CICS Transaction Server Alert for Java security issue CVE-2010-4476

On 8 February 2011 Oracle published security vulnerability alert CVE-2010-4476. This Security Alert addresses a serious security issue in which a Java Runtime Environment (JRE) hangs when converting "2.2250738585072012e-308" to a binary floating-point number. This vulnerability can cause the Java Runtime Environment to go into an hang, infinite loop, and crash resulting in a denial of service exposure. This can also affect Java Runtime Environments provided by IBM which CICS Transaction Server for z/OS (CICS TS) uses.

If you use Java in CICS then IBM recommends that you upgrade to the latest service refresh (SR) level for your version of Java. You need to be on at least these levels to have the fix for this problem:

Java (SDK) release	APAR (PTF)
1.4.2 - SR 13 FP 8	PM32438 (UK64882)
5.0 - SR 12 FP 3	PM32441 (UK64679)
6.0 - SR 9	PM32448 (UK64721)

If you cannot move to the latest service refresh level then you can apply a patch that allows you to temporarily fix this security vulnerability. The patches can be found on IBM's Web page for Critical security vulnerability alert CVE-2010-4476. This web page also contains a test case that you can use to check whether your systems have been fixed and information about how this problem affects other IBM products.

Note: CICS system code used to run Java applications within CICS is unaffected. The CICS Explorer and the CICS Tools are also unaffected.