Potential Denial of Service Attack with Java JDK/JRE hanging in IBM Lotus Notes and Domino (CVE-2010-4476)
This one can be nasty if you use servlets or Java agents that do numerical conversion to binary floating point.
You can find the info in this TN 1462146.
Flash (Alert)

Abstract

A problem in the way that Java handles a specific numerical conversion may be exploited by a malicious user and cause an affected client or server to hang. Several IBM Lotus software products rely on the Java runtime engine or development kit provided by the IBM Lotus Domino server environment. Administrators must apply the appropriate fixes to prevent this exposure.

Content

This advisory addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting to a binary floating-point number). This vulnerability will cause the Java Runtime Environment in Notes or Domino to go into a hang, infinite loop, and crash, resulting in a denial of service. The same hang will occur if the number is written without scientific notation (324 decimal places).

Vulnerable Domino servers are those that run Java applications, servlets or agents and, importantly, perform numerical conversion to binary floating point. Notes clients that run such applications are similarly vulnerable.

Affected Notes/Domino versions

This issue affects the JDK shipped with IBM Lotus Domino server versions 8.0 through 8.0.2.x and 8.5 through 8.5.2.x. Furthermore, it affects the Domino server running on the following operating systems: Windows (32- and 64-bit), AIX (32- and 64-bit), Linux (32- and 64-bit), Solaris, zLinux and IBM i. (Note: Java is not shipped with Domino on IBM i.)

The issue also affects the JDK shipped with Notes client versions 8.0.x through 8.5.2.x. However, Notes clients at risk would be those running Java applications or agents on workstations that are unsecured and accessible to malicious users.

Fix Information

This issue was reported to Quality Engineering as SPR# KLYH8DWMQU and is fixed in 8.5.3, which is targeted for release Q2 2011. You can track progress at the Notes/Domino Update Status page. To address this issue in earlier releases, customers are encouraged to patch the Domino server JDK using the instructions below.

If you determine that Notes clients in your environment are at risk, you can deploy a patched JVM to those clients as well.

For IBM i, do not use the IBM Update Installer for Java; instead, obtain and install the PTFs noted below. Refer to technote 1305543 for more details about obtaining and applying system fixes.

Java Option              | V5R4M0           | i 6.1            | i 7.1           | Domino release
Option 11 6.0 32-bit J9  | SI42688          | SI42689          | SI42689         | 8.5.0, 8.5.1, 8.5.2 (Note: 8.5.0 is not supported on i 7.1)
Option 10 6.0 "classic"  | SI42683          | SI42678          | n/a             | 8.5.0
Option 8 5.0 32-bit J9   | SI42685          | SI42686          | n/a             | 8.0.x
Option 7 5.0 "classic"   | SI42680          | SI42682          | n/a             | 8.0.x
Group PTFs               | SF99291 level 26 | SF99562 level 15 | SF99572 level 5 |

The individual PTFs will be incorporated into the next update of these Group PTFs.

Instructions to apply patch

Review all steps before you begin.

1. Download the Update Installer for Java tool from developerWorks: http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html
2. Using the table below for reference, download the appropriate patch file from http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html

   SDK / JRE level | Corresponds to Notes/Domino versions
   6               | 8.5.x
   5.0             | 8.0.x

3. Review the Readme.html included with the Update Installer for Java tool.
4. Use the instructions described at http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html and the notes below to run the JavaUpdateInstaller.jar tool.

[JAVA_HOME] for all platforms is the binary directory (Program Directory) for Notes or Domino.

For Windows:
* The default path is "C:\Program Files\IBM\Lotus\Notes" and "C:\Program Files\IBM\Lotus\Domino"
* On Win32: If you see this error: "[sdk path name] is not a SDK home directory. Provide the valid SDK home directory,"
  a. Run the following command (adapting the path to your environment): echo >"C:\Program Files\IBM\Lotus\Domino\jvm\lib\ibmxmlcrypto.jar"
  b. Rerun the patch command.

For UNIX systems:
* Assuming the default install, the directory to pass to the tool is: /opt/ibm/lotus/notes/latest/
* The patch command needs to be run under a super user account.

Note: Subsequent updates to your JDK may remove this patch applied by the IBM Update Installer for Java.

Related Information

Oracle Security Alert for CVE-2010-4476

Cross Reference Information

Several IBM Lotus software products rely on the IBM Lotus Domino server. These include:
* Lotus Foundations
* Lotus iNotes
* Lotus Quickr for Domino
* Lotus Sametime
* Lotus Notes Traveler

Security Rating using Common Vulnerability Scoring System (CVSS) v2

CVSS Base Score: 5
  Impact Subscore: 2.9
  Exploitability Subscore: 10
CVSS Temporal Score: 4.1
CVSS Environmental Score: undefined *
Overall CVSS Score: 4.1

Base Score Metrics:
o Related exploit range/Attack Vector: network
o Access Complexity:
o Authentication: none
o Confidentiality Impact: none
o Integrity Impact: none
o Availability Impact: partial

Temporal Score Metrics:
o Exploitability: functional exploit exists
o Remediation Level: official fix
o Report Confidence: confirmed

References:
o CVSS v2 Complete Documentation
o CVSS v2 Online Calculator

* The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.

Related information
* Fix Available: Denial of Service Security Exposure with
* Protecting Lotus Quickr for Domino from issue documente
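The technote says what is exposed (any servlet or Java agent that converts attacker-supplied text to a double) and how to patch the JDK, but not what an application owner can do while the patch is being rolled out. The helper below is an added example written for this post, not code from IBM or from the technote. It wraps Double.parseDouble() with two defences: an input-shape guard that rejects anything longer than a sane decimal (the advisory notes the hang also triggers on the plain-notation form with 324 decimal places, which a length cap refuses outright), and a timeout so that a conversion that hangs fails one request instead of pinning a request thread. The class name, the 40-character cap and the 2-second timeout are my assumptions; the code uses Java 5/6 syntax to match the SDK levels the advisory covers.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import java.util.regex.Pattern;

/**
 * Hypothetical guard around Double.parseDouble() for untrusted text
 * (request parameters, form fields, agent input). Not part of the IBM
 * technote; Java 5/6 syntax to match the JDK levels the advisory covers.
 */
public final class SafeDoubleParser {

    // Assumption: no legitimate input needs more than this. 17 significant
    // digits already round-trip any double, so 40 characters leaves room for
    // sign, point and exponent while rejecting the 324-decimal-place form.
    private static final int MAX_LENGTH = 40;

    // Only the shape of a plain or scientific decimal is let through.
    private static final Pattern SHAPE =
        Pattern.compile("[+-]?(\\d+\\.?\\d*|\\.\\d+)([eE][+-]?\\d+)?");

    // Daemon workers: a worker stuck inside the JRE must not keep the JVM alive.
    private static final ExecutorService POOL =
        Executors.newCachedThreadPool(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "safe-double-parser");
                t.setDaemon(true);
                return t;
            }
        });

    private SafeDoubleParser() {}

    /** Parses raw, or throws NumberFormatException if it is rejected or times out. */
    public static double parse(String raw, long timeoutMillis) {
        if (raw == null) {
            throw new NumberFormatException("null input");
        }
        final String s = raw.trim();
        if (s.length() > MAX_LENGTH || !SHAPE.matcher(s).matches()) {
            throw new NumberFormatException("rejected by input guard (" + s.length() + " chars)");
        }
        // The conversion itself runs on a worker so the caller can give up on it.
        Future<Double> result = POOL.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            result.cancel(true); // best effort: a spin inside the JRE ignores interrupts
            throw new NumberFormatException("conversion exceeded " + timeoutMillis + " ms");
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof NumberFormatException) {
                throw (NumberFormatException) cause;
            }
            throw new NumberFormatException("conversion failed: " + cause);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new NumberFormatException("interrupted while converting");
        }
    }

    public static void main(String[] args) {
        // Constructed sample inputs, as a servlet might receive them.
        StringBuilder longForm = new StringBuilder("0.");
        for (int i = 0; i < 323; i++) {
            longForm.append('0');
        }
        longForm.append('1'); // 324 decimal places: the plain-notation shape the advisory mentions
        String[] samples = { "3.14159", "1e10", "-0.5", "", "12abc", longForm.toString() };
        for (String s : samples) {
            try {
                System.out.println(s.length() + " chars -> " + parse(s, 2000));
            } catch (NumberFormatException e) {
                System.out.println(s.length() + " chars -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Two caveats on the design. The length cap only removes the long plain-notation class the advisory describes; the timeout is the backstop for any short input that still hangs the JRE. And because the advisory characterises the hang as an infinite loop, cancel(true) will not necessarily stop a worker that has already entered it: the thread can keep spinning on a CPU. The wrapper therefore limits the blast radius to one daemon worker per bad input rather than eliminating it, which is exactly why the JDK patch above is the fix and this is only a stop-gap.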