Flash (Alert)
Abstract
During the first week of February 2011, a critical class library security vulnerability was blogged on the Internet and is now in the public domain. The issue is Java Runtime Environment hangs when it converts "2.2250738585072012e-308" to a binary floating-point number. This flash describes how this vulnerability affects DB2 for Linux, UNIX, and Windows.
Content
Issue:
Java Runtime Environment hangs when it converts "2.2250738585072012e-308" to a binary floating-point number.
When you might encounter this issue:
You might encounter this issue when you run Java stored procedures or Java User Defined Functions that call the Double.parseDouble method (including parseDouble(), the Double() constructor and Double.valueOf()) with the input value of "2.2250738585072012e-308".
Note: If you are not using the Double.parseDouble method (which includes parseDouble(), the Double() constructor, and Double.valueOf()) with the input value of "2.2250738585072012e-308", then you are not at risk and the upgrades mentioned in this technote are optional.
Versions of DB2 for Linux, UNIX, and Windows that are affected:
The Java Development Kit (JDK) that is shipped with the following versions of the DB2 product is affected:
- Version 9.7 (including Fix Packs 9.7.0.1 through 9.7.0.4) for Linux, UNIX, and Windows.
- Version 9.5 (including Fix Packs 9.5.0.1 through 9.5.0.7) for Linux, UNIX, and Windows.
- Version 9.1 (including Fix Packs 9.1.0.1 through 9.1.0.10) for all supported operating systems.
Description of the issue:
The Security Alert addresses a serious security issue, CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). The issue causes the Java Runtime Environment to hang, go into an infinite loop, or crash, resulting in a denial of service exposure. The same problem occurs if the number is written without scientific notation (324 decimal places).
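As an added example (not part of this technote), the following stand-alone program lets you confirm whether the JDK that DB2 uses is affected before deciding whether the upgrade is optional: it runs the conversion on a daemon thread with a timeout and reports whether parseDouble returned. The class name, the timeout value and the exit codes are assumptions of this example; run it as its own java process with the DB2 JDK, never inside a stored procedure, since an affected JRE may spin or crash.

```java
import java.math.BigDecimal;
import java.util.concurrent.atomic.AtomicBoolean;

// Added example, not from the IBM technote: checks whether the JRE that runs
// it returns from Double.parseDouble on the CVE-2010-4476 input. Run it as a
// separate java process with the JDK that DB2 uses (affected JREs may spin
// or crash), never from inside a stored procedure.
public class ParseDoubleHangCheck {
    // Input value cited in the technote.
    static final String SCI = "2.2250738585072012e-308";
    static final long TIMEOUT_MS = 5000; // assumed value; tune as needed

    // Same value written without scientific notation (0.000...22250738585072012,
    // 324 decimal places), which the technote says triggers the issue as well.
    static String plainForm() {
        return new BigDecimal(SCI).toPlainString();
    }

    // Returns true if parseDouble returns within timeoutMs, false if the
    // worker thread is still running, i.e. the conversion hung.
    static boolean parsesWithinTimeout(final String s, long timeoutMs)
            throws InterruptedException {
        final AtomicBoolean done = new AtomicBoolean(false);
        Thread worker = new Thread(new Runnable() {
            public void run() {
                Double.parseDouble(s); // the call named in the technote
                done.set(true);
            }
        });
        worker.setDaemon(true); // a hung worker must not keep the JVM alive
        worker.start();
        worker.join(timeoutMs);
        return done.get();
    }

    public static void main(String[] args) throws InterruptedException {
        String[] inputs = { SCI, plainForm() };
        int rc = 0;
        for (String in : inputs) {
            boolean ok = parsesWithinTimeout(in, TIMEOUT_MS);
            System.out.println((ok ? "OK        " : "VULNERABLE")
                    + "  parseDouble on " + in.length() + "-char input");
            if (!ok) { rc = 1; break; } // no point trying the second form
        }
        System.exit(rc); // exit explicitly so a spinning daemon thread dies
    }
}
```

Exit code 0 means both forms converted within the timeout; exit code 1 means the JRE did not return and the fix for the affected version applies.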
Solution for DB2 Version 9.7 through 9.7.0.4 for Linux, UNIX, and Windows:
Solution for DB2 Version 9.5 through 9.5.0.7 for Linux, UNIX, and Windows:
Solution for DB2 Version 9.1 through 9.1.0.10 for Linux, UNIX, and Windows:
- IBM APAR IZ89602: (for Java 6.0) IZ89602: JVM CRASHES WHILE LOADING INVALID CLASS FILE.
- IBM APAR IZ89620: (for Java 5.0) IZ89620: JVM CRASHES WHILE LOADING INVALID CLASS FILE.
Related information
Impact to Tivoli System Automation for Multiplatforms
| Segment | Product | Component | Platform | Version | Edition |
|---|---|---|---|---|---|
| Information Management | DB2 Connect | | AIX, HP-UX, Linux, Solaris, Windows | 9.7, 9.5, 9.1 | DB2 Connect Application Server Edition, DB2 Connect Enterprise Edition, DB2 Connect Unlimited Edition for System i, DB2 Connect Unlimited Edition for System z |
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.