Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. IZ94423 and IZ94331 are the IBM JDK APARs to address this security vulnerability.
This Security Alert addresses the serious security issue CVE-2010-4476: the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. Parsing this value sends the runtime into an infinite loop (a hang) and can also lead to a crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation, as a positional decimal with 324 decimal places, so rejecting the short form alone does not close the exposure. In addition to the Application Server being exposed to this attack, any Java program that calls the Double.parseDouble method on input an attacker can supply is also at risk, including any customer-written or 3rd-party-written application.
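As an added example (not part of the IBM bulletin or of any IBM code), the following Java program checks whether the JRE it runs on is exposed, using both forms of the value the bulletin names: the scientific-notation string and the positional form with 324 decimal places. The parse is run on a daemon thread with a timeout because, on a vulnerable JRE, the conversion loop never returns and does not respond to interruption; the class name, thread name and two-second timeout are my own choices.

```java
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Probe for CVE-2010-4476: does this JRE's Double.parseDouble hang on the
 * value from the advisory? (Example code, not from the bulletin.)
 */
public class Cve20104476Probe {

    /** The value named in the advisory, in scientific notation. */
    static final String SCIENTIFIC = "2.2250738585072012e-308";

    /**
     * The same value written out in positional notation: "0." followed by
     * 307 zeros and then the 17 significant digits, i.e. 324 decimal places,
     * as the advisory states.
     */
    static String positional() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        return sb.append("22250738585072012").toString();
    }

    /**
     * Returns true if Double.parseDouble(s) returns (with a value or an
     * exception) within timeoutMillis, false if it is still running when the
     * timeout expires, which is the CVE-2010-4476 hang.
     */
    static boolean parseReturns(final String s, long timeoutMillis) {
        ExecutorService worker = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "parseDouble-probe");
            t.setDaemon(true); // a stuck parse must not keep the JVM alive
            return t;
        });
        Future<Double> result = worker.submit(() -> Double.parseDouble(s));
        try {
            result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            // Interrupting does not break the loop on a vulnerable JRE; the
            // daemon thread is simply abandoned.
            result.cancel(true);
            return false;
        } catch (Exception e) {
            // ExecutionException (e.g. NumberFormatException) means the
            // parser returned, so there was no hang.
            return true;
        } finally {
            worker.shutdownNow();
        }
    }

    public static void main(String[] args) {
        System.out.println("JRE: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.runtime.version"));
        String pos = positional();
        System.out.println("positional form has " + (pos.length() - 2)
                + " decimal places");
        // Sanity control: an ordinary value must parse on any JRE.
        System.out.println("control 0.5: "
                + (parseReturns("0.5", 2000) ? "ok" : "HANG"));
        boolean sciOk = parseReturns(SCIENTIFIC, 2000);
        boolean posOk = parseReturns(pos, 2000);
        System.out.println("scientific notation: "
                + (sciOk ? "ok" : "HANG (vulnerable)"));
        System.out.println("positional notation: "
                + (posOk ? "ok" : "HANG (vulnerable)"));
        // Non-zero exit code lets a build or deployment script fail on a
        // vulnerable runtime.
        System.exit(sciOk && posOk ? 0 : 1);
    }
}
```

Compile with `javac Cve20104476Probe.java` and run with `java Cve20104476Probe` under the JRE you want to check. A passing probe only shows that the installed class library handles these two strings; the defect is in the decimal-to-binary conversion algorithm, so filtering these strings in application code is not a substitute for the patched JDK described in the fix options below.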
All IBM SDK installer packages bundled with IBM WebSphere Application Server Community Edition Version 2.1.X.X through 18.104.22.168
Current version of IBM WebSphere Application Server Community Edition 22.214.171.124 bundled with the following IBM SDK installer packages
IBM SDK 5 SR12-FP2 for AIX
IBM SDK 5 SR12-FP2 for 64-bit AIX
IBM SDK 6 SR9 for 64-bit AIX
IBM SDK 5 SR12-FP2 for Linux/Intel
IBM SDK 5 SR12-FP2 for 64-bit Linux/Intel
IBM SDK 6 SR9 for Linux/Intel
IBM SDK 6 SR9 for 64-bit Linux/Intel
IBM SDK 5 SR12-FP2 for Linux/PPC
IBM SDK 5 SR12-FP2 for 64-bit Linux/PPC
IBM SDK 6 SR9 for 64-bit Linux/PPC
IBM SDK 5 SR12-FP2 for Solaris/SPARC
IBM SDK 5 SR12-FP2 for 64-bit Solaris/SPARC
IBM SDK 6 SR9 for 64-bit Solaris/SPARC
IBM SDK 5 SR12-FP2 for Windows
IBM SDK 6 SR9 for Windows
IBM SDK 5 SR12-FP2 for 64-bit Windows
IBM SDK 6 SR9 for 64-bit Windows
Note: The problem is fixed in the Java class libraries, and therefore this issue affects all products that use Java in this fashion.
The following JDK APARs fix security vulnerability CVE-2010-4476
IZ94423 interim fix for IBM JDK 6.0
IZ94331 interim fix for IBM JDK 5.0
The available options to fix security vulnerability CVE-2010-4476:
1. Upgrade option: upgrade your SDK to an interim fix JDK level containing the fix for this issue.
The IBM SDK installer packages containing the fix for this issue are re-bundled with IBM WebSphere Application Server Community Edition v126.96.36.199 downloads.
The new bundles are available from the download site.
2. Patch option: IBM Update Installer for Java.
IBM has provided an update installer and patches that allow you to temporarily fix this security vulnerability.
For stand-alone IBM SDKs and runtimes, or where directed by IBM Support, you can download the IBM Update Installer for Java from here:
Refer to the Critical security vulnerability alert - Security Alert for CVE-2010-4476 on the IBM developerWorks site for instructions.
Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your SDK may remove fixes applied by the IBM Update Installer for Java, so re-run the probe or re-apply the fix after any SDK update. You should always use fixes provided by your IBM Product support team where available.
The recommended way to fix the issue is to upgrade your SDK as described in option 1. This also brings your SDK to the latest level.
Option 2 applies only the interim fix for this security vulnerability and is intended as a temporary fix until the SDK can be upgraded.
Critical security vulnerability alert from IBM Java developerWorks site
WebSphere Application Server Flash: this alert applies only to WebSphere Application Server and is not meant for WebSphere Application Server Community Edition.
More support for:
WebSphere Application Server Community Edition
Software version: 2.1, 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168, 22.214.171.124
Operating system(s): AIX, Linux, Solaris, Windows
Software edition: Elite, Enhanced, Entry
Reference #: 1468267
Modified date: 07 April 2013