Denial of Service Security Exposure with Java JRE/JDK hanging (CVE-2010-4476)

Versions affected

• IBM Tivoli System Automation for Multiplatforms V3.2.1
• IBM Tivoli System Automation for Multiplatforms V3.2.0
• IBM Tivoli System Automation for Multiplatforms V3.1.0
• IBM Tivoli System Automation for Multiplatforms V2.3.0

All JRE's shipped with the Tivoli System Automation for Multiplatforms (SAMP) product request a fix. The location of the JRE’s provided with Tivoli System Automation for Multiplatforms are:
JRE locations SAMP:

• SAMP on Windows

- Java installed in relative location to product directory, e.g. C:\Program Files\IBM\SA for Multiplatforms\jre

• SAMP Base Operation Console

- Windows: relative eWAS location to product directory, e.g. C:\Program Files\IBM\tsamp\eez
- Unix: absolute eWAS location, /opt/IBM/tsamp/eez
eWAS Versions required or bundled with the SAMP Base Operation Console:

• SAMP V3.2.1: eWAS 6.1.0 FP29
• SAPM V3.2.0: eWAS 6.1.0 FP29
• SAMP V3.1.0: eWAS 6.1.0 FP15
• SAMP V2.3.0: eWAS 6.1.0 FP09

Java Version bundled with SAMP:

• JRE Java 1.5 for all releases of SAMP

Note 1: The product directories specified above for the Windows operating system are the default values. The directories specified for other operating systems are absolute paths.
Note 2: The problem will be fixed in the Java class libraries, and therefore this issue affects all products that use Java in this fashion.

Description
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). All web based and non-web based applications are at serious risk by a remote attack. This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang will occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.


Solution
Upgrade your JDK to an Interim Fix JDK level containing the fix for this issue.
The IBM Update Installer for Java will allow the problem to be rectified without applying a Fix Pack. The IBM Update Installer for Java can be downloaded from the IBM Update Installer page ( http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html),
and the required patch can be downloaded from the IBM Java technology IBM Critical security vulnerability alert for CVE-2010-4476 page( http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html). For the WebSphere Application Server, please refer to "Additional information" below.


Patch option - IBM Update Installer for Java
The IBM Update Installer for Java can be used to temporarily patch the version of the SDK you have installed. Refer to the Critical security vulnerability alert - Security Alert for CVE-2010-4476 ( http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html) on the IBM developerWorks site for instructions.
Important note about the IBM Update Installer for Java: Before using the IBM Update Installer for Java to resolve this issue, it is recommended that you first try to obtain a fix provided by the specific IBM Product support team. The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability by patching the JDK. If you use the IBM Update Installer for Java, any future updates to your JDK might remove this patch.


Additional documentation
For additional details and information on WebSphere Application Server product updates:
IBM WebSphere Application Server ( http://www-01.ibm.com/support/docview.wss?uid=swg21462019)
Please install the corresponding 32-bit version of the fix.

For additional details and information on the Integrated Solutions Console product updates:
Please install the WebSphere Application Server Update Installer. Instructions how to do this can be found here: http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448
Once the WebSphere Application Server Update Installer is on the system, then you need to download the corresponding WebSphere Application Server iFix, see http://www-01.ibm.com/support/docview.wss?uid=swg24029112