross reference information
Segment Product Component Platform Version Edition
Messaging Applications IBM Notes Not Applicable 8.5, 8.0
Messaging Applications IBM Traveler Not Applicable 8.5, 8.0.1
Messaging Applications IBM iNotes Not Applicable 8.5, 8.0.2

Document information

More support for: IBM Domino

Software version: 8.0, 8.5

Operating system(s): AIX, IBM i, Linux, Solaris, Windows

Reference #: 1462146

Modified date: 06 April 2011