Potential Denial of Service Attack with Java JDK/JRE hanging in IBM Lotus Notes and Domino (CVE-2010-4476)
This advisory addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting a string to a binary floating-point number). This vulnerability causes the Java Runtime Environment in Notes or Domino to hang in an infinite loop and crash, resulting in a denial of service. The same hang occurs when the triggering value is written out in plain decimal notation (324 decimal places) rather than scientific notation.
Resolving the problem
Vulnerable Domino servers are those that run Java applications, servlets or agents and, importantly, perform numerical conversion to binary floating point. Notes clients that run such applications are similarly vulnerable.
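Until the JDK is patched, the exposure described above sits wherever Java code hands a string from an untrusted source (a request parameter, a document field, an uploaded record) to Double.parseDouble. The class below is an added example written for this page and is not IBM's code or part of the Update Installer; the class name, the 64-character length cap and the 250 ms deadline are assumptions chosen for illustration, and it is written against Java 5/6 APIs to match the JDK levels the advisory names. It rejects oversized and oddly shaped input before conversion (the plain-decimal form the advisory mentions needs 324 decimal places, far beyond any legitimate form value) and runs the conversion on a worker thread with a deadline, so a hung conversion never blocks the request thread and each timeout is counted as an alert signal.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.regex.Pattern;

/**
 * Added example, not IBM's code: a guarded front door for decimal strings that
 * arrive from untrusted sources in a Domino agent or servlet. Input is screened
 * before Double.parseDouble sees it, and the conversion runs under a deadline.
 */
public final class GuardedDoubleParser {

    /** Plain decimal literal only: sign, digits, optional fraction, optional exponent. */
    private static final Pattern DECIMAL =
        Pattern.compile("[+-]?(\\d+(\\.\\d*)?|\\.\\d+)([eE][+-]?\\d+)?");

    private final int maxLength;                 // assumed policy value (64 in main below)
    private final long timeoutMillis;            // assumed deadline (250 ms in main below)
    private volatile ExecutorService worker = newWorker();
    private final AtomicInteger timeouts = new AtomicInteger();

    public GuardedDoubleParser(int maxLength, long timeoutMillis) {
        this.maxLength = maxLength;
        this.timeoutMillis = timeoutMillis;
    }

    private static ExecutorService newWorker() {
        // Daemon thread: a conversion that never returns must not keep the JVM alive.
        return Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "guarded-double-parser");
                t.setDaemon(true);
                return t;
            }
        });
    }

    /** Conversions that overran the deadline; any non-zero value deserves an alert. */
    public int timeoutCount() { return timeouts.get(); }

    public double parse(final String raw) throws NumberFormatException, TimeoutException {
        // Gate 1: size. Cap well below the 324 decimal places the advisory mentions.
        if (raw == null || raw.length() > maxLength) {
            throw new NumberFormatException("missing or longer than " + maxLength + " chars");
        }
        // Gate 2: shape. Hex floats, NaN/Infinity, d/f suffixes and whitespace are refused.
        if (!DECIMAL.matcher(raw).matches()) {
            throw new NumberFormatException("not a plain decimal literal");
        }
        // Gate 3: deadline. The conversion runs off the calling thread.
        Future<Double> result = worker.submit(new Callable<Double>() {
            public Double call() { return Double.parseDouble(raw); }
        });
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            timeouts.incrementAndGet();
            result.cancel(true);   // best effort: a CPU-bound conversion loop in an
                                   // unpatched JDK may never observe the interrupt
            worker.shutdown();     // retire the possibly stuck worker so that later
            worker = newWorker();  // requests do not queue behind it
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NumberFormatException("interrupted while converting");
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof NumberFormatException) throw (NumberFormatException) cause;
            throw new NumberFormatException("conversion failed: " + cause);
        }
    }

    /** Demonstration on constructed inputs; none of them is a CVE trigger value. */
    public static void main(String[] args) {
        GuardedDoubleParser parser = new GuardedDoubleParser(64, 250);
        StringBuilder tooLong = new StringBuilder("0.");
        for (int i = 0; i < 100; i++) tooLong.append('1');
        String[] samples = { "3.14", "-2.5e10", "1e400", "0x1p-1022", " 7 ", "NaN", tooLong.toString() };
        for (String s : samples) {
            String shown = s.length() > 20 ? s.substring(0, 20) + "..." : s;
            try {
                System.out.println("accepted [" + shown + "] -> " + parser.parse(s));
            } catch (NumberFormatException e) {
                System.out.println("rejected [" + shown + "]: " + e.getMessage());
            } catch (TimeoutException e) {
                System.out.println("timeout on [" + shown + "], count=" + parser.timeoutCount());
            }
        }
    }
}
```

Two design points. "1e400" is accepted and yields Infinity: overflow is not the problem this advisory describes, so the regex deliberately does not try to reason about magnitude. The deadline is a containment measure, not a fix: the worker thread that overran it may keep spinning on an unpatched JDK, which is why each timeout is counted and the worker is replaced rather than reused. Applying the JDK patch from the instructions below remains the actual remediation.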
Affected Notes/Domino versions
This issue affects the JDK shipped with IBM Lotus Domino server versions 8.0 through 8.0.2.x and 8.5 through 8.5.2.x. Furthermore, it affects the Domino server running on the following operating systems: Windows (32- and 64-bit), AIX (32- and 64-bit), Linux (32- and 64-bit), Solaris, zLinux and IBM i. (Note: Java is not shipped with Domino on IBM i.)
The issue also affects the JDK shipped with Notes client versions 8.0.x through 8.5.2.x. However, Notes clients at risk would be those running Java applications or agents on workstations that are unsecured and accessible to malicious users.
This issue was reported to Quality Engineering as SPR# KLYH8DWMQU and is fixed in 8.5.2 Fix Pack 2 and 8.5.3.
To address this issue in earlier releases, customers are encouraged to patch the Domino server JDK using the instructions below. If you determine that Notes clients in your environment are at risk, you can deploy a patched JVM to those clients as well.
For IBM i, do not use the IBM Update Installer for Java; instead, you should obtain and install the PTFs noted below. Refer to technote 1305543 for more details about obtaining and applying system fixes.
| Java Option   | V5R4M0  | i 6.1   | i 7.1   | Domino release                                               |
|---------------|---------|---------|---------|--------------------------------------------------------------|
| 6.0 32-bit J9 | SI42688 | SI42689 | SI42689 | 8.5.0, 8.5.1, 8.5.2 (Note: 8.5.0 is not supported on i 7.1) |
| 5.0 32-bit J9 |         |         |         |                                                              |

The individual PTFs will be incorporated into the next update of these GROUP PTFs.
Instructions to apply patch
Review all steps before you begin.
1. Download the Update Installer for Java tool from developerWorks: http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html
2. Using the table below for reference, download the appropriate patch file from http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
| SDK / JRE level | Corresponds to Notes/Domino versions |
|-----------------|--------------------------------------|
3. Review the Readme.html included with the Update Installer for Java tool.
4. Use the instructions described at http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html and the notes below to run the JavaUpdateInstaller.jar tool.
[JAVA_HOME] on all platforms is the binary directory (Program Directory) of Notes or Domino.
- The default paths are "C:\Program Files\IBM\Lotus\Notes" and "C:\Program Files\IBM\Lotus\Domino".
- On Win32, if you see the error "[sdk path name] is not a SDK home directory. Provide the valid SDK home directory":
  a. Run the following command (adapting the path to your environment):
     echo >"C:\Program Files\IBM\Lotus\Domino\jvm\lib\ibmxmlcrypto.jar"
  b. Rerun the patch command.
For UNIX systems:
- Assuming the default install, the directory to pass to the tool is /opt/ibm/lotus/notes/latest/<platform>
- The patch command must be run under a super user account.
Note: Subsequent updates to your JDK may remove this patch applied by the IBM Update Installer for Java.
Oracle Security Alert for CVE-2010-4476
Cross Reference Information
Several IBM Lotus software products rely on the IBM Lotus Domino server. These include:
- Lotus Foundations
- Lotus iNotes
- Lotus Quickr for Domino
- Lotus Sametime
- Lotus Notes Traveler
Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 5
- Impact Subscore: 2.9
- Exploitability Subscore: 10
CVSS Temporal Score: 4.1
CVSS Environmental Score: Undefined*
Overall CVSS Score: 4.1
Base Score Metrics:
Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
| Segment                | Product     | Component      | Version    |
|------------------------|-------------|----------------|------------|
| Messaging Applications | IBM Notes   | Not Applicable | 8.5, 8.0   |
| Messaging Applications | IBM Traveler| Not Applicable | 8.5, 8.0.1 |
| Messaging Applications | IBM iNotes  | Not Applicable | 8.5, 8.0.2 |