Security Bulletin
Summary
[Simplified Chinese] This security alert informs you that a Java denial-of-service (DoS) security vulnerability causes the Java Runtime Environment (JRE) and Java Development Kit (JDK) to hang. It applies to all IBM Rational products that ship or bundle a Java instance.
Vulnerability Details
This security alert addresses security issue CVE-2010-4476.
This vulnerability causes the Java Runtime Environment to hang, loop indefinitely, or even crash, resulting in a denial-of-service condition. The same hang also occurs if the number is written out without scientific notation (as a 324-decimal-place value). Beyond application servers, any Java program that calls the Double.parseDouble method is at risk, including any user-written or third-party application.
(The Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number.)
This issue affects all Java versions on all IBM-supported platforms.
If your IBM Rational product uses WebSphere Application Server (for example, the IBM Rational Change Management (CM) Server used by IBM Rational ClearCase, IBM Rational Application Developer, and so on), refer to the WebSphere-specific guidance to resolve this issue:
http://www-01.ibm.com/support/docview.wss?uid=swg21462019
If you need to upgrade WebSphere Application Server or apply the latest fix, refer to the following technote:
Technote 1390803 How to update the IBM WebSphere Application Server components in Rational ClearCase and Rational ClearQuest 7.1
Other application servers may also have fixed this issue; for example, Apache Tomcat (used by older Rational products) released a Tomcat patch specifically for it.
For other non-IBM Java instances or application servers, contact the relevant vendor directly.
Resolving the problem
Many IBM Rational products that use Java technology may ship or install one or more versions of Java on the system.
IBM provides an update tool that identifies potentially vulnerable IBM Java instances on the system and installs the fix where necessary (you need to download the fix matching the Java major version (for example 1.4.x, 1.5, 1.6) and the system platform). See the fix download.
IBM also provides a test case tool that checks whether an IBM-supplied Java is affected by this issue (or whether it has already been patched).
The test case is an executable JAR file and is run with the following command line:
java -jar ParseDoubleTest.jar
If the vulnerability has not been fixed, the test fails:
> java -jar ParseDoubleTest.jar
Test failed
If the vulnerability has been fixed, the test succeeds:
> java -jar ParseDoubleTest.jar
Test succeeded
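The bulletin describes the trigger (the string "2.2250738585072012e-308", and the same value written out without an exponent) and IBM's ParseDoubleTest.jar, but not how such a probe is built. The following is an added example, not IBM's ParseDoubleTest or any code from this bulletin: a self-contained check that runs Double.parseDouble on a daemon worker thread with a timeout, so that on an affected runtime the probe reports a hang instead of hanging itself. The class name ParseDoubleHangCheck, the method names and the 5-second default timeout are this example's own choices; the plain-decimal form is derived with BigDecimal rather than typed out. It is written in Java 5 syntax so it compiles on the 1.5 and 1.6 runtimes shown in the examples below.

```java
import java.math.BigDecimal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example (not IBM's ParseDoubleTest): reports whether this JRE
 * hangs in Double.parseDouble on the CVE-2010-4476 input.
 * Exit code 0 = parsed promptly (patched), 1 = hung (apply the fix).
 */
public class ParseDoubleHangCheck {

    /** The value named in the bulletin, in scientific notation. */
    static final String SCIENTIFIC = "2.2250738585072012e-308";

    /**
     * The same value without an exponent (324 decimal places).
     * BigDecimal does not use the affected conversion code, so
     * building the string here is safe even on a vulnerable JRE.
     */
    static final String PLAIN = new BigDecimal(SCIENTIFIC).toPlainString();

    /**
     * Parses s on a daemon worker thread and waits at most timeoutMs.
     * Returns true if Double.parseDouble returned (or threw) in time and
     * false if it is still running, i.e. the runtime hung on the input.
     * The worker is a daemon thread because a hung parser cannot be
     * interrupted; being daemon, it does not keep the JVM alive.
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMs) {
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> result = pool.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            result.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;                      // still spinning: vulnerable
        } catch (ExecutionException e) {
            return true;                       // threw instead of hanging
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        } finally {
            pool.shutdownNow();
        }
    }

    /** True only if both forms of the input parse promptly on this JRE. */
    static boolean isPatched(long timeoutMs) {
        return parsesWithinTimeout(SCIENTIFIC, timeoutMs)
            && parsesWithinTimeout(PLAIN, timeoutMs);
    }

    public static void main(String[] args) {
        long timeoutMs = args.length > 0 ? Long.parseLong(args[0]) : 5000L;
        System.out.println("java.version = " + System.getProperty("java.version"));
        System.out.println("java.vendor  = " + System.getProperty("java.vendor"));
        boolean sci = parsesWithinTimeout(SCIENTIFIC, timeoutMs);
        boolean plain = parsesWithinTimeout(PLAIN, timeoutMs);
        System.out.println("scientific form: " + (sci ? "parsed" : "HUNG"));
        System.out.println("plain form:      " + (plain ? "parsed" : "HUNG"));
        if (sci && plain) {
            System.out.println("Test succeeded (this JRE is not affected)");
        } else {
            System.out.println("Test failed (this JRE hangs on the input; apply the fix)");
            System.exit(1);
        }
    }
}
```

Compile it once with any JDK and run it with the suspect runtime's own java binary (for example the SDP or RationalSDLC path used in the examples below), since the point is to test that specific JRE. Checking the plain form as well matters because the bulletin notes the hang also occurs without scientific notation, so a check that only tries the exponent form could pass on a runtime that still hangs on input arriving in the other spelling.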
Examples:
- "Discover" candidate Java instances with the update tool
> java -jar JavaUpdateInstaller.jar -discover all
This searches the entire disk for all IBM Java instances.
- Apply the fix on the Software Delivery Platform
(such as IBM Rational Functional Tester and IBM Rational Software Architect)
Check the Java version before applying the fix:
C:\Progra~1\IBM\SDP\jdk\bin\java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr8-20100409_01(SR8))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8-20100401_55940 (JIT enabled, AOT enabled)
J9VM - 20100401_055940
JIT - r9_20100401_15339
GC - 20100308_AA)
JCL - 20100408_01
Run the update tool on Microsoft Windows:
C:\UpdateInstallerforJava>java -jar JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\Progra~1\IBM\SDP\jdk
Installs the specified update to the SDK if applicable.
-------------------------------------------------------------------------
Installing the update IZ94423_FIX_1 to the SDK: C:\Progra~1\IBM\SDP\jdk ...
IZ94423_FIX_1 has been successfully installed to SDK C:\Progra~1\IBM\SDP\jdk
Confirm the Java version:
C:\Progra~1\IBM\SDP\jdk\bin\java -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr8-20100409_01(SR8) + IZ94423_FIX_1)
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8-20100401_55940 (JIT enabled, AOT enabled)
J9VM - 20100401_055940
JIT - r9_20100401_15339
GC - 20100308_AA)
JCL - 20100408_01
- If you try to install the wrong version of the fix, the update tool tells you so:
C:\UpdateInstallerforJava>java -jar JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\java
Installs the specified update to the SDK if applicable.
-------------------------------------------------------------------------
Update IZ94423_FIX_1 is not applicable to SDK - C:\java. Update IZ94423_FIX_1
can be installed to JDK with version(s)
1) 1.6.0
- Update the Java used by IBM Rational ClearCase/ClearQuest client components (for example, the ClearCase Remote Client, the ClearQuest client and ClearQuest Designer):
Update: Refer to technote 1511965 "Applying IZ94423 to address CVE-2010-4476 in ClearCase and ClearQuest" for updated resolution details.
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pwi32devifx-20100511b (SR11 FP2 ))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Windows Server 2003 x86-32 j9vmwi3223ifx-20100511 (JIT enabled)
J9VM - 20100509_57823_lHdSMr
JIT - 20091016_1845ifx7_r8
GC - 20091026_AA)
JCL - 20100511a
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar ParseDoubleTest.jar
Test failed
C:\UpdateInstallerforJava>java -jar JavaUpdateInstaller.jar -install c:\IZ94331_FIX_1.jar "C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0"
Installs the specified update to the SDK if applicable.
-------------------------------------------------------------------------
Installing the update IZ94331_FIX_1 to the SDK: C:\Program Files
(x86)\IBM\RationalSDLC\Common\JAVA5.0 ...
IZ94331_FIX_1 has been successfully installed to SDK C:\Program Files
(x86)\IBM\RationalSDLC\Common\JAVA5.0
-------------------------------------------------------------------------
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pwi32devifx-20100511b (SR11 FP2 ))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Windows Server 2003 x86-32 j9vmwi3223ifx-20100511 (JIT enabled)
J9VM - 20100509_57823_lHdSMr
JIT - 20091016_1845ifx7_r8
GC - 20091026_AA)
JCL - 20100511a
The fix installed successfully, but the reported Java version did not change. ParseDoubleTest can be used to check whether the Java instance is still vulnerable:
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar ParseDoubleTest.jar
Test succeeded
Contact IBM Rational Customer Support for more information.
Latest status
IBM Rational is investigating this issue with the highest priority and will provide the appropriate fixes.
This security alert will be updated as new information becomes available.
| Change history | |
| --- | --- |
| 9 September 2011 | Added resolution notes for ClearCase and ClearQuest |
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
Title: Denial of Service Security Exposure with Java causes JRE/JDK hang (CVE-2010-4476)
The English technote equivalent to this one has been updated as noted below.
Added the following update to example #4,
Update: Refer to technote 1509635 Applying IZ94423 to address CVE-2010-4476 in ClearCase and ClearQuest for updated resolution details.
Also changed the doc type from "Alert" to "preventative service planning" and added a history table at the bottom of the document.
Product Synonym
Rational Team Concert;Rational Method Composer
Document Information
Modified date:
10 September 2020
UID
swg21469939