Flashes (Alerts)
Abstract
A critical Java class library security vulnerability was blogged on the Internet and is now in the public domain. This can be used as a denial of service attack against app servers. This vulnerability affects all versions and releases of Java (1.4.2, 5.0 and 6.0) on all platforms. Web servers and web services are particularly at risk.
Content
This Security Alert addresses a serious security issue, CVE-2010-4476: the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. All web based and non-web based applications are at serious risk from a remote attack. This vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program that converts strings to doubles, whether through Double.parseDouble(), the Double(String) constructor or Double.valueOf(), is also at risk, including any customer written application or 3rd party written application.
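The following is an added example and not part of the IBM advisory: a small Java program that checks whether the JRE it runs on has been remediated for CVE-2010-4476, by running the conversion described above on a daemon thread and treating a timeout as a sign that the JRE is still affected. It uses no language features newer than Java 1.4 so it can be run against the JRE versions listed in this document; the class name, timeout value and exit codes are the example's own choices.

```java
/**
 * Added check, not from the IBM advisory: determines whether the running JRE
 * is affected by CVE-2010-4476 (Double.parseDouble hangs on a specific input).
 * Written without generics or lambdas so it compiles and runs on JRE 1.4.2 and later.
 */
public class Cve20104476Check {
    // The literal from the advisory. It is kept as a String on purpose: an
    // unpatched javac would itself hang if it appeared as a double literal.
    static final String TRIGGER = "2.2250738585072012e-308";

    /** Daemon thread so a hung conversion cannot keep the JVM alive after main() ends. */
    private static class Probe extends Thread {
        volatile boolean done = false;
        Probe() {
            super("cve-2010-4476-probe");
            setDaemon(true);
        }
        public void run() {
            Double.parseDouble(TRIGGER); // never returns on an affected JRE
            done = true;
        }
    }

    /**
     * Returns true if parseDouble(TRIGGER) completed within timeoutMillis
     * (JRE remediated), false if it did not (JRE still affected).
     * Note: on an affected JRE the probe thread keeps spinning on CPU until
     * the JVM exits, which is why it is a daemon thread.
     */
    public static boolean isPatched(long timeoutMillis) throws InterruptedException {
        Probe p = new Probe();
        p.start();
        p.join(timeoutMillis);
        return p.done;
    }

    public static void main(String[] args) throws InterruptedException {
        boolean ok = isPatched(2000L);
        if (ok) {
            System.out.println("parseDouble returned: JRE is not affected by CVE-2010-4476");
        } else {
            System.out.println("parseDouble did not return within 2 s: JRE appears AFFECTED by CVE-2010-4476");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the JRE that the application server actually uses (for example the java binary under the WebSphere or WebLogic installation), since a patched desktop JRE says nothing about the server's JDK.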
To remediate this vulnerability, you will need to perform two distinct actions. You will need to update the Java Runtime Environment (JRE). The Java Runtime Environment provides the libraries, the Java Virtual Machine, and other components to run applets and applications, such as Maximo.

You also need to update your application server's Java Developer Kit (JDK). The JDK lets you develop and deploy Java applications on desktops and servers.
Java Runtime Environment (JRE)
The IBM supplied JRE versions are:
Maximo 6.2.0 through 6.2.8 – JRE 1.4.2_05
Maximo Base Services 7.1.1.0 through 7.1.1.8 – JRE 1.5.0
The IBM Update Installer for Java updates the IBM supplied JREs and fixes the security vulnerability. You must first download and install the IBM Update Installer for Java from the following web page:
http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html
Next, download the patch file for your platform and Java version in the Patch Availability section at the following web page:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
Java Development Kit (JDK)
Outlined below are instructions on how to update your application server’s Java Developer Kit (JDK). Please review the table below carefully as different WebSphere and WebLogic versions were introduced throughout the Maximo, Maximo Adapter for Primavera and Oracle Primavera versions and fix pack revisions.
Maximo 6.2.0 through 6.2.7
Maximo Release | Maximo Adapter for Primavera Release | Oracle Primavera | Oracle Primavera API | IBM WebSphere | Oracle WebLogic | JDK |
6.2.1 | 6.2.2 | 5.x, SP2 | 5.0 SP7 | 6.0.0.2 and 6.0.2.1 | 8.1 | 1.4.2_07 |
6.2.2 | 6.2.2 | 5.x, SP2 | 5.0 SP7 | 6.0.0.2 and 6.0.2.1 | 8.1 | 1.4.2 |
6.2.3 | 6.2.3 | 5.x, P6 v6.x | 5.0 SP7, 6.x | 6.1 | 9.2 | 1.5 |
6.2.4 | 6.2.3 | 5.x, P6 v6.x | 5.0 SP7, 6.x | 6.1 | 9.2 | 1.5 |
6.2.5 | 6.2.3 | 5.x, P6 v6.x | 5.0 SP7, 6.x | 6.1 | 9.2 | 1.5 |
6.2.6 | 6.2.3 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
6.2.7 | 6.2.3 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
Maximo Base Services 7.1.0 through 7.1.1.8
Maximo Release | Maximo Adapter for Primavera Release | Oracle Primavera | Oracle Primavera API | IBM WebSphere | Oracle WebLogic | JDK |
7.1 | 7.1.0 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
7.1.1 | 7.1.0 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
7.1.1.4 | 7.1.0 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
7.1.1.5 | 7.1.0, 7.1.1 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
7.1.1.6 | 7.1.0, 7.1.1 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
7.1.1.7 | 7.1.1 or 7.1.2 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
P6 v7.x | 7.x | 7 | 10.3 | 1.6 | ||
7.1.1.8 | Pv8.x |
WebSphere Java Development Kit (JDK) Instructions
You will need to upgrade your JDK to an Interim Fix JDK level containing the fix for this issue.
To determine your WebSphere version:
1. Access the Administrative Console for WebSphere and sign in to the Console.
2. Locate the Welcome page, which shows the WebSphere Application Server version (the screenshots accompanying this step show example versions of 6.1.0.35, 6.0.2.43 and 7.0.0.13).
3. Once you have determined the specific version of WebSphere that you have installed please go to the following page to download the appropriate remediated JDK fix. On this page the various remediated JDK updates are separated by the specific WebSphere version (that is, 6.0.x, 6.1.x, 7.0.x). Locate the version of WebSphere that matches your installed version and click the appropriate link to take you to the download page for the remediated JDK.
WebLogic Java Development Kit (JDK) Instructions
You will need to upgrade your JDK using the Java SE Floating Point Updater Tool that Oracle has provided. Attached below are links to the Java SE Downloads page that includes the Java SE Floating Point Updater Tool and a link to the Readme for the tool.
Java SE Downloads
Additional Resources - Java SE Floating Point Updater Tool
http://www.oracle.com/technetwork/java/javase/downloads/index.html
FPUpdater Tool Readme
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html
Related Product Information
Consult the following links for information on how to address the vulnerability for related products.
DB2® specific instructions to address this vulnerability
https://www-304.ibm.com/support/docview.wss?uid=swg21468291
Document Information
Modified date: 25 September 2022
UID: swg21469011