Security Vulnerability CVE-2010-4476 as it relates to Java Runtime Environments shipped with WebSphere Message Broker products

Flash (Alert)


Abstract

This Security Alert relates to security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability causes the Java Runtime Environment to enter an infinite loop, which appears as a hang. A denial-of-service condition results when an external party induces several such loops within a single JRE. Any Java program that calls the Double.parseDouble method is at risk, including customer-written applications and third-party applications running in the JRE shipped with the IBM WebSphere Message Broker products.

Note: The WebSphere Message Broker products included in this Flash are:

WebSphere Message Broker V7.0 and Fix Packs:
V7.0.0.1
V7.0.0.2

WebSphere Message Broker V6.1 and Fix Packs:
V6.1.0.1
V6.1.0.2
V6.1.0.2a
V6.1.0.3
V6.1.0.4
V6.1.0.5
V6.1.0.6
V6.1.0.7
V6.1.0.8

WebSphere Message Broker V6.0 and Fix Packs:
V6.0.0.1
V6.0.0.2
V6.0.0.3
V6.0.0.4
V6.0.0.5
V6.0.0.6
V6.0.0.7
V6.0.0.8
V6.0.0.9
V6.0.0.10

WebSphere Message Broker Toolkit V7.0.

WebSphere Message Broker Toolkit V6.1.

WebSphere Message Broker Toolkit V6.0.2.

Content

How do I know if my systems could be affected?

Any Java application that uses or receives string representations of double-precision floating-point values could be affected by this problem. The system is vulnerable to a denial-of-service attack if the Double.parseDouble method is invoked, directly or indirectly, multiple times with the value that induces the infinite loop.


What could happen if I fail to update my systems?

A system in which multiple infinite loops have been induced, as a result of repeated requests to parse a string representation of the double-precision floating-point number 2.2250738585072012e-308, consumes significant resources and the JRE becomes unusable.


What actions do I need to take?

All JREs that are exposed to the risk of multiple invocations of the Double.parseDouble method with the string representation of the double-precision floating-point number 2.2250738585072012e-308 should be corrected. Contact the provider of the JRE to determine whether this problem exists in the Double.parseDouble method of that JRE's class library and, if it does, request a fix.

For the JREs shipped with the WebSphere Message Broker products, the correction is delivered by one or more of the following activities.

  • The IBM Update Installer for Java can be used to patch the affected class library
  • Application of WebSphere Message Broker Runtime Fix Packs 6.0.0.11 or later, 6.1.0.9 or later and 7.0.0.3 or later when they are released. The Fix Pack schedule for WebSphere Message Broker can be viewed on the WebSphere Message Broker planned maintenance release dates information page.

The IBM Update Installer for Java allows the problem to be rectified without applying a Fix Pack. The IBM Update Installer for Java can be downloaded from the IBM Update Installer page, and the required patch can be downloaded from the IBM Java technology IBM Critical security vulnerability alert for CVE-2010-4476 page.

For the z/OS platform there is no WebSphere Message Broker maintenance to be applied, although JRE maintenance may still be required from the JRE supplier.


Information on running the IBM Update Installer for Java in a Message Broker environment

All JREs provided with WebSphere Message Broker Runtime and Toolkit are prone to the vulnerability caused by the defect in the Double.parseDouble method.


JREs provided with the WebSphere Message Broker Runtime
There is at least one installed JRE supplied with WebSphere Message Broker on the following platforms:

* Windows
* Linux for System x (32 bit)
* Linux for System x (64 bit)
* Linux for System z (64 bit)
* Linux for System p
* HP-UX Itanium
* HP-UX PA-RISC
* Solaris SPARC
* Solaris x86_64
* AIX

All JREs will be fixed in the next available Fix Packs; however, they can also be fixed now using the IBM Update Installer for Java. Full details can be found in the actions section above.

