Date: 18 February 2011
References: ASB-2011.0013 ESB-2011.1090.4 ESB-2012.0340
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2011.0194
Impact to DB2 for Linux, UNIX, Windows regarding IBM Runtimes for Java
Technology class file parser Denial of Service
18 February 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:           IBM DB2 9.7
                   IBM DB2 9.5
                   IBM DB2 9.1
Publisher:         IBM
Operating System:  Linux variants
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2010-4476
Reference:         ASB-2011.0013
Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=swg21468291&myns=swgimgmt&mynp=OCSSEPGG&mync=E
- --------------------------BEGIN INCLUDED TEXT--------------------
Impact to DB2 for Linux, UNIX, Windows regarding IBM Runtimes for Java
Technology class file parser Denial of Service (ibm-rjt-classfile-dos) when
converting "2.2250738585072012e-308" (CVE-2010-4476)
Flash (Alert)
Abstract
During the first week of February 2011, a critical class library security
vulnerability was blogged on the Internet and is now in the public domain. The
Java Runtime Environment hangs when it converts "2.2250738585072012e-308" to a
binary floating-point number. This flash describes how that vulnerability
affects DB2 for Linux, UNIX and Windows.
Content
Issue
Java Runtime Environment hangs when it converts "2.2250738585072012e-308" to a
binary floating-point number.
How DB2 is affected
You might encounter this issue if you run Java stored procedures that call the
Double.parseDouble method with the input value "2.2250738585072012e-308".
Versions affected:
* The JDK that is shipped with DB2 for Linux, UNIX, and Windows Versions
9.7, 9.5 and 9.1, and all fixpacks on all supported operating systems.
Plans are in place to update the JDK that is shipped in the next DB2
fix packs. Please watch this space for information on the specific fix
packs that contain the fix.
Description:
This Security Alert addresses a serious security issue, CVE-2010-4476 (Java
Runtime Environment hangs when converting "2.2250738585072012e-308" to a
binary floating-point number). This vulnerability can cause the Java Runtime
Environment to hang, go into an infinite loop, or crash, resulting in a
denial of service exposure. The same problem occurs if the number is written
without scientific notation (324 decimal places).
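The following self-check is an added example; it is not part of IBM's flash or the AusCERT bulletin and assumes nothing beyond the standard java.util.concurrent API and the input string quoted above. It runs the conversion described under "Issue" on a daemon thread with a timeout, so a JRE that is affected reports the hang and exits instead of stalling the operator's shell. It is written to the Java 5 language level so it compiles on the JDK 5 and JDK 6 builds listed as affected.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Probes the running JRE for the CVE-2010-4476 parseDouble hang.
 * Added example (not IBM or AusCERT code); Java 5 language level on purpose.
 */
public class ParseDoubleHangCheck {

    // The input named in the bulletin. Kept as a String so the conversion
    // happens at run time inside the JRE under test, not at compile time.
    static final String TRIGGER = "2.2250738585072012e-308";

    /**
     * Returns true if Double.parseDouble(input) returns (or throws) within
     * timeoutMillis, false if it is still running when the timeout expires,
     * which is the symptom the bulletin describes.
     */
    static boolean parsesWithinTimeout(final String input, long timeoutMillis) {
        ExecutorService pool = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                // Daemon: a stuck probe thread must not keep the JVM alive.
                t.setDaemon(true);
                return t;
            }
        });
        try {
            Future<Double> result = pool.submit(new Callable<Double>() {
                public Double call() {
                    return Double.parseDouble(input);
                }
            });
            result.get(timeoutMillis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;
        } catch (Exception e) {
            // InterruptedException, or an ExecutionException wrapping a
            // NumberFormatException: the call returned, so there was no hang.
            return true;
        } finally {
            pool.shutdownNow();
        }
    }

    public static void main(String[] args) {
        long timeoutMillis = args.length > 0 ? Long.parseLong(args[0]) : 5000L;
        // Print which JRE is actually under test, since DB2 may use a
        // different JDK (jdk_path) from the one first on the PATH.
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + " java.version=" + System.getProperty("java.version")
                + " java.home=" + System.getProperty("java.home"));
        boolean ok = parsesWithinTimeout(TRIGGER, timeoutMillis);
        if (ok) {
            System.out.println("conversion returned: this JRE is not affected by CVE-2010-4476");
        } else {
            System.out.println("conversion still running after " + timeoutMillis
                    + " ms: this JRE appears affected by CVE-2010-4476; upgrade per the bulletin");
        }
        System.exit(ok ? 0 : 1);
    }
}
```

Compile and run it with the JDK that DB2 actually uses, i.e. the one the database manager configuration parameter jdk_path points to, rather than whatever java is first on the PATH; the java.home line in the output confirms which runtime was tested. Exit status 0 means the conversion returned, 1 means it did not within the timeout, and an abnormal termination matches the crash outcome the description also mentions. Run it again after applying the Interim Fix JDK or fix pack to confirm the upgrade took effect.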
Interim Solution:
If you are at risk of being affected, and cannot wait for the next DB2 fix
pack to be available, upgrade your JDK to the Interim Fix JDK level
applicable to your version of DB2. Refer to the Critical security
vulnerability alert - Security Alert for CVE-2010-4476 on the IBM
developerWorks site for instructions.
For DB2 for Linux, UNIX, and Windows Version 9.7 through 9.7.0.3a
* Upgrade to JDK 6 SR9
* Full Java builds for Linux and patches using IBM Update Installer for
Java for all other platforms are available for download from the link
above.
For DB2 for Linux, UNIX, and Windows Version 9.5 through 9.5.0.7
* Upgrade to JDK 5 SR12-FP2
* Full Java builds for Linux and patches using IBM Update Installer for
Java for all other platforms are available for download from the link
above.
For DB2 Linux, UNIX, and Windows Version 9.1 through 9.1.0.10
* Upgrade to JDK 5 SR12-FP2
* Full Java builds for Linux and patches using IBM Update Installer for
Java for all other platforms are available for download from the link
above.
Important note about the IBM Update Installer for Java: The IBM Update
Installer for Java is a temporary mechanism for addressing this critical
security vulnerability. If you use the IBM Update Installer for Java, any
future updates to your JDK might remove this patch.
Important note about installing a new JDK: You should install a new JDK (do
not overlay the one provided with DB2) and update the database manager
configuration parameter jdk_path to point to the new JDK.
References:
* IBM APAR IZ89602 (for Java 6.0): JVM CRASHES WHILE LOADING INVALID CLASS
FILE.
* IBM APAR IZ89620 (for Java 5.0): JVM CRASHES WHILE LOADING INVALID CLASS
FILE.
Cross Reference information
Segment:   Information Management
Product:   DB2 Connect
Component:
Platform:  AIX, HP-UX, Linux, Solaris, Windows
Version:   9.7, 9.5, 9.1
Edition:   DB2 Connect Application Server Edition, DB2 Connect Enterprise
           Edition, DB2 Connect Unlimited Edition for System i, DB2
           Connect Unlimited Edition for System z
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFNXb9s/iFOrG6YcBERAq92AKDRy2aWCo5UFoBB1weqR5BIkIBFlQCfRznQ
Umzph5WSrtMWinKoO0/FjEU=
=AK+F
-----END PGP SIGNATURE-----