The Java Runtime Environment appears to hang when it converts "2.2250738585072012e-308" to a binary floating-point number and results in a denial of service exposure. This alert describes how that vulnerability affects Optim products.
Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. This same hang occurs if the number is written without scientific notation (324 decimal places). During the first week of February 2011, a critical class library security vulnerability was blogged on the Internet and is now in the public domain.
How Optim products are affected
You might encounter this issue if you run Java programs or Java stored procedures on your system that call the Double.parseDouble method (including parseDouble(), the Double() constructor and Double.valueOf() ) with the input value "2.2250738585072012e-308".
Optim products affected:
The JDK that is shipped with the following products on all supported operating systems:
Data Studio / IBM Data Studio Developer Versions 1.2, 2.0, 2.1, and 18.104.22.168
Data Studio / IBM Optim Development Studio Versions 2.2, 22.214.171.124, 126.96.36.199, 188.8.131.52, and 2.2.1
IBM Data Studio Database Administrator Versions 2.1, and 184.108.40.206
IBM Data Studio Health Monitor Version 2.2.1
IBM DB2 Optimization Expert for z/OS Version 2.1
IBM Infosphere Data Architect Version 7.5.1 and later
IBM Optim Database Administrator Version 2.2.2 and and later
IBM Optim Query Tuner Version 2.2 and later
IBM Optim Query Workload Tuner Version 2.2 and later
IBM Rational Data Architect Versions 7.0 and 7.5
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to hang, go into an infinite loop, or crash, resulting in a denial of service exposure. This same problem occurs if the number is written without scientific notation (324 decimal places).
|If you are at risk of being affected, update the IBM Developer Kits and Runtime Environments on your system with updates that are provided by IBM support. The Critical security vulnerability alert - Security Alert for CVE-2010-4476 on the IBM developerWorks site contains information about the vulnerability and includes the following sections:
|Information Management||InfoSphere Data Architect||7.5.1, 220.127.116.11, 7.5.2, 18.104.22.168, 22.214.171.124, 7.5.3|
|Information Management||Optim Database Administrator for DB2 for Linux- UNIX and Windows||2.2.2, 126.96.36.199, 2.2.3|
|Information Management||IBM Data Studio||2.1|
|Information Management||InfoSphere Optim Query Tuner for DB2 for Linux- UNIX and Windows||2.2.0, 188.8.131.52, 184.108.40.206, 2.2.1|
|Information Management||Optim Development Studio||2.2, 220.127.116.11, 18.104.22.168, 22.214.171.124, 2.2.1|
|Information Management||Optim Query Workload Tuner for DB2 for Linux UNIX and Windows||2.2.0, 126.96.36.199, 188.8.131.52|
|Information Management||Rational Data Architect||7.0, 7.5|
|Information Management||Data Studio Health Monitor||2.2.1|