Netcool Reporter Java Security Vulnerability Alert (parseDouble vulnerability)
A security vulnerability has been identified in the Java method Double.parseDouble (class java.lang.Double) that can cause it to enter an infinite loop.
Tivoli Netcool/Reporter calls parseDouble to display data in double format and to generate charts in a number of functional modules, such as Report Designer and Easy Reporter. If the value "2.2250738585072012e-308" is passed to Double.parseDouble, the call never returns, so the thread handling the request hangs and server access might be affected.
In the near future, a permanent fix for this vulnerability will be included in a new fix pack and/or release. The update mentioned in this document is a temporary fix. A subsequent update may remove fixes applied by the Update Installer for Java.
As a workaround, you can manually upgrade to a JRE version that fixes the parseDouble vulnerability, JRE 6 Update 24. JRE 6 Update 24 updates one JRE core library (lib\rt.jar) and one Java class (sun.misc.FloatingDecimal).
The JRE version that fixes parseDouble vulnerability issue suggested by Oracle and IBM is located at the following web address:
Java SE 6 Update 24
Upgrade to the JRE that will include the fix for CVE-2010-4476
Upgrade to the JRE version suggested by Oracle or IBM that fixes the parseDouble vulnerability: JRE 6 Update 24 (Solaris, Linux, and Windows) or IZ94423_FIX_1.jar (AIX). The user must have at least Netcool/Reporter 2.2 [exact fix-pack level illegible in the source] installed.
Make sure all the configuration files reference the new JRE. To avoid configuration changes, back up the existing JRE and install the JRE update under the existing JRE directory (INFOHOME/tools/jre) by following the instructions provided by Oracle or IBM.
To shut down the Netcool/Reporter application and install the JRE update:
- Exit any Netcool/Reporter clients.
- Shut down the Netcool/Reporter server.
- Shut down the servlet engine (for example, Tomcat).
- Back up the existing JRE files, and rename the folder to jre6_16.
- Install the JRE update into the INFOHOME/tools/jre directory.
After the installation is complete, restart the Netcool/Reporter server. After upgrading to the new JRE version on the server side, test Tivoli Netcool/Reporter and make sure all the key features are working.
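Verifying the upgrade by calling Double.parseDouble with the value from this advisory is risky, because on an unpatched JRE the call never returns and would hang the shell that runs it. The following self-test is an added example (not IBM's code, not part of the Netcool/Reporter product): it runs the parse on a daemon thread with a timeout, prints the JRE version and vendor, and reports whether the call returned. It is written in Java 6 syntax (no lambdas or multi-catch) so it compiles with the product's own JRE; the class name ParseDoubleCheck and the 5 second timeout are assumptions chosen for the example.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

public class ParseDoubleCheck {

    // The input named in the advisory (CVE-2010-4476).
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Parses s on a separate daemon thread. Returns true if parseDouble
     * returned within timeoutMillis, false if it was still running (the
     * infinite-loop behaviour of an unpatched sun.misc.FloatingDecimal).
     */
    static boolean parseCompletes(final String s, long timeoutMillis) {
        ExecutorService ex = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                // Daemon: a spinning probe thread must not keep the JVM alive,
                // because Thread.interrupt() has no effect on the loop.
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> f = ex.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            f.cancel(true);
            return false;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException(e);
        } catch (ExecutionException e) {
            throw new RuntimeException(e.getCause());
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) {
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));

        // A sanity check on an ordinary value: must always complete.
        if (!parseCompletes("1.5e-300", 5000)) {
            System.out.println("unexpected: parseDouble did not return on a normal value");
            System.exit(2);
        }

        boolean patched = parseCompletes(TRIGGER, 5000);
        System.out.println(patched
                ? "parseDouble returned: this JRE appears to be patched"
                : "parseDouble did not return within 5 s: this JRE appears to be vulnerable");
        // Exit code 0 = patched, 1 = vulnerable, so the check can be scripted.
        System.exit(patched ? 0 : 1);
    }
}
```

Compile and run it with the JRE that Netcool/Reporter actually uses rather than whatever java is first on the PATH, for example INFOHOME/tools/jre/bin/java ParseDoubleCheck after compiling with a matching JDK. Run it both before and after the JRE upgrade: a non-zero exit code after the upgrade means the server is still loading the old rt.jar, which usually points to a configuration file that still references the backed-up jre6_16 directory.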
Client-side JRE Requirements:
In addition to the above changes, use the latest supported release of the Java plug-in on all client machines to avoid any possible problems caused by the changes required for this parseDouble vulnerability. Users who access Tivoli Netcool/Reporter from a Windows client platform should consider using a JRE version later than JRE 6 Update 23.
If you encounter any problems while performing the above steps, report any issues related to Tivoli Netcool/Reporter to the IBM Technical Support team. IBM will arrange the necessary resources to work with you to make your application work smoothly.
Note that this parseDouble vulnerability fix is not covered under the IBM standard support program for your Tivoli Netcool/Reporter, because this change was not part of the standard releases. IBM will provide reasonable guidelines and assistance to all customers who need to apply this change. However, because IBM cannot go back and perform a full quality test of released products, we cannot anticipate all possible issues that might arise from this change. If more extensive help or product patches are needed to resolve issues arising from this potential security vulnerability, IBM recommends that clients make sure these issues are resolved quickly.
More support for:
Software version: 2.2
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, Windows 2003 server, Windows 64bit
Software edition: All Editions
Reference #: 1468912
Modified date: 31 January 2012