Flash (Alert)
Abstract
Last updated on March 2, 2011.
This Security Alert addresses a serious security vulnerability (CVE-2010-4476) that can cause the Java Virtual Machine to enter an infinite loop. This issue is described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476.
Content
Products Affected
The issue exists in the Java class libraries and affects server products that use Java. IBM SPSS server products that use Java include:
- Statistics products:
□ SPSS Statistics Server versions 19, 18
- Modeling & Text Mining products:
□ SPSS Modeler Server versions 14.1, 14, 13
□ SPSS Text Analytics Server versions 14.1, 14, 13
- Collaboration and Deployment Services products:
□ SPSS Collaboration and Deployment Services versions 4.2, 4.1, 4.0
□ SPSS Predictive Enterprise Services versions 3.5
- Decision Management products:
□ SPSS Decision Management versions 6.1, 6.0
□ SPSS Event Builder versions 5.0
□ SPSS Risk Control Builder versions 5.x
□ SPSS Interaction Builder versions 5.x
- ShowCase products:
□ SPSS ShowCase versions 9.0, 8.0
□ Oracle Hyperion Enterprise Performance Management 11.1
Description
This vulnerability can cause the Java Runtime Environment (JRE) to hang, enter an infinite loop, or crash when converting "2.2250738585072012e-308" to a binary floating-point number. The result can be a denial of service exposure in server products. This same problem can occur if the number is written without scientific notation (that is, using all of the 324 decimal places). This vulnerability can affect any Java program that uses the Double.parseDouble method.
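Added example (not IBM's ParseDoubleTest.jar, and not code from this alert): a self-check that parses the value named above, in both its scientific and its fully written-out 324-decimal-place form, on a daemon thread with a timeout, so an affected JRE reports a hang instead of freezing the console. The timeout value and the output wording are assumptions.

```java
/**
 * Self-check for CVE-2010-4476: does this JRE's Double.parseDouble
 * hang on the boundary value from the alert? (Added example, not IBM's tool.)
 * Written for Java 5/6-era syntax so it compiles on the JREs the alert covers.
 */
public class ParseDoubleCheck {
    // Value quoted in the alert, in scientific notation. Kept as a String so
    // javac never has to convert it while compiling this file.
    static final String SCI = "2.2250738585072012e-308";

    // Same value without scientific notation: "0." + 307 zeros + 17 digits
    // = 324 decimal places, the variant the alert also warns about.
    static String plainForm() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) sb.append('0');
        return sb.append("22250738585072012").toString();
    }

    /** True if parsing s completes within timeoutMs, false if the thread is still spinning. */
    static boolean parsesWithin(final String s, long timeoutMs) throws InterruptedException {
        Thread worker = new Thread(new Runnable() {
            public void run() { Double.parseDouble(s); }
        });
        worker.setDaemon(true);   // a looping worker must not keep the JVM alive
        worker.start();
        worker.join(timeoutMs);   // assumed timeout; an unaffected JRE returns immediately
        return !worker.isAlive();
    }

    public static void main(String[] args) throws Exception {
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        boolean ok = parsesWithin(SCI, 5000) && parsesWithin(plainForm(), 5000);
        System.out.println(ok ? "Test Succeeded: parseDouble returned"
                              : "Parse did not return: this JRE needs the patch");
        System.exit(ok ? 0 : 1);  // explicit exit in case a worker is still looping
    }
}
```

Run it with the java binary from each spss_location_jre/bin you intend to patch, since that is the JRE the product actually uses, not whichever java is first on the PATH.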
Solution
To prevent this vulnerability from affecting your server product, you must apply a patch to your existing Java version or install a Java version that includes the fix.
No action is necessary if you do not require the fix.
Customer Supplied Java
Below is a list of SPSS products that do not include a JRE runtime as part of the product. The JRE used with these SPSS products is a separately installed component that is available from the operating system, application server, or Java vendor.
- Collaboration and Deployment Services products:
□ SPSS Collaboration and Deployment Services Server
□ SPSS Predictive Enterprise Services
- Decision Management products:
□ SPSS Decision Management
□ SPSS Event Builder
□ SPSS Risk Control Builder
□ SPSS Interaction Builder
- ShowCase products:
□ SPSS ShowCase Server
□ Oracle Hyperion Enterprise Performance Management on IBM i
For the products above, to resolve the security vulnerability, you will need to patch or upgrade the JRE to a version that is recommended by the Operating System, Application Server or Java vendor.
The following table provides links to vendor-supplied details and solutions for this vulnerability:
Before you update your JRE on a production system, it is strongly recommended that you:
• Apply the patch in a test environment to verify that your product is working correctly
• Make a backup before you apply any changes
SPSS-provided Java
The products listed below do include a JRE as part of the product installation.
- Statistics products:
□ SPSS Statistics Server
- Modeling & Text Mining products:
□ SPSS Modeler Server
□ SPSS Modeler Adapters for Collaboration and Deployment Services
□ SPSS Text Analytics Server
□ SPSS Text Mining Adapters for Collaboration and Deployment Services
- ShowCase products:
□ ShowCase Enterprise Server
□ Oracle Hyperion Enterprise Performance Management on Microsoft Windows
You can also manually apply the patch to your JRE using the following steps.
Determine which version of JRE you are using
1. In a command window, go to the spss_location_jre/bin directory. The spss_location_jre for your product is listed in the table below; apply the update to each of the JREs listed for your product.
2. Type the following:
java -version
The resulting message will indicate whether you have an IBM or Sun version of JRE.
JRE Locations by Product
| Product | spss_location_jre |
|---|---|
| SPSS Statistics Server | <Statistics Install Location>/JRE |
| SPSS Modeler Server | <Modeler Install Location>/jre |
| SPSS Modeler Server | <Modeler Install Location>/ext/bin/spss.xd/xdexe/JRE |
| SPSS Modeler Adapters for Collaboration and Deployment Services | <Collaboration and Deployment Services Install Location>/components/modeler/jre |
| SPSS Modeler Adapters for Collaboration and Deployment Services | <Collaboration and Deployment Services Install Location>/components/modeler/ext/bin/spss.xd/xdexe/JRE |
| SPSS Text Analytics Server | <Modeler Install Location>/ext/bin/spss.TMWBServer/jre |
| SPSS Text Mining Adapters for Collaboration and Deployment Services | <Collaboration and Deployment Services Install Location>/components/modeler/ext/bin/spss.TMWBServer/jre |
| ShowCase Enterprise Server 9.0 | <ShowCase Install Location>/JRE/jre |
| ShowCase Enterprise Server 8.0 | <ShowCase Install Location>/JRE |
| Oracle Hyperion Enterprise Performance Management | <EPM Install Location>/common/jre |
| Oracle Hyperion Enterprise Performance Management | <EPM Install Location>/common/jre-64 (if 64-bit was installed) |
To apply a patch to an IBM version of JRE, do the following:
Go to the following Web page, and follow the instructions provided: http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
1. Download the ParseDoubleTest.jar from the link above to verify if you need to apply the patch.
2. Copy the ParseDoubleTest.jar file to the spss_location_jre/bin directory.
3. Open a command window in the location where you downloaded the file, and type the following:
java -jar ParseDoubleTest.jar
If the result is “Test Succeeded”, you do not have to apply the patch.
4. If you have to apply the patch, download the appropriate patch file from http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html.
For example, for JRE version 6 on Windows, download IZ94423_FIX_1.jar.
5. Download the Java Update Installer from the following location: http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html
Unzip the UpdateInstallerforJava.zip.
6. Ensure that you have the patch file and the unzipped Java Update Installer in the same location.
7. In a command window, go to the location where you downloaded the patch file and the Java Update Installer, and enter the following command:
java -jar JavaUpdateInstaller.jar -install [patch JAR file] [JAVA_HOME of target JDK]
For example, for IBM SPSS products, the [JAVA_HOME of target JDK] is spss_location_jre.
If you are installing the update for JRE version 6 to a default IBM SPSS Statistics installation location, the command would look like the following:
java -jar JavaUpdateInstaller.jar -install IZ94423_FIX_1.jar "C:\Program Files\IBM\SPSS\StatisticsServer\19\JRE"
8. Rerun the ParseDoubleTest.jar to validate the patch was successfully applied.
If the result is “Test Succeeded” you have successfully applied the patch. If this does not pass, then check the following:
o Make sure the spss_location_jre/lib/rt.jar file is not marked Read Only in your file system
o Make sure the patch file that was downloaded is for the version of the JRE being updated
o Make sure the version of Java in spss_location_jre/bin is being used to run the commands
To apply a patch to a SUN version of JRE, do the following:
1. Download the compressed file for Java SE Floating Point Updater Tool:
http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater
2. Uncompress the file, and then copy fpupdater.jar to spss_location_jre/bin.
3. In a command window, go to the spss_location_jre/bin directory, and enter the following command:
java -jar fpupdater.jar -u -v
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Business Analytics | SPSS Collaboration and Deployment Services | | Platform Independent | 4.0, 4.1, 4.2 | |
| Business Analytics | SPSS Modeler | | Platform Independent | 14.0.0, 14.1.0 | |
| Business Analytics | ShowCase Reporting | | Platform Independent | 9.0, 8.0 | |
| Business Analytics | ShowCase Essbase | | i5/OS, Windows | 11.1 | |
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.