Critical security vulnerability alert -parseDouble vulnerability
A security vulnerability has been identified in the Java that is being used in the ITIM products. The steps to remediate this issue are identified in this flash.
This affects all shipped versions of ITIM at all service releases.
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability may cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This same hang may occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk of this exposure including any customer written application or 3rd party written application.
The following products contain affected versions of the Java Runtime Environment:
- IBM WebSphere Application Server Versions 7.0 through 18.104.22.168 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.1 through 22.214.171.124 for Distributed, i5/OS and z/OS operating systems.
- IBM WebSphere Application Server Versions 6.0 through 126.96.36.199 for Distributed, i5/OS and z/OS operating systems.
The same iFix applies to the IBM WebSphere Application Server Standalone, Network Deployment and Embedded (eWAS) versions. It also applies to the eWAS version that is included with IBM Tivoli Federated Identity Manager. For more information regarding the vulnerability and the iFix access http://www-01.ibm.com/support/docview.wss?uid=swg21462019
The IBM WebSphere Update Installer (WUI) must be used to apply the fix. If the WUI has not previously installed, the WUI can be downloaded from http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24020448. For detailed instructions on how to install the IBM WebSphere Update Installer access here.
Apply the fix provided here to all Tivoli Identity Manager environments that use the affected versions of IBM WebSphere Application Server as soon as possible. Select the fix that applies to your IBM WebSphere Application Server environment and reference the corresponding readme file for detailed iFix installation instructions.
ITIM ISIM TIM SIM