
Security Bulletin: Denial of Service Security Exposure with Java causes JRE/JDK hang (CVE-2010-4476)

2020-09-10 15:43:59
www.ibm.com

CVSS v2 base score: 5 (Medium)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P

Summary

This Alert is meant to inform you of an issue where a Denial of Service Security Exposure with Java can cause Java Runtime Environment (JRE) and Java Development Kit (JDK) hangs. This applies to all IBM Rational products that ship or package IBM Java instances.

Vulnerability Details


CVE ID: CVE-2010-4476

Description: This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the Application Servers being exposed to this attack, any Java program that calls the Double.parseDouble method is also at risk, including any customer-written or third-party application.

(Java Runtime Environment hangs when converting “2.2250738585072012e-308” to a binary floating-point number).

Affected Products and Versions

This issue affects all versions of Java on all IBM supported platforms.

Remediation/Fixes

Upgrade to the latest fixes for WebSphere Application Server following the instructions in technote 1390803: Update the WebSphere Application Server components in Rational ClearCase and Rational ClearQuest 7.1

If your IBM Rational product uses WebSphere Application Server (examples of this could be IBM Rational Change Management (CM) Server used with IBM Rational ClearCase, IBM Rational Application Developer, or others),
consult technote 1462019: Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476) (PM32387) for the WebSphere specific instructions to address this vulnerability.

Other application servers may also have corrected this condition; for example, Apache Tomcat (which has been used in previous Rational legacy products) has released a fix for Tomcat specifically.

For other non-IBM Java instances or Application servers, contact the vendor directly.

Workarounds and Mitigations

Many IBM Rational products leverage Java technology and may ship or install a version or multiple versions of Java on a system.

  • IBM is providing an UPDATE TOOL that can be used to determine potentially vulnerable IBM Java instances on a system and apply patches as needed. You will need to download patches based on the Java major version (for example 1.4.x, 1.5, 1.6) and the platform of your system. For these patches see PATCH DOWNLOADS.

  • IBM is also providing a TEST CASE TOOL that can be used to check to see if an IBM supplied Java is affected (and if the Java has been patched).

The test case is an executable JAR file, and can be run using the following command line:

java -jar ParseDoubleTest.jar

If the vulnerability has not been fixed, the test will fail:
> java -jar ParseDoubleTest.jar
Test failed

If the vulnerability has been fixed, the test will succeed:
> java -jar ParseDoubleTest.jar
Test succeeded
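The description above says the JRE hangs inside Double.parseDouble on the value 2.2250738585072012e-308, in either scientific or plain 324-decimal-place form, and the TEST CASE TOOL reports "Test failed" or "Test succeeded" accordingly. The following class is an added example of how such a check can be built; it is not IBM's ParseDoubleTest.jar and the class name, the 5-second timeout and the use of the same verdict strings are my own choices. It parses the trigger value on a daemon thread and treats a call that has not returned within the timeout as a hang, which is the only safe way to probe a JVM for this defect since a busy-looping parse cannot be interrupted. It uses only Java 1.4-level APIs so it can be run under every JDK level the bulletin covers.

```java
import java.math.BigDecimal;

/*
 * Added, illustrative checker for CVE-2010-4476 (not IBM's ParseDoubleTest.jar).
 * Runs Double.parseDouble on the trigger value in a daemon thread and treats a
 * call that has not returned within TIMEOUT_MS as a hang.
 */
public class ParseDoubleCheck {

    // Trigger value quoted in the bulletin, in scientific notation.
    static final String TRIGGER_SCI = "2.2250738585072012e-308";

    // The same value written out without an exponent: 324 digits after the
    // decimal point. BigDecimal parses the digit string itself and does not go
    // through Double.parseDouble, so building this string cannot hang.
    static final String TRIGGER_PLAIN = new BigDecimal(TRIGGER_SCI).toPlainString();

    // Assumed bound: a correct parse takes microseconds, a hung one never returns.
    static final long TIMEOUT_MS = 5000L;

    /*
     * Parses s on a separate thread and reports whether the call returned
     * (normally or by throwing) within timeoutMs. A busy-looping parse ignores
     * Thread.interrupt(), so the probe is a daemon thread: it must not keep the
     * JVM alive after the verdict has been printed.
     */
    static boolean parsesWithin(final String s, long timeoutMs) throws InterruptedException {
        final double[] result = new double[1];
        Thread probe = new Thread(new Runnable() {
            public void run() {
                try {
                    result[0] = Double.parseDouble(s);
                } catch (RuntimeException e) {
                    // NumberFormatException etc.: the call returned, it did not hang.
                }
            }
        }, "parse-double-probe");
        probe.setDaemon(true);
        probe.start();
        probe.join(timeoutMs);
        boolean returned = !probe.isAlive();
        if (returned) {
            System.out.println("  parsed " + s.length() + "-char input as " + result[0]);
        }
        return returned;
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("JVM: " + System.getProperty("java.vendor") + " "
                + System.getProperty("java.version"));
        boolean sciOk = parsesWithin(TRIGGER_SCI, TIMEOUT_MS);
        // Only try the plain form if the scientific form returned; a hung JVM
        // gains nothing from a second hung thread.
        boolean plainOk = sciOk && parsesWithin(TRIGGER_PLAIN, TIMEOUT_MS);
        System.out.println((sciOk && plainOk) ? "Test succeeded" : "Test failed");
        // Non-zero exit status lets an inventory script record unpatched instances.
        System.exit((sciOk && plainOk) ? 0 : 1);
    }
}
```

Compile it once with any javac and then run it with the java executable of each JDK or JRE you want to assess (for example `C:\Progra~1\IBM\SDP\jdk\bin\java ParseDoubleCheck`), because the verdict is about the JVM doing the parsing, not the one that compiled the class. The exit status is what a script looping over the instances found by the update tool's -discover output would key on.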

Examples:

1. Using the update tool to “discover” possible Java candidates.

>java -jar JavaUpdateInstaller.jar -discover all

This will search the entire disk to uncover all IBM Java instances.

2. Applying the fix to Software Delivery Platform

(Products in use, for example, IBM Rational Functional Tester and IBM Rational Software Architect)

Version of Java before applying fix:

C:\Progra~1\IBM\SDP\jdk\bin\java -version
java version "1.6.0"
Java™ SE Runtime Environment (build pwi3260sr8-20100409_01(SR8))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8-20100401_55940 (JIT enabled, AOT enabled)
J9VM - 20100401_055940
JIT - r9_20100401_15339
GC - 20100308_AA)
JCL - 20100408_01

Running the update tool on Microsoft Windows:

C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\Progra~1\IBM\SDP\jdk

Installs the specified update to the SDK if applicable.
-------------------------------------------------------------------------
Installing the update IZ94423_FIX_1 to the SDK: C:\Progra~1\IBM\SDP\jdk …
IZ94423_FIX_1 has been successfully installed to SDK C:\Progra~1\IBM\SDP\jdk

Confirming Java -version

C:\Progra~1\IBM\SDP\jdk\bin\java -version
java version "1.6.0"
Java™ SE Runtime Environment (build pwi3260sr8-20100409_01(SR8) + IZ94423_FIX_1)
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr8-20100401_55940 (JIT enabled, AOT enabled)
J9VM - 20100401_055940
JIT - r9_20100401_15339
GC - 20100308_AA)
JCL - 20100408_01

3. If the incorrect version of a fix is attempted to be applied, the update installer will alert you:

C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\java

Installs the specified update to the SDK if applicable.
-------------------------------------------------------------------------
Update IZ94423_FIX_1 is not applicable to SDK - C:\java. Update IZ94423_FIX_1
can be installed to JDK with version(s)

  1. 1.6.0

4. Updating the Java used for IBM Rational ClearCase/ClearQuest client components (such as ClearCase Remote Client, ClearQuest Client, ClearQuest Designer):

Update: Review technote 1509635: Applying IZ94423 to address CVE-2010-4476 in ClearCase and ClearQuest for updated resolution details.

C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version

java version "1.5.0"
Java™ 2 Runtime Environment, Standard Edition (build pwi32devifx-20100511b (SR11 FP2 ))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Windows Server 2003 x86-32 j9vmwi3223ifx-20100511 (JIT enabled)
J9VM - 20100509_57823_lHdSMr
JIT - 20091016_1845ifx7_r8
GC - 20091026_AA)
JCL - 20100511a

C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar <path>\ParseDoubleTest.jar
Test failed

C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install c:\IZ94331_FIX_1.jar "C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0"
Installs the specified update to the SDK if applicable.
-------------------------------------------------------------------------
Installing the update IZ94331_FIX_1 to the SDK: C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0 …

IZ94331_FIX_1 has been successfully installed to SDK C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0
-------------------------------------------------------------------------

C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version
java version "1.5.0"
Java™ 2 Runtime Environment, Standard Edition (build pwi32devifx-20100511b (SR11 FP2 ))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Windows Server 2003 x86-32 j9vmwi3223ifx-20100511 (JIT enabled)
J9VM - 20100509_57823_lHdSMr
JIT - 20091016_1845ifx7_r8
GC - 20091026_AA)
JCL - 20100511a

The version string of the Java instance did not change, yet the patch was applied. The ParseDoubleTest tool can be used to confirm whether the Java instance is still vulnerable:

C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar <path>\ParseDoubleTest.jar
Test succeeded

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](http://www-01.ibm.com/software/support/einfo.html) to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2


IBM Security Alert for CVE-2010-4476

Oracle Security Alert for CVE-2010-4476

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

None

Change History

  • 23 August 2011: Added update regarding ClearCase and ClearQuest fixes
  • 15 February 2011: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

====================================================
Translated Korean technote #1472386 Database 'DCF Technotes Rational', View 'Products', Document 'Java에 의해 발생한 JRE/JDK 행CVE-2010-4476에 의한 시스템 마비Denial of Service 위협'
Translated Japanese technote #1468902 Database 'DCF Technotes Rational', View 'Products', Document 'Java におけるサービス不能化の脆弱性による JRE/JDK のハングについて CVE-2010-4476 '
Translated Chinese technote #1469939 Database 'DCF Technotes Rational', View 'Products', Document '拒绝Java的Service Security Exposure导致JRE/JDK挂起CVE-2010-4476'

IMPORTANT: If this technote is modified, the changes need to also be applied to the translated version through an update request.

a) Make note of the changes that were made to the English technote. All modifications need to be identified in the update request.
Copy the changed text and create a BEFORE and AFTER to identify the changes and the section that was changed (Title, Abstraction, Question, Solution). Note: Since the update request is text only, no colors can be used to highlight the changes.

b) Click the Translated technote doc link above and submit an update as follows (Copy and Paste):

The English technote equivalent to this one has been updated as noted below. Please review the content and update the Korean version as required. When complete, send the Korean technote to be published.

========================================
As of 3/15/2011 (supplied by Rob Wehrfritz):
--> added Rational products below to list (not sure about HOD/IM which are not Rational products???)

Teams known to be updating/patching Java

Rational Application Developer (RAD) and RSA for WS 8.0.2 - Robert Taniwa Rational Software Architect v8.0.2 Rational Software Architect for WebSphere Software v8.0.2 Rational Software Architect RealTime Software v8.0.2 include Security Fix for Java 6 SR9

Rational Team Concert (RTC) – Team is working on getting updated JRE.

System Architect (SA) – Jackie Sung - downloaded latest JRE 6 SR9 with patch to include in their upcoming release.

?? Capilano – Install Manager (IM) – Team is having reservations about doing update for their (Q4) 1.4.2 release. Sent note to Powell asking about his concerns here. Will provide update when I know more.

ClearCase and ClearQuest (CC, CQ) - New bits were downloaded from JIM site (http://w3.hursley.ibm.com/java/jim/ibmsdks/archive/index.html). For the 7.1.1.5 and 7.1.2.2 releases (March 28th release) is 5.0.12 SP 3.

Rational Method Composer (RMC) - Teresa Stephens - will be picking up Java 6.0.9 in the 7.5.1.1 June fix pack.

DOORS Web Access (DWA) – Martin Henderson 1.4.0.2 - still to release and will use Java 6.0.9 1.4.1.0 - still to release and will use Java 6.0.9 Older releases, 1.3.0.1, 1.3.0.2, 1.4.0.0, and 1.4.0.1 - already released and using Java 6.0.7 and no intention to re-release.

?? Host on Demand (HOD) – Lila Aravopoulos: 1.4.2 Service Refresh 13-FP8; PCOMM 5.9.8 - 1.4.2 Service Refresh 13-FP8; PCOMM 6.0.3 - 6.0 Service Refresh 9-FP1

DCF - Update Document #1468287
Submitted by: Elizabeth M Carroll on 05/05/2011 11:21 AM
Technote Owner: Denise M McKinnon | Segment: Software Development
Product: Rational Support
Component: –
Required fields are marked with an asterisk (*) and must be filled in to complete the form.

Title* Denial of Service Security Exposure with Java causes JRE/JDK hang (CVE-2010-4476)

Please input your comments * :

Hi Denise,

Please change the product from “Rational Support” in document 1468287 to a specific product as the main Primary Reference, and assign all affected products that you know of as Alternate References. I can help you find out at least some of what those products are (CLM/Jazz comes to mind - RTC, RQM, RRC, along with RAD, I think…)
Content for this “product” will appear on all Rational product pages so dBlue sent this document to the Support Portal for XL_C~C++_for_AIX, where a customer complained that it does not belong. Many, many products are not affected by this issue.
When the doc is republished with all the Alt Refs you can identify, please let the owners of the translated versions (1468902 Japanese ,and 1469939 S.chinese ) know that they need to adjust their documents, too, to match yours.
Thank you!
[The “Rational Support” dummy product is a new approach to Support documentation, or a stepping - - it does not even get a TC code! I request that nobody use it, except for topics that affect the whole brand. Unfortunately, anybody with KCS permission can select products that we normally would have been able to restrict by simply not including the product names on any teams.]

====================================================

* * *

Updates made to pathing in #3 & #4 above (for clarity) by Fred Bickford per the following update. May 2, 2011

=========
The customer gave me the below feedback when testing to apply in the CQ Web. Pls update. Thanks in advance.


  • If the incorrect version of a fix is attempted to be applied, the update installer will alert you:

BEFORE:
C:\UpdateInstallerforJava>java -jar JavaUpdateInstaller.jar -install c:\IZ94423_FIX_1.jar C:\java

AFTER:
C:\UpdateInstallerforJava>java -jar <path>\JavaUpdateInstaller.jar -install <path>\IZ94423_FIX_1.jar C:\java

  • Updating the Java used for IBM Rational ClearCase/ClearQuest:

BEFORE:
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -version
.........
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar ParseDoubleTest.jar
Test failed
.........
C:\UpdateInstallerforJava>java -jar JavaUpdateInstaller.jar -install c:\IZ94331_FIX_1.jar "C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0"
.........
.........
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>.\java -jar ParseDoubleTest.jar
Test succeeded

AFTER:

The following example steps are shown for Rational ClearCase/ClearQuest version 7 on the Windows 64-bit server platform.

.........
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>java -jar <path>\ParseDoubleTest.jar
Test failed
.........
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>java -jar <path>\JavaUpdateInstaller.jar -install <path>\IZ94331_FIX_1.jar "C:\Program Files (x86)\IBM\RationalSDLC\Common\JAVA5.0"
.........
C:\Program Files (x86)\IBM\RationalSDLC\common\JAVA5.0\jre\bin>java -jar <path>\ParseDoubleTest.jar
Test succeeded

  
-takki 

* * *

DCF - Update Document #1468287
Submitted by: Yendra Waney on 03/16/2011 01:09 PM
Technote Owner: Denise M McKinnon | Segment: Software Development
Product: Rational Support
Component: --
Required fields are marked with an asterisk (*) and must be filled in to complete the form.

Title*: Denial of Service Security Exposure with Java causes JRE/JDK hang (CVE-2010-4476)
  
Please input your comments * :   
  
Hi Denise  
  
Today asked if he needs to stop RQM before applying the patch to WAS. The answer is yes, because you need to stop WAS.
  
The second question was if you run a risk if you apply the patch. My answer was, that the patch only applies to WAS and leaves the RQM files unchanged. Therefore every issue that occurs after applying the patch is a Websphere issue.  
  
Do you think it would be useful to add such comments?  
  
Thanks & regards
===============
  


* * *

NOTE: The original author of this technote is Fred Bickford.


Original

  
Original unpublished copy:  
This Security Alert addresses a serious security issue [CVE-2010-4476](http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html) (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number).
  
This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program that calls the Double.parseDouble method is also at risk, including any customer-written or third-party application.
  
Websphere has released a fix for Websphere products that Rational may ship with its tools (for example Websphere Application Server used in CM Server).  
http://www-01.ibm.com/support/docview.wss?uid=swg21462019&myns=swgws&mynp=OCSSEQTP&mync=E
  
Although IBM Rational ClearCase CM Server should not be affected after applying the WebSphere Application Server fix, IBM Rational Change Management (CM) Server maintains its own Java instance that will need to have a fix applied when available.  
  
Below is a technote that can be used for reference for those customers needing to upgrade or apply the latest fixes for WebSphere Application Server:  
  
[Technote 1390803](https://www.ibm.com/support/docview.wss?uid=swg21390803): How to update the IBM WebSphere Application Server components in Rational ClearCase and Rational ClearQuest 7.1

  


* * *

**STATUS**  
  
This issue is being investigated by IBM Rational as a high priority and a fix for the Java we ship for our products will be made available.  
  
Updates will be made to this alert as new information becomes available.

  
-------------------------------------------------------------------------
1. WebSphere Application Server: Flashes

- TITLE: Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476) (PM32387)
- URL: http://www.ibm.com/support/docview.wss?uid=swg21462019&myns=swgws&mynp=OCSSEQTP&mync=E
- ABSTRACT: This vulnerability can cause the Java Runtime Environment to go into a hang, infinite loop, and/or crash resulting in a denial of service exposure. This problem only occurs with 2.2250738585072012e-308, which also happens to be the largest floating point number. PM32387 will be the umbrella APAR which will contain the information for all related APARs for the WebSphere Application Server product.

Applicable products (from the bulletin's product metadata):

  • IBM Engineering Lifecycle Optimization - Method Composer
  • IBM Engineering Workflow Management
  • Rational ClearCase, versions 7.1, 7.1.1, 7.1.2, 8.0, 8.0.1 (AIX, HP-UX, Linux, Solaris, Windows)
  • Rational ClearQuest
  • Rational Application Developer for WebSphere Software
  • Rational Software Architect for WebSphere Software
  • Rational Software Architect Designer
  • Rational Software Architect RealTime Edition
  • Rational System Architect
  • IBM Engineering Requirements Management DOORS
  • IBM Rational Functional Tester

Product Synonym

Rational Team Concert;Rational Method Composer
