Impact to DB2 for Linux, UNIX, and Windows regarding IBM Runtimes for Java Technology class file parser Denial of Service ibm-rjt-classfile-dos when converting "2.2250738585072012e-308" (CVE-2010-4476)

Flash (Alert)


Abstract

During the first week of February 2011, a critical class library security vulnerability was blogged on the Internet and is now in the public domain. The issue is Java Runtime Environment hangs when it converts "2.2250738585072012e-308" to a binary floating-point number. This flash describes how this vulnerability affects DB2 for Linux, UNIX, and Windows.

Content

Issue:

Java Runtime Environment hangs when it converts "2.2250738585072012e-308" to a binary floating-point number.

When you might encounter this issue:
You might encounter this issue when you run Java stored procedures or Java User Defined Functions that convert a string to a double using Double.parseDouble(), the Double(String) constructor, or Double.valueOf(String) with the input value "2.2250738585072012e-308".

Note: If you do not call Double.parseDouble(), the Double(String) constructor, or Double.valueOf(String) with the input value "2.2250738585072012e-308", then you are not at risk and the upgrades mentioned in this technote are optional.
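The following is an added illustration, not part of this technote and not IBM's code, of how a Java stored procedure or UDF can wrap the conversion named above so that a JRE which never returns from it reports a timeout instead of pinning the calling thread. The class and method names are our own. The guard only detects the hang; on an unpatched JRE the worker thread may keep spinning, so it complements the fix rather than replacing it.

```java
// Added illustration (not IBM's code): run the conversion on a daemon worker
// and bound the wait, so a parse that never returns surfaces as a
// TimeoutException instead of silently hanging the stored-procedure thread.
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public final class GuardedDoubleParser {

    // Daemon workers: a thread stuck in the conversion loop must not keep
    // the JVM alive at shutdown. (Hypothetical helper; the name is ours.)
    private static final ExecutorService WORKERS = Executors.newCachedThreadPool(r -> {
        Thread t = new Thread(r, "guarded-double-parse");
        t.setDaemon(true);
        return t;
    });

    private GuardedDoubleParser() { }

    /**
     * Converts text to a double, giving up after timeoutMillis.
     * A NumberFormatException propagates exactly as it would from
     * Double.parseDouble; a hang becomes a TimeoutException.
     */
    public static double parse(String text, long timeoutMillis) throws TimeoutException {
        Future<Double> result = WORKERS.submit(() -> Double.parseDouble(text));
        try {
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            // Best effort only: the affected loop does not observe the interrupt
            // flag, so the worker may keep spinning until the IBM fix is applied.
            result.cancel(true);
            throw e;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new IllegalStateException("interrupted while parsing", e);
        } catch (ExecutionException e) {
            Throwable cause = e.getCause();
            if (cause instanceof NumberFormatException) {
                throw (NumberFormatException) cause;
            }
            throw new IllegalStateException(cause);
        }
    }

    // Self-check: ordinary input parses; the value from the technote either
    // parses (fixed JRE) or times out (unfixed JRE) within one second.
    public static void main(String[] args) throws Exception {
        System.out.println(parse("1.5", 1000));
        try {
            System.out.println(parse("2.2250738585072012e-308", 1000));
            System.out.println("JRE converted the value: fix present");
        } catch (TimeoutException e) {
            System.out.println("conversion did not return within 1s: JRE likely unfixed");
        }
    }
}
```

In a DB2 Java routine the call site would replace a direct Double.parseDouble(value) with GuardedDoubleParser.parse(value, timeout) and map the TimeoutException to a SQL error, so the routine fails fast and the condition is visible in the diagnostic log rather than as an unresponsive agent.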

Versions of DB2 for Linux, UNIX, and Windows that are affected:

The Java Development Kit (JDK) that is shipped with the following versions of the DB2 product is affected:

  • Version 9.7 (including Fix Packs 9.7.0.1 through 9.7.0.4) for Linux, UNIX, and Windows.
  • Version 9.5 (including Fix Packs 9.5.0.1 through 9.5.0.7) for Linux, UNIX, and Windows.
  • Version 9.1 (including Fix Packs 9.1.0.1 through 9.1.0.10) for all supported operating systems.

Description of the issue:
The Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). The issue causes the Java Runtime Environment to hang, go into an infinite loop, or crash, resulting in a denial of service exposure. The same problem occurs if the number is written without scientific notation (324 decimal places).


Solution for DB2 Version 9.7 through 9.7.0.4 for Linux, UNIX, and Windows:
Solution for DB2 Version 9.5 through 9.5.0.7 for Linux, UNIX, and Windows:
Solution for DB2 Version 9.1 through 9.1.0.10 for Linux, UNIX, and Windows:
References:
  • IBM APAR IZ89602 (for Java 6.0): JVM CRASHES WHILE LOADING INVALID CLASS FILE.
  • IBM APAR IZ89620 (for Java 5.0): JVM CRASHES WHILE LOADING INVALID CLASS FILE.

Related information

Impact to Tivoli System Automation for Multiplatforms

Cross reference information

Segment: Information Management
Product: DB2 Connect
Component: (none listed)
Platform: AIX, HP-UX, Linux, Solaris, Windows
Version: 9.7, 9.5, 9.1
Edition: DB2 Connect Application Server Edition, DB2 Connect Enterprise Edition, DB2 Connect Unlimited Edition for System i, DB2 Connect Unlimited Edition for System z

Document information


More support for:

DB2 for Linux, UNIX and Windows

Software version:

9.1, 9.5, 9.7, 9.8

Operating system(s):

AIX, HP-UX, Linux, Linux iSeries, Linux pSeries, Linux zSeries, Solaris, Windows

Software edition:

Advanced Enterprise Server Edition, Enterprise Server Edition, Express Edition, Express-C, Personal Edition, Workgroup Server Edition

Reference #:

1468291

Modified date:

2013-04-16