ECM Alert - Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

Flash (Alert)


Abstract

This Security Alert addresses a serious Java security issue (Oracle Security Alert CVE-2010-4476: the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment (JRE) to go into a non-responsive state, infinite loop and/or crash, resulting in a denial of service exposure. The same condition occurs if the number is written without scientific notation (324 decimal places). In addition to the application server being exposed to this attack, any Java application that converts strings to doubles through the Double.parseDouble path, including parseDouble(), the Double(String) constructor and Double.valueOf(), is also at risk, including any customer-written or third-party application.
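The parse entry points named above are the only place application code can interpose a check while a JRE is still unpatched. What follows is an added example, not code from IBM, Oracle or this alert: a screen that uses BigDecimal (exact decimal arithmetic, not the affected floating-point parser) to compare an untrusted string against a window around Double.MIN_NORMAL and refuses to pass values in that window to Double.parseDouble. The class name SafeDouble, the window bounds LOW and HIGH, and the sample inputs are all constructed for this example and are assumptions, not values from the alert.

```java
import java.math.BigDecimal;

/**
 * Pre-screen for Double.parseDouble / Double.valueOf / new Double(String) on
 * untrusted input. Added example, not IBM or Oracle code: it does not repair the
 * JRE, it only keeps an unpatched JRE from being handed a string whose value
 * lies in the window that triggers the CVE-2010-4476 hang.
 */
public final class SafeDouble {

    // Assumed conservative window around Double.MIN_NORMAL (2^-1022, about
    // 2.2250738585072014e-308). The trigger value named in the alert,
    // 2.2250738585072012e-308, sits inside it. The exact width is an assumption
    // made for this example; if in doubt, widen it rather than narrow it.
    private static final BigDecimal LOW  = new BigDecimal("2.2250738585072008e-308");
    private static final BigDecimal HIGH = new BigDecimal("2.2250738585072016e-308");

    private SafeDouble() {
    }

    /**
     * True when the string denotes a value inside the suspect window, whatever
     * notation it uses: scientific, plain 324-digit decimal, leading sign,
     * surrounding whitespace, or a trailing d/D/f/F type suffix.
     */
    public static boolean isSuspect(String s) {
        if (s == null) {
            return false; // parseDouble throws NullPointerException on its own
        }
        String t = s.trim();
        // Double.parseDouble accepts a trailing type suffix; BigDecimal does not,
        // so strip it here or the screen could be bypassed with "...e-308d".
        if (!t.isEmpty()) {
            char last = t.charAt(t.length() - 1);
            if (last == 'd' || last == 'D' || last == 'f' || last == 'F') {
                t = t.substring(0, t.length() - 1);
            }
        }
        BigDecimal v;
        try {
            // BigDecimal(String) is exact integer arithmetic and does not go through
            // the FloatingDecimal code path, so the screen itself cannot hang.
            v = new BigDecimal(t).abs();
        } catch (NumberFormatException e) {
            // NaN, Infinity, hex-float syntax and garbage are not decimal strings;
            // leave them to parseDouble's normal handling.
            return false;
        }
        return v.compareTo(LOW) >= 0 && v.compareTo(HIGH) <= 0;
    }

    /** Drop-in replacement for Double.parseDouble on untrusted strings. */
    public static double parse(String s) {
        if (isSuspect(s)) {
            throw new NumberFormatException("rejected: value too close to Double.MIN_NORMAL");
        }
        return Double.parseDouble(s);
    }

    public static void main(String[] args) {
        // Constructed inputs for demonstration.
        String sci = "2.2250738585072012e-308";            // value quoted in the alert
        StringBuilder plain = new StringBuilder("0.");     // same value, 324 decimal places
        for (int i = 0; i < 307; i++) {
            plain.append('0');
        }
        plain.append("22250738585072012");
        String[] samples = {
            sci,
            plain.toString(),
            " +22250738585072012E-324d ",                  // sign, whitespace, suffix
            "1.5",
            "NaN"
        };
        for (String in : samples) {
            try {
                System.out.println("ok      " + parse(in));
            } catch (NumberFormatException e) {
                System.out.println("REJECT  " + in.length() + " chars: " + e.getMessage());
            }
        }
    }
}
```

The check only protects code paths that call it; anything else in the same process (an application server's own header or parameter parsing, a third-party library) still reaches Double.parseDouble directly, so the screen narrows exposure rather than closing it and the JRE update in the solutions below remains the fix. Values legitimately inside the window, such as Double.MIN_NORMAL written out in decimal, are rejected too; that is the cost of a conservative screen.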

Content

ECM products that utilize JRE as their runtime environment and directly or indirectly support binary floating point operations are likely to be impacted. The following ECM products (in alphabetic order) are potentially exposed to this vulnerability:

IBM CommonStore for Exchange Server – v8.4
IBM CommonStore for Lotus Domino – v8.4
IBM CommonStore for SAP – v8.4
IBM Content Analytics – v2.1, 2.2
IBM Content Collector for Email – v2.2
IBM Content Collector for File Systems – v2.2
IBM Content Collector for Microsoft SharePoint – v2.2
IBM Content Collector for SAP Applications – v2.2
IBM Content Integrator – v8.5.1 and earlier versions
IBM Content Manager Enterprise Edition – v8.3, 8.4, 8.4.1, 8.4.2
IBM eDiscovery Manager – v2.1.1, v2.2
IBM FileNet Business Process Manager – v5.0.0 and earlier versions
IBM FileNet Content Manager – v5.0.0 and earlier versions
IBM FileNet eProcess – v5.2
IBM FileNet P8 eForms – v4.0.x
IBM InfoSphere Content Collector for Email – v2.1.1
IBM InfoSphere Content Collector for File Systems – v2.1.1
IBM InfoSphere Content Collector for Microsoft SharePoint – v2.1.1
IBM InfoSphere Enterprise Records (IBM FileNet Records Manager) – v4.0.0, 4.5.0, 4.5.1
IBM OmniFind Enterprise Edition – v8.4, 8.5, 9.1

The flash will be updated as additional products are identified.

In addition, for products that distribute JREs as part of their product deliverables, plans are being generated to update the JRE to the appropriate fixed level through the normal service delivery mechanism. This flash will also be updated as information on the products impacted and updates to those products becomes available. Updated versions of this flash will be posted at: http://www.ibm.com/support/docview.wss?rs=3286&uid=swg21472585.

With respect to products that do not distribute any JREs, no product updates are planned for this issue. It will be the customers’ responsibility to take the appropriate steps to secure their runtime environments.

If you believe that your systems are exposed to this vulnerability, immediately implement the available solutions listed below that apply to your environment.


Available Solutions:

1. WebSphere Application Server:

Customers who use WebSphere Application Server in conjunction with any ECM products should follow the instructions published in the WebSphere Application Server Alert located at http://www-01.ibm.com/support/docview.wss?uid=swg21462019 to download and install the appropriate updates.


2. Interim Solution:

Non-WebSphere customers who either (a) use the IBM Java runtime environment bundled with an ECM product and cannot wait for the product update, (b) use an ECM product that does not bundle a Java runtime environment, or (c) use a standalone IBM Java runtime environment and believe they are at risk, can download an interim solution from the IBM developerWorks site until a more permanent solution is available. Refer to Critical security vulnerability alert - Security Alert for CVE-2010-4476 for instructions that are applicable to the specific versions of JRE.


3. Others:

Customers who use non-IBM Java runtime environments are advised to contact their vendor of choice to identify and upgrade to the appropriate JRE level that contains the fix to minimize the exposure to this vulnerability.


If you have immediate concerns about this vulnerability or require more information regarding this issue, please contact IBM Support (IBM Response Center 1-800-IBM SERV).


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Enterprise Content Management | CommonStore for Exchange Server
Enterprise Content Management | CommonStore for Lotus Domino
Enterprise Content Management | CommonStore for SAP
Enterprise Content Management | Content Analytics with Enterprise Search
Enterprise Content Management | Content Collector for Email
Enterprise Content Management | Content Collector for File Systems
Enterprise Content Management | Content Collector for Microsoft SharePoint
Enterprise Content Management | Content Integrator
Enterprise Content Management | Content Manager Enterprise Edition
Enterprise Content Management | eDiscovery Manager
Enterprise Content Management | FileNet Content Manager
Enterprise Content Management | FileNet eForms
Enterprise Content Management | InfoSphere Content Collector for Email
Enterprise Content Management | InfoSphere Content Collector for File Systems
Enterprise Content Management | InfoSphere Content Collector for Microsoft SharePoint
Enterprise Content Management | Enterprise Records
Enterprise Content Management | OmniFind Enterprise Edition
Enterprise Content Management | FileNet eProcess

Document information


More support for:

Case Foundation

Software version:

4.0, 4.0.3, 4.5.0, 4.5.1, 5.0

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

All Editions

Reference #:

1472585

Modified date:

2012-06-01