Security Vulnerability CVE-2010-4476 as it relates to Java Runtime Environments shipped with WebSphere MQ, IBM WebSphere MQ Extended Security Edition and WebSphere MQ Express V6 and V7 products (IZ94577)

Flash (Alert)


Abstract

This Security Alert relates to security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability in the JRE can cause the Java Runtime Environment to go into an infinite loop, which might appear to be a hang. A Denial of Service vulnerability results from the external inducement of multiple such loops within a single JRE. Any Java program using the Double.parseDouble method is at risk from this vulnerability, including customer-written applications and third-party applications running in the JRE shipped with the IBM WebSphere MQ, IBM WebSphere MQ Extended Security Edition and WebSphere MQ Express V6 and V7 products.

Note: The WebSphere MQ server and client products included in this Flash are:

WebSphere MQ V7.0
WebSphere MQ V6.0
WebSphere MQ Extended Security Edition V6.0

Content

How do I know if my systems could be affected?

Any Java application program that uses or receives string representations of double-precision floating-point values could be affected by this problem, and the system is vulnerable to a denial of service attack if the Double.parseDouble method is invoked multiple times, directly or indirectly, with the value that induces the infinite loop.
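As an added example (not part of this Flash), the following Java probe reports whether the JRE it runs under is affected: it calls Double.parseDouble on the input named above from a daemon thread and waits with a timeout, so an affected JRE is reported rather than hanging the probe. The class name ParseDoubleCheck and the 5-second timeout are assumptions.

```java
/**
 * Added example, not part of the IBM Flash. Probes the running JRE by calling
 * Double.parseDouble on the string named in CVE-2010-4476 from a daemon thread
 * and waiting with a timeout, so a vulnerable JRE reports AFFECTED instead of
 * hanging the probe itself. Written without Java 5 language features so it also
 * compiles on the 1.4.2 JREs mentioned in this Flash.
 */
public class ParseDoubleCheck {
    // The input named in CVE-2010-4476, quoted in this Flash. Kept as a String,
    // not a double literal, so the compiler itself never has to parse it.
    static final String TRIGGER = "2.2250738585072012e-308";

    // Calls parseDouble on its own thread; 'done' is set only if the call returns.
    static class Probe extends Thread {
        private final String input;
        volatile boolean done = false;

        Probe(String input) {
            super("parseDouble-probe");
            this.input = input;
            setDaemon(true); // a looping probe must not keep the JVM alive
        }

        public void run() {
            Double.parseDouble(input);
            done = true;
        }
    }

    /** True if parseDouble(s) returns within timeoutMillis, false if it appears to loop. */
    static boolean parsesWithinTimeout(String s, long timeoutMillis) throws InterruptedException {
        Probe p = new Probe(s);
        p.start();
        p.join(timeoutMillis); // returns when the probe finishes or the timeout elapses
        return p.done;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("JRE: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version") + " at " + System.getProperty("java.home"));
        boolean ok = parsesWithinTimeout(TRIGGER, 5000);
        System.out.println(ok ? "NOT AFFECTED: Double.parseDouble returned normally"
                              : "AFFECTED: Double.parseDouble did not return within 5 seconds");
        // Exit explicitly: on a vulnerable JRE the daemon probe thread is still looping.
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the java binary of each JRE directory listed in this Flash (for example <mq install dir>/java/jre/bin/java); an exit status of 1 means that JRE loops on the input.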


What could happen if I fail to update my systems?

Systems in which multiple infinite loops are induced by multiple requests to parse a string representation of the double-precision floating-point number 2.2250738585072012e-308 would consume significant resources and cause the JRE to become unusable.


What actions do I need to take?

All JREs that are exposed to the risk of multiple invocations of the Double.parseDouble method with the string representation of the double-precision floating-point number 2.2250738585072012e-308 should be corrected. The provider of the JRE should be contacted to determine whether this problem exists in the Double.parseDouble method of the specific JRE class library and, if it does, a fix should be requested.

JREs shipped with the WebSphere MQ product will be corrected by one or more of the following activities:

  • The IBM Update Installer for Java can be used to install a patch to the affected class library.
  • Application of Fix Pack 6.0.2.11 or later, or 7.0.1.5 or later. The latest Fix Packs for WebSphere MQ can be viewed on the Recommended Fixes for WebSphere MQ information page.

The IBM Update Installer for Java can apply a patch which will allow the problem to be rectified without applying a Fix Pack. The patch file can be obtained from the "Patch Availability" section of the Security Alert for CVE-2010-4476 information page.

For the z/OS, iSeries, NSS and OpenVMS platforms there is no WebSphere MQ maintenance to be applied, although JRE maintenance may still be required from the JRE supplier.


Information on running the IBM Update Installer for Java in an MQ environment


Optionally installed Java 1.4.2 SR5 SDK:
The optionally installed Java 1.4.2 SR5 SDKs shipped in 6.0.2.0 will not be updated to resolve the Double.parseDouble method problem, but the JRE in these SDKs can be updated with the relevant patch for APAR PM31983 using the IBM Update Installer for Java.

JREs provided for SSL functionality (GSKit):
This JRE performs no time-affected functionality and is used only by the SSL keystore administration GUI. It is installed only if the user installs the Keyman component, and hence may not be present on all systems. It can be corrected with the relevant patch jar file and the IBM Update Installer, or will be corrected by the application of 6.0.2.11 or later and 7.0.1.5 or later when they are released.

This JRE may be located:
- In the <mq install directory>\gskit\jre directory on Windows
- In the <mq install directory>/ssl/jre directory on UNIX platforms

JREs provided for the WebSphere MQ Explorer:
The JRE supplied with WebSphere MQ to run the WebSphere MQ Explorer administration tool is not intended to run production applications and therefore should not be exposed to this security vulnerability, even though it may be exposed to the Double.parseDouble method defect. This JRE will be fixed by Fix Pack 7.0.1.5 and above, but Version 6 customers should use the IBM Update Installer to correct it. If a more immediate remedy is required, the relevant patch jar file can be applied using the IBM Update Installer for Java.

The location of the JRE for the MQ Explorer on Windows and Linux for WebSphere MQ Version 6 is:
- By default in C:\Program Files\IBM\Eclipse SDK30\eclipse\jre (but user selectable during install) on Windows
- /opt/mqm/ies30/eclipse/jre on Linux platforms

and for WebSphere MQ Version 7 the locations are:

- By default in C:\Program Files\IBM\WebSphere MQ\java\jre (but user selectable during install) on Windows
- /opt/mqm/java/jre on Linux platforms

Optional JREs provided with WebSphere MQ:
There is an optionally installed JRE supplied with WebSphere MQ Version 7 on the following platforms:

  • Windows
  • Linux for System x (32 bit)
  • Linux for System x (64 bit)
  • Linux for System z (64 bit)
  • Linux for System p
  • HP-UX Itanium
  • HP-UX PA-RISC
  • Solaris SPARC
  • Solaris x86_64
  • AIX

This JRE is installed to <mq install dir>/java/jre and is prone to the vulnerability caused by the defect in the Double.parseDouble method. This JRE will be fixed by Fix Pack 7.0.1.5 and above; it can also be fixed using the relevant patch jar file and the IBM Update Installer for Java.

The location of this JRE for WebSphere MQ Version 7 is:

- By default in C:\Program Files\IBM\WebSphere MQ\java\jre (but user selectable during install) on Windows
- /opt/mqm/java/jre on Linux, Solaris and HP-UX platforms
- /usr/mqm/java/jre on AIX

Category 3 SupportPacs

No issues have been identified with the Category 3 WebSphere MQ SupportPacs themselves.

These SupportPacs do not ship a JRE (see Note 2) but may make use of JREs embedded in server, client or Operating Systems. Customers should ensure that all necessary server, client and Operating System fixes are applied.

Note 2:

JRE provided for tooling with MA0F:
If customers are running the withdrawn Application Messaging Interface (MA0F) SupportPac on Windows, it will have installed a 1.2.2 JRE in <Drive>:\Program Files\IBM\WebSphere MQ\amt\AMITool\jre. Although the Double.parseDouble method problem exists in this JRE, the JRE should not be used for production applications and therefore does not have this security vulnerability. The Double.parseDouble method problem described in CVE-2010-4476 will not be fixed in this 1.2.2 JRE.

WebSphere MQ Explorer MS0T:
If customers are running the WebSphere MQ Explorer (MS0T) SupportPac, it will have installed a JRE for the MQ Explorer to use. Although the Double.parseDouble method problem exists in this JRE, the MQ Explorer should not induce the infinite loop. It is recommended that, if this JRE is installed, it is corrected using the relevant patch jar file and the IBM Update Installer for Java.
Related Links
Oracle Security Alert for CVE-2010-4476
Websphere Application Server Flash
IBM Critical security vulnerability alert for CVE-2010-4476


Change History
1st April 2014 - Removed link to MA0F which has now been withdrawn.

18th February 2011 - Updated information about patch jar files for IZ94331 and PM31983

16th February 2011 - Initial release


Document information

More support for: WebSphere MQ, Java
Software version: 6.0, 7.0, 7.0.1
Operating system(s): AIX, HP NonStop, HP-UX, IBM i, Linux, OpenVMS, Solaris, Windows, z/OS
Software edition: All Editions
Reference #: 1462404
Modified date: 2011-02-18
