Flash (Alert)
Abstract
Denial of service security exposure: the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. (CVE-2010-4476)
Content
Versions affected
IBM Tivoli System Automation for z/OS is not affected itself. However, the z/OS adapter for the IBM Tivoli System Automation Application Manager is affected.
Note: The problem lies in the Java class libraries and will be fixed there; it therefore affects all products that use Java in this fashion.
Description
This Security Alert addresses a serious security issue, CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). All web based and non-web based applications are at serious risk from a remote attack. This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program that uses the Double.parseDouble method is also at risk, including any customer-written or third-party application.
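As an added example (not part of this alert or of any IBM product), the following pre-parse guard canonicalizes a decimal literal to its significant digits and decimal exponent, so that the value the alert names is recognized whether it arrives in scientific notation or written out with 324 decimal places, and can be rejected before the string reaches Double.parseDouble on an unpatched JDK. The guard is assumed to cover only the value the alert names; the helper names are hypothetical.

```python
import re

# The value the alert names as the trigger (CVE-2010-4476).
TRIGGER = "2.2250738585072012e-308"

# Plain decimal literal: optional sign, digits, optional fraction, optional exponent.
_NUM_RE = re.compile(r"^[+-]?(\d*)(?:\.(\d*))?(?:[eE]([+-]?\d+))?$")


def canonical(text):
    """Reduce a decimal literal to (significant digits, decimal exponent).

    Sign is ignored. Returns None when the text is not a plain decimal literal
    (e.g. 'NaN' or a hex float), in which case this check does not apply.
    """
    m = _NUM_RE.match(text.strip().rstrip("dDfF"))  # Java allows a type suffix
    if not m:
        return None
    int_part, frac_part, exp = m.group(1), m.group(2) or "", m.group(3)
    digits = int_part + frac_part
    if not digits:
        return None
    if not digits.strip("0"):
        return ("0", 0)
    # value == int(digits) * 10 ** exponent
    exponent = int(exp or 0) - len(frac_part)
    digits = digits.lstrip("0")                 # leading zeros carry no value
    stripped = digits.rstrip("0")               # trailing zeros fold into exponent
    exponent += len(digits) - len(stripped)
    return (stripped, exponent)


HAZARD = canonical(TRIGGER)  # ('22250738585072012', -324)


def is_hazardous(text):
    """True if text denotes the alert's trigger value in any decimal notation."""
    return canonical(text) == HAZARD


def expanded_trigger():
    """The trigger written without scientific notation: 0. followed by
    307 zeros and the 17 significant digits, i.e. 324 decimal places."""
    digits, exponent = HAZARD
    return "0." + "0" * (-exponent - len(digits)) + digits
```

An application that must accept numeric input on an unpatched JDK can call is_hazardous (or an equivalent in its own language) and reject the request before parsing; the proper fix remains the patched JDK described under Solution.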
Solution
Upgrade your JDK on your z/OS operating system to an Interim Fix JDK level containing the fix for this issue.
Patch option - IBM Update Installer for Java
The IBM Update Installer for Java can be used to temporarily patch the version of the SDK you have installed. Refer to the Critical security vulnerability alert - Security Alert for CVE-2010-4476 (http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html) on the IBM developerWorks site for instructions.
Important note about the IBM Update Installer for Java: Before using the IBM Update Installer for Java to resolve this issue, it is recommended that you first try to obtain a fix provided by the specific IBM Product support team. The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability by patching the JDK. If you use the IBM Update Installer for Java, any future updates to your JDK might remove this patch.