Environment
Novell Identity Manager 3.6.1
Novell Identity Manager 3.6.1 Remote Loader
Novell Identity Manager Roles Based Provisioning Module 3.7
Novell Identity Manager Roles Based Provisioning Module 3.6.1
Novell Identity Manager Designer 3.5.1
Novell Identity Manager Designer 4.0
Novell Identity Manager Analyzer 1.2
Situation
CVE-2010-4476 is defined at the following URLs:
https://support.novell.com/security/cve/CVE-2010-4476.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
The Double.parseDouble method in the Java Runtime Environment in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in Novell Identity Manager 3.6.1, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. Any code path that hands attacker-controlled text to Double.parseDouble (or to Double.valueOf, or a double literal in compiled code) is affected, so the exposure is a function of the bundled JRE, not of a single Identity Manager feature.
Identity Manager 3.6.1 and Identity Manager 3.6.1 Remote Loader ship with the following vulnerable Java version: 1.6.0_06
Identity Manager Roles Based Provisioning Module 3.7 ships with the following vulnerable Java version: 1.6.0_14
Identity Manager Roles Based Provisioning Module 3.6.1 ships with the following vulnerable Java version: 1.5.0_15
Identity Manager Designer 3.5.1 ships with the following vulnerable Java version: 1.6.0_07
Identity Manager Designer 4.0 ships with the following vulnerable Java version: 1.6.0_20
Identity Manager Analyzer 1.2 ships with the following vulnerable Java version: 1.6.0_07
Resolution
Apply the steps described at the following link from Oracle to run the FPUpdater tool, which patches the affected rt.jar in place and resolves this vulnerability:
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
Stop the affected Java processes before running FPUpdater and restart them afterwards; the tool rewrites rt.jar, and a JVM that already has the old rt.jar loaded keeps running the vulnerable code until it is restarted. For the Identity Manager engine, stop the "ndsd" process before patching; for RBPM, stop the JBoss or WebSphere application server; likewise stop Designer, Analyzer and the Remote Loader before patching the JRE each of them uses.
After the FPUpdater tool has run once, run it a second time against the same JRE to verify that the patch was installed correctly.
This TID does not list the exact JRE paths to be patched because they vary by Identity Manager component and platform, and a single host can carry several JRE copies, each of which must be patched separately. To find the JRE instance a running process has actually loaded, use "pmap" or "pfiles" on Linux and Solaris against the process ID and look for the mapped or opened rt.jar; for components such as Designer, Analyzer or the Remote Loader, check the extracted JRE version in the install path or in the component's configuration files.
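The resolution above relies on FPUpdater's own reporting to confirm that a JRE is fixed. An independent check is to make the specific JRE binary a component loads parse the trigger value under a timeout: an unpatched JRE spins forever, a patched one returns immediately. The class below is an added example written for this page; it is not part of the TID, Oracle's FPUpdater, or any Identity Manager component. It assumes a JDK whose javac can still emit class files for Java 5/6 (for example JDK 8 with "javac -source 1.6 -target 1.6 ParseDoubleCheck.java") and that you run the resulting class with each component's JRE, e.g. "<component-jre>/bin/java -cp . ParseDoubleCheck", both before and after patching. The second trigger string, 2.2250738585072011e-308, is the widely published variant of the value quoted in the CVE text; the control value and the default timeout are arbitrary choices.

```java
import java.util.ArrayList;
import java.util.List;

/*
 * Probe for CVE-2010-4476 (added example, not part of the TID or of Identity
 * Manager). Runs Double.parseDouble on the known trigger strings in a
 * separate thread and treats a thread that is still running after the
 * timeout as the infinite loop described in the advisory. Written in
 * Java 5 syntax so that the class runs on the JREs listed in the
 * Environment section (1.5.0_15, 1.6.0_06 ...).
 */
public class ParseDoubleCheck {

    /* Trigger values: the first is quoted in the CVE description, the
       second is the widely published variant with a trailing 1. */
    static final String[] TRIGGERS = {
        "2.2250738585072012e-308",
        "2.2250738585072011e-308"
    };

    /* Sanity input that any working JRE must parse quickly (arbitrary). */
    static final String CONTROL = "1.5e-300";

    /** Returns true if s parses within timeoutMillis, false if the parser hangs. */
    static boolean parsesWithin(final String s, long timeoutMillis)
            throws InterruptedException {
        final double[] result = new double[1];
        Thread worker = new Thread(new Runnable() {
            public void run() {
                result[0] = Double.parseDouble(s);
            }
        });
        worker.setDaemon(true);   // a hung parser must not keep the JVM alive
        worker.start();
        worker.join(timeoutMillis);
        return !worker.isAlive();
    }

    /** Runs every trigger and returns the ones that hung (empty = patched). */
    static List<String> hangingInputs(long timeoutMillis) throws InterruptedException {
        List<String> hung = new ArrayList<String>();
        for (String s : TRIGGERS) {
            if (!parsesWithin(s, timeoutMillis)) {
                hung.add(s);
            }
        }
        return hung;
    }

    public static void main(String[] args) throws InterruptedException {
        long timeout = args.length > 0 ? Long.parseLong(args[0]) : 5000L;
        System.out.println("java.version=" + System.getProperty("java.version")
                + " java.home=" + System.getProperty("java.home"));

        // If even the control value does not parse, the host is too slow or
        // the JVM is broken; do not report a verdict in that case.
        if (!parsesWithin(CONTROL, timeout)) {
            System.out.println("control value did not parse within " + timeout + " ms");
            System.exit(2);
        }

        List<String> hung = hangingInputs(timeout);
        for (String s : TRIGGERS) {
            System.out.println((hung.contains(s) ? "HANG " : "ok   ") + s);
        }
        if (hung.isEmpty()) {
            System.out.println("Double.parseDouble returned on all triggers: not vulnerable");
            System.exit(0);
        } else {
            System.out.println("VULNERABLE: run FPUpdater against " + System.getProperty("java.home"));
            System.exit(1);
        }
    }
}
```

The exit status (0 patched, 1 vulnerable, 2 inconclusive) makes the probe usable from a script that iterates over every JRE found with pmap or pfiles. Because the hung threads are daemons, a vulnerable JRE still exits cleanly; expect them to consume a full CPU core until the process ends. Point the probe at the component's own JRE binary rather than whatever "java" is first on the PATH, since patching one copy says nothing about the others on the same host.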