This page reflects the latest information relating to security vulnerability CVE-2010-4476, support for IBM Software product users and the IBM Developer Kits and Runtime Environments.
On 8 Feb 2011 Oracle published security vulnerability CVE-2010-4476, a critical vulnerability in the Java class library.
- Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.
- This can be used as a denial of service attack against application servers.
What is affected
This vulnerability affects all versions and releases of IBM Developer Kits and Runtime Environments on all platforms prior to and including these releases:
If you are in any doubt about whether your IBM SDK or runtime environment is vulnerable to this issue, use the verification test case described below.
- Rational Alert for CVE-2010-4476
- Tivoli Alert for CVE-2010-4476
- Information Management Alert for CVE-2010-4476
- ECM Alert for CVE-2010-4476
- Business Analytics Alert for CVE-2010-4476
- CICS Transaction Server Alert for CVE-2010-4476
- CICS Transaction Gateway Alert for CVE-2010-4476
- z/OS - If applicable, z/OS security/integrity APAR information is available at System z Security Portal. Please follow the instructions on the System z Security Portal if you are not already registered.
- AIX Alert for CVE-2010-4476
- For other IBM Products contact your IBM Customer Support team.
If you are not using an IBM software product
This table lists the dates on which the IBM SDKs and Runtime Environments that contain a fix for this security vulnerability were published on developerWorks.
| Version | Platform | Service release | Published |
|---|---|---|---|
| 6 | Linux | SR9 | 15 Feb 2011 |
| 6 | AIX | SR9+IZ94423 | 24 Feb 2011 |
| 5.0 | Linux | SR12-FP3 | 15 Feb 2011 |
| 5.0 | AIX | SR12 FP3+IZ94331 | 24 Feb 2011 |
| 1.4.2 | Linux | SR13-FP8 | 16 Feb 2011 |
| 1.4.2 | AIX | 142 SR13FP8+PM31983 | 24 Feb 2011 |
Other platforms on developerWorks will be made available shortly.
Customers can use this test case to verify whether their systems are susceptible to this vulnerability and to verify a patch has been successfully applied.
The test case can be downloaded via anonymous ftp from the following location:
The test case is an executable JAR file, and can be run using the following command line:
java -jar ParseDoubleTest.jar
If the vulnerability has not been fixed, the test will fail:
> java -jar ParseDoubleTest.jar
Test failed
If the vulnerability has been fixed, the test will succeed:
> java -jar ParseDoubleTest.jar
Test succeeded
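The following program is an added example, not IBM's ParseDoubleTest.jar, of how such a verification check can be written so that it reports a result even on an unpatched JVM, where Double.parseDouble never returns. The parse runs on a daemon thread with a bounded join, so a hung parser is reported as a failure instead of hanging the test itself. The timeout of five seconds and the class name ParseDoubleCheck are the example's own assumptions; the input string is the value named in this advisory, and on a fixed JVM it rounds to Double.MIN_NORMAL (2.2250738585072014E-308).

```java
public class ParseDoubleCheck {
    // The decimal literal from the advisory: just above the midpoint between the
    // largest subnormal double and Double.MIN_NORMAL, so the correct result is MIN_NORMAL.
    static final String PROBLEM_VALUE = "2.2250738585072012e-308";

    // Assumed bound: an unaffected JVM parses this in microseconds, so five seconds
    // is generous without leaving a hung check running for long.
    static final long TIMEOUT_MILLIS = 5000L;

    // Shared with the worker thread; volatile so the result is visible after join().
    static volatile boolean finished = false;
    static volatile double parsed = Double.NaN;

    // Returns true only if parseDouble terminates within the timeout and yields
    // the correctly rounded value. A timeout indicates the CVE-2010-4476 hang.
    static boolean parsesCorrectly() throws InterruptedException {
        Thread worker = new Thread(new Runnable() {
            public void run() {
                parsed = Double.parseDouble(PROBLEM_VALUE);
                finished = true;
            }
        });
        // Daemon: if the parser spins forever, it must not keep the JVM alive
        // after main() has reported the result.
        worker.setDaemon(true);
        worker.start();
        worker.join(TIMEOUT_MILLIS);
        return finished && parsed == Double.MIN_NORMAL;
    }

    public static void main(String[] args) throws InterruptedException {
        boolean ok = parsesCorrectly();
        if (ok) {
            System.out.println("Test succeeded: parsed to " + parsed);
        } else if (finished) {
            System.out.println("Test failed: parse returned " + parsed
                    + " instead of " + Double.MIN_NORMAL);
        } else {
            System.out.println("Test failed: parseDouble did not return within "
                    + TIMEOUT_MILLIS + " ms (CVE-2010-4476 hang)");
        }
        // Exit code lets the check be scripted across a fleet of hosts.
        System.exit(ok ? 0 : 1);
    }
}
```

Compile with javac and run with the JVM under test (java ParseDoubleCheck); the source deliberately avoids language features newer than Java 5 so it also compiles on the older SDK levels listed above. The non-zero exit code on failure is what makes the check usable from a patch-verification script.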
IBM have provided an update installer and patches that allow you to temporarily fix this security vulnerability.
For stand alone IBM SDKs and runtimes, or where directed by IBM Support, you can download the IBM Update Installer for Java from here:
We recommend you only use the IBM Update Installer for Java to update IBM SDKs or runtime environments. (For HP see Note 1). Note that tools from other vendors are not supported.
Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your SDK may remove fixes applied by the IBM Update Installer for Java. You should always use fixes provided by your IBM Product support team where available.
| Version | Platform | Patch |
|---|---|---|
| 6 | HP-UX | HP FPUpdater Tool Download and Documentation |
| 6 | all other platforms | IZ94423_FIX_1.jar |
| 5.0 | HP-UX | HP FPUpdater Tool Download and Documentation |
| 5.0 | all other platforms | IZ94331_FIX_1.jar |
| 1.4.x | HP-UX | HP FPUpdater Tool Download and Documentation |
| 1.4.x | all other platforms | PM31983_FIX_1.jar |
Note 1: For the HP® JDK and JRE adapted by IBM for IBM software our current recommendation is that you use the FPUpdaterTool provided by HP.
Note 2: Separate patch files are provided for z/OS, Solaris and HP-UX because of the different file structure on those platforms.