Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476) (PM32387)

Flash (Alert)


Abstract

Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. PM32387 will be the umbrella APAR which will contain the information for all related APARs for the WebSphere Application Server product.

Content





Versions affected

  • JDK shipped with IBM WebSphere Application Server Versions 7.0 through 7.0.0.13, 6.1 through 6.1.0.35, and 6.0 through 6.0.2.43, for Distributed, i5/OS and z/OS operating systems.
  • This does not occur on JDK versions shipped after WebSphere Application Server Versions 7.0.0.13, 6.1.0.35, and 6.0.2.43.
    • JDK packages shipped with WebSphere Application Server are separate installs.
  • IBM HTTP Server is not affected by this issue.
Note: The problem will be fixed in the Java class libraries, and therefore this issue affects all products that use Java in this fashion.



Description

This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). All web based and non-web based applications are at serious risk by a remote attack. This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang will occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method, including parseDouble(), the Double() constructor and Double.valueOf(), is also at risk of this exposure including any customer written application or 3rd party written application.




Solution

Upgrade your JDK to an interim fix JDK level containing the fix for this issue.

For IBM WebSphere Application Server on distributed operating systems:

Download and apply one (1) of the two (2) interim fix APARs below, for your appropriate release:

Note: Applying any of these interim fix APARs below, will apply both the interim fix for this problem and will ALSO update your JDK level, if you are not already at the stated level.

For Versions 7.0 through 7.0.0.13:

  • PM32175: Will upgrade you to JDK 6 SR8-FP1 (shipped with v7.0.0.13) modified with interim fix IZ94423
    • Available for download from Fix Central and FTP at link above.
  • PM32173: Will upgrade to JDK 6 SR7 (shipped with v7.0.0.11 and v7.0.0.9) modified with interim fix IZ94423 (Same JDK was used for both of these WebSphere Application Server releases.)
    • Available for download from Fix Central and FTP at link above.
For Versions 6.1 through 6.1.0.35:
  • PM32177: Will upgrade you to JDK 5 SR12-FP2 (shipped with v6.1.0.35) modified with interim fix IZ94331
    • Available for download from Fix Central and FTP at link above.
  • PM32184: Will upgrade you to JDK 5 SR12 (shipped with v6.1.0.33) modified with interim fix IZ94331
    • Available for download from Fix Central and FTP at link above.
For Version 6.0.2 through 6.0.2.43:
  • PM32192: Will upgrade you to JDK 142 SR13-FP5 (shipped with v6.0.2.43) modified with interim fix PM31983
    • Available for download from Fix Central and FTP at link above.
  • PM32194: Will upgrade you to JDK 142 SR13-FP4 (shipped with v6.0.2.41) modified with interim fix PM31983
    • Available for download from Fix Central and FTP at link above.

For IBM WebSphere Application Server for z/OS operating systems:

Move up in maintenance to one of the service levels listed below and then apply the corresponding ++APAR.

Notes:
  • A PMR (Problem Management Record) with IBM WebSphere Application Server support should be opened requesting the ++APAR that is needed.
  • ++APARS can ONLY be given to customers with systems that do NOT have any other ++APARs applied, and are running one of the service levels listed below.

For Versions 7.0 through 7.0.0.13:
  1. Move up in maintenance to one of the service levels listed below and then,
  2. Open a PMR to request the corresponding ++APAR from the following:
    • PM32238: ++APAR applies to JDK 6 SR8-FP1 (shipped with 7.0.0.13) modified with IZ94423
    • PM32241: ++APAR applies to JDK 6 SR7 (shipped with 7.0.0.12) modified with IZ94423
    • PM32248: ++APAR applies to JDK 6 SR7 (shipped with 7.0.0.11) modified with IZ94423
    • PM32250: ++APAR applies to JDK 6 SR7 (shipped with 7.0.0.9) modified with IZ94423
For Versions 6.1 through 6.1.0.35:
  1. Move up in maintenance to one of the service levels listed below and then,
  2. Open a PMR to request the corresponding ++APAR from the following:
    • PM32254: ++APAR applies to JDK 5 SR12-FP2 (shipped with 6.1.0.35) modified with IZ94331
    • PM32271: ++APAR applies to JDK 5 SR12-FP1 (shipped with 6.1.0.33) modified with IZ94331
For Version 6.0 through 6.0.2.43:
  1. Move up in maintenance to the service levels listed below and then,
  2. Open a PMR to request the corresponding ++APAR:
    • PM32272: ++APAR applies to JDK 142 SR13-FP5 (shipped with 6.0.2.43) modified with PM31983
Note: Customers that require a fix at a different WebSphere service level not mentioned above, OR those who are running with a service level mentioned above, but also have an existing ++APAR, will need to open a PMR to work with IBM Technical Support personnel to determine the best method for providing a fix for their system.

Be prepared to provide to IBM your current service level , and any existing ++APARs that are already received/applied to your system.


For IBM WebSphere Application Server for IBM i operating systems:

The IBM Developer Kit for Java is prerequisite software for WebSphere Application Server for IBM i.

For Versions 7.0 through 7.0.0.13:
Depending on the version of IBM i that is installed on your system, options 10, 11 and 12 of the IBM Developer Kit for Java are required or optional.
  • Apply all of the PTFs matching one of these Developer Kit for Java options and the version of IBM i installed on your system.

For Versions 6.1 through 6.1.0.35:
Depending on the version of IBM i that is installed on your system, options 7, 8 and 9 of the IBM Developer Kit for Java are required or optional.
  • Apply all of the PTFs matching one of these Developer Kit for Java options and the version of IBM i installed on your system.

