Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Java Floating point issue (CVE-2010-4476) SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Java Floating point issue (CVE-2010-4476)

 Oracle release a security bulletin yesterday relating to the binary floating point issue when converting 2.2250738585072012e-308" to a binary floating-point number.  (

The problem affects both JRE and JDK 6 update 23 and earlier. 4.0 Update 27 and earlier, as well as,  yes people still use it, SDK & JRE 1.4.2_29.

Applications utilising these versions will be vulnerable to denial of service attacks.  Servlet managers such as tomcat and others are likely affected as these often run older versions of java.  

No patch available just yet. 

- Mark - 



392 Posts
ISC Handler
Feb 9th 2011
The Oracle security bulletin references a patch - . It's not an updated version, just a tool that patches all the various affected versions. See the Readme ( for tons of details.
Interesting commentary on Oracle's response here:

Sign Up for Free or Log In to start participating in the conversation!