CVE-2010-4476

Description

The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.

5.0

CVSS

Severity: Medium

CVSS 2.0 •

EPSS 11.00% Top 10%

Vendor Advisory redhat.com Vendor Advisory gentoo.org Vendor Advisory marc.info Vendor Advisory fedoraproject.org Vendor Advisory fedoraproject.org Vendor Advisory opensuse.org Vendor Advisory hp.com Vendor Advisory marc.info Vendor Advisory marc.info Vendor Advisory redhat.com Vendor Advisory ibm.com Vendor Advisory ibm.com Vendor Advisory marc.info Vendor Advisory marc.info Vendor Advisory redhat.com Vendor Advisory marc.info Vendor Advisory marc.info Vendor Advisory redhat.com Vendor Advisory marc.info Vendor Advisory marc.info Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory debian.org Vendor Advisory redhat.com Vendor Advisory marc.info Vendor Advisory opensuse.org Vendor Advisory marc.info Vendor Advisory marc.info Vendor Advisory redhat.com Vendor Advisory marc.info Vendor Advisory marc.info Vendor Advisory mandriva.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory secunia.com Vendor Advisory oracle.com Vendor Advisory oracle.com Vendor Advisory oracle.com Vendor Advisory vupen.com Vendor Advisory vupen.com Vendor Advisory vupen.com Vendor Advisory vupen.com Vendor Advisory vupen.com Vendor Advisory vupen.com

Affected: n/a n/a

References

Link	Tags
http://secunia.com/advisories/43295	third party advisory vendor advisory
http://www.securitytracker.com/id?1025062	vdb entry
http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS11-003/index.html
http://secunia.com/advisories/43280	third party advisory vendor advisory
http://www.redhat.com/support/errata/RHSA-2011-0210.html	vendor advisory
http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html	patch vendor advisory
http://security.gentoo.org/glsa/glsa-201406-32.xml	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14328	vdb entry signature
http://marc.info/?l=bugtraq&m=134254866602253&w=2	vendor advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053926.html	vendor advisory
http://lists.fedoraproject.org/pipermail/package-announce/2011-February/053934.html	vendor advisory
http://lists.opensuse.org/opensuse-security-announce/2011-07/msg00010.html	vendor advisory
http://www13.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02720715&admit=109447627+1298159618320+28353475	vendor advisory
http://marc.info/?l=bugtraq&m=129899347607632&w=2	vendor advisory
http://marc.info/?l=bugtraq&m=136485229118404&w=2	vendor advisory
http://www.redhat.com/support/errata/RHSA-2011-0214.html	vendor advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1PM31983	vendor advisory
http://secunia.com/advisories/45555	third party advisory vendor advisory
http://www-01.ibm.com/support/docview.wss?uid=swg1IZ94423	vendor advisory
http://secunia.com/advisories/43400	third party advisory vendor advisory
http://marc.info/?l=bugtraq&m=129960314701922&w=2	vendor advisory
http://marc.info/?l=bugtraq&m=130514352726432&w=2	vendor advisory
http://secunia.com/advisories/43378	third party advisory vendor advisory
http://secunia.com/advisories/45022	third party advisory
http://www.redhat.com/support/errata/RHSA-2011-0333.html	vendor advisory
http://www.vupen.com/english/advisories/2011/0422	vdb entry vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12662	vdb entry signature
http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html	patch vendor advisory
http://marc.info/?l=bugtraq&m=131041767210772&w=2	vendor advisory
http://www.vupen.com/english/advisories/2011/0434	vdb entry vendor advisory
http://marc.info/?l=bugtraq&m=133469267822771&w=2	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14589	vdb entry signature
http://www.redhat.com/support/errata/RHSA-2011-0213.html	vendor advisory
http://marc.info/?l=bugtraq&m=132215163318824&w=2	vendor advisory
http://www.exploringbinary.com/java-hangs-when-converting-2-2250738585072012e-308/
http://www.vupen.com/english/advisories/2011/0377	vdb entry vendor advisory
http://secunia.com/advisories/44954	third party advisory
http://marc.info/?l=bugtraq&m=130497132406206&w=2	vendor advisory
http://www.vupen.com/english/advisories/2011/0365	vdb entry vendor advisory
http://blogs.oracle.com/security/2011/02/security_alert_for_cve-2010-44.html
http://www.redhat.com/support/errata/RHSA-2011-0880.html	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A12745	vdb entry signature
http://www.redhat.com/support/errata/RHSA-2011-0334.html	vendor advisory
http://www.redhat.com/support/errata/RHSA-2011-0282.html	vendor advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21468358
http://secunia.com/advisories/43048	third party advisory vendor advisory
http://www.debian.org/security/2011/dsa-2161	vendor advisory
http://www.vupen.com/english/advisories/2011/0379	vdb entry vendor advisory
http://secunia.com/advisories/43304	third party advisory vendor advisory
http://www.redhat.com/support/errata/RHSA-2011-0211.html	vendor advisory
http://marc.info/?l=bugtraq&m=134254957702612&w=2	vendor advisory
http://secunia.com/advisories/49198	third party advisory
http://secunia.com/advisories/43659	third party advisory vendor advisory
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html	patch vendor advisory
http://www.ibm.com/support/docview.wss?uid=swg24029498
http://lists.opensuse.org/opensuse-security-announce/2011-05/msg00004.html	vendor advisory
http://marc.info/?l=bugtraq&m=133728004526190&w=2	vendor advisory
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19493	vdb entry signature
http://secunia.com/advisories/43333	third party advisory vendor advisory
http://marc.info/?l=bugtraq&m=130168502603566&w=2	vendor advisory
http://www.redhat.com/support/errata/RHSA-2011-0212.html	vendor advisory
http://marc.info/?l=bugtraq&m=130270785502599&w=2	vendor advisory
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5098550.html
http://www.vupen.com/english/advisories/2011/0605	vdb entry vendor advisory
http://blog.fortify.com/blog/2011/02/08/Double-Trouble
http://marc.info/?l=bugtraq&m=130497185606818&w=2	vendor advisory
http://www.ibm.com/support/docview.wss?uid=swg24029497
http://www.mandriva.com/security/advisories?name=MDVSA-2011:054	vendor advisory

Frequently Asked Questions

What is the severity of CVE-2010-4476?: CVE-2010-4476 has been scored as a medium severity vulnerability.
How to fix CVE-2010-4476?: To fix CVE-2010-4476, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2010-4476 being actively exploited in the wild?: It is possible that CVE-2010-4476 is being exploited or will be exploited in a near future based on public information. According to its EPSS score, there is a ~11% probability that this vulnerability will be exploited by malicious actors in the next 30 days.