developerWorks

AIX and UNIX
Information Mgmt
Lotus
Rational
Tivoli
WebSphere

Architecture
Java™ technology
	New to Java™ programming
	Downloads & products
	Open source projects
	Standards
	Technical library
	Training
	Forums & community
	Special offers
	Events
Linux
Open source
SOA and Web services
Multicore acceleration
Web development
XML

About dW
Submit content
Feedback

Related links
	ISV resources
	alphaWorks (emerging technologies)
	IBM Academic Initiative
	IBM Student Portal
	IBM Virtual Innovation Center (Bus. Partners)
	IBM Redbooks
	IBM Press books
	IBM communities

Local sites
	developerWorks 中国
	developerWorks Japan
	developerWorks 한국
	developerWorks Россия
	developerWorks Brasil
	developerWorks en español
	developerWorks Việt Nam

developerWorks > Java™; technology > Documentation > Security alerts >

Critical security vulnerability alert

Security Alert for CVE-2010-4476

On the 8th Feb 2011 Oracle published a security vulnerability CVE-2010-4476 concerning a critical class library security vulnerability.

Issue

Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.

Impact

This can be used as a denial of service attack against application servers.

What is affected

This vulnerability affects all versions and releases of IBM Developer Kits and Runtime Environments on all platforms prior to and including these releases:

Java SE 6 SR9
Java SE 5.0 SR12-FP3
J2SE 1.4.2 SR13-FP8

Use the verification test case described below, if you are in any doubt whether your IBM SDK or runtime environment is vulnerable to this issue.

This page reflects the latest information relating to CVE-2010-4476, support for IBM Software product users and the IBM Developer Kits and Runtime Environments.

Information for Websphere customers

Websphere Application Server - Websphere application server customers should follow the instructions in this WebSphere Application Server flash.

The prefered method for IBM Websphere Application Server is to upgrade your JDK to an Interim Fix JDK level containing a fix for this issue. The Flash explains which versions of IBM Websphere Application Server are affected and contains up to date details of available fixes for each operating system.
Websphere Application Server Community Edition
WebSphere Message Broker flash
WebSphere MQ

Information for Lotus customers

Knowledge Collection: List of technotes about Lotus products & Oracle Security Alert CVE-2010-4476

Information for other IBM products

Rational Alert for CVE-2010-4476
Tivoli Alert for CVE-2010-4476
Information Management Alert for CVE-2010-4476
ECM Alert for CVE-2010-4476
Business Analytics Alert for CVE-2010-4476
CICS Transaction Server Alert for CVE-2010-4476
CICS Transaction Gateway Alert for CVE-2010-4476
z/OS - If applicable, z/OS security/integrity APAR information is available at System z Security Portal. Please follow the instructions on the System z Security Portal if you are not already registered.
AIX Alert for CVE-2010-4476
For other IBM Products contact your IBM Customer Support team.

Support for Java without an IBM software product

If you are not using an IBM software product.

This table lists the dates that IBM SDKs and Runtime Environments were published on developerWorks, which also contain a fix to this security vulnerability.

SDK/JRE level	Platform	Download	Date
6	Linux	SR9	15 Feb 2011
5.0	Linux	SR12-FP3	15 Feb 2011
1.4.2	Linux	SR13-FP8	16 Feb 2011
6	AIX	SR9+IZ94423	24 Feb 2011
5.0	AIX	SR12 FP3+IZ94331	24 Feb 2011
1.4.2	AIX	142 SR13FP8+PM31983	24 Feb 2011

Other platforms on developerWorks will be made available shortly.

Verification

Customers can use this test case to verify whether their systems are susceptible to this vulnerability and to verify a patch has been successfully applied.

The test case can be downloaded via anonymous ftp from the following location:

ParseDoubleTest.jar

The test case is an executable JAR file, and can be run using the following command line:

java -jar ParseDoubleTest.jar

If the vulnerability has not been fixed, the test will fail:

> java -jar ParseDoubleTest.jar
	Test failed

If the vulnerability has been fixes, the test will succeed:

> java -jar ParseDoubleTest.jar
	Test succeeded

Patch availability

IBM have provided an update installer and patches that allow you to temporarily fix this security vulnerability.

For stand alone IBM SDKs and runtimes, or where directed by IBM Support, you can download the IBM Update Installer for Java from here:

IBM Update Installer for Java download and install instructions

We recommend you only use the IBM Update Installer for Java to update IBM SDKs or runtime environments. (For HP see Note 1). Note that tools from other vendors are not supported.

Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your SDK may remove fixes applied by the IBM Update Installer for Java. You should always use fixes provided by your IBM Product support team where available.

Patch files

SDK/JRE level	Platform	Download
6	z/OS	IZ94423_ZOS_160_FIX_1.jar
6	Solaris	IZ94423_SOL_160_FIX_1.jar
6	HP-UX	HP FPUpdater Tool Download and Documentation
6	all other platforms	IZ94423_FIX_1.jar
5.0	z/OS	IZ94331_ZOS_150_FIX_1.jar
5.0	Solaris	IZ94331_SOL_150_FIX_1.jar
5.0	HP-UX	HP FPUpdater Tool Download and Documentation
5.0	all other platforms	IZ94331_FIX_1.jar
1.4.x	z/OS	PM31983_ZOS_142_FIX_1.jar
1.4.x	Solaris	PM31983_SOL_142_FIX_1.jar
1.4.x	HP-UX	HP FPUpdater Tool Download and Documentation
1.4.x	all other platforms	PM31983_FIX_1.jar

Note 1: For the HP® JDK and JRE adapted by IBM for IBM software our current recommendation is that you use the FPUpdaterTool provided by HP.

Note 2: The separate patch files for z/OS, Solaris and HP-UX due to the different file structure on those platforms.