Fix Available: Denial of Service Security Exposure with Java Runtime Environment hanging

Flash (Alert)


Abstract

A problem in the way that Java handles a specific numerical conversion could be exploited by a malicious user to cause an affected server to hang. IBM Tivoli Monitoring (ITM) software products rely on the Java Runtime Environment (JRE). We recommend that administrators apply the appropriate fixes to prevent this exposure.

Content

Description:
This Flash addresses a critical issue, CVE-2010-4476 (the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the JRE to hang or crash, resulting in a denial-of-service exposure.

IBM Tivoli Monitoring Versions Affected:
The JREs shipped with IBM Tivoli Monitoring Versions 6.1.0 through 6.2.2 Fix Pack 3, for Distributed platforms.



The table below lists, for each IBM Tivoli Monitoring version, the operating systems, the included JRE version and the JRE install path(s).

IBM Tivoli Monitoring Version: 610 up to latest available maintenance release 610 Fix Pack 7 Interim Fix 6
  Operating Systems: AIX, HP-UX, Linux, Solaris, Windows
  Included JRE Version: 1.4.x
  JRE Install Path(s): $CANDLEHOME (Unix/Linux); %ProgramFiles% (Win 32); %ProgramFiles(x86)% (Win 64)

IBM Tivoli Monitoring Version: 620 up to latest available maintenance release 620 Fix Pack 3 Interim Fix 3
  Operating Systems: AIX, HP-UX, Linux, Solaris, Windows
  Included JRE Version: 1.5.x
  JRE Install Path(s): $CANDLEHOME (Unix/Linux/Win); %ProgramFiles% (Win 32); %ProgramFiles(x86)% (Win 64)

IBM Tivoli Monitoring Version: 621 to latest available maintenance release 621 Fix Pack 4
  Operating Systems: AIX, HP-UX, Linux, Solaris, Windows
  Included JRE Version: 1.5.x
  JRE Install Path(s): $CANDLEHOME (Unix/Linux/Win); %ProgramFiles% (Win 32); %ProgramFiles(x86)% (Win 64)

IBM Tivoli Monitoring Version: 622 to latest available maintenance release 622 Fix Pack 3
  Operating Systems: AIX, HP-UX, Linux, Solaris, Windows
  Included JRE Version: 1.5.x
  JRE Install Path(s): $CANDLEHOME (Unix/Linux/Win); %ProgramFiles% (Win 32); %ProgramFiles(x86)% (Win 64)

This issue does not apply to the JRE versions included in IBM Tivoli Monitoring Fix Packs later than those listed in the table above.
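Because the patched JREs keep their 1.4.x / 1.5.x version strings, checking the version number alone does not tell an administrator whether a given ITM install path still carries an affected JRE. The following check is an added example, not part of this technote or of the ITM product: it attempts the conversion named above on a daemon thread bounded by a timeout, so the check itself cannot hang, and reports whether the JRE under test completed it. The class name, the 5-second timeout and the exit codes are assumptions; it is written without generics or java.util.concurrent so that it compiles (javac -source 1.4 -target 1.4) and runs on the 1.4.x and 1.5.x JREs in the table. Run it with the java binary found under each install path listed above (the exact subdirectory of the JRE within $CANDLEHOME is not stated in this technote).

```java
/**
 * Added example (not IBM's code): reports whether the JRE running this class
 * is affected by CVE-2010-4476. The conversion named in the advisory is run on
 * a daemon thread and bounded by a timeout so the check itself cannot hang.
 * Written to compile and run on 1.4.x / 1.5.x JREs: no generics, no
 * java.util.concurrent, no annotations.
 */
public class JreHangCheck {
    // The decimal string named in the advisory.
    static final String PROBE = "2.2250738585072012e-308";
    // Assumed wait before declaring the conversion hung. On an affected JRE
    // one core stays busy for this long, so run the check on a test copy
    // or at a quiet time rather than on a loaded production server.
    static final long TIMEOUT_MILLIS = 5000L;

    /** Set only if the conversion actually returns. */
    static volatile boolean completed = false;

    /**
     * Runs Double.parseDouble(PROBE) on a daemon thread and waits at most
     * timeoutMillis for it. Daemon status lets the JVM exit even if the
     * conversion never returns on an unpatched JRE.
     */
    public static boolean conversionCompletes(long timeoutMillis) throws InterruptedException {
        completed = false;
        Thread probe = new Thread(new Runnable() {
            public void run() {
                double d = Double.parseDouble(PROBE); // never returns on an affected JRE
                completed = (d > 0.0);                // a patched JRE yields a tiny positive value
            }
        }, "cve-2010-4476-probe");
        probe.setDaemon(true);
        probe.start();
        probe.join(timeoutMillis); // returns after the timeout even if the probe is still spinning
        return completed;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.home    = " + System.getProperty("java.home"));
        boolean ok = conversionCompletes(TIMEOUT_MILLIS);
        if (ok) {
            System.out.println("OK: conversion completed; this JRE is not affected by CVE-2010-4476");
            System.exit(0);
        } else {
            System.out.println("AFFECTED: conversion did not return within " + TIMEOUT_MILLIS
                    + " ms; apply the JRE fix referenced in this Flash");
            System.exit(2); // assumed exit code for "affected", so a wrapper script can collect results
        }
    }
}
```

Compile the class once on any machine with a JDK, then invoke it with each JRE to be verified (for example, from a script that walks the install paths in the table); a non-zero exit code marks an install that still needs the fix, and the printed java.home shows which JRE was actually exercised.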


Solution:
The following link provides information about the patch files for all JREs included in the various versions of IBM Tivoli Monitoring:

http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html


We are working on procedures for updating existing ITM installations. Please revisit this technote frequently as we will update it when new information becomes available.

Related information

Original Security Alert f


Document information

More support for: Tivoli Composite Application Manager for Applications; ITCAM agents for Websphere Messaging
Software version: 6.2.4
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Software edition: All Editions
Reference #: 1469054
Modified date: 2011-02-23
