CVE-2010-4476
CVE-2010-4476 is a vulnerability of currently unknown severity. The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308. EPSS estimates a 23.49% chance of exploitation in the next 30 days.
Description
The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| Sun | Jre | <= 1.6.0 | Update 23 |
| Sun | Jre | 1.6.0 | — |
| Sun | Jdk | <= 1.6.0 | Update 23 |
| Sun | Jdk | 1.6.0 | — |
| Sun | Jdk | <= 1.5.0 | Update 27 |
| Sun | Jdk | 1.5.0 | — |
| Sun | Sdk | <= 1.4.2_29 | — |
| Sun | Sdk | 1.4.2 | — |
| Sun | Sdk | 1.4.2_1 | — |
| Sun | Sdk | 1.4.2_02 | — |
| Sun | Sdk | 1.4.2_3 | — |
| Sun | Sdk | 1.4.2_4 | — |
| Sun | Sdk | 1.4.2_5 | — |
| Sun | Sdk | 1.4.2_6 | — |
| Sun | Sdk | 1.4.2_7 | — |
| Sun | Sdk | 1.4.2_8 | — |
| Sun | Sdk | 1.4.2_9 | — |
| Sun | Sdk | 1.4.2_10 | — |
| Sun | Sdk | 1.4.2_11 | — |
| Sun | Sdk | 1.4.2_12 | — |
| Sun | Sdk | 1.4.2_13 | — |
| Sun | Sdk | 1.4.2_14 | — |
| Sun | Sdk | 1.4.2_15 | — |
| Sun | Sdk | 1.4.2_16 | — |
| Sun | Sdk | 1.4.2_17 | — |
| Sun | Sdk | 1.4.2_18 | — |
| Sun | Sdk | 1.4.2_19 | — |
| Sun | Sdk | 1.4.2_20 | — |
| Sun | Sdk | 1.4.2_21 | — |
| Sun | Sdk | 1.4.2_22 | — |
| Sun | Sdk | 1.4.2_23 | — |
| Sun | Sdk | 1.4.2_24 | — |
| Sun | Sdk | 1.4.2_25 | — |
| Sun | Sdk | 1.4.2_26 | — |
| Sun | Sdk | 1.4.2_27 | — |
| Sun | Sdk | 1.4.2_28 | — |
| Sun | Jre | <= 1.5.0 | Update 27 |
| Sun | Jre | 1.5.0 | — |
| Sun | Jre | <= 1.4.2_29 | — |
| Sun | Jre | 1.4.2 | — |
| Sun | Jre | 1.4.2_1 | — |
| Sun | Jre | 1.4.2_2 | — |
| Sun | Jre | 1.4.2_3 | — |
| Sun | Jre | 1.4.2_4 | — |
| Sun | Jre | 1.4.2_5 | — |
| Sun | Jre | 1.4.2_6 | — |
| Sun | Jre | 1.4.2_7 | — |
| Sun | Jre | 1.4.2_8 | — |
| Sun | Jre | 1.4.2_9 | — |
| Sun | Jre | 1.4.2_10 | — |
Showing 50 of 68 affected configurations. See NVD for the full list.
References
- http://secunia.com/advisories/43048 (Vendor Advisory)
- http://secunia.com/advisories/43280 (Vendor Advisory)
- http://secunia.com/advisories/43295 (Vendor Advisory)
- http://secunia.com/advisories/43304 (Vendor Advisory)
- http://secunia.com/advisories/43333 (Vendor Advisory)
- http://secunia.com/advisories/43378 (Vendor Advisory)
- http://secunia.com/advisories/43400 (Vendor Advisory)
- http://secunia.com/advisories/43659 (Vendor Advisory)
- http://secunia.com/advisories/45555 (Vendor Advisory)
- http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html (Patch, Vendor Advisory)
- http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html (Patch, Vendor Advisory)
- http://www.oracle.com/technetwork/topics/security/javacpufeb2011-304611.html (Patch, Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0210.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0211.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0212.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0213.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0214.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0282.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0333.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0334.html (Vendor Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0880.html (Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0365 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0377 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0379 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0422 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0434 (Vendor Advisory)
- http://www.vupen.com/english/advisories/2011/0605 (Vendor Advisory)
Source: NVD / NIST
