Flash (Alert)
Abstract
The Java Runtime Environment appears to hang when it converts "2.2250738585072012e-308" to a binary floating-point number and results in a denial of service exposure. This alert describes how that vulnerability affects Optim products.
Content
Issue
Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. This same hang occurs if the number is written without scientific notation (324 decimal places). During the first week of February 2011, a critical class library security vulnerability was blogged on the Internet and is now in the public domain.
How Optim products are affected
You might encounter this issue if you run Java programs or Java stored procedures on your system that call the Double.parseDouble method (including parseDouble(), the Double() constructor and Double.valueOf()) with the input value "2.2250738585072012e-308".
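The following probe is an added example and is not part of IBM's alert or of any Optim product: it runs each of the two input forms the alert names (the scientific-notation string and the same value written out in plain decimal form, 324 decimal places) through Double.parseDouble in a daemon thread with a timeout, so that an affected JRE is reported rather than hanging the probe itself. The class name, the method name parseReturnsWithin and the five-second timeout are assumptions of this example; the code sticks to the Java 5 API so it can be run against the JRE levels the alert covers.

```java
import java.math.BigDecimal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Probe for CVE-2010-4476: does this JRE's Double.parseDouble return for the
 * input value named in the alert? Each parse runs in a daemon thread with a
 * timeout, so an affected JRE is reported instead of hanging the probe.
 * Class and method names here are this example's own choices, not IBM's.
 */
public class ParseDoubleHangCheck {

    /** Input value from the alert, in scientific notation. */
    static final String TRIGGER = "2.2250738585072012e-308";

    /** The same value written without scientific notation (324 decimal places). */
    static final String TRIGGER_PLAIN = new BigDecimal(TRIGGER).toPlainString();

    /**
     * Returns true if Double.parseDouble(value) returns (normally or by throwing)
     * within timeoutMillis, false if it is still running when the timeout expires.
     */
    static boolean parseReturnsWithin(final String value, long timeoutMillis)
            throws InterruptedException {
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                t.setDaemon(true); // a stuck probe thread must not keep the JVM alive
                return t;
            }
        });
        try {
            Future<Double> f = pool.submit(new Callable<Double>() {
                public Double call() {
                    return Double.valueOf(Double.parseDouble(value));
                }
            });
            f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false; // the parse did not return: the hang the alert describes
        } catch (ExecutionException e) {
            return true;  // the parse threw (e.g. NumberFormatException) but did return
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        long timeout = 5000L; // assumed generous enough for a healthy JRE to finish
        boolean sci = parseReturnsWithin(TRIGGER, timeout);
        boolean plain = parseReturnsWithin(TRIGGER_PLAIN, timeout);
        System.out.println(System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        System.out.println("scientific notation: "
                + (sci ? "returned" : "no return within " + timeout + " ms"));
        System.out.println("plain decimal form:  "
                + (plain ? "returned" : "no return within " + timeout + " ms"));
        // Non-zero exit when either form fails to return, for use from scripts.
        System.exit(sci && plain ? 0 : 1);
    }
}
```

Run it with the JRE that ships with the product under test (for example the JDK bundled with Data Studio) rather than a system-wide Java, since that is the runtime the alert is about. A non-zero exit means the parse did not return within the timeout, which is the condition to escalate; because an infinite loop inside parseDouble does not observe interruption, the probe relies on the daemon flag and System.exit to terminate rather than on shutdownNow.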
Optim products affected:
The JDK that is shipped with the following products on all supported operating systems:
- Data Studio / IBM Data Studio Developer Versions 1.2, 2.0, 2.1, and 2.1.0.1
- Data Studio / IBM Optim Development Studio Versions 2.2, 2.2.0.1, 2.2.0.2, 2.2.0.3, and 2.2.1
- IBM Data Studio Database Administrator Versions 2.1 and 2.1.0.1
- IBM Data Studio Health Monitor Version 2.2.1
- IBM DB2 Optimization Expert for z/OS Version 2.1
- IBM InfoSphere Data Architect Version 7.5.1 and later
- IBM Optim Database Administrator Version 2.2.2 and later
- IBM Optim Query Tuner Version 2.2 and later
- IBM Optim Query Workload Tuner Version 2.2 and later
- IBM Rational Data Architect Versions 7.0 and 7.5
Description:
This Security Alert addresses a serious security issue CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to hang, go into an infinite loop, or crash, resulting in a denial of service exposure. This same problem occurs if the number is written without scientific notation (324 decimal places).
Interim Solution:
If you are at risk of being affected, update the IBM Developer Kits and Runtime Environments on your system with updates that are provided by IBM support. The Critical security vulnerability alert - Security Alert for CVE-2010-4476 on the IBM developerWorks site contains information about the vulnerability and includes the following sections:
References:
- IBM APAR IZ89602: (for Java 6.0) IZ89602: JVM CRASHES WHILE LOADING INVALID CLASS FILE.
- IBM APAR IZ89620: (for Java 5.0) IZ89620: JVM CRASHES WHILE LOADING INVALID CLASS FILE.
| Segment | Product | Version |
|---|---|---|
| Information Management | InfoSphere Data Architect | 7.5.1, 7.5.1.1, 7.5.2, 7.5.2.1, 7.5.2.2, 7.5.3 |
| Information Management | Optim Database Administrator for DB2 for Linux, UNIX and Windows | 2.2.2, 2.2.2.1, 2.2.3 |
| Information Management | IBM Data Studio Developer | 2.1, 2.1.0.1 |
| Information Management | InfoSphere Optim Query Tuner for DB2 for Linux, UNIX and Windows | 2.2.0, 2.2.0.1, 2.2.0.2, 2.2.1 |
| Information Management | Optim Development Studio | 2.2, 2.2.0.1, 2.2.0.2, 2.2.0.3, 2.2.1 |
| Information Management | Optim Query Workload Tuner for DB2 for Linux, UNIX and Windows | 2.2.0, 2.2.0.1, 2.2.0.2 |
| Information Management | Rational Data Architect | 7.0, 7.5 |
| Information Management | Data Studio Health Monitor | 2.2.1 |