Critical security vulnerability alert - parseDouble vulnerability

Flash (Alert)


Abstract

A security vulnerability has been identified in the Java runtime shipped with the Impact products. The steps to remediate this issue are described in this flash.

Content

This affects all shipped versions of Impact and Security Manager at all support levels. To remediate this issue, go to the following website:

http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html

Go to the Patch availability section and download the jar file for the appropriate SDK/JRE level and platform (place that file in the same temporary directory, java_fix_tempdir).

Go to the Verification section and download the ParseDoubleTest.jar file. It will be used to verify whether the vulnerability is present. Place the file in a temporary directory (e.g. java_fix_tempdir).

Download the IBM Update Installer (the link to it is provided in the same Patch availability section of the above URL). Unzip the IBM Update Installer into java_fix_tempdir and run the following commands from java_fix_tempdir:
    NOTE: Stop all services prior to applying the fix!

4.0.2:
$NCHOME/platform/<arch>/jdk_1.5.0/bin/java -jar JavaUpdateInstaller.jar -install IZ94331_FIX_1.jar $NCHOME/platform/<arch>/jdk_1.5.0

5.1 and 5.1.1:
$NCHOME/eWAS/java/bin/java -jar JavaUpdateInstaller.jar -install IZ94331_FIX_1.jar $NCHOME/eWAS/java


The fix can be tested by running ParseDoubleTest.jar with the same java binary that was used to install it:
$NCHOME/platform/<arch>/jdk_1.5.0/bin/java -jar ParseDoubleTest.jar

$NCHOME/eWAS/java/bin/java.exe -jar ParseDoubleTest.jar

"Test failed" indicates that the vulnerability is present.
"Test succeeded" indicates that the vulnerability has been patched.
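The following POSIX shell script is an added example (not IBM's code and not part of this flash) that automates the Impact steps above for one installation: it selects the bundled JVM for the given version, applies IZ94331_FIX_1.jar, then runs ParseDoubleTest.jar under a watchdog (the defect is a hang, so the verification must be time-bounded) and reports the result. It assumes NCHOME and the platform directory name (ARCH) are set in the environment and that the three jar files are in the current directory.

```shell
#!/bin/sh
# Added example, not IBM's code: automates the flash's fix-and-verify steps.
# Assumes NCHOME and ARCH are set and that JavaUpdateInstaller.jar,
# IZ94331_FIX_1.jar and ParseDoubleTest.jar are in the current directory
# (java_fix_tempdir). Services must already be stopped, as the flash requires.

# Map an Impact version to the bundled JDK/JRE directory named in the flash.
java_home_for_version() {
    case "$1" in
        4.0.2)     echo "$NCHOME/platform/$ARCH/jdk_1.5.0" ;;
        5.1|5.1.1) echo "$NCHOME/eWAS/java" ;;
        *)         return 1 ;;
    esac
}

# Interpret ParseDoubleTest.jar output: 0 = patched, 1 = vulnerable, 2 = unknown.
classify_test_output() {
    case "$1" in
        *"Test succeeded"*) return 0 ;;
        *"Test failed"*)    return 1 ;;
        *)                  return 2 ;;
    esac
}

# Run a command under a watchdog: the defect is a hang, so an unpatched JVM
# must not block the script. Returns the command's status (143 if killed).
run_with_timeout() {
    secs=$1; shift
    "$@" & pid=$!
    ( sleep "$secs"; kill "$pid" 2>/dev/null ) >/dev/null 2>&1 & wd=$!
    rc=0; wait "$pid" || rc=$?
    kill "$wd" 2>/dev/null
    return $rc
}

# Apply the fix, then verify it, for one Impact version (4.0.2, 5.1 or 5.1.1).
main() {
    home=$(java_home_for_version "$1") || { echo "unsupported version: $1" >&2; return 2; }
    java="$home/bin/java"
    "$java" -jar JavaUpdateInstaller.jar -install IZ94331_FIX_1.jar "$home" || return 2
    out=$(run_with_timeout 120 "$java" -jar ParseDoubleTest.jar 2>&1)
    rc=0; classify_test_output "$out" || rc=$?
    case $rc in
        0) echo "PATCHED: $home" ;;
        1) echo "VULNERABLE: $home (fix did not take effect)" ;;
        *) echo "UNKNOWN: $home, inspect output: $out" ;;
    esac
    return $rc
}
if [ $# -eq 1 ]; then main "$1"; fi
```

Run it once per installation, e.g. `NCHOME=/opt/IBM/netcool ARCH=linux2x86 sh fix_parsedouble.sh 4.0.2`; a non-zero exit status means the host still needs attention.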



Security Manager
The Security Manager uses a Sun JDK, not an IBM one. To remediate this version, go to the following website:

https://cds.sun.com/is-bin/INTERSHOP.enfinity/WFS/CDS-CDS_Developer-Site/en_US/-/USD/ViewProductDetail-Start?ProductRef=fpupdater-oth-JPR@CDS-CDS_Developer

A single .jar file updates all affected Sun/Oracle JRE versions. Running the jar with the java binary of the affected JRE patches that JRE:

$NCHOME/platform/<arch>/jre_1.4.2/bin/java -jar fpupdater.jar -u -v




Future fix packs for Impact will test an eWAS upgrade to a level that is not affected by this security vulnerability.


Important:
If you apply an eWAS fix pack or interim fix (IF) that has already been published (as of 2/18/11), it may undo this patch and you will need to reapply it.


Document information

More support for: Tivoli Netcool/Impact
Software version: 4.0, 4.0.1, 4.0.2, 5.1, 5.1.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1468724
Modified date: 2011-02-21
