Access Manager security vulnerability with JRE double-precision binary floating-point number (CVE-2010-4476)

  • 7008129
  • 15-Mar-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Access Administration
Novell Access Manager 3.1 SSLVPN Server
Novell Access Manager 3.1 Windows Novell Identity Server
Novell Access Manager 3.1 Linux Novell Identity Server
Novell Access Manager 3.1 Java Agents
CVE-2010-4476 is defined at https://support.novell.com/security/cve/CVE-2010-4476.html

Situation

The Double.parseDouble method in Java Runtime Environment in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in Novell Access Manager, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

Novell Access Manager ships with these vulnerable JRE versions and is therefore exposed to this denial-of-service attack.

Resolution

Download the FPUpdater tool from http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html and copy the fpupdater.jar file to every Access Manager server (Admin Console, Identity Servers, Access Gateways, SSLVPN servers, Java agents). Then run the following command on each box where the JRE is installed. This updates rt.jar on the system and addresses the floating-point issue.


On Linux and Windows platforms:

- cd to the directory where fpupdater.jar is located

- run

  "/opt/novell/java/jre/bin/java -jar ./fpupdater.jar -u -v" on Linux

  "c:\program files\novell\jre\bin\java -jar ./fpupdater.jar -u -v" or "c:\program files (x86)\novell\jre\bin\java -jar ./fpupdater.jar -u -v" on Windows 2003 or 2008 respectively

After the tool has run once and reported success on the console, run it again to confirm that the patch has been applied (the following output is expected on an Access Manager 3.1 SP3 server):


orch-host3:~/tmp/fpupd/fpupdater # /opt/novell/java/jre/bin/java -jar ./fpupdater.jar -u -v
FPUpdater
java.home: /opt/novell/jdk1.6.0_22/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_22
os.name: Linux
Backup file exists, patch already applied.



Note: After applying the above changes, Tomcat and all other services using Java (such as jcc) must be restarted.
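As an added example (not Novell's own tooling), the following POSIX shell functions let an administrator report, for each JRE home on an Access Manager box, whether its java.version falls in the affected ranges listed above and whether the rt.jar.fpupdater backup that FPUpdater leaves beside rt.jar is already present. The function names, the status wording and the version-parsing rules are my own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Novell TID: report whether a JRE home
# is in a CVE-2010-4476 affected range and whether FPUpdater's backup
# marker (lib/rt.jar.fpupdater) is already present.

# True (0) when a java.version such as 1.6.0_22 is in an affected range
# from the advisory: 6 update <= 23, 5.0 update <= 27, 1.4.2 update <= 29.
jre_version_vulnerable() {
    ver="$1"
    family="${ver%%_*}"      # 1.6.0_22 -> 1.6.0
    update="${ver#*_}"       # 1.6.0_22 -> 22
    [ "$update" = "$ver" ] && update=0   # no _NN suffix: treat as update 0
    update="${update%%-*}"   # drop a -bNN build tag if one is attached
    case "$family" in
        1.6.0) [ "$update" -le 23 ] ;;
        1.5.0) [ "$update" -le 27 ] ;;
        1.4.2) [ "$update" -le 29 ] ;;
        *) return 1 ;;       # other families are outside the advisory
    esac
}

# True (0) when FPUpdater has been applied to the JRE at $1: the tool
# keeps the original rt.jar as lib/rt.jar.fpupdater and reports
# "Backup file exists, patch already applied." on a second run.
fpupdater_applied() {
    [ -f "$1/lib/rt.jar.fpupdater" ]
}

# Print one status line for JRE home $1 at java.version $2.
# Returns 0 when nothing is left to do, 1 when the fix is still missing.
jre_status() {
    home="$1"; ver="$2"
    if ! jre_version_vulnerable "$ver"; then
        echo "$home: java.version $ver is outside the affected ranges"
        return 0
    fi
    if fpupdater_applied "$home"; then
        echo "$home: java.version $ver affected, rt.jar.fpupdater present (patched)"
        return 0
    fi
    echo "$home: java.version $ver affected, FPUpdater NOT applied"
    return 1
}

# Wrapper that reads java.version from the JRE's own binary, e.g.
# check_jre_home /opt/novell/jdk1.6.0_22/jre
check_jre_home() {
    jre_status "$1" "$("$1/bin/java" -version 2>&1 | sed -n 's/.*version "\([^"]*\)".*/\1/p')"
}
```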

Additional Information


Update: The tool download URL has moved to the following link:
http://www.oracle.com/technetwork/java/javasebusiness/downloads/java-archive-downloads-misc-419423.html
- Also be sure to read the readme at the following link:
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html

During a fresh install of the patch, the output will look like the following (assuming the patch was copied to the /opt/novell/jdk1.6.0_22/jre/tmpUpdate8782812812647176784/ directory and the installer was launched from there):


FPUpdater
java.home: /opt/novell/jdk1.6.0_22/jre
java.vendor: Sun Microsystems Inc.
java.version: 1.6.0_22
os.name: Linux
Checking for update for major: 1.6.0 minor: 22
Retrieved update jar file from tool: /opt/novell/jdk1.6.0_22/jre/tmpUpdate8782812812647176784/tmpUpdate2727496227457989556.jar
Updating files. Please note this can take several minutes to run. Allow FPUpdater tool to complete.
Jar file /opt/novell/jdk1.6.0_22/jre/lib/rt.jar.fpupdater succesfully verified.
Done backup of rt.jar to /opt/novell/jdk1.6.0_22/jre/lib/rt.jar.fpupdater
Made working copy of rt.jar: /opt/novell/jdk1.6.0_22/jre/lib/tmpUpdate4575111775775392024/copyofRt.jar
Jar file /opt/novell/jdk1.6.0_22/jre/lib/tmpUpdate4575111775775392024/copyofRt.jar succesfully verified.
Moving working copy of rt.jar back to live rt.jar.
Update applied successfully to java.home path : /opt/novell/jdk1.6.0_22/jre