Denial of Service Security Exposure With Java JRE/JDK Hanging After Converting 2.2250738585072012e-308 Number (CVE-2010-4476) for Maximo Adapter for Primavera

Flashes (Alerts)


Abstract

A critical vulnerability in the Java class library has been published on the Internet and is now in the public domain. It can be used for denial-of-service attacks against application servers. The vulnerability affects all versions and releases of Java (1.4.2, 5.0 and 6.0) on all platforms. Web servers and web services are particularly at risk, because they parse numbers supplied by remote clients.

Content

This Security Alert addresses a serious security issue, CVE-2010-4476: the Java Runtime Environment hangs when converting the string "2.2250738585072012e-308" to a binary floating-point number. Web-based and non-web-based applications alike are at serious risk of remote attack, because any attacker-controlled number that reaches the conversion routine can cause the Java Runtime Environment to hang in an infinite loop and/or crash, resulting in a denial of service. The same hang occurs if the number is written without scientific notation (as a decimal with 324 decimal places). In addition to the Application Server being exposed to this attack, any Java program that converts strings to doubles is at risk, whether through Double.parseDouble(), the Double(String) constructor or Double.valueOf(); this includes customer-written and third-party applications.

To remediate this vulnerability, you need to perform two distinct actions. First, update the Java Runtime Environment (JRE). The JRE provides the class libraries, the Java Virtual Machine, and the other components needed to run applets and applications such as Maximo.

Second, update your application server's Java Development Kit (JDK). The JDK is what the application server runs on, so an unpatched JDK leaves the server exposed even after the JRE has been updated.
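The following Java program is an added example written for this page; it is not IBM or Oracle code. It probes whether the JRE it runs under is affected: it hands Double.parseDouble() both the scientific-notation string quoted above and the same value written out in full (307 zeros followed by the 17 significant digits, i.e. the 324-decimal-place form), on a daemon thread with a timeout, so that on a vulnerable JRE the probe reports a hang instead of locking up the checker itself. It deliberately uses only Java 1.4 APIs so it compiles and runs on every affected level (1.4.2, 5.0, 6.0). The class name and the 5-second timeout are arbitrary choices.

```java
// Added example for this page (not IBM/Oracle code): probe a JRE for CVE-2010-4476.
// Written against the Java 1.4 API so it runs on every affected JRE level.
public class Cve20104476Check {

    // The trigger string quoted in the advisory, in scientific notation.
    static final String SCI = "2.2250738585072012e-308";

    // The same value with no exponent: "0." followed by 307 zeros and then the
    // 17 significant digits, which gives the 324-decimal-place form the advisory
    // describes (307 + 17 = 324 digits after the decimal point).
    static String plainForm() {
        StringBuffer sb = new StringBuffer("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        sb.append("22250738585072012");
        return sb.toString();
    }

    // Runs Double.parseDouble(s) on a daemon thread and waits at most timeoutMillis.
    // Returns true if the parse completed, false if the thread is still spinning,
    // which on an unpatched JRE is the infinite loop this CVE describes.
    static boolean parsesWithin(final String s, long timeoutMillis) throws InterruptedException {
        final boolean[] done = new boolean[1];
        Thread probe = new Thread(new Runnable() {
            public void run() {
                Double.parseDouble(s);
                synchronized (done) {
                    done[0] = true;
                }
            }
        }, "parseDouble-probe");
        probe.setDaemon(true);   // a hung probe must not keep the JVM alive at exit
        probe.start();
        probe.join(timeoutMillis);
        synchronized (done) {
            return done[0];
        }
    }

    public static void main(String[] args) throws InterruptedException {
        String[] probes = { SCI, plainForm() };
        for (int i = 0; i < probes.length; i++) {
            boolean ok = parsesWithin(probes[i], 5000L);   // 5 s is an arbitrary, generous bound
            String label = probes[i].length() > 30 ? probes[i].substring(0, 30) + "..." : probes[i];
            System.out.println((ok ? "parsed : " : "HUNG   : ") + label);
            if (!ok) {
                System.out.println("This JRE is affected by CVE-2010-4476; apply the fix before exposing it.");
                System.exit(1);
            }
        }
        System.out.println("Both forms parsed; this JRE is not affected.");
    }
}
```

Compile and run it with the exact java binary the application server uses (for WebSphere, the JDK under the WebSphere installation directory rather than any system-wide Java), both before and after applying the fix. A patched JRE reports that both forms parsed; an unpatched one exits with status 1 after the timeout, which is why the probe thread is a daemon thread.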

Java Runtime Environment (JRE)

The IBM supplied JRE versions are:

Maximo 6.2.0 through 6.2.8 – JRE 1.4.2_05

Maximo Base Services 7.1.1.0 through 7.1.1.8 – JRE 1.5.0

The IBM Update Installer for Java updates the IBM supplied JREs and fixes the security vulnerability. You must first download and install the IBM Update Installer for Java from the following web page:

http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html

Next, download the patch file for your platform and Java version in the Patch Availability section at the following web page:

http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html


Java Development Kit (JDK)

Outlined below are instructions on how to update your application server's Java Development Kit (JDK). Review the tables below carefully, as different WebSphere and WebLogic versions were introduced across the Maximo, Maximo Adapter for Primavera and Oracle Primavera releases and fix pack revisions, and the JDK level you must update depends on which application server you run.

Maximo 6.2.0 through 6.2.7

| Maximo Release | Maximo Adapter for Primavera Release | Oracle Primavera | Oracle Primavera API | IBM WebSphere | Oracle WebLogic | JDK |
| 6.2.1 | 6.2.2 | 5.x, SP2 | 5.0 SP7 | 6.0.0.2 and 6.0.2.1 | 8.1 | 1.4.2_07 |
| 6.2.2 | 6.2.2 | 5.x, SP2 | 5.0 SP7 | 6.0.0.2 and 6.0.2.1 | 8.1 | 1.4.2 |
| 6.2.3 | 6.2.3 | 5.x, P6 v6.x | 5.0 SP7, 6.x | 6.1 | 9.2 | 1.5 |
| 6.2.4 | 6.2.3 | 5.x, P6 v6.x | 5.0 SP7, 6.x | 6.1 | 9.2 | 1.5 |
| 6.2.5 | 6.2.3 | 5.x, P6 v6.x | 5.0 SP7, 6.x | 6.1 | 9.2 | 1.5 |
| 6.2.6 | 6.2.3 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 6.2.7 | 6.2.3 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |

Maximo Base Services 7.1.0 through 7.1.1.8

| Maximo Release | Maximo Adapter for Primavera Release | Oracle Primavera | Oracle Primavera API | IBM WebSphere | Oracle WebLogic | JDK |
| 7.1 | 7.1.0 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 7.1.1 | 7.1.0 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 7.1.1.4 | 7.1.0 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 7.1.1.5 | 7.1.0, 7.1.1 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 7.1.1.6 | 7.1.0, 7.1.1 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 7.1.1.7 | 7.1.1 or 7.1.2 | P6 v6.x | 6.x | 6.1 | 9.2 | 1.5 |
| 7.1.1.7 | 7.1.1 or 7.1.2 | P6 v7.x | 7.x | 7 | 10.3 | 1.6 |
| 7.1.1.8 | | P6 v8.x | | | | |




WebSphere Java Development Kit (JDK) Instructions

You will need to upgrade your JDK to an Interim Fix JDK level containing the fix for this issue.

To Determine your WebSphere Version:

1. Open the WebSphere Administrative Console and sign in.

2. The Welcome page shows the installed WebSphere Application Server version (for example 6.1.0.35, 6.0.2.43 or 7.0.0.13).

[Screenshots of the Welcome page showing versions 6.1.0.35, 6.0.2.43 and 7.0.0.13]

3. Once you have determined the installed WebSphere version, go to the following page to download the appropriate remediated JDK fix. On that page the remediated JDK updates are grouped by WebSphere version (6.0.x, 6.1.x, 7.0.x). Locate the entry that matches your installed version and follow its link to the download page for the remediated JDK.


WebLogic Java Development Kit (JDK) Instructions

You will need to update your JDK using the Java SE Floating Point Updater Tool (FPUpdater) that Oracle has provided. Below are links to the Java SE Downloads page, which includes the Floating Point Updater Tool, and to the tool's Readme.

Java SE Downloads
Additional Resources - Java SE Floating Point Updater Tool

http://www.oracle.com/technetwork/java/javase/downloads/index.html

FPUpdater Tool Readme

http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html


Related Product Information

Consult the following links for information on how to address the vulnerability for related products.

DB2® specific instructions to address this vulnerability
https://www-304.ibm.com/support/docview.wss?uid=swg21468291

Applies to: Maximo Adapter for Primavera, versions 6.2.2, 6.2.3, 7.1.0, 7.1.1 and 7.1.2, on AIX, HP-UX, Linux, Solaris and Windows.

Document Information

Modified date:
25 September 2022

UID

swg21469011