ECM Alert - Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious Java security issue (Oracle Security Alert CVE-2010-4476 - Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment (JRE) to go into a non-responsive state, infinite loop, and/or crash, resulting in a denial of service exposure. The same condition occurs if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java application that converts strings to doubles through Double.parseDouble(), the Double(String) constructor or Double.valueOf(String) is also at risk, including any customer-written or third-party application.
ECM products that use a JRE as their runtime environment and directly or indirectly support binary floating-point operations are likely to be impacted. The following ECM products (in alphabetical order) are potentially exposed to this vulnerability:
IBM CommonStore for Exchange Server – v8.4
IBM CommonStore for Lotus Domino – v8.4
IBM CommonStore for SAP – v8.4
IBM Content Analytics – v2.1, 2.2
IBM Content Collector for Email – v2.2
IBM Content Collector for File Systems – v2.2
IBM Content Collector for Microsoft SharePoint – v2.2
IBM Content Collector for SAP Applications – v2.2
IBM Content Integrator – v8.5.1 and earlier versions
IBM Content Manager Enterprise Edition – v8.3, 8.4, 8.4.1, 8.4.2
IBM eDiscovery Manager – v2.1.1, 2.2
IBM FileNet Business Process Manager – v5.0.0 and earlier versions
IBM FileNet Content Manager – v5.0.0 and earlier versions
IBM FileNet eProcess – v5.2
IBM FileNet P8 eForms – v4.0.x
IBM InfoSphere Content Collector for Email – v2.1.1
IBM InfoSphere Content Collector for File Systems – v2.1.1
IBM InfoSphere Content Collector for Microsoft SharePoint – v2.1.1
IBM InfoSphere Enterprise Records (IBM FileNet Records Manager) – v4.0.0, 4.5.0, 4.5.1
IBM OmniFind Enterprise Edition – v8.4, 8.5, 9.1
This flash will be updated as additional products are identified.
In addition, for products that distribute JREs as part of their product deliverables, plans are being generated to update the JRE to the appropriate fixed level through the normal service delivery mechanism. This flash will also be updated as information on the products impacted and updates to those products becomes available. Updated versions of this flash will be posted at: http://www.ibm.com/support/docview.wss?rs=3286&uid=swg21472585.
With respect to products that do not distribute any JREs, no product updates are planned for this issue. It will be the customers’ responsibility to take the appropriate steps to secure their runtime environments.
If you believe that your systems are exposed to this vulnerability, please implement the applicable solutions listed below immediately.
1. WebSphere Application Server:
Customers who use WebSphere Application Server in conjunction with any ECM products should follow the instructions published in the WebSphere Application Server Alert located at http://www-01.ibm.com/support/docview.wss?uid=swg21462019 to download and install the appropriate updates.
2. Interim Solution:
Non-WebSphere customers who (a) use the IBM Java runtime environment bundled with an ECM product and cannot wait for the product update, (b) use ECM products that do not bundle a Java runtime environment, or (c) use a standalone IBM Java runtime environment and believe they are at risk, can download an interim solution from the IBM developerWorks site until a more permanent solution is available. Refer to "Critical security vulnerability alert - Security Alert for CVE-2010-4476" for the instructions applicable to each specific JRE version.
Customers who use non-IBM Java runtime environments are advised to contact their vendor of choice to identify and upgrade to the appropriate JRE level that contains the fix to minimize the exposure to this vulnerability.
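A quick way to confirm whether a given JRE (before or after applying the updates above) still exhibits the hang is to run Double.parseDouble on the alert's value in a daemon thread with a timeout. The following is an added example, not part of IBM's alert or any IBM tool; the class and method names are assumed, and the plain-decimal form is derived from the alert's "324 decimal places" description.

```java
import java.util.concurrent.*;

/** Added example (not IBM code): probe whether the current JRE still hangs on the
 *  CVE-2010-4476 input. Written without lambdas so it runs on Java 5/6 levels too. */
public class Cve20104476Probe {
    /** The value quoted in the alert, in scientific notation. */
    static final String SCIENTIFIC = "2.2250738585072012e-308";

    /** The same value written out in full: 324 decimal places, as the alert notes. */
    static String plainDecimal() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) sb.append('0');
        return sb.append("22250738585072012").toString();
    }

    /** Runs Double.parseDouble on a daemon thread and reports whether it returned
     *  within the timeout; not returning is the CVE-2010-4476 symptom. */
    static boolean parsesWithinTimeout(final String s, long timeoutMillis) {
        ExecutorService ex = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "cve-2010-4476-probe");
                t.setDaemon(true); // a spinning probe thread must not keep the JVM alive
                return t;
            }
        });
        try {
            Future<Double> f = ex.submit(new Callable<Double>() {
                public Double call() { return Double.parseDouble(s); }
            });
            f.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;
        } catch (Exception e) { // InterruptedException or ExecutionException
            throw new IllegalStateException(e);
        } finally {
            ex.shutdownNow(); // interrupt does not break the affected JRE's loop
        }
    }

    public static void main(String[] args) {
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + " java.version=" + System.getProperty("java.version"));
        boolean ok = parsesWithinTimeout(SCIENTIFIC, 5000)
                && parsesWithinTimeout(plainDecimal(), 5000);
        System.out.println(ok ? "parseDouble returned: this JRE is not affected"
                : "parseDouble did not return: this JRE appears AFFECTED by CVE-2010-4476");
    }
}
```

Save it as Cve20104476Probe.java, compile it with a JDK and run it with the JRE under test (java -cp . Cve20104476Probe) in a throwaway JVM rather than inside a running application server, since on an affected JRE the probe thread keeps spinning until the JVM exits.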
If you have immediate concerns about this vulnerability or require more information regarding this issue, please contact IBM Support (IBM Response Center 1-800-IBM SERV).
|Segment||Product|
|Enterprise Content Management||CommonStore for Exchange Server|
|Enterprise Content Management||CommonStore for Lotus Domino|
|Enterprise Content Management||CommonStore for SAP|
|Enterprise Content Management||Content Analytics with Enterprise Search|
|Enterprise Content Management||Content Collector for Email|
|Enterprise Content Management||Content Collector for File Systems|
|Enterprise Content Management||Content Collector for Microsoft SharePoint|
|Enterprise Content Management||Content Integrator|
|Enterprise Content Management||Content Manager Enterprise Edition|
|Enterprise Content Management||eDiscovery Manager|
|Enterprise Content Management||FileNet Content Manager|
|Enterprise Content Management||FileNet eForms|
|Enterprise Content Management||InfoSphere Content Collector for Email|
|Enterprise Content Management||InfoSphere Content Collector for File Systems|
|Enterprise Content Management||InfoSphere Content Collector for Microsoft SharePoint|
|Enterprise Content Management||Enterprise Records|
|Enterprise Content Management||OmniFind Enterprise Edition|
|Enterprise Content Management||FileNet eProcess|
Software version: 4.0, 4.0.3, 4.5.0, 4.5.1, 5.0
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows
Software edition: All Editions
Reference #: 1472585
Modified date: 23 March 2011