Dennis' Domino Blog

Potential Denial of Service Attack with Java JDK/JRE hanging in IBM Lotus Notes and Domino (CVE-2010-4476)

  02/25/11 08:18, by dennisvr, Categories: IBM, Lotus, security
This one can be nasty if you run servlets or Java agents that convert untrusted numeric input to binary floating point.
The details are in IBM technote TN 1462146, reproduced below.

Flash (Alert)
A problem in the way that Java handles a specific numerical conversion may be exploited by a malicious user and cause an affected client or server to hang. Several IBM Lotus software products rely on the Java runtime engine or development kit provided by the IBM Lotus Domino server environment. Administrators must apply the appropriate fixes to prevent this exposure.

This advisory addresses security issue CVE-2010-4476 (Java Runtime Environment hangs when converting a string to a binary floating-point number). Parsing the malicious value sends the Java Runtime Environment in Notes or Domino into an infinite loop: the JVM hangs, the thread spins, and the result is a denial of service. The same hang occurs if the number is written out without scientific notation (324 decimal places).

Vulnerable Domino servers are those that run Java applications, servlets or agents and, importantly, perform numerical conversion to binary floating point. Notes clients that run such applications are similarly vulnerable.
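As an added check, not part of the technote or of this post, the following Java program tells you whether a given JVM is still affected. It assumes the publicly documented trigger value for CVE-2010-4476, 2.2250738585072012e-308, as published in the Oracle Security Alert referenced below (the technote itself only says "the number"), and it assumes that the Domino-bundled JVM lives under the program directory in jvm\bin, next to the jvm\lib directory the technote mentions. It runs Double.parseDouble on a daemon thread with a timeout so that a vulnerable JVM reports rather than hanging the probe itself, and it tests both the scientific-notation form and the 324-decimal-place plain form the advisory describes.

```java
// Cve20104476Check.java: does this JVM hang on the CVE-2010-4476 trigger value?
// Compile and run it with the JVM you actually want to test, e.g. Domino's own
// (assumed location, based on the jvm\lib path in the technote):
//   "C:\Program Files\IBM\Lotus\Domino\jvm\bin\javac" Cve20104476Check.java
//   "C:\Program Files\IBM\Lotus\Domino\jvm\bin\java"  Cve20104476Check
// Written for Java 5 syntax so it also compiles on the JDK shipped with 8.0.x.
import java.math.BigDecimal;
import java.util.concurrent.atomic.AtomicBoolean;

public class Cve20104476Check {
    // Publicly documented trigger (Oracle Security Alert for CVE-2010-4476).
    // A fixed JVM parses it instantly; an unpatched one loops forever.
    static final String TRIGGER = "2.2250738585072012e-308";

    // How long to wait before declaring the parse hung.
    static final long TIMEOUT_MS = 3000L;

    /**
     * Runs Double.parseDouble(s) on a daemon thread and returns true if it
     * finished within timeoutMs. The daemon flag lets the JVM exit even when
     * the worker is stuck in the conversion loop.
     */
    static boolean parsesWithin(final String s, long timeoutMs) throws InterruptedException {
        final AtomicBoolean done = new AtomicBoolean(false);
        Thread worker = new Thread(new Runnable() {
            public void run() {
                Double.parseDouble(s);   // the call that hangs on an unpatched JVM
                done.set(true);
            }
        }, "parseDouble-probe");
        worker.setDaemon(true);
        worker.start();
        worker.join(timeoutMs);
        return done.get();
    }

    /**
     * The same value without scientific notation. BigDecimal parses the
     * exponent itself, so building it here does not touch the vulnerable code.
     */
    static String plainForm() {
        return new BigDecimal(TRIGGER).toPlainString();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("Testing " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version") + " at " + System.getProperty("java.home"));
        String plain = plainForm();
        System.out.println("Plain form has " + (plain.length() - 2) + " digits after the decimal point");

        // Short-circuit: if the first form already hangs, do not start a second spinning thread.
        boolean ok = parsesWithin(TRIGGER, TIMEOUT_MS) && parsesWithin(plain, TIMEOUT_MS);
        if (ok) {
            System.out.println("OK: both forms parsed; this JVM is not affected by CVE-2010-4476.");
        } else {
            System.out.println("VULNERABLE: Double.parseDouble did not return within "
                    + TIMEOUT_MS + " ms; patch this JVM (see Fix Information).");
            System.exit(1);
        }
    }
}
```

Run it with the Notes or Domino JVM, not the operating system's default java, since Domino ships its own JDK. Because a later JDK update can silently remove the patch applied by the Update Installer (see the note in the patch instructions), run it again after every JDK update as part of change verification.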

Affected Notes/Domino versions

This issue affects the JDK shipped with IBM Lotus Domino server versions 8.0 through 8.0.2.x and 8.5 through 8.5.2.x. It affects the Domino server on the following operating systems: Windows (32- and 64-bit), AIX (32- and 64-bit), Linux (32- and 64-bit), Solaris, zLinux and IBM i. (Note: Java is not shipped with Domino on IBM i; the IBM i JDK is patched separately, see below.)

The issue also affects the JDK shipped with Notes client versions 8.0.x through 8.5.2.x. However, Notes clients at risk would be those running Java applications or agents on workstations that are unsecured and accessible to malicious users.

Fix Information

This issue was reported to Quality Engineering as SPR# KLYH8DWMQU and is fixed in 8.5.3, which is targeted for release Q2 2011. You can track progress at the Notes/Domino Update Status page.

To address this issue in earlier releases, customers are encouraged to patch the Domino server JDK using the instructions below. If you determine that Notes clients in your environment are at risk, you can deploy a patched JVM to those clients as well.

For IBM i, do not use the IBM Update Installer for Java; instead, you should obtain and install the PTFs noted below. Refer to technote 1305543 for more details about obtaining and applying system fixes.

Java Option                 V5R4M0     i 6.1      i 7.1      Domino release
Option 11: 6.0 32-bit J9    SI42688    SI42689    SI42689    8.5.0, 8.5.1, 8.5.2 (8.5.0 is not supported on i 7.1)
Option 10: 6.0 "classic"    SI42683    SI42678    n/a        8.5.0
Option 8:  5.0 32-bit J9    SI42685    SI42686    n/a        8.0.x
Option 7:  5.0 "classic"    SI42680    SI42682    n/a        8.0.x
Group PTFs                  SF99291    SF99562    SF99572
                            level 26   level 15   level 5

The individual PTFs will be incorporated into the next update of these Group PTFs.

Instructions to apply patch

Review all steps before you begin.

1. Download the Update Installer for Java tool from developerWorks:

2. Using the table below for reference, download the appropriate patch file from

SDK / JRE level	Corresponds to Notes/Domino versions
6	8.5.x
5.0	8.0.x

3. Review the Readme.html included with the Update Installer for Java tool.

4. Use the instructions described at and the notes below to run the JavaUpdateInstaller.jar tool.

[JAVA_HOME] for all platforms is the binary directory (Program Directory) for Notes or Domino.

For Windows:

    * The default path is "C:\Program Files\IBM\Lotus\Notes" and "C:\Program Files\IBM\Lotus\Domino"

    * On Win32: If you see this error: "[sdk path name] is not a SDK home directory. Provide the valid SDK home directory,"

      a. Run the following command (adapting the path to your environment):
      echo >"C:\Program Files\IBM\Lotus\Domino\jvm\lib\ibmxmlcrypto.jar"

      b. Rerun the patch command.

For UNIX systems:

    * Assuming the default install, the directory to pass to the tool is: /opt/ibm/lotus/notes/latest/

    * The patch command needs to be run as the superuser (root), since it writes into the Notes/Domino program directory.

Note: Subsequent updates to your JDK may remove the patch applied by the IBM Update Installer for Java. Re-verify after any JDK update.

Related Information
Oracle Security Alert for CVE-2010-4476

Cross Reference Information
Several IBM Lotus software products rely on the IBM Lotus Domino server. These include:

    * Lotus Foundations
    * Lotus iNotes
    * Lotus Quickr for Domino
    * Lotus Sametime
    * Lotus Notes Traveler

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 5.0 (vector AV:N/AC:L/Au:N/C:N/I:N/A:P)
---- Impact Subscore: 2.9
---- Exploitability Subscore: 10.0
CVSS Temporal Score: 4.1
CVSS Environmental Score: undefined*
Overall CVSS Score: 4.1
Base Score Metrics:

          o Related exploit range/Attack Vector: network
          o Access Complexity: low
          o Authentication: none
          o Confidentiality Impact: none
          o Integrity Impact: none
          o Availability Impact: partial

Temporal Score Metrics:

          o Exploitability: functional exploit exists
          o Remediation Level: official fix
          o Report Confidence: confirmed

          o CVSS v2 Complete Documentation
          o CVSS v2 Online Calculator

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
Related information
Fix Available: Denial of Service Security Exposure with
Protecting Lotus Quickr for Domino from issue documente

©2015 by Dennis van Remortel