Critical security vulnerability alert

Security Alert for CVE-2010-4476

This page provides the latest information on security vulnerability CVE-2010-4476 for users of IBM Software products and of the IBM Developer Kits and Runtime Environments.

On the 8th Feb 2011 Oracle published security alert CVE-2010-4476, concerning a critical vulnerability in the Java class libraries.

Issue
Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.

Impact
This can be exploited to mount a denial-of-service attack against application servers.

What is affected
This vulnerability affects all versions and releases of IBM Developer Kits and Runtime Environments on all platforms up to and including these releases:

Use the verification test case described below if you are in any doubt about whether your IBM SDK or runtime environment is vulnerable to this issue.

Information for Websphere customers

Information for other IBM products

Support for Java without an IBM software product

If you are not using an IBM software product, use the table below. It lists the dates on which IBM SDKs and Runtime Environments containing a fix for this security vulnerability were published on developerWorks.

SDK/JRE level  Platform  Download              Date
6              Linux     SR9                   15 Feb 2011
6              AIX       SR9+IZ94423           24 Feb 2011
5.0            Linux     SR12-FP3              15 Feb 2011
5.0            AIX       SR12 FP3+IZ94331      24 Feb 2011
1.4.2          Linux     SR13-FP8              16 Feb 2011
1.4.2          AIX       142 SR13FP8+PM31983   24 Feb 2011

Other platforms on developerWorks will be made available shortly.


Verification

Customers can use this test case to verify whether their systems are susceptible to this vulnerability and to verify that a patch has been successfully applied.

The test case can be downloaded via anonymous FTP from the following location:

ParseDoubleTest.jar

The test case is an executable JAR file and can be run with the following command line:

java -jar ParseDoubleTest.jar

If the vulnerability has not been fixed, the test will fail:

    > java -jar ParseDoubleTest.jar
    Test failed

If the vulnerability has been fixed, the test will succeed:

    > java -jar ParseDoubleTest.jar
    Test succeeded
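The following is an added example of the kind of check the advisory's test case performs; it is not IBM's ParseDoubleTest.jar. It parses the trigger value from the Issue section on a daemon thread and treats a timeout as a hang, so the checker itself returns even on a vulnerable JRE; the 5-second timeout is an assumption, and only Java 1.4-era APIs are used so that it compiles and runs on the SDK levels listed above.

```java
// ParseDoubleCheck: added example, not IBM's ParseDoubleTest.jar.
// Probes whether this JRE hangs while converting the CVE-2010-4476
// trigger string to a double. The parse runs on a daemon thread so the
// JVM can still exit if the conversion never returns.
public class ParseDoubleCheck {

    // Value quoted in the advisory's Issue section.
    static final String TRIGGER = "2.2250738585072012e-308";

    // Assumption: a correctly working JRE parses this in well under a second.
    static final long TIMEOUT_MILLIS = 5000;

    // Returns true if the parse completes within the timeout (fix present),
    // false if the probe thread is still running when time runs out (vulnerable).
    static boolean parsesWithinTimeout(final String s, long timeoutMillis)
            throws InterruptedException {
        final double[] result = new double[1];
        Thread probe = new Thread(new Runnable() {
            public void run() {
                // Double.parseDouble and Double.valueOf share the conversion
                // code path that loops on the trigger value.
                result[0] = Double.parseDouble(s);
            }
        }, "parse-probe");
        probe.setDaemon(true);          // never block JVM exit on a spinning probe
        probe.start();
        probe.join(timeoutMillis);      // wait at most timeoutMillis for completion
        return !probe.isAlive();
    }

    public static void main(String[] args) throws InterruptedException {
        boolean ok = parsesWithinTimeout(TRIGGER, TIMEOUT_MILLIS);
        // Mirror the wording of the advisory's test case output.
        System.out.println(ok ? "Test succeeded" : "Test failed");
        System.exit(ok ? 0 : 1);
    }
}
```

Run it with the java binary whose vulnerability status you want to know: the result only describes the JRE that actually executed the parse.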

Patch availability

IBM have provided an update installer and patches that allow you to temporarily fix this security vulnerability.

For stand-alone IBM SDKs and runtimes, or where directed by IBM Support, you can download the IBM Update Installer for Java from here:

   IBM Update Installer for Java download and install instructions

We recommend you only use the IBM Update Installer for Java to update IBM SDKs or runtime environments. (For HP see Note 1). Note that tools from other vendors are not supported.

Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your SDK may remove fixes applied by the IBM Update Installer for Java. You should always use fixes provided by your IBM Product support team where available.

Patch files

SDK/JRE level  Platform             Download
6              z/OS                 IZ94423_ZOS_160_FIX_1.jar
6              Solaris              IZ94423_SOL_160_FIX_1.jar
6              HP-UX                HP FPUpdater Tool Download and Documentation (hosted by HP, see Note 1)
6              all other platforms  IZ94423_FIX_1.jar
5.0            z/OS                 IZ94331_ZOS_150_FIX_1.jar
5.0            Solaris              IZ94331_SOL_150_FIX_1.jar
5.0            HP-UX                HP FPUpdater Tool Download and Documentation (hosted by HP, see Note 1)
5.0            all other platforms  IZ94331_FIX_1.jar
1.4.x          z/OS                 PM31983_ZOS_142_FIX_1.jar
1.4.x          Solaris              PM31983_SOL_142_FIX_1.jar
1.4.x          HP-UX                HP FPUpdater Tool Download and Documentation (hosted by HP, see Note 1)
1.4.x          all other platforms  PM31983_FIX_1.jar

Note 1: For the HP® JDK and JRE adapted by IBM for IBM software our current recommendation is that you use the FPUpdaterTool provided by HP.

Note 2: Separate patch files are provided for z/OS, Solaris and HP-UX because of the different file structure on those platforms.