Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

Flash (Alert)


Abstract

Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. IZ94423 and IZ94331 are the IBM JDK APARs to address this security vulnerability.

Content

Description:
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang will occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.

Versions affected:

All IBM SDK installer packages bundled with IBM WebSphere Application Server Community Edition Version 2.1.X.X through 2.1.1.5

Current version of IBM WebSphere Application Server Community Edition 2.1.1.5 bundled with the following IBM SDK installer packages

IBM SDK 5 SR12-FP2 for AIX
IBM SDK 5 SR12-FP2 for 64-bit AIX
IBM SDK 6 SR9 for 64-bit AIX
IBM SDK 5 SR12-FP2 for Linux/Intel
IBM SDK 5 SR12-FP2 for 64-bit Linux/Intel
IBM SDK 6 SR9 for Linux/Intel
IBM SDK 6 SR9 for 64-bit Linux/Intel
IBM SDK 5 SR12-FP2 for Linux/PPC
IBM SDK 5 SR12-FP2 for 64-bit Linux/PPC
IBM SDK 6 SR9 for 64-bit Linux/PPC
IBM SDK 5 SR12-FP2 for Solaris/SPARC
IBM SDK 5 SR12-FP2 for 64-bit Solaris/SPARC
IBM SDK 6 SR9 for 64-bit Solaris/SPARC
IBM SDK 5 SR12-SP2 for Windows
IBM SDK 6 SR9 for Windows
IBM SDK 5 SR12-FP2 for 64-bit Windows
IBM SDK 6 SR9 for 64-bit Windows

Note: The problem is fixed in the Java class libraries, and therefore this issue affects all products that use Java in this fashion.

Solution:

The following JDK APARs fix security vulnerability CVE-2010-4476

IZ94423 interim fix for IBM JDK 6.0
IZ94331 interim fix for IBM JDK 5.0

The available options to fix security vulnerability CVE-2010-4476

  1. Upgrade your SDK to an Interim Fix JDK level containing the fix for this issue.

    The IBM SDK installer packages containing the fix for this issue are re-bundled with IBM WebSphere Application Server Community Edition v2.1.1.5 downloads.

    The new bundles are available for download from download site

  2. Patch option - IBM Update Installer for Java:

    IBM have provided an update installer and patches that allow you to temporarily fix this security vulnerability

    For stand alone IBM SDKs and runtimes, or where directed by IBM Support, you can download the IBM Update Installer for Java from here:

    Refer to the Critical security vulnerability alert - Security Alert for CVE-2010-4476 on the IBM developerWorks site for instructions.

    Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your SDK may remove fixes applied by the IBM Update Installer for Java. You should always use fixes provided by your IBM Product support team where available.


IMPORTANT NOTE :
  • The recommended way to fix the issue is to upgrade your SDK as specified in option # 1. This also keeps your SDK level to the latest version.
  • The option # 2 provides steps to apply only the interim fix for this security vulnerability. This option is to temporarily fix the security vulnerability.

Addition Information:
Critical security vulnerability alert from IBM Java developerWorks site
WebSphere Apllication Server Flash This is only applicable for WebSphere Application Server and not meant for WebSphere Application Server Community Edition

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

WebSphere Application Server Community Edition
Security

Software version:

2.1, 2.1.1.1, 2.1.1.2, 2.1.1.3, 2.1.1.4, 2.1.1.5

Operating system(s):

AIX, Linux, Solaris, Windows

Software edition:

Elite, Enhanced, Entry

Reference #:

1468267

Modified date:

2013-04-07

Translate my page

Machine Translation

Content navigation