CICS Transaction Server Alert for Java security issue CVE-2010-4476

Technote (troubleshooting)


Problem(Abstract)

Your Java™ applications running in CICS might loop if they accept floating point input in character (string) form and convert it to a binary floating-point value. The CICS Dynamic Scripting Feature Pack is also affected by this exposure. If a request carrying the problem value is targeted at such an application, the request loops within the JVM (a pooled JVM or a JVMSERVER) and never completes. The exposure exists in all supported versions of Java (1.4.2, 5.0, and 6.0).

Cause

On 8 February 2011 Oracle published Security Alert CVE-2010-4476. It addresses a serious security issue in which a Java Runtime Environment (JRE) hangs when converting the string "2.2250738585072012e-308" to a binary floating-point number: the conversion can go into an infinite loop, hang, or crash, so any thread that parses attacker-supplied numeric text can be made to spin indefinitely. The result is a denial of service exposure. The IBM Java Runtime Environments that CICS Transaction Server for z/OS (CICS TS) uses are also affected.

Resolving the problem

If you use Java in CICS then IBM recommends that you upgrade to the latest service refresh (SR) level for your version of Java. You need to be on at least these levels to have the fix for this problem:

Java (SDK) release    Minimum service level (delivered as an APAR/PTF)
1.4.2                 SR 13 FP 8
5.0                   SR 12 FP 3
6.0                   SR 9

If you cannot move to the latest service refresh level, you can apply an interim patch that fixes this security vulnerability until you upgrade. The patches are available from IBM's web page for the Critical security vulnerability alert CVE-2010-4476. That page also provides a test case that you can use to check whether your systems have been fixed, and information about how this problem affects other IBM products.
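The following is an added example, not the test case from IBM's alert page and not CICS or IBM Java code: a small stand-alone class that parses the value named in the alert in a worker thread and reports whether the conversion returned within a timeout. The 5-second limit, the thread name and the exit codes are assumptions chosen for this check. It is written at the Java 1.4 language level (no generics, no autoboxing) so it compiles on each of the Java releases the technote lists; run it under the same JVM that the region's JVM profile points to, before and after applying the service refresh or patch.

```java
/*
 * Added example (not IBM's test case): does this JVM hang on the
 * CVE-2010-4476 value?  Run it under the JVM that CICS uses, e.g.
 *   javac Cve20104476Check.java && java -cp . Cve20104476Check
 * Exit status 0 = conversion completed, 2 = conversion did not return
 * within the timeout (assumed to mean the JVM is unpatched).
 */
public class Cve20104476Check {

    /** The literal named in the Oracle alert. */
    static final String PROBLEM_VALUE = "2.2250738585072012e-308";

    /** Assumed limit: a fixed JVM converts this value in microseconds. */
    static final long TIMEOUT_MS = 5000L;

    /**
     * Returns true if parsing s has not finished after timeoutMs.
     * The parse runs in a daemon thread so that a looping conversion
     * cannot keep the JVM alive after main() returns, and so that the
     * probe itself never hangs the caller.
     */
    static boolean parseHangs(final String s, long timeoutMs)
            throws InterruptedException {
        Thread worker = new Thread(new Runnable() {
            public void run() {
                // On an unpatched JRE this call never returns.
                Double.parseDouble(s);
            }
        }, "cve-2010-4476-probe");
        worker.setDaemon(true);
        worker.start();
        worker.join(timeoutMs);
        return worker.isAlive();
    }

    /** True when the running JVM still shows the exposure. */
    static boolean isVulnerable() throws InterruptedException {
        return parseHangs(PROBLEM_VALUE, TIMEOUT_MS);
    }

    public static void main(String[] args) throws InterruptedException {
        String vm = System.getProperty("java.vendor") + " "
                  + System.getProperty("java.version");
        if (isVulnerable()) {
            System.err.println("VULNERABLE: " + vm
                + " did not finish parsing " + PROBLEM_VALUE
                + " within " + TIMEOUT_MS + " ms (CVE-2010-4476)");
            System.exit(2);
        }
        // Safe to parse on the main thread now: the probe already returned.
        System.out.println("OK: " + vm + " parsed " + PROBLEM_VALUE
            + " as " + Double.parseDouble(PROBLEM_VALUE));
    }
}
```

Because the worker is a daemon thread, a vulnerable JVM still exits cleanly after the timeout instead of spinning until the address space is cancelled; the same pattern (parse untrusted numeric text on a bounded worker, or reject it before parsing) is the only application-level mitigation until the JRE itself is fixed.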

Note: CICS system code used to run Java applications within CICS is unaffected. The CICS Explorer and the CICS Tools are also unaffected.

Product Alias/Synonym

CICS/TS CICS TS CICS Transaction Server


Document information


More support for:

CICS Transaction Server
Java

Software version:

3.1, 3.2, 4.1

Operating system(s):

z/OS

Reference #:

1462384

Modified date:

2011-02-22