To use the IBM Update Installer for Java you will need the appropriate patch for your platform and Java level, and you will need to supply the Java home directory as indicated below:


WebSphere Message Broker Version 7.0:

Java level: Java SE 6
[JAVA_HOME of target JDK] : <wmb install dir>

By default <wmb install dir> is
- C:\Program Files\IBM\MQSI\7.0 on Windows 32-bit editions
- C:\Program Files(x86)\IBM\MQSI\7.0 on Windows 64-bit editions
- /opt/ibm/mqsi/7.0 on Linux for System x (32 bit)
- /opt/IBM/mqsi/7.0 on Linux for System x (64 bit), Linux for System z (64 bit), Linux for System p and all other UNIX platforms


WebSphere Message Broker Version 6.1:

Java level: Java SE 5.0
[JAVA_HOME of target JDK] : <wmb install dir>

By default <wmb install dir> is
- C:\Program Files\IBM\MQSI\6.1 on Windows 32-bit editions
- C:\Program Files(x86)\IBM\MQSI\6.1 on Windows 64-bit editions
- /opt/ibm/mqsi/7.0 on Linux for System x (32 bit)
- /opt/IBM/mqsi/7.0 on Linux for System x (64 bit), Linux for System z (64 bit), Linux for System p and all other UNIX platforms


WebSphere Message Broker Version 6.0:

Java levels: J2SE 1.4.2 / Java SE 5.0:
[JAVA_HOME of target JDK]: <wmb install dir>

By default <wmb install dir> is
- C:\Program Files\IBM\MQSI\6.0 on Windows
- /opt/IBM/mqsi/6.0 on UNIX platforms
- /opt/ibm/mqsi/6.0 on Linux platforms



JREs provided for the WebSphere Message Broker Toolkit
The JRE supplied with the WebSphere Message Broker Toolkit is not intended to run production applications and therefore should not be exposed to this security vulnerability, even though it contains the Double.parseDouble method defect. If an immediate remedy is required, the IBM Update Installer for Java should be used.

To use the IBM Update Installer for Java you will need the appropriate patch for your platform and Java level, and you will need to supply the Java home directory as indicated below:


WebSphere Message Broker Toolkit Version 7.0:

Java level: Java SE 6
[JAVA_HOME of target JDK] : <mbtk install dir>/jdk

By default <mbtk install dir> is
- C:\Program Files\IBM\IBM\WMBT700 on Windows 32-bit editions
- C:\Program Files(x86)\IBM\IBM\WMBT700 on Windows 64-bit editions
- /opt/IBM/WMBT700 on Linux platforms


WebSphere Message Broker Toolkit Version 6.1:

Java level: Java SE 5.0
[JAVA_HOME of target JDK] : <mbtk install dir>/jdk

By default <mbtk install dir> is
- C:\Program Files\IBM\IBM\WMBT610 on Windows 32-bit editions
- C:\Program Files(x86)\IBM\IBM\WMBT610 on Windows 64-bit editions
- /opt/IBM/WMBT610 on Linux platforms


WebSphere Message Broker Toolkit Version 6.0:

Java level: J2SE 1.4.2
[JAVA_HOME of target JDK] : <mbtk install dir>/eclipse

By default <mbtk install dir> is
- C:\Program Files\IBM\MessageBrokersToolkit\6.0 on Windows
- /opt/ibm/MessageBrokersToolkit/6.0 on Linux platforms


Category 3 SupportPacs
No issues have been identified with the Category 3 WebSphere Message Broker SupportPacs themselves.

These SupportPacs do not ship a JRE (see Note 2) but may make use of JREs embedded in server, client or operating system software. Customers should ensure that all necessary server, client and operating system fixes are applied.

Note 2: WebSphere Message Broker Explorer Plug-in IS02
If customers are running the WebSphere Message Broker Explorer Plug-in (IS02) SupportPac, it uses the JRE installed for the MQ Explorer. Customers should follow the advice given in the WebSphere MQ Flash for MQ Explorer.


Related Links
Oracle Security Alert for CVE-2010-4476
WebSphere Application Server Flash
WebSphere MQ Flash
IBM Critical security vulnerability alert for CVE-2010-4476


Change History
17th February 2011 - Initial release
Product Alias/Synonym

WMB MB WebSphere Message Broker MQ Integrator WBIMB WBI-MB MQSI WMQI

Document information

More support for: WebSphere Message Broker; Security
Software version: 6.0, 6.1, 7.0
Operating system(s): AIX, HP-UX on Itanium, HP-UX on PA-RISC, Linux, Linux SUSE - zSeries, Linux pSeries, Solaris, Windows
Reference #: 1468624
Modified date: 2011-02-21
