Security Bulletin: Denial of Service Security Exposure with Java causes JRE/JDK hang (CVE-2010-4476)

Security Bulletin


Summary

This Alert is meant to inform you of an issue where a Denial of Service Security Exposure with Java can cause Java Runtime Environment (JRE) and Java Development Kit (JDK) hangs. This applies to all IBM Rational products that ship or package IBM Java instances.

Vulnerability Details


CVE ID: CVE-2010-4476

Description: This vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to application servers being exposed to this attack, any Java program that uses the Double.parseDouble method is also at risk, including any customer-written or third-party application.

The Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.
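The bulletin's test tool checks an installed Java for exactly this behaviour. The following is an added example, written for this page and not IBM's ParseDoubleTest.jar or any other IBM code: it probes Double.parseDouble with the bulletin's literal and with the same value written out to 324 decimal places (constructed here from the bulletin's description), running each parse in a daemon thread with a timeout so that a vulnerable JRE reports the hang instead of hanging the probe itself. The 5-second timeout and the output wording are assumptions; the source is written without lambdas so it compiles on Java 5 and 6, the versions the bulletin covers.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class ParseDoubleProbe {
    // The literal named in the bulletin, in scientific notation.
    static final String SCI_FORM = "2.2250738585072012e-308";

    // Same value without an exponent: 307 zeros after the decimal point followed by
    // the 17 significant digits, i.e. 324 decimal places. Constructed here from the
    // bulletin's statement; it is not copied from the page.
    static String plainForm() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        return sb.append("22250738585072012").toString();
    }

    /**
     * Runs Double.parseDouble(s) on a daemon thread and waits at most timeoutMs.
     * Returns true if the parse completed, false if it did not return in time
     * (the symptom CVE-2010-4476 describes). The worker is a daemon thread so a
     * JVM that really does spin forever can still exit when main() returns.
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMs) {
        ExecutorService worker = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                t.setDaemon(true);
                return t;
            }
        });
        try {
            Future<Double> result = worker.submit(new Callable<Double>() {
                public Double call() {
                    return Double.parseDouble(s);
                }
            });
            result.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;                       // parse did not return: treat as hung
        } catch (ExecutionException e) {
            // A NumberFormatException is not a hang; surface it rather than hide it.
            throw new IllegalStateException("parseDouble threw", e.getCause());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        } finally {
            worker.shutdownNow();               // a spinning worker ignores this; daemon flag covers it
        }
    }

    public static void main(String[] args) {
        String[] inputs = { SCI_FORM, plainForm() };
        boolean hung = false;
        for (String in : inputs) {
            boolean ok = parsesWithinTimeout(in, 5000L);
            String shown = in.length() > 40 ? in.substring(0, 40) + "..." : in;
            System.out.println((ok ? "ok    " : "HANG  ") + shown);
            if (!ok) {
                hung = true;
            }
        }
        // Same verdict wording as the bulletin's tool, so the output is easy to compare.
        System.out.println(hung ? "Test failed" : "Test succeeded");
        System.exit(hung ? 1 : 0);
    }
}
```

Run it with the Java under test, for example C:\Progra~1\IBM\SDP\jdk\bin\java ParseDoubleProbe after compiling with that JDK's javac; a non-zero exit status lets the check be scripted across many installations. A patched runtime parses both strings immediately (to the smallest normal double), so the probe finishes in milliseconds.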

Affected Products and Versions

This issue affects all versions of Java on all IBM supported platforms.

Remediation/Fixes

Upgrade to the latest fixes for WebSphere Application Server following the instructions in technote 1390803: Update the WebSphere Application Server components in Rational ClearCase and Rational ClearQuest 7.1

If your IBM Rational product uses WebSphere Application Server (for example, the IBM Rational Change Management (CM) Server used with IBM Rational ClearCase, IBM Rational Application Developer, or others), consult technote 1462019: Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476) (PM32387) for the WebSphere-specific instructions to address this vulnerability.

Other application servers may also have corrected this condition; for example, Apache Tomcat (which has been used in previous Rational legacy products) has released a fix for Tomcat specifically.

For other non-IBM Java instances or Application servers, contact the vendor directly.

Workarounds and Mitigations

Many IBM Rational products leverage Java technology and may ship or install a version or multiple versions of Java on a system.

  • IBM is providing an UPDATE TOOL that can be used to identify potentially vulnerable IBM Java instances on a system and apply patches as needed. You will need to download patches based on the Java major version (for example 1.4.x, 1.5, 1.6) and the platform of your system; for these patches see PATCH DOWNLOADS.

  • IBM is also providing a TEST CASE TOOL that can be used to check to see if an IBM supplied Java is affected (and if the Java has been patched).

    The test case is an executable JAR file, and can be run using the following command line:

    java -jar ParseDoubleTest.jar


    If the vulnerability has not been fixed, the test will fail:
    > java -jar ParseDoubleTest.jar
    Test failed


    If the vulnerability has been fixed, the test will succeed:
    > java -jar ParseDoubleTest.jar
    Test succeeded


    Examples:
    1. Using the update tool to "discover" possible Java candidates.

      >java -jar JavaUpdateInstaller.jar -discover all

      This will search the entire disk to uncover all IBM Java instances.

    2. Applying the fix to the Software Delivery Platform

      (Products in use, for example, IBM Rational Functional Tester and IBM Rational Software Architect)

      Version of Java before applying fix:

      C:\Progra~1\IBM\SDP\jdk\bin\java -version
      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pwi3260sr8-20100409_01(SR8))
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8-20100401_55940 (JIT enabled, AOT enabled)
      J9VM - 20100401_055940
      JIT  - r9_20100401_15339
      GC   - 20100308_AA)
      JCL  - 20100408_01


      Running the update tool on Microsoft Windows:

      C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\Progra~1\IBM\SDP\jdk

      Installs the specified update to the SDK if applicable.
      -------------------------------------------------------------------------
      Installing the update IZ94423_FIX_1 to the SDK: C:\Progra~1\IBM\SDP\jdk ...
      IZ94423_FIX_1 has been successfully installed to SDK C:\Progra~1\IBM\SDP\jdk

      Confirming the Java version after the update:

      C:\Progra~1\IBM\SDP\jdk\bin\java -version
      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pwi3260sr8-20100409_01(SR8) + IZ94423_FIX_1)
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8-20100401_55940 (JIT enabled, AOT enabled)
      J9VM - 20100401_055940
      JIT - r9_20100401_15339
      GC - 20100308_AA)
      JCL - 20100408_01

    3. If a fix is applied to a Java instance it does not match, the update installer will alert you:

      C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\java

      Installs the specified update to the SDK if applicable.
      -------------------------------------------------------------------------
      Update IZ94423_FIX_1 is not applicable to SDK - C:\java. Update IZ94423_FIX_1
      can be installed to JDK with version(s)

      1) 1.6.0

    4. Updating the Java used for IBM Rational ClearCase/ClearQuest client components (such as ClearCase Remote Client, ClearQuest Client, ClearQuest Designer):

      Update: Review technote 1509635: Applying IZ94423 to address CVE-2010-4476 in ClearCase and ClearQuest for updated resolution details.

      C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version

      java version "1.5.0"
      Java(TM) 2 Runtime Environment, Standard Edition (build pwi32devifx-20100511b (SR11 FP2 ))
      IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Windows Server 2003 x86-32 j9vmwi3223ifx-20100511 (JIT enabled)
      J9VM - 20100509_57823_lHdSMr
      JIT - 20091016_1845ifx7_r8
      GC - 20091026_AA)
      JCL - 20100511a

      C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar <path>\ParseDoubleTest.jar
      Test failed

      C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install c:\IZ94331_FIX_1.jar "C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0"
      Installs the specified update to the SDK if applicable.
      -------------------------------------------------------------------------
      Installing the update IZ94331_FIX_1 to the SDK: C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0 ...

      IZ94331_FIX_1 has been successfully installed to SDK C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0
      -------------------------------------------------------------------------

      C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version
      java version "1.5.0"
      Java(TM) 2 Runtime Environment, Standard Edition (build pwi32devifx-20100511b (SR11 FP2 ))
      IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Windows Server 2003 x86-32 j9vmwi3223ifx-20100511 (JIT enabled)
      J9VM - 20100509_57823_lHdSMr
      JIT - 20091016_1845ifx7_r8
      GC - 20091026_AA)
      JCL - 20100511a

      The reported Java version string did not change, yet the patch was applied. ParseDoubleTest can be used to confirm that the Java instance is no longer vulnerable:

      C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar <path>\ParseDoubleTest.jar
      Test succeeded

References

Acknowledgement

None

Change History

* 23 August 2011: Added update regarding ClearCase and ClearQuest fixes
* 15 February 2011: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Related information

A Japanese translation is available
A simplified Chinese translation is available
A Korean translation is available


Cross reference information

Segment              | Product                                               | Component           | Platform | Version | Edition
---------------------|-------------------------------------------------------|---------------------|----------|---------|--------
Software Development | Rational ClearQuest                                   | General Information |          |         |
Software Development | Rational Application Developer for WebSphere Software | General Information |          |         |
Software Development | Rational Software Architect for WebSphere Software    | General Information |          |         |
Software Development | Rational Software Architect                           | General Information |          |         |
Software Development | Rational Software Architect RealTime Edition          | General Information |          |         |
Software Development | Rational Team Concert                                 | General Information |          |         |
Software Development | Rational System Architect                             | General Information |          |         |
Software Development | Rational Method Composer                              | General Information |          |         |
Software Development | Rational DOORS                                        | General Information |          |         |
Software Development | Rational Functional Tester                            | General Information |          |         |

Document information


More support for:

Rational ClearCase
General Information

Software version:

7.1, 7.1.1, 7.1.2, 8.0, 8.0.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1468287

Modified date:

2011-10-03