A revision of the security advisory for the IBM Tivoli Common Reporting (TCR) software package, originally published on 4 March 2011, has been released. TCR is a software package that provides simple viewing and management of reports from products in the Tivoli series. The vulnerability is caused by an error in converting the number 2.2250738585072012e-308 to binary floating-point format. Remote attackers can exploit it to hang or crash the application, resulting in a denial-of-service condition. The revision was published because of a delay in releasing the fix for version 1.3 (ifix4). Availability was originally announced for 4 March; this revision moves it to 21 March 2011.
Java parseDouble Security Vulnerability Update for Tivoli Common Reporting (TCR)
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)
This Security Alert addresses a serious security issue, CVE-2010-4476 (Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang occurs if the number is written without scientific notation (as a plain decimal with 324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk, including any customer-written or third-party application.
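The following is an added example, not part of the IBM flash or of TCR itself. It is a small stand-alone check for whether a given JRE is affected: it feeds Double.parseDouble both forms of the value named above (the scientific-notation string, and the same number written out as 0. followed by 307 zeros and the 17 significant digits, i.e. 324 decimal places) on a daemon thread with a timeout, so a vulnerable JRE reports HANG instead of spinning the whole JVM forever. The class name, method names and the 2-second timeout are this example's own choices. Run it with the java binary of the JRE you want to test (for TCR, the TIP JRE and the bundled Cognos JRE are the relevant ones), not the system default.

```java
import java.util.List;
import java.util.ArrayList;

/** Stand-alone check for the CVE-2010-4476 parseDouble hang (example code, not IBM's). */
public class ParseDoubleHangCheck {

    /** The pathological value in scientific notation, as quoted in the advisory. */
    static final String SCIENTIFIC_FORM = "2.2250738585072012e-308";

    /**
     * The same value in plain decimal notation: "0." then 307 zeros then the
     * 17 significant digits "22250738585072012" = 324 decimal places in total.
     * Built with a loop rather than String.repeat so it compiles on the old
     * (Java 5/6) JREs that are actually affected.
     */
    static String plainForm() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        return sb.append("22250738585072012").toString();
    }

    /**
     * Parses s on a daemon thread and waits at most timeoutMillis.
     * Returns true if parseDouble returned in time, false if it is still
     * running (i.e. this JRE is vulnerable). The daemon flag means a hung
     * parser cannot keep the JVM alive once main() finishes.
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMillis) {
        Thread worker = new Thread(new Runnable() {
            public void run() {
                Double.parseDouble(s);
            }
        });
        worker.setDaemon(true);
        worker.start();
        try {
            worker.join(timeoutMillis);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return false;
        }
        return !worker.isAlive();
    }

    public static void main(String[] args) {
        List<String> inputs = new ArrayList<String>();
        inputs.add(SCIENTIFIC_FORM);
        inputs.add(plainForm());

        boolean vulnerable = false;
        for (String s : inputs) {
            boolean ok = parsesWithinTimeout(s, 2000);
            String label = s.length() > 40
                    ? s.substring(0, 30) + "... (" + s.length() + " chars)"
                    : s;
            System.out.println((ok ? "OK   " : "HANG ") + label);
            if (!ok) {
                vulnerable = true;
            }
        }

        // A fixed JRE returns promptly; the correctly rounded result is
        // Double.MIN_NORMAL (2.2250738585072014E-308), the nearest double.
        System.out.println(vulnerable
                ? "This JRE hangs on CVE-2010-4476 input - apply the fix."
                : "This JRE parses the CVE-2010-4476 values without hanging.");
        System.exit(vulnerable ? 1 : 0);
    }
}
```

On an affected JRE the worker thread keeps burning one CPU core until the JVM exits, which is exactly the denial-of-service effect described above: in a server, each request carrying such a value ties up a thread indefinitely. The check only tells you whether the runtime is affected; the remediation is the vendor fix, here the TCR interim fixes listed below.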
To remediate this vulnerability, Tivoli Common Reporting (TCR) will be releasing Interim Fixes for all its versions - 1.2, 1.3 and 2.1.
* TCR 1.2 ifix10 will remediate the vulnerability for TIP 1.1.x JRE
* TCR 1.3 ifix4 will remediate the vulnerability for TIP 1.1.x JRE and Cognos JRE bundled in TCR.
* TCR 2.1 ifix2 will remediate the vulnerability for TIP 2.1 JRE and Cognos JRE bundled in TCR.
Once released, all the above ifixes will be available on the TCR Fix Central site.
The tentative release dates of the interim fixes are as follows:
* TCR 1.2 ifix10 - 28-Feb-2011
* TCR 1.3 ifix4 - 21-Mar-2011*
* TCR 2.1 ifix2 - 10-Mar-2011
1. This flash will be updated if there is any change in the release dates.
2. Installation instructions of the ifix will be available along with the package.
3. Only 32-bit installation is supported in all the three ifix releases.
4.* Due to a dependency on Deployment Engine and some unforeseen issues, the fix availability for this release has been postponed to a later date (from the originally planned 4 March 2011). Sorry for any inconvenience.
