Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476) for Asset Management Products
A critical Java class library security vulnerability was blogged on the Internet and is now in the public domain. This can be used as a denial of service attack against app servers. This vulnerability affects all versions and releases of Java (1.4.2, 5.0 and 6.0) on all platforms. Web servers and web services are particularly at risk.
This Security Alert addresses a serious security issue, CVE-2010-4476: the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. Both web-based and non-web-based applications are at serious risk from a remote attack. This vulnerability can cause the Java Runtime Environment to hang (infinite loop) or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the application server being exposed to this attack, any Java code that converts the string to a double, including Double.parseDouble(), the Double(String) constructor and Double.valueOf(), is also exposed, whether it was written by the customer or by a third party.
To remediate this vulnerability, you will need to perform two distinct actions. First, update the Java Runtime Environment (JRE). The Java Runtime Environment provides the libraries, the Java Virtual Machine, and other components needed to run applets and applications, such as Maximo.
Second, update your application server's Java Development Kit (JDK). The JDK lets you develop and deploy Java applications on desktops and servers.
Java Runtime Environment (JRE)
The IBM supplied JRE versions are:
Maximo 6.2.0 through 6.2.8 – JRE 1.4.2_05
Maximo Base Services 18.104.22.168 through 22.214.171.124 – JRE 1.5.0
The IBM Update Installer for Java updates the IBM supplied JREs and fixes the security vulnerability. You must first download and install the IBM Update Installer for Java from the following web page:
Next, download the patch file for your platform and Java version in the Patch Availability section at the following web page:
Java Development Kit (JDK)
Outlined below are instructions on how to update your application server's Java Development Kit (JDK). Please review the table below carefully, because different WebSphere and WebLogic versions were introduced across the Maximo releases and fix packs.
Maximo 6.2.0 through 6.2.7
| Maximo Release | IBM WebSphere | Oracle WebLogic |
| --- | --- | --- |
Maximo Base Services 7.1.0 through 126.96.36.199
| Maximo Release | IBM WebSphere | Oracle WebLogic |
| --- | --- | --- |
WebSphere Java Development Kit (JDK) Instructions
You will need to upgrade your JDK to an Interim Fix JDK level containing the fix for this issue.
To determine your WebSphere version:
1. Access the Administrative Console for WebSphere and sign in.
2. Locate the Welcome page, which displays the WebSphere Application Server version.
[Screenshots of the Welcome page for three example versions]
3. Once you have determined the specific version of WebSphere that you have installed please go to the following page to download the appropriate remediated JDK fix. On this page the various remediated JDK updates are separated by the specific WebSphere version (that is, 6.0.x, 6.1.x, 7.0.x). Locate the version of WebSphere that matches your installed version and click the appropriate link to take you to the download page for the remediated JDK.
WebLogic Java Development Kit (JDK) Instructions
You will need to upgrade your JDK using the Java SE Floating Point Updater Tool that Oracle has provided. Attached below are links to the Java SE Downloads page that includes the Java SE Floating Point Updater Tool and a link to the Readme for the tool.
Java SE Downloads
Additional Resources - Java SE Floating Point Updater Tool
FPUpdater Tool Readme
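An added verification check, not part of the IBM technote: after applying the JRE updater or the JDK/FPUpdater fix above, run this class under each updated JRE and JDK to confirm that Double.parseDouble() returns for both forms of the value instead of hanging. It is written in Java 1.4 syntax so it also compiles on the affected 1.4.2 runtimes; it assumes javac and java from the JRE/JDK under test are on the PATH.

```java
/**
 * Added check for CVE-2010-4476 (not from the IBM technote). It calls
 * Double.parseDouble on the problem value in a daemon thread and reports
 * whether the call returned within the timeout. On an unpatched JRE the
 * probe thread spins forever, so the main thread reports VULNERABLE and exits.
 */
public class Cve20104476Check {
    // The value named in the technote, in scientific notation.
    static final String SCI = "2.2250738585072012e-308";

    // The same value without an exponent: 307 zeros followed by the
    // 17 significant digits, i.e. 324 decimal places as the technote states.
    static String plainForm() {
        StringBuffer sb = new StringBuffer("0.");
        for (int i = 0; i < 307; i++) sb.append('0');
        return sb.append("22250738585072012").toString();
    }

    /** Returns true if Double.parseDouble(s) finished within timeoutMillis. */
    static boolean parsesWithin(final String s, long timeoutMillis) {
        Thread probe = new Thread(new Runnable() {
            public void run() {
                try { Double.parseDouble(s); } catch (NumberFormatException e) { /* returned, not hung */ }
            }
        }, "parseDouble-probe");
        probe.setDaemon(true);                     // a stuck probe must not keep the JVM alive
        probe.start();
        try {
            probe.join(timeoutMillis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
        return !probe.isAlive();                   // still alive after the timeout means it hung
    }

    public static void main(String[] args) {
        System.out.println("java.home    = " + System.getProperty("java.home"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        boolean sciOk = parsesWithin(SCI, 5000);
        boolean plainOk = parsesWithin(plainForm(), 5000);
        System.out.println("scientific notation : " + (sciOk ? "returned" : "HUNG"));
        System.out.println("324 decimal places  : " + (plainOk ? "returned" : "HUNG"));
        boolean patched = sciOk && plainOk;
        System.out.println(patched ? "PATCHED: fix for CVE-2010-4476 is present"
                                   : "VULNERABLE: CVE-2010-4476 fix is missing");
        System.exit(patched ? 0 : 1);              // non-zero exit lets scripts flag unpatched hosts
    }
}
```

Run it with the java binary from each JRE and JDK installation you updated (for example the JDK bundled with WebSphere or WebLogic), not only the default one on the PATH, since each has its own copy of the affected class library.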
Related Product Information
Consult the following links for information on how to address the vulnerability for related products.
DB2® specific instructions to address this vulnerability
| Systems and Asset Management | Maximo Adapter for Microsoft Project |
| Systems and Asset Management | Maximo Asset Configuration Manager |
| Systems and Asset Management | Maximo Asset Management Essentials |
| Systems and Asset Management | Maximo Asset Management for Energy Optimization |
| Systems and Asset Management | Maximo Change and Corrective Action Manager |
| Systems and Asset Management | Maximo Enterprise Adapter |
| Systems and Asset Management | Maximo for Government |
| Systems and Asset Management | Maximo for Nuclear Power |
| Systems and Asset Management | Maximo for Transportation |
| Systems and Asset Management | Maximo Mobile Inventory Manager |
| Systems and Asset Management | Maximo Mobile Work Manager |
| Systems and Asset Management | Maximo Spatial Asset Management |
| Systems and Asset Management | Maximo Archiving with Optim Data Growth Solution |
| Systems and Asset Management | Maximo Asset Management Scheduler |
| Systems and Asset Management | Maximo Calibration |
| Systems and Asset Management | Maximo Data Center Infrastructure Management |
| Systems and Asset Management | Maximo Everyplace |
| Systems and Asset Management | Maximo for Life Sciences |
| Systems and Asset Management | Maximo for Oil and Gas |
| Systems and Asset Management | Maximo for Service Providers |
| Systems and Asset Management | Maximo for Utilities |
| Systems and Asset Management | Maximo Space Management for Facilities |
| Systems and Asset Management | Maximo Asset Navigator |
| Systems and Asset Management | Maximo SLA Manager |
More support for: Maximo Asset Management
Software version: 6.0, 6.1, 6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.5, 6.2.6, 6.2.7, 6.2.8, 7.1, 7.1.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Reference #: 1468850
Modified date: 01 April 2011