A critical Java class library security vulnerability was blogged on the Internet and is now in the public domain. It can be used to mount a denial-of-service attack against application servers. The vulnerability affects all versions and releases of Java (1.4.2, 5.0 and 6.0) on all platforms. Web servers and web services are particularly at risk.
This Security Alert addresses a serious security issue, CVE-2010-4476: the Java Runtime Environment hangs when converting the string "2.2250738585072012e-308" to a binary floating-point number. All web-based and non-web-based applications are at serious risk from a remote attack. The vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, or crash, resulting in a denial-of-service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). Beyond the application server itself, any Java program that uses the Double.parseDouble method, including parseDouble(), the Double() constructor and Double.valueOf(), is also exposed, including any customer-written or third-party application.
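The guard below is an added example written for this note, not IBM or Oracle code, and it is an interim screen only: it recognizes the literal the alert names, in both the scientific form and the 324-decimal-place expansion, before the string reaches Double.parseDouble. It assumes Java-style decimal literal syntax, and the class and method names are assumptions of this example. Updating the JRE and JDK as described in this note remains the actual fix.

```java
import java.util.Locale;

/**
 * Interim input screen for CVE-2010-4476 (added example, not IBM code).
 * Rejects the literal named in the alert before it reaches Double.parseDouble,
 * whether it is written in scientific notation or expanded to 324 decimal places.
 */
public final class GuardedDoubleParser {

    // Significant digits of 2.2250738585072012e-308: the decimal string with
    // sign, exponent, decimal point and leading zeros removed.
    private static final String TRIGGER_DIGITS = "22250738585072012";

    private GuardedDoubleParser() {}

    /** Reduce a decimal literal to its significant digits (assumes Java-style syntax). */
    static String significantDigits(String s) {
        String t = s.trim().toLowerCase(Locale.ROOT);
        if (t.startsWith("+") || t.startsWith("-")) {
            t = t.substring(1);
        }
        // parseDouble accepts a trailing d/f type suffix; drop it so it cannot mask the digits
        if (t.endsWith("d") || t.endsWith("f")) {
            t = t.substring(0, t.length() - 1);
        }
        int e = t.indexOf('e');
        String mantissa = e >= 0 ? t.substring(0, e) : t;
        StringBuilder digits = new StringBuilder(mantissa.length());
        for (int i = 0; i < mantissa.length(); i++) {
            char c = mantissa.charAt(i);
            if (c >= '0' && c <= '9') {
                digits.append(c);
            } else if (c != '.') {
                return ""; // not a plain decimal literal (hex float, NaN, ...): let the parser decide
            }
        }
        int firstNonZero = 0;
        while (firstNonZero < digits.length() && digits.charAt(firstNonZero) == '0') {
            firstNonZero++;
        }
        return digits.substring(firstNonZero);
    }

    /** True when the input carries the digit sequence of the alert's literal. */
    public static boolean isKnownTrigger(String s) {
        return significantDigits(s).startsWith(TRIGGER_DIGITS);
    }

    /** Parse as Double.parseDouble would, but refuse the known trigger first. */
    public static double parseDouble(String s) {
        if (isKnownTrigger(s)) {
            throw new NumberFormatException("rejected: input matches the CVE-2010-4476 trigger");
        }
        return Double.parseDouble(s);
    }

    /** Build the 324-decimal-place form the alert mentions: 307 zeros, then the 17 digits. */
    static String expandedForm() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        return sb.append(TRIGGER_DIGITS).toString();
    }

    public static void main(String[] args) {
        // Constructed sample inputs: the alert's literal in both notations plus two benign values.
        String[] samples = {
            "2.2250738585072012e-308",
            expandedForm(),
            "1.0e-308",
            "3.14159"
        };
        for (String s : samples) {
            String shown = s.length() > 40
                ? s.substring(0, 20) + "..." + s.substring(s.length() - 17)
                : s;
            if (isKnownTrigger(s)) {
                System.out.println("REJECT " + shown);
            } else {
                System.out.println("OK     " + shown + " -> " + parseDouble(s));
            }
        }
    }
}
```

Apply the check to untrusted input such as request parameters and uploaded data. A timeout around the parse is not a substitute: the conversion loop does not respond to thread interruption, so a hung parse keeps consuming CPU even after the caller gives up. Rejecting the input before parsing avoids the spin until the runtime is patched.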
To remediate this vulnerability, you will need to perform two distinct actions. First, update the Java Runtime Environment (JRE). The Java Runtime Environment provides the libraries, the Java Virtual Machine, and the other components needed to run applets and applications such as Maximo.
Second, update your application server's Java Development Kit (JDK). The JDK lets you develop and deploy Java applications on desktops and servers.
Java Runtime Environment (JRE)
The IBM supplied JRE versions are:
Maximo 6.2.0 through 6.2.8 – JRE 1.4.2_05
Maximo Base Services 22.214.171.124 through 126.96.36.199 – JRE 1.5.0
The IBM Update Installer for Java updates the IBM supplied JREs and fixes the security vulnerability. You must first download and install the IBM Update Installer for Java from the following web page:
Next, download the patch file for your platform and Java version in the Patch Availability section at the following web page:
Java Development Kit (JDK)
Outlined below are instructions for updating your application server's Java Development Kit (JDK). Review the tables below carefully, because different WebSphere and WebLogic versions were introduced across the Maximo versions and fix pack revisions.
Maximo 6.2.0 through 6.2.7
| Maximo Release | IBM WebSphere | Oracle WebLogic |
Maximo Base Services 7.1.0 through 188.8.131.52
| Maximo Release | IBM WebSphere | Oracle WebLogic |
WebSphere Java Development Kit (JDK) Instructions
You will need to upgrade your JDK to an Interim Fix JDK level containing the fix for this issue.
To determine your WebSphere version:
1. Access the WebSphere Administrative Console and sign in.
2. Locate the Welcome page; it shows the WebSphere Application Server version. (The original note illustrates this with one screenshot per WebSphere release; the screenshots are not reproduced here.)
3. Once you have determined the specific version of WebSphere that is installed, go to the following page to download the appropriate remediated JDK fix. On that page the remediated JDK updates are grouped by WebSphere version (that is, 6.0.x, 6.1.x, 7.0.x). Locate the entry that matches your installed version and click its link to reach the download page for the remediated JDK.
WebLogic Java Development Kit (JDK) Instructions
You will need to upgrade your JDK using the Java SE Floating Point Updater Tool that Oracle provides. Below are links to the Java SE Downloads page, which includes the Java SE Floating Point Updater Tool, and to the Readme for the tool.
Java SE Downloads
Additional Resources - Java SE Floating Point Updater Tool
FPUpdater Tool Readme
Related Product Information
Consult the following links for information on how to address the vulnerability for related products.
DB2® specific instructions to address this vulnerability
Tivoli Common Reporting instructions:
| Systems and Asset Management | IBM Maximo Adapter for Microsoft Project |
| Systems and Asset Management | IBM Maximo Asset Configuration Manager |
| Systems and Asset Management | IBM Maximo Asset Management Essentials |
| Systems and Asset Management | IBM Maximo Asset Management for Energy Optimization |
| Systems and Asset Management | IBM Maximo Change and Corrective Action Manager |
| Systems and Asset Management | IBM Maximo Enterprise Adapter |
| Systems and Asset Management | IBM Maximo for Government |
| Systems and Asset Management | IBM Maximo for Nuclear Power |
| Systems and Asset Management | IBM Maximo for Transportation |
| Systems and Asset Management | IBM Maximo Mobile Inventory Manager |
| Systems and Asset Management | IBM Maximo Mobile Work Manager |
| Systems and Asset Management | Maximo Spatial Asset Management |
| Systems and Asset Management | IBM Maximo Archiving with Optim Data Growth Solution |
| Systems and Asset Management | IBM Maximo Asset Management Scheduler |
| Systems and Asset Management | IBM Maximo Calibration |
| Systems and Asset Management | Maximo Data Center Infrastructure Management |
| Systems and Asset Management | Maximo Everyplace |
| Systems and Asset Management | IBM Maximo for Life Sciences |
| Systems and Asset Management | IBM Maximo for Oil and Gas |
| Systems and Asset Management | IBM Maximo for Service Providers |
| Systems and Asset Management | IBM Maximo for Utilities |
| Systems and Asset Management | Maximo Space Management for Facilities |
| Systems and Asset Management | IBM Maximo Asset Navigator |
| Systems and Asset Management | IBM Maximo SLA Manager |