Flashes (Alerts)
Abstract
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue, CVE-2010-4476 (the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang can occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk, including any customer-written application or third-party application.
Content
To remediate this vulnerability, Tivoli Common Reporting (TCR) has released Interim Fixes for all of its versions: 1.2, 1.3 and 2.1.
- TCR 1.2 ifix10 will remediate the vulnerability for TIP 1.1.x JRE
- TCR 1.3 ifix4 will remediate the vulnerability for TIP 1.1.x JRE and Cognos JRE bundled in TCR.
- TCR 2.1 ifix2 will remediate the vulnerability for TIP 2.1 JRE and Cognos JRE bundled in TCR.
1. Installation instructions of the ifix will be available along with the package.
2. Only 32-bit installation is supported in all the three ifix releases.
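After applying an ifix, an administrator will want to confirm that the JRE a given TCR or TIP component actually runs is no longer affected. The following check is an added example, not IBM's code or part of any ifix package: it parses the value quoted in the abstract on a daemon thread with a timeout, so that on a fixed JRE the parse returns promptly and on an unfixed JRE the probe times out instead of hanging the process. The class name `Cve20104476Check`, the method `parsesPromptly` and the 5 second timeout are assumptions; the code uses Java 5 syntax (no lambdas) so it compiles on the older JREs the alert covers.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Probe whether the running JRE is affected by CVE-2010-4476.
 * Added example (class and method names are assumed); run it with the
 * same java binary that the product uses, e.g. the TIP or Cognos JRE.
 */
public class Cve20104476Check {

    /** The value quoted in the advisory; parsing it hangs an unfixed JRE. */
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Runs Double.parseDouble(TRIGGER) on a daemon thread and waits at most
     * timeoutMillis. Returns true if the parse completed (the JRE is fixed),
     * false if it timed out (the JRE is still vulnerable). The daemon flag
     * matters: a spinning parse cannot be interrupted, and a daemon thread
     * does not keep the JVM alive once main() exits.
     */
    public static boolean parsesPromptly(long timeoutMillis) {
        ExecutorService executor = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "cve-2010-4476-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> result = executor.submit(new Callable<Double>() {
            public Double call() {
                return Double.valueOf(Double.parseDouble(TRIGGER));
            }
        });
        try {
            // A fixed JRE returns a value at the normal/subnormal boundary (near Double.MIN_NORMAL).
            Double parsed = result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return parsed != null;
        } catch (TimeoutException e) {
            return false;               // parse never returned: vulnerable
        } catch (ExecutionException e) {
            return false;               // parse threw: fix not verified
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        } finally {
            executor.shutdownNow();     // harmless if the probe thread is still spinning
        }
    }

    public static void main(String[] args) {
        boolean fixed = parsesPromptly(5000L);
        System.out.println(fixed
            ? "OK: JRE parses " + TRIGGER + " promptly; the fix is in place"
            : "VULNERABLE: JRE did not return within 5 s; apply the interim fix");
        // Exit explicitly with a status a deployment script can check.
        System.exit(fixed ? 0 : 1);
    }
}
```

Compile and run it with each JRE the alert lists (the TIP JRE and the Cognos JRE bundled in TCR are separate installations, so check both); a non-zero exit status means that JRE still needs the ifix.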
Related Information
Product Synonym
TCR;Tivoli Common Reporting
Document Information
Modified date:
25 September 2022
UID
swg21469046