
T-694: IBM Tivoli Federated Identity Manager Products Multiple Vulnerabilities

August 16, 2011 - 3:30pm


PROBLEM:

Multiple vulnerabilities have been reported in IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Some have an unknown impact; one (CVE-2010-4476, in the bundled Java Runtime Environment) can be exploited by a remote attacker to cause a DoS (Denial of Service).

PLATFORM:

IBM Tivoli Federated Identity Manager 6.x, IBM Tivoli Federated Identity Manager Business Gateway 6.x

ABSTRACT:

This Security Alert addresses CVE-2010-4476, a serious issue in which the Java Runtime Environment hangs when converting the decimal string "2.2250738585072012e-308" to a binary floating-point number. Parsing this value can leave the JRE in an infinite loop and/or crash it, resulting in a denial of service. The same hang occurs when the number is written without scientific notation (as 324 decimal places). The exposure is not limited to the Application Server: any Java program that calls Double.parseDouble on untrusted input, including customer-written and third-party applications, is at risk. IBM bulletin title: Denial of Service Security Exposure with Java JRE/JDK hanging when converting (CVE-2010-4476).

The following products contain affected versions of the Java Runtime Environment:

IBM WebSphere Application Server Versions 7.0 through 7.0.0.13 for Distributed, i5/OS and z/OS operating systems.
IBM WebSphere Application Server Versions 6.1 through 6.1.0.35 for Distributed, i5/OS and z/OS operating systems.
IBM WebSphere Application Server Versions 6.0 through 6.0.2.43 for Distributed, i5/OS and z/OS operating systems.

REFERENCE LINKS:

Tivoli Federated Identity Manager 6.2.0
Tivoli Fed Id Mgr Business Gateway v6.2.0
Secunia - IBM Tivoli Federated Identity Manager Business Gateway 6.x

IMPACT ASSESSMENT:

High

Discussion:

CVE-2010-4476 is a flaw in the JRE's decimal-to-double conversion routine, not in Tivoli Federated Identity Manager's own code: converting "2.2250738585072012e-308" (or the same value written out to 324 decimal places) never terminates, so the thread performing the conversion spins indefinitely. Double.parseDouble, Double.valueOf and the Double(String) constructor all share this routine, so every code path that converts untrusted input to a double is a trigger. On an application server that includes anything a request handler parses as a double, such as numeric form parameters or header values, and each malicious request ties up one server thread until the process is restarted. Filtering the two known spellings at the application layer is only a partial stop-gap, because other decimal spellings of values in the same range reach the same loop; the remediation is to update the Java Runtime Environment bundled with the application server beyond the affected WebSphere Application Server levels listed above.
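Because the flaw lives in the JRE rather than in the product, the practical check is to run Double.parseDouble on the advisory's two inputs inside the JRE that the application server actually uses and see whether it returns. The probe below is an added example, not IBM's or the advisory's code; the class name is hypothetical and the 2000 ms budget is an arbitrary choice. It avoids Java 7+ language features so it can be compiled with -source 1.6 and run directly with the bundled JDK (on WebSphere Application Server that is typically <WAS_HOME>/java/bin/java), which is the binary that matters, not a system-wide JDK. A hung parse never observes Thread.interrupt(), so the worker is a daemon thread: that is what lets the probe exit cleanly while the spinning thread is left behind.

```java
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

/**
 * Probe for CVE-2010-4476: does this JRE's Double.parseDouble hang on the
 * boundary value named in the advisory? Hypothetical class name; written
 * without Java 7+ features so it can be compiled with -source 1.6 and run
 * on the JRE under test.
 */
public class Cve20104476Probe {

    /** Scientific-notation spelling quoted in the advisory. */
    static final String SCIENTIFIC = "2.2250738585072012e-308";

    /** Same value written out in full: "0." + 307 zeros + "22250738585072012" (324 decimal places). */
    static final String PLAIN = plainForm();

    static String plainForm() {
        StringBuilder sb = new StringBuilder("0.");
        for (int i = 0; i < 307; i++) {
            sb.append('0');
        }
        return sb.append("22250738585072012").toString();
    }

    /**
     * Parses s on a daemon thread and waits at most timeoutMillis.
     * Returns the parsed value, or null if the parse had not finished in time.
     * A vulnerable JRE loops forever inside the conversion routine and never
     * checks Thread.interrupt(), so shutdownNow() cannot stop it; the daemon
     * flag is what allows the JVM to exit with the spinning worker behind it.
     */
    static Double parseWithTimeout(final String s, long timeoutMillis) {
        ExecutorService worker = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parseDouble-probe");
                t.setDaemon(true);
                return t;
            }
        });
        try {
            Future<Double> result = worker.submit(new Callable<Double>() {
                public Double call() {
                    return Double.parseDouble(s);
                }
            });
            return result.get(timeoutMillis, TimeUnit.MILLISECONDS);
        } catch (TimeoutException e) {
            return null;                       // still spinning: the CVE-2010-4476 behaviour
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return null;
        } catch (ExecutionException e) {
            throw new IllegalStateException("unexpected parse failure for " + s, e.getCause());
        } finally {
            worker.shutdownNow();
        }
    }

    /** True if every probe string parses within the budget on this JRE. */
    static boolean jreIsPatched(long timeoutMillis) {
        boolean ok = true;
        String[] probes = { "1.0", SCIENTIFIC, PLAIN };   // "1.0" is a control that must always pass
        for (String probe : probes) {
            Double v = parseWithTimeout(probe, timeoutMillis);
            String shown = probe.length() > 40
                    ? probe.substring(0, 12) + "..." + probe.substring(probe.length() - 20)
                    : probe;
            if (v == null) {
                System.out.println("VULNERABLE  " + shown + "  still parsing after " + timeoutMillis + " ms");
                ok = false;
            } else {
                // A patched JRE rounds the boundary value to Double.MIN_NORMAL (2.2250738585072014E-308).
                System.out.println("ok          " + shown + "  -> " + v);
            }
        }
        return ok;
    }

    public static void main(String[] args) {
        System.out.println(System.getProperty("java.vendor") + " " + System.getProperty("java.version"));
        boolean patched = jreIsPatched(2000);
        System.out.println(patched ? "JRE not affected by CVE-2010-4476" : "JRE affected by CVE-2010-4476");
        System.exit(patched ? 0 : 1);
    }
}
```

Run it once per JRE on the host (the server's bundled JDK and any others an application might pick up); a non-zero exit means that JRE still hangs on the boundary value and needs the vendor fix. The probe is a detection tool only: wrapping production parseDouble calls in a timeout like this bounds request latency but still leaves a thread burning CPU per malicious request, so it does not substitute for the JRE update.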

Solution:

IBM Tivoli Support Page:
Tivoli, IBM Tivoli Federated Identity Manager
