Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476) for IT Asset Management Products

Flash (Alert)


Abstract

A critical Java class library security vulnerability was blogged on the Internet and is now in the public domain. It can be used to mount a denial of service attack against application servers. This vulnerability affects all versions and releases of Java (1.4.2, 5.0 and 6.0) on all platforms. Web servers and web services are particularly at risk.

Content

This Security Alert addresses a serious security issue, CVE-2010-4476: the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. All web-based and non-web-based applications are at serious risk from a remote attack. This vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the application server being exposed to this attack, any Java program that parses the number, whether through Double.parseDouble(), the Double() constructor or Double.valueOf(), is also at risk, including any customer-written or third-party application.
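The following probe, an added example that is not part of the IBM alert, lets an administrator check whether the JRE it runs on is affected: it parses the trigger value quoted above (in both the scientific and the 324-decimal-place form) in a daemon thread and reports whether the call returned within a timeout. It avoids generics and java.util.concurrent so that it compiles on the 1.4.2, 5.0 and 6.0 levels named in this alert; the class and method names are the example's own.

```java
/* Probe for CVE-2010-4476: does Double.parseDouble() return on this JRE?
   Added example, not IBM or Oracle code. Written for Java 1.4.2 and later. */
public class FloatParseHangCheck {

    /* Trigger value from the alert, kept as a String: an unpatched javac
       would itself hang if this were written as a double literal. */
    static final String SCIENTIFIC = "2.2250738585072012e-308";

    /* Same value without scientific notation: "0.", 307 zeros, then the 17
       significant digits, i.e. the 324 decimal places the alert mentions. */
    static String expandedForm() {
        StringBuffer sb = new StringBuffer("0.");
        for (int i = 0; i < 307; i++) sb.append('0');
        sb.append("22250738585072012");
        return sb.toString();
    }

    /* Daemon worker: parses the input and records that the parser returned.
       A thread stuck in the parser's loop cannot be interrupted; being a
       daemon, it simply dies when the JVM exits. */
    static class Probe extends Thread {
        private final String input;
        volatile boolean finished = false;
        Probe(String input) { this.input = input; setDaemon(true); }
        public void run() {
            try { Double.parseDouble(input); }
            catch (NumberFormatException e) { /* rejected, but it returned */ }
            finished = true;
        }
    }

    /* true if parseDouble() returned within timeoutMillis (patched JRE),
       false if the probe thread is still spinning (vulnerable JRE). */
    static boolean parsesWithinTimeout(String input, long timeoutMillis)
            throws InterruptedException {
        Probe p = new Probe(input);
        p.start();
        p.join(timeoutMillis);
        return p.finished;
    }

    public static void main(String[] args) throws InterruptedException {
        String[] inputs = { SCIENTIFIC, expandedForm() };
        String[] labels = { "scientific notation", "324 decimal places" };
        boolean vulnerable = false;
        for (int i = 0; i < inputs.length; i++) {
            boolean ok = parsesWithinTimeout(inputs[i], 5000L);
            System.out.println(labels[i] + ": " + (ok ? "returned" : "HUNG"));
            if (!ok) vulnerable = true;
        }
        System.out.println(System.getProperty("java.vendor") + " "
            + System.getProperty("java.version")
            + (vulnerable ? ": VULNERABLE to CVE-2010-4476" : ": appears patched"));
        System.exit(vulnerable ? 1 : 0);
    }
}
```

Run it with the JRE that the application server actually uses (for example the one under the WebSphere or WebLogic installation directory, not a different JRE on the PATH); exit status 1 means the fix has not been applied to that JRE.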
To remediate this vulnerability, you will need to perform two distinct actions. First, update the Java Runtime Environment (JRE). The JRE provides the libraries, the Java Virtual Machine, and other components needed to run applets and applications such as Maximo.

Second, update your application server's Java Development Kit (JDK). The JDK lets you develop and deploy Java applications on desktops and servers.

Java Runtime Environment (JRE)

The IBM supplied JRE versions are:

Maximo 6.2.0 through 6.2.8 – JRE 1.4.2_05

Maximo Base Services 7.1.1.0 through 7.1.1.8 – JRE 1.5.0

The IBM Update Installer for Java updates the IBM supplied JREs and fixes the security vulnerability. You must first download and install the IBM Update Installer for Java from the following web page:

http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html

Next, download the patch file for your platform and Java version in the Patch Availability section at the following web page:

http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html


Java Development Kit (JDK)

Outlined below are instructions on how to update your application server's Java Development Kit (JDK). Please review the tables below carefully, because different WebSphere and WebLogic versions were introduced across the Maximo versions and fix pack revisions.

Maximo 6.2.0 through 6.2.7

Maximo Release   IBM WebSphere          Oracle WebLogic
6.0.0            6.0.0.2                8.1.4
6.1.0            6.0.0.11               8.1.4
6.2.0            6.0.0.11               8.1.4
6.2.1            6.0.0.11               8.1.4
6.2.2            6.0.0.23               8.1.6
6.2.3            6.0.0.23               8.1.6
6.2.4            6.0.0.23               8.1.6, 9.2.2
6.2.5            6.0.0.23               8.1.6, 9.2.2
6.2.6            6.0.0.39 - 6.1.0.29    8.1.6, 9.2.3
6.2.7            6.0.0.39 - 6.1.0.29    8.1.6, 9.2.3

Maximo Base Services 7.1.0 through 7.1.1.8

Maximo Release   IBM WebSphere          Oracle WebLogic
7.1.1.0          6.1.0.17 - 6.1.0.19    9.2.2
7.1.1.1          6.1.0.17 - 6.1.0.19    9.2.2
7.1.1.2          6.1.0.17 - 6.1.0.19    9.2.2
7.1.1.3          6.1.0.17 - 6.1.0.19    9.2.2
7.1.1.4          6.1.0.17 - 6.1.0.19    9.2.2
7.1.1.5          6.1.0.23               9.2.2
7.1.1.6          6.1.0.23 - 6.1.0.31    9.2.2
7.1.1.7          6.1.0.23 - 6.1.0.33    9.2.2, 10.0.2
7.1.1.8          6.1.0.23 - 6.1.0.33    9.2.2, 10.0.2


WebSphere Java Development Kit (JDK) Instructions

You will need to upgrade your JDK to an Interim Fix JDK level containing the fix for this issue.

To determine your WebSphere version:

1. Access the Administrative Console for WebSphere and sign in.

2. Locate the Welcome page; it displays the installed WebSphere Application Server version.

[Screenshots of the Welcome page in the original document show example versions 6.1.0.35, 6.0.2.43 and 7.0.0.13.]

3. Once you have determined the specific version of WebSphere that you have installed, go to the following page to download the appropriate remediated JDK fix. On that page the remediated JDK updates are separated by WebSphere version (that is, 6.0.x, 6.1.x, 7.0.x). Locate the entry that matches your installed version and click its link to reach the download page for the remediated JDK.


WebLogic Java Development Kit (JDK) Instructions

You will need to upgrade your JDK using the Java SE Floating Point Updater Tool that Oracle has provided. Below are links to the Java SE Downloads page, which includes the Java SE Floating Point Updater Tool, and to the Readme for the tool.

Java SE Downloads
Additional Resources - Java SE Floating Point Updater Tool

http://www.oracle.com/technetwork/java/javase/downloads/index.html

FPUpdater Tool Readme

http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html


Related Product Information

Consult the following links for information on how to address the vulnerability for related products.

DB2® specific instructions to address this vulnerability
https://www-304.ibm.com/support/docview.wss?uid=swg21468291

Tivoli Common Reporting instructions:
http://www-01.ibm.com/support/docview.wss?uid=swg21469046






Cross reference information
Segment Product Component Platform Version Edition
Systems and Asset Management Tivoli Integration Composer

Document information


More support for:

Tivoli Asset Management for IT

Software version:

6.2, 6.2.1, 6.2.2, 6.2.3, 6.2.4, 6.2.7, 6.2.8, 7.1, 7.2, 7.2.1

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Reference #:

1469010

Modified date:

2011-04-01
