DS8100/DS8300/DS8700/DS8800 users may be concerned about any Java JVMs running on the DS8000 with a known security issue published by Oracle on 8 February 2011 (http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html) concerning a critical class library security vulnerability. Specifically, the Java runtime environment will hang if it attempts to convert the string "2.2250738585072012e-308" to a binary floating-point number. This vulnerability could be used as a Denial of Service (DoS) attack against application/information servers, and potentially affects DS8000 Java programs such as the DS CIM, DS CLI, DS GUI, TPC, and TPC-R programs, including all JVM versions shipped on the DS CLI installation CD up to, and including, Release 6.1.
Users should not be concerned about access to the DS8000, or the DS8000 itself, due to this vulnerability for the following reasons:
- All of these programs access the DS8000 through the same communications channel (ESSNI), and the code for this channel does not convert character strings to floating point numbers.
- The DS GUI does use an internal application server, so to remove any concerns due to this potential vulnerability, the Java JVM for the DS GUI has been patched to close this vulnerability. Concerned users should upgrade their DS8000 to the following bundle levels or later:
  - 184.108.40.206 (R4.3 DS8100/DS8300)
  - 220.127.116.11 (R5.1.5 DS8700)
  - 18.104.22.168 (R6.1 DS8700)
  - 22.214.171.124 (R6.1 DS8800)
- The DS CLI installation program does not install, either automatically or optionally, any JVM package during the installation of the DS CLI. However, the JVM packages included on the DS CLI installation CD have not been patched for this vulnerability. Users who choose to use one of these JVM packages for their DS CLI should not be concerned, for the reasons cited above. Moreover, even if the DS CLI hangs, whether from this vulnerability or any other problem, the problem will only affect the DS CLI program itself, and will not affect the DS8000 or any other program's access to the DS8000.
Users who choose to utilize one of the Java JVM packages included as a convenience on the DS CLI installation CD and are still concerned about this potential vulnerability should refer to http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html, and either apply a patch to their current IBM Java JVM or download a later JVM version in which the patch is already included.
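Users running the DS CLI on one of the CD-supplied JVMs can confirm for themselves whether that JVM is patched before deciding to update. The following self-check is an added example, not IBM's code or part of this advisory: it attempts the conversion named above on a separate daemon thread with a timeout, so a hung conversion on an unpatched runtime is reported instead of hanging the check. It uses only Java 5 era APIs (no lambdas) so it can be compiled and run on the JVM versions the advisory refers to; the class name and the five-second timeout are choices made for this example.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Added example: reports whether the JVM running this program is affected by
 * CVE-2010-4476 (Double.parseDouble hangs on "2.2250738585072012e-308").
 * Run it with the same java executable the DS CLI uses, e.g. from the CD package.
 */
public class Cve20104476Check {

    // The string named in the advisory. On an unpatched JVM the conversion never returns.
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Returns true if parsing completes within timeoutMillis (JVM patched),
     * false if it does not (JVM appears unpatched).
     */
    static boolean parseCompletes(final String s, long timeoutMillis) throws InterruptedException {
        // Daemon thread: a conversion that spins forever must not keep the JVM alive at exit.
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parse-probe");
                t.setDaemon(true);
                return t;
            }
        });
        Future<Double> result = pool.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            // The hung loop does not check for interruption; cancel is best effort,
            // the daemon flag is what actually lets the process exit.
            result.cancel(true);
            return false;
        } catch (ExecutionException e) {
            // A parse error would mean the trigger string was altered; surface it.
            throw new IllegalStateException("unexpected failure parsing trigger", e.getCause());
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.version = " + System.getProperty("java.version")
                + ", java.vendor = " + System.getProperty("java.vendor"));
        boolean patched = parseCompletes(TRIGGER, 5000);
        if (patched) {
            System.out.println("Conversion completed: this JVM is patched for CVE-2010-4476.");
        } else {
            System.out.println("Conversion did not complete within 5 s: this JVM appears UNPATCHED.");
        }
        // Exit explicitly; on an unpatched JVM the probe thread is still spinning.
        System.exit(patched ? 0 : 1);
    }
}
```

Compile and run it with the JVM under test (`javac Cve20104476Check.java && java Cve20104476Check`); a non-zero exit status means that JVM should be patched or replaced as described at the IBM link above. Keeping the trigger as a runtime string rather than a numeric literal matters here, because the same defect affected the compiler's handling of such literals on unpatched installations.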
No further resolutions are required at this time because:
- The Java JVM for the DS GUI has been patched for this vulnerability.
- All user access programs (DS CIM, DS CLI, DS GUI, TPC, TPC-R) utilize a communications channel that is not affected by this vulnerability because it does not convert any character strings to floating-point numbers. Even if the access program hangs, the DS8000 will not be affected.
- While the Java JVM packages included on the DS CLI installation CD currently contain this vulnerability, the information to patch the JVMs installed on the user’s equipment has been provided.
17 June 2018