For Version 6.0 through 6.0.2.43:
Option 6 of the IBM Developer Kit for Java is required software.
  • Apply the PTF matching Developer Kit for Java option 6 and the version of IBM i that is installed on your system.
Option 6 (Java Developer Kit 1.4) Option 7 (Java Developer Kit 5.0) Option 8 (J2SE 5.0 32 bit) Option 9 (J2SE 5.0 64 bit) Option 10 (Java Developer Kit 6.0) Option 11 (Java SE 6 32 bit) Option 12 (Java SE 6 64 bit)
V5R4 SI42681 SI42680 SI42685 N/A SI42683 SI42688 N/A
IBM i 6.1 SI42677 SI42682 SI42686 SI42687 SI42678 SI42689 SI42690, SI42175
IBM i 7.1 N/A N/A SI42686 SI42687 N/A SI42689 SI42690,
SI42175





Patch option - IBM Update Installer for Java

If you have a JDK that is not listed above, and you cannot wait for it to be made available, the IBM Update Installer for Java can be used to temporarily patch the version of the SDK you have installed.

Refer to the Critical security vulnerability alert - Security Alert for CVE-2010-4476 on the IBM developerWorks site for instructions.

Important note about the IBM Update Installer for Java: Before using the IBM Update Installer for Java to resolve this issue, it is recommended that you first try to obtain a fix provided by the specific IBM Product support team. The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability by patching the JDK. If you use the IBM Update Installer for Java, any future updates to your JDK might remove this patch.



Change history

  • 23 Mar 2011:
    • Added cross reference to include the IBM WebSphere Application Server Hypervisor Editions products.
  • 11 Mar 2011:
    • Added PTF SI42175 to the table of PTFs for IBM i system for Option 12 (Java SE 6 64 bit).
  • 7 Mar 2011:
    • HP-UX fixes delivered for PM32184 (V6.1.0.33)
  • 24 Feb 2011:
    • Interim fix PM32194 (v6.0.2.41) is now available. Link for downloads added.
  • 23 Feb 2011:
    • Added "including parseDouble(), the Double() constructor and Double.valueOf()" to the Description section.
    • Added PTF/fix details for the IBM i operating system platform.
  • 22 Feb 2011:
  • 18 Feb 2011:
    • Added the following sentence to the Description section: "All web based and non-web based applications are at serious risk by a remote attack."
  • 15 Feb 2011:
    • Added description of, and link to, IBM Update Installer for Java.
  • 14 Feb 2011:
    • Removed notice of Fix Central outage and simplified Abstract.
  • 12 Feb 2011:
    • Interim fix PM32184 delivered, will upgrade you to JDK 5 SR12 (shipped with v6.1.0.33) modified with interim fix IZ94331
    • Solaris fixes delivered for PM32192
    • Solaris fixes delivered for PM32177.
  • 11 Feb 2011:
    • Original publish date.



Additional documentation

For additional details and information on WebSphere Application Server product updates:




Cross Reference information
Segment Product Component Platform Version Edition
Application Servers WebSphere Application Server for z/OS z/OS 7.0, 6.1, 6.0.2, 6.0.1, 6.0
Application Servers WebSphere Application Server - Express General AIX, HP-UX, i5/OS, IBM i, Linux, Solaris, Windows 7.0, 6.1, 6.0.2, 6.0.1, 6.0
Application Servers WebSphere Application Server Hypervisor Edition General AIX, Linux 7.0, 6.1 All Editions

Product Alias/Synonym

denial-of-service
DoS

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

WebSphere Application Server
Java SDK

Software version:

6.0, 6.0.0.2, 6.0.0.3, 6.0.1, 6.0.1.1, 6.0.1.2, 6.0.2, 6.0.2.1, 6.0.2.2, 6.0.2.3, 6.0.2.4, 6.0.2.5, 6.0.2.6, 6.0.2.7, 6.0.2.8, 6.0.2.9, 6.0.2.11, 6.0.2.13, 6.0.2.15, 6.0.2.17, 6.0.2.19, 6.0.2.21, 6.0.2.23, 6.0.2.25, 6.0.2.27, 6.0.2.29, 6.0.2.31, 6.0.2.33, 6.0.2.35, 6.0.2.37, 6.0.2.39, 6.0.2.41, 6.0.2.43, 6.1, 6.1.0.1, 6.1.0.2, 6.1.0.3, 6.1.0.5, 6.1.0.7, 6.1.0.9, 6.1.0.11, 6.1.0.13, 6.1.0.14, 6.1.0.15, 6.1.0.17, 6.1.0.19, 6.1.0.21, 6.1.0.23, 6.1.0.25, 6.1.0.27, 6.1.0.29, 6.1.0.31, 6.1.0.33, 6.1.0.35, 6.1.1, 6.1.1.1, 6.1.1.2, 6.1.1.3, 6.1.1.4, 6.1.1.5, 6.1.1.6, 6.1.1.7, 6.1.1.8, 6.1.1.9, 6.1.1.10, 7.0, 7.0.0.1, 7.0.0.3, 7.0.0.5, 7.0.0.7, 7.0.0.9, 7.0.0.11, 7.0.0.13

Operating system(s):

AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS

Software edition:

Base, Developer, Express, Network Deployment

Reference #:

1462019

Modified date:

2011-03-23

Translate my page

Machine Translation

Content navigation