A new revision of the security advisory for IBM Tivoli Common Reporting (TCR), originally published on 4 March 2011, has been issued. TCR is a software package that offers a simple overview and management of reports from products in the Tivoli series. The flaw lies in the Java Runtime Environment, specifically in an error in the "Double.parseDouble" method. A successful attack crashes the vulnerable application (a DoS attack). The revision was issued because a patch for version 1.3 (ifix4) has been released. Users are advised to apply the update.

Java parseDouble Security Vulnerability Update for Tivoli Common Reporting (TCR)
Flash (Alert)

Abstract
Denial of Service Security Exposure with Java JRE/JDK hanging when converting 2.2250738585072012e-308 number (CVE-2010-4476)

This Security Alert addresses a serious security issue, CVE-2010-4476 (the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number). This vulnerability can cause the Java Runtime Environment to hang, enter an infinite loop, and/or crash, resulting in a denial of service exposure. The same hang can occur if the number is written without scientific notation (324 decimal places). In addition to the Application Server being exposed to this attack, any Java program using the Double.parseDouble method is also at risk, including any customer-written application or third-party application.
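As an added example (not part of the IBM flash and not TCR's own code), the following Java self-check runs Double.parseDouble on the trigger value from the advisory, in both its scientific and its plain 324-decimal-place form, inside a daemon thread with a timeout, so an administrator can confirm whether a given JRE is affected without hanging the whole JVM. The class name and the two-second timeout are assumptions; the trigger value is kept as a String so that neither javac nor the class loader has to convert it.

```java
import java.math.BigDecimal;
import java.util.concurrent.*;

/** Added example: probe a JRE for the CVE-2010-4476 parseDouble hang. */
public class ParseDoubleHangCheck {
    // Trigger value from the advisory, in scientific notation.
    static final String SCI = "2.2250738585072012e-308";
    // Same value written out without an exponent (324 decimal places).
    // BigDecimal does exact decimal arithmetic and is not affected by the bug.
    static final String PLAIN = new BigDecimal(SCI).toPlainString();

    /** Returns true if parseDouble(s) finishes within the timeout, false if it hangs. */
    static boolean parsesWithin(String s, long millis) throws InterruptedException {
        ExecutorService ex = Executors.newSingleThreadExecutor(r -> {
            Thread t = new Thread(r, "parseDouble-probe");
            t.setDaemon(true); // a hung probe must not keep the JVM alive
            return t;
        });
        Future<Double> f = ex.submit(() -> Double.parseDouble(s));
        try {
            f.get(millis, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            f.cancel(true); // the loop ignores interrupts; the daemon flag handles exit
            return false;
        } catch (ExecutionException e) {
            return true; // a NumberFormatException is still a prompt return, not a hang
        } finally {
            ex.shutdownNow();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        boolean sciOk = parsesWithin(SCI, 2000);
        boolean plainOk = parsesWithin(PLAIN, 2000);
        System.out.println("scientific form: " + (sciOk ? "parsed promptly" : "HUNG"));
        System.out.println("plain form:      " + (plainOk ? "parsed promptly" : "HUNG"));
        if (sciOk && plainOk) {
            System.out.println("This JRE is not affected by CVE-2010-4476.");
        } else {
            System.out.println("This JRE is affected by CVE-2010-4476; apply the TCR ifix.");
        }
    }
}
```

Run it with the exact java binary bundled with TIP and with the Cognos JRE shipped in TCR, since the flash notes that each is patched separately.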
 
Content
To remediate this vulnerability, Tivoli Common Reporting (TCR) will be releasing Interim Fixes for all its versions - 1.2, 1.3 and 2.1.

    * TCR 1.2 ifix10 will remediate the vulnerability for TIP 1.1.x JRE

    * TCR 1.3 ifix4 will remediate the vulnerability for TIP 1.1.x JRE and Cognos JRE bundled in TCR.

    * TCR 2.1 ifix2 will remediate the vulnerability for TIP 2.1 JRE and Cognos JRE bundled in TCR.


Once released, all the above ifixes will be available on the TCR Fix Central site.

The tentative release dates of the interim fixes are as follows:

    * TCR 1.2 ifix10 - 28-Feb-2011
    * TCR 1.3 ifix4 - 21-Mar-2011*
    * TCR 2.1 ifix2 - 10-Mar-2011


Note:
1. This flash will be updated if there is any change in the release dates.
2. Installation instructions of the ifix will be available along with the package.
3. Only 32-bit installation is supported in all the three ifix releases.

4.* Due to a dependency on Deployment Engine and some unforeseen issues, the fix availability for this release has been postponed to a later date (from the originally planned 4 March 2011). Sorry for any inconvenience.
 
Related information
TCR Fix Central
Oracle Security Alert for Java Vulnerability
Product Alias/Synonym
TCR
Tivoli Common Reporting 
