{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright © Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "A patch for JBoss Enterprise Application Platform 4.2.0.CP09, 4.3.0.CP09,\nand 5.1 that fixes one security issue is now available from the Red Hat\nCustomer Portal.\n\nThe Red Hat Security Response Team has rated this update as having\nimportant security impact. A Common Vulnerability Scoring System (CVSS)\nbase score, which gives a detailed severity rating, is available from the\nCVE link in the References section.", "title": "Topic" }, { "category": "general", "text": "JBoss Web Server is the web container, based on Apache Tomcat, in JBoss\nEnterprise Application Platform. It provides a single deployment platform\nfor the JavaServer Pages (JSP) and Java Servlet technologies.\n\nA denial of service flaw was found in the way certain strings were\nconverted to Double objects. A remote attacker could use this flaw to cause\nJBoss Web Server to hang via a specially-crafted HTTP request.\n(CVE-2010-4476)\n\nAll users of Enterprise Application Platform 4.2, 4.3, and 5.1 as provided\nfrom the Red Hat Customer Portal are advised to apply this patch. Refer to\nthe Solution section of this erratum for patch download instructions. The\nJBoss server process must be restarted for this update to take effect.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2011:0212", "url": "https://access.redhat.com/errata/RHSA-2011:0212" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "674336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=674336" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2011/rhsa-2011_0212.json" } ], "title": "Red Hat Security Advisory: jbossweb security update", "tracking": { "current_release_date": "2025-11-21T17:37:36+00:00", "generator": { "date": "2025-11-21T17:37:36+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.6.12" } }, "id": "RHSA-2011:0212", "initial_release_date": "2011-02-10T19:41:00+00:00", "revision_history": [ { "date": "2011-02-10T19:41:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2019-02-20T12:41:49+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2025-11-21T17:37:36+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 4.2", "product": { "name": "Red Hat JBoss Enterprise Application Platform 4.2", "product_id": "Red Hat JBoss Enterprise Application Platform 4.2", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.2" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 4.3", "product": { "name": "Red Hat JBoss Enterprise Application Platform 4.3", "product_id": "Red Hat JBoss Enterprise Application Platform 4.3", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:4.3" } } }, { "category": "product_name", "name": "Red Hat JBoss Enterprise Application Platform 5.1", "product": { "name": "Red Hat JBoss Enterprise Application Platform 5.1", "product_id": "Red Hat JBoss Enterprise Application Platform 5.1", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:5.1" } } } ], "category": "product_family", "name": "Red Hat JBoss Enterprise Application Platform" } ], "category": "vendor", "name": "Red Hat" } ] }, "vulnerabilities": [ { "cve": "CVE-2010-4476", "discovery_date": "2011-02-01T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "674336" } ], "notes": [ { "category": "description", "text": "The Double.parseDouble method in Java Runtime Environment (JRE) in Oracle Java SE and Java for Business 6 Update 23 and earlier, 5.0 Update 27 and earlier, and 1.4.2_29 and earlier, as used in OpenJDK, Apache, JBossweb, and other products, allows remote attackers to cause a denial of service via a crafted string that triggers an infinite loop of estimations during conversion to a double-precision binary floating-point number, as demonstrated using 2.2250738585072012e-308.", "title": "Vulnerability description" }, { "category": "summary", "text": "JDK Double.parseDouble Denial-Of-Service", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "Red Hat JBoss Enterprise Application Platform 4.2", "Red Hat JBoss Enterprise Application Platform 4.3", "Red Hat JBoss Enterprise Application Platform 5.1" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2010-4476" }, { "category": "external", "summary": "RHBZ#674336", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=674336" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2010-4476", "url": "https://www.cve.org/CVERecord?id=CVE-2010-4476" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2010-4476", "url": "https://nvd.nist.gov/vuln/detail/CVE-2010-4476" } ], "release_date": "2011-02-01T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-02-10T19:41:00+00:00", "details": "A patch to correct CVE-2010-4476 for JBoss Enterprise Application Platform\n4.2.0.CP09, 4.3.0.CP09, and 5.1 is available from the Red Hat Customer\nPortal. To download this patch:\n\n1) Backup your existing JBoss Enterprise Application Platform installation\n(including all applications and configuration files).\n\n2) Log into the Customer Portal: https://access.redhat.com/login\n\n3) Navigate to\nhttps://access.redhat.com/jbossnetwork/restricted/listSoftware.html\n\n4) On the left-hand side menu, under \"JBoss Enterprise Platforms\" click\n\"Application Platform\". Then, use the \"Version:\" drop down menu to select\n\"4.2.0.GA_CP09\", \"4.3.0.GA_CP09\", or \"5.1.0\".\n\n5) The patch is available from the \"Security Advisories\" link. After\napplying the patch, the JBoss server process must be restarted for the\nupdate to take effect.", "product_ids": [ "Red Hat JBoss Enterprise Application Platform 4.2", "Red Hat JBoss Enterprise Application Platform 4.3", "Red Hat JBoss Enterprise Application Platform 5.1" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:0212" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "Red Hat JBoss Enterprise Application Platform 4.2", "Red Hat JBoss Enterprise Application Platform 4.3", "Red Hat JBoss Enterprise Application Platform 5.1" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "JDK Double.parseDouble Denial-Of-Service" } ] }