The first time you sign into developerWorks, a profile is created for you. Select information in your profile (name, country/region, and company) is displayed to the public and will accompany any content you post. You may update your IBM account at any time.

All information submitted is secure.

The first time you sign in to developerWorks, a profile is created for you, so you need to choose a display name. Your display name accompanies the content you post on developerworks.

Please choose a display name between 3-31 characters. Your display name must be unique in the developerWorks community and should not be your email address for privacy reasons.

All information submitted is secure.

My developerWorks:

My notifications:

Sign out

Select a language:

Critical security vulnerability alert

Security Alert for CVE-2010-4476

Page navigation

Critical security vulnerability alert
Information for Websphere customers
Information for Lotus customers
Information for other IBM products
Support for Java without an IBM software product
Verification
Patch availability
Related links

This page reflects the latest information relating to security vulnerability CVE-2010-4476, support for IBM Software product users and the IBM Developer Kits and Runtime Environments.

Critical security vulnerability alert

On the 8th Feb 2011 Oracle published a security vulnerability CVE-2010-4476 concerning a critical class library security vulnerability.

Issue

Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.

Impact

This can be used as a denial of service attack against application servers.

What is affected

This vulnerability affects all versions and releases of IBM Developer Kits and Runtime Environments on all platforms prior to and including these releases:

Java SE 6 SR9
Java SE 5.0 SR12-FP3
J2SE 1.4.2 SR13-FP8

Use the verification test case described below, if you are in any doubt whether your IBM SDK or runtime environment is vulnerable to this issue.

Information for Websphere customers

Websphere Application Server - Websphere application server customers should follow the instructions in this WebSphere Application Server flash.

The prefered method for IBM Websphere Application Server is to upgrade your JDK to an Interim Fix JDK level containing a fix for this issue. The Flash explains which versions of IBM Websphere Application Server are affected and contains up to date details of available fixes for each operating system.
Websphere Application Server Community Edition
WebSphere Message Broker flash
WebSphere MQ

Information for Lotus customers

Knowledge Collection: List of technotes about Lotus products & Oracle Security Alert CVE-2010-4476

Information for other IBM products

Rational Alert for CVE-2010-4476
Tivoli Alert for CVE-2010-4476
Information Management Alert for CVE-2010-4476
ECM Alert for CVE-2010-4476
Business Analytics Alert for CVE-2010-4476
CICS Transaction Server Alert for CVE-2010-4476
CICS Transaction Gateway Alert for CVE-2010-4476
z/OS - If applicable, z/OS security/integrity APAR information is available at System z Security Portal. Please follow the instructions on the System z Security Portal if you are not already registered.
AIX Alert for CVE-2010-4476
For other IBM Products contact your IBM Customer Support team.

Support for Java without an IBM software product

If you are not using an IBM software product.

This table lists the dates that IBM SDKs and Runtime Environments were published on developerWorks, which also contain a fix to this security vulnerability.

SDK/JRE level	Platform	Download	Date
6	Linux	SR9	15 Feb 2011
6	AIX	SR9+IZ94423	24 Feb 2011
5.0	Linux	SR12-FP3	15 Feb 2011
5.0	AIX	SR12 FP3+IZ94331	24 Feb 2011
1.4.2	Linux	SR13-FP8	16 Feb 2011
1.4.2	AIX	142 SR13FP8+PM31983	24 Feb 2011

Other platforms on developerWorks will be made available shortly.

Verification

Customers can use this test case to verify whether their systems are susceptible to this vulnerability and to verify a patch has been successfully applied.

The test case can be downloaded via anonymous ftp from the following location:

ParseDoubleTest.jar

The test case is an executable JAR file, and can be run using the following command line:

java -jar ParseDoubleTest.jar

If the vulnerability has not been fixed, the test will fail:

> java -jar ParseDoubleTest.jar
    Test failed

If the vulnerability has been fixes, the test will succeed:

> java -jar ParseDoubleTest.jar
    Test succeeded

Patch availability

IBM have provided an update installer and patches that allow you to temporarily fix this security vulnerability.

For stand alone IBM SDKs and runtimes, or where directed by IBM Support, you can download the IBM Update Installer for Java from here:

IBM Update Installer for Java download and install instructions

We recommend you only use the IBM Update Installer for Java to update IBM SDKs or runtime environments. (For HP see Note 1). Note that tools from other vendors are not supported.

Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your SDK may remove fixes applied by the IBM Update Installer for Java. You should always use fixes provided by your IBM Product support team where available.

Patch files

SDK/JRE level	Platform	Download
6	z/OS	IZ94423_ZOS_160_FIX_1.jar
6	Solaris	IZ94423_SOL_160_FIX_1.jar
6	HP-UX	HP FPUpdater Tool Download and Documentation
6	all other platforms	IZ94423_FIX_1.jar
5.0	z/OS	IZ94331_ZOS_150_FIX_1.jar
5.0	Solaris	IZ94331_SOL_150_FIX_1.jar
5.0	HP-UX	HP FPUpdater Tool Download and Documentation
5.0	all other platforms	IZ94331_FIX_1.jar
1.4.x	z/OS	PM31983_ZOS_142_FIX_1.jar
1.4.x	Solaris	PM31983_SOL_142_FIX_1.jar
1.4.x	HP-UX	HP FPUpdater Tool Download and Documentation
1.4.x	all other platforms	PM31983_FIX_1.jar