This alert describes how CICS Transaction Gateway (CICS TG) is affected by serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number).
On 8 February 2011 Oracle published security vulnerability CVE-2010-4476, a critical class library vulnerability that affects the Java Runtime Environment (JRE). It also affects Java Runtime Environments provided by IBM, as detailed in the Critical security vulnerability alert for CVE-2010-4476 issued by IBM.
This alert describes how CICS TG is affected by this vulnerability and the solutions that are available.
Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. This same hang occurs if the number is written without scientific notation (324 decimal places).
What is affected?
CICS TG Runtime Components
CICS Transaction Gateway runtime components provided by IBM are not affected by this security alert.
User exit code running in the CICS TG
The samples provided with CICS TG for the Security, Request Monitoring, and CICS Request exit points are not affected by this security alert.
Any exit code written in house or by a third party is at risk from this exposure. Exit code runs as part of CICS TG and, if it is affected, can cause CICS TG to hang, which results in a denial-of-service exposure.
Other Java applications using the CICS TG provided JRE
Any Java program using the JRE provided by CICS TG is at risk of this exposure.
CICS TG Configuration Utility
The ctgcfg configuration utility provided by CICS TG is affected by this security alert.
The configuration utility does not include any network or remote access capability and can be started only by a user already logged on to the system who has sufficient permission to execute the utility launcher file. No remote or unauthorised exploitation is possible.
Please contact your IBM CICS Transaction Gateway support organization to request an update for the JRE supplied with your CICS TG. The update refreshes the JRE to the latest Java service level in addition to including a fix for this issue.
If you require an immediate patch and cannot move to the latest service refresh level, IBM has provided an update installer and patches that allow you to fix this security vulnerability temporarily. Refer to the Critical security vulnerability alert for CVE-2010-4476 page issued by IBM for links to the appropriate patches for your JRE. If you apply a temporary patch to your JRE, contact your IBM CICS Transaction Gateway support organization to request a permanent fix for your specific JRE version.
Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your JRE might remove fixes applied by the IBM Update Installer for Java. You should always use fixes provided by your IBM Product support team where available.
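One way to confirm that the JRE used by CICS TG has actually been patched, as an added example that is not IBM's or CICS TG's own code: it parses the value named at the top of this alert on a separate thread and treats a failure to return within a bounded time as the hang, since an unpatched JRE loops rather than throwing anything that could be caught. The class name, the default time limit and the exit codes are assumptions.

```java
import java.util.concurrent.TimeUnit;

/** Added example: reports whether the running JRE still hangs on the CVE-2010-4476 input. */
public class Cve20104476Check {
    // Value from the alert; an unpatched JRE never returns from Double.parseDouble on it.
    static final String TRIGGER = "2.2250738585072012e-308";

    /** Returns true if parsing completes within limitMillis (JRE patched), false if it is still running. */
    static boolean parsesWithinLimit(final String value, long limitMillis) throws InterruptedException {
        final double[] result = new double[1];
        // Anonymous Runnable rather than a lambda so this compiles on the Java 5/6 JREs of the period.
        Thread worker = new Thread(new Runnable() {
            public void run() {
                result[0] = Double.parseDouble(value);
            }
        });
        // Daemon thread: a hung worker must not keep the checker process alive.
        worker.setDaemon(true);
        worker.start();
        worker.join(limitMillis);
        return !worker.isAlive();
    }

    public static void main(String[] args) throws InterruptedException {
        // Assumed default: five seconds is far beyond a normal parse on any hardware.
        long limit = args.length > 0 ? Long.parseLong(args[0]) : TimeUnit.SECONDS.toMillis(5);
        System.out.println("java.version=" + System.getProperty("java.version")
                + " java.vendor=" + System.getProperty("java.vendor"));
        if (parsesWithinLimit(TRIGGER, limit)) {
            System.out.println("Parse completed within " + limit + " ms: JRE appears patched for CVE-2010-4476");
            System.exit(0);
        } else {
            System.out.println("Parse did not complete within " + limit + " ms: JRE appears UNPATCHED");
            System.exit(1);
        }
    }
}
```

Run it with the java launcher from the JRE directory that CICS TG actually uses, not the system default, so the result reflects the runtime the exit code and ctgcfg run on.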