Date: 02 September 2011
References: ASB-2011.0013 ESB-2011.1090.4 ESB-2012.0340
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0902
Identity Manager 3.6.1 security vulnerability with JRE
double-precision binary floating-point number
2 September 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Novell Identity Manager
Publisher: Novell
Operating System: Netware
Windows
Linux variants
SUSE
Solaris
AIX
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2010-4476
Reference: ASB-2011.0013
Original Bulletin:
http://www.novell.com/support/viewContent.do?externalId=7009249
--------------------------BEGIN INCLUDED TEXT--------------------
Identity Manager 3.6.1 security vulnerability with JRE double-precision binary
floating-point number (CVE-2010-4476)
This document (7009249) is provided subject to the disclaimer at the end of
this document.
Environment
Novell Identity Manager 3.6.1
Novell Identity Manager 3.6.1 Remote Loader
Novell Identity Manager Roles Based Provisioning Module 3.7
Novell Identity Manager Roles Based Provisioning Module 3.6.1
Novell Identity Manager Designer 3.5.1
Novell Identity Manager Designer 4.0
Novell Identity Manager Analyzer 1.2
Situation
CVE-2010-4476 defined at the following URLs:
http://support.novell.com/security/cve/CVE-2010-4476.html
http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html
The Double.parseDouble method in Java Runtime Environment in Oracle Java SE and
Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and
1.4.2_29 and earlier, as used in Novell Identity Manager 3.6.1, allows remote
attackers to cause a denial of service via a crafted string that triggers an
infinite loop of estimations during conversion to a double-precision binary
floating-point number, as demonstrated using 2.2250738585072012e-308.
Identity Manager 3.6.1 and Identity Manager 3.6.1 Remote Loader ship with the
following vulnerable Java version: 1.6.0_06
Identity Manager Roles Based Provisioning Module 3.7 ships with the following
vulnerable Java version: 1.6.0_14
Identity Manager Roles Based Provisioning Module 3.6.1 ships with the following
vulnerable Java version: 1.5.0_15
Identity Manager Designer 3.5.1 ships with the following vulnerable Java
version: 1.6.0_07
Identity Manager Designer 4.0 ships with the following vulnerable Java
version: 1.6.0_20
Identity Manager Analyzer 1.2 ships with the following vulnerable Java
version: 1.6.0_07
Resolution
Make sure to stop the affected Java processes before running the FPUpdater
tool and restart them afterwards. For instance, for the Identity Manager engine
stop the "ndsd" process before patching, and for RBPM stop the JBoss or WebSphere
application server. Similarly, stop Designer, Analyzer or Remote Loader before
applying the patch described below.
Apply the steps mentioned at the following link from Oracle to run the
FPUpdater tool that patches the concerned rt.jar and resolves the security
vulnerability.
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
After the FPUpdater tool has run once, it is a good idea to run it again in
order to verify that the patch has been correctly installed.
Note that this TID does not provide the exact JRE instance paths to be patched
because they vary depending on the Identity Manager component and platform.
Various tools can be used to find the exact JRE instance a running process has
loaded, for example "pmap" or "pfiles" on Linux and Solaris; alternatively, check
the extracted JRE version in the install paths or configuration files of
components such as Designer, Analyzer or Remote Loader.
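The bulletin gives the affected Java ranges (6u23, 5.0u27 and 1.4.2_29 and earlier) and the JRE each Identity Manager component ships with, but leaves version triage to the reader. The following is an added example, not part of the Novell or AusCERT text, that parses version strings as reported by "java -version" and checks them against those ranges; the component table is constructed from the versions listed above.

```python
import re
from typing import Dict, List, Optional, Tuple

# Highest still-vulnerable update level per Java family, as stated in the bulletin:
# 6 Update 23 and earlier, 5.0 Update 27 and earlier, 1.4.2_29 and earlier.
LAST_VULNERABLE_UPDATE: Dict[Tuple[int, int, int], int] = {
    (1, 6, 0): 23,
    (1, 5, 0): 27,
    (1, 4, 2): 29,
}

# JRE versions the bulletin says each Identity Manager component ships with.
SHIPPED_JRE: Dict[str, str] = {
    "Identity Manager 3.6.1": "1.6.0_06",
    "Identity Manager 3.6.1 Remote Loader": "1.6.0_06",
    "Roles Based Provisioning Module 3.7": "1.6.0_14",
    "Roles Based Provisioning Module 3.6.1": "1.5.0_15",
    "Designer 3.5.1": "1.6.0_07",
    "Designer 4.0": "1.6.0_20",
    "Analyzer 1.2": "1.6.0_07",
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:_(\d+))?")

def parse_java_version(text: str) -> Optional[Tuple[Tuple[int, int, int], int]]:
    """((major, minor, micro), update) from '1.6.0_06' or a 'java version "1.6.0_06"' line."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    family = (int(m.group(1)), int(m.group(2)), int(m.group(3)))
    update = int(m.group(4)) if m.group(4) else 0  # bare '1.6.0' is update 0
    return family, update

def is_vulnerable(version: str) -> Optional[bool]:
    """True if in an affected range, False if a later update of that family,
    None if the family (e.g. 1.7.0) is not covered by the bulletin."""
    parsed = parse_java_version(version)
    if parsed is None or parsed[0] not in LAST_VULNERABLE_UPDATE:
        return None
    family, update = parsed
    return update <= LAST_VULNERABLE_UPDATE[family]

def triage(components: Dict[str, str]) -> List[Tuple[str, str]]:
    """(component, jre) pairs whose shipped JRE is in an affected range.
    This reflects the shipped baseline only: FPUpdater patches rt.jar in place,
    so the bulletin verifies the fix by re-running FPUpdater, not by version."""
    return [(c, v) for c, v in components.items() if is_vulnerable(v)]
```

Feed it the output of "java -version" from the JRE actually loaded by each process (located with pmap or pfiles as described above), not just the version recorded at install time.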
Document
Document ID: 7009249
Creation Date: 08-26-2011
Modified Date: 08-31-2011
Novell Product: Identity Manager
Disclaimer
The origin of this information may be internal or external to Novell. Novell
makes all reasonable efforts to verify this information. However, the
information provided in this document is for your information only. Novell
makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their
respective owners. Consult your product manuals for complete trademark
information.
--------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================