Optim products affected by the security alert for CVE-2010-4476

Flash (Alert)


Abstract

The Java Runtime Environment appears to hang when it converts "2.2250738585072012e-308" to a binary floating-point number, which results in a denial-of-service exposure. This alert describes how that vulnerability affects Optim products.

Content

Issue
Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. This same hang occurs if the number is written without scientific notation (324 decimal places). During the first week of February 2011, a critical class library security vulnerability was blogged on the Internet and is now in the public domain.

How Optim products are affected
You might encounter this issue if you run Java programs or Java stored procedures on your system that call the Double.parseDouble method, or the methods built on it (the Double() constructor and Double.valueOf()), with the input value "2.2250738585072012e-308".

Optim products affected:
The JDK that is shipped with the following products on all supported operating systems:

    Data Studio / IBM Data Studio Developer Versions 1.2, 2.0, 2.1, and 2.1.0.1
    Data Studio / IBM Optim Development Studio Versions 2.2, 2.2.0.1, 2.2.0.2, 2.2.0.3, and 2.2.1
    IBM Data Studio Database Administrator Versions 2.1, and 2.1.0.1
    IBM Data Studio Health Monitor Version 2.2.1
    IBM DB2 Optimization Expert for z/OS Version 2.1
    IBM Infosphere Data Architect Version 7.5.1 and later
    IBM Optim Database Administrator Version 2.2.2 and later
    IBM Optim Query Tuner Version 2.2 and later
    IBM Optim Query Workload Tuner Version 2.2 and later
    IBM Rational Data Architect Versions 7.0 and 7.5

Description:
This Security Alert addresses a serious security issue, CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to hang, go into an infinite loop, or crash, resulting in a denial-of-service exposure. This same problem occurs if the number is written without scientific notation (324 decimal places).

Interim Solution:
If you are at risk of being affected, update the IBM Developer Kits and Runtime Environments on your system with updates that are provided by IBM support. The "Critical security vulnerability alert - Security Alert for CVE-2010-4476" page on the IBM developerWorks site contains information about the vulnerability and includes the following sections:
  • The "Verification" section contains information about a test to verify whether your system is at risk.
  • The "Patch availability" section contains links to information about the IBM Update Installer for Java and patches that allow you to temporarily fix this security vulnerability.
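The "Verification" section referenced above describes a test for whether a system is at risk, and the earlier "How Optim products are affected" paragraph names the parse entry points involved. The following program is an added example, not IBM's verification test and not part of this alert: it feeds the value quoted in the alert, in both its scientific and its 324-decimal-place form, to Double.parseDouble on a daemon thread with a timeout, so that an affected JRE cannot lock up the checker itself. The 5-second timeout, the class name and the exit-code convention (1 = affected) are this example's own assumptions.

```java
// Added example, not IBM's own verification test: checks whether the running JRE
// hangs on the CVE-2010-4476 input. The parse runs on a daemon thread with a
// timeout (5 seconds here, an assumed value) so an affected JVM cannot lock up
// the checker; the exit code (1 = affected) is this example's convention.

public class ParseDoubleHangCheck {

    // The value quoted in the alert, in scientific notation.
    static final String SCIENTIFIC = "2.2250738585072012e-308";

    // Same value written without scientific notation: 307 zeros after the point
    // followed by the 17 significant digits, i.e. 324 decimal places as the
    // alert describes. Built with a loop so the class compiles on Java 5/6.
    static String plainDecimal() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        return sb.append("22250738585072012").toString();
    }

    // Sink for the parse result so the call cannot be treated as dead code.
    static volatile double sink;

    /**
     * Parses input on a daemon thread and waits at most timeoutMillis.
     * Returns true if the parse finished in time, false if the thread is
     * still running (the JRE is hanging on this value).
     */
    static boolean parsesWithinTimeout(final String input, long timeoutMillis)
            throws InterruptedException {
        Thread worker = new Thread(new Runnable() {
            public void run() {
                sink = Double.parseDouble(input);
            }
        });
        // Daemon: a spinning worker must not keep the JVM alive after main exits.
        worker.setDaemon(true);
        worker.start();
        worker.join(timeoutMillis);
        return !worker.isAlive();
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.version = " + System.getProperty("java.version")
                + ", java.vendor = " + System.getProperty("java.vendor"));
        String[] inputs = { SCIENTIFIC, plainDecimal() };
        boolean affected = false;
        for (String input : inputs) {
            boolean ok = parsesWithinTimeout(input, 5000L);
            String label = input.length() > 40 ? input.substring(0, 40) + "..." : input;
            System.out.println((ok ? "parsed: " : "HUNG:   ") + label);
            if (!ok) {
                affected = true;
            }
        }
        if (affected) {
            System.out.println("This JRE is affected by CVE-2010-4476; apply the IBM Java update.");
        } else {
            System.out.println("This JRE parsed both forms; it is not affected by CVE-2010-4476.");
        }
        // System.exit also terminates any daemon thread still spinning on the parse.
        System.exit(affected ? 1 : 0);
    }
}
```

Compile with javac and run it with the exact JRE you want to assess (for an Optim product, the java binary under the JDK that ships with the product, not whatever java is first on the PATH), since the result only describes the runtime that executed it. A worker thread that hangs spins on a core until System.exit runs, which is why the timeout is kept short; and because the alert also lists a crash as a possible outcome, an abnormal termination of the checker itself should be read as an affected result, not as a test error.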

References:
  • IBM APAR IZ89602 (for Java 6.0): JVM CRASHES WHILE LOADING INVALID CLASS FILE.
  • IBM APAR IZ89620 (for Java 5.0): JVM CRASHES WHILE LOADING INVALID CLASS FILE.

Cross reference information
Segment                 Product                                                           Version
Information Management  InfoSphere Data Architect                                         7.5.1, 7.5.1.1, 7.5.2, 7.5.2.1, 7.5.2.2, 7.5.3
Information Management  Optim Database Administrator for DB2 for Linux, UNIX and Windows  2.2.2, 2.2.2.1, 2.2.3
Information Management  IBM Data Studio                                                   2.1
Information Management  InfoSphere Optim Query Tuner for DB2 for Linux, UNIX and Windows  2.2.0, 2.2.0.1, 2.2.0.2, 2.2.1
Information Management  Optim Development Studio                                          2.2, 2.2.0.1, 2.2.0.2, 2.2.0.3, 2.2.1
Information Management  Optim Query Workload Tuner for DB2 for Linux, UNIX and Windows    2.2.0, 2.2.0.1, 2.2.0.2
Information Management  Rational Data Architect                                           7.0, 7.5
Information Management  Data Studio Health Monitor                                        2.2.1


Document information


More support for:

Optim Development Studio

Software version:

2.2, 2.2.0.1, 2.2.0.2, 2.2.0.3, 2.2.1

Operating system(s):

Linux, Windows

Reference #:

1470041

Modified date:

2011-03-17
