=====================================================================
CERT-Renater Information Note No. 2011/VULN191
_____________________________________________________________________
DATE                 : 07/03/2011
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running CICS Transaction Gateway.
======================================================================

http://www-01.ibm.com/support/docview.wss?uid=swg21468358
______________________________________________________________________

CICS Transaction Gateway and Java security issue CVE-2010-4476

Flash (Alert)

Abstract

This alert describes how CICS Transaction Gateway (CICS TG) is affected by the serious security issue CVE-2010-4476 (the Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number).

Content

Problem Description

On 8 February 2011 Oracle published security vulnerability CVE-2010-4476, a critical class library vulnerability affecting the Java Runtime Environment (JRE). It also affects the Java Runtime Environments provided by IBM, as detailed in the Critical security vulnerability alert for CVE-2010-4476 issued by IBM. This alert describes how CICS TG is affected by the vulnerability and the solutions that are available.

Issue

The Java Runtime Environment hangs when converting the string "2.2250738585072012e-308" to a binary floating-point number (for example through Double.parseDouble or Double.valueOf). The same hang occurs if the number is written without scientific notation, as a decimal fraction with 324 decimal places. Any code path that converts attacker-controlled text to a double on an affected JRE is therefore a denial-of-service vector: a single such value ties up the parsing thread indefinitely.

What is affected?

CICS TG Runtime Components
The CICS Transaction Gateway runtime components provided by IBM are not affected by this security alert.

User exit code running in the CICS TG
The samples provided with CICS TG for the Security, Request Monitoring, and CICS Request exit points are not affected by this security alert. Any exit code written in-house or by a third party is at risk from this exposure.
Exit code runs as part of CICS TG; if it parses such a value on an affected JRE it hangs CICS TG itself, which is a denial-of-service exposure.

Other Java applications using the CICS TG provided JRE
Any Java program using the JRE provided by CICS TG is at risk from this exposure.

CICS TG Configuration Utility
The ctgcfg configuration utility provided by CICS TG is affected by this security alert. The configuration utility has no network or remote access capability and can be started only by a user who is already logged on to the system and has sufficient permission to execute the utility launcher file. No remote or unauthorised exploitation is possible.

Solution

Contact your IBM CICS Transaction Gateway support organization to request an update for the JRE supplied with your CICS TG. The update refreshes the JRE to the latest Java service level and includes a fix for this issue.

If you require an immediate patch and cannot move to the latest service refresh level, IBM has provided an update installer and patches that let you fix this security vulnerability temporarily. Refer to the Critical security vulnerability alert for CVE-2010-4476 page issued by IBM for links to the appropriate patches for your JRE. If you apply a temporary patch to your JRE, contact your IBM CICS Transaction Gateway support organization to request a permanent fix for your specific JRE version.

Important: The IBM Update Installer for Java is a temporary mechanism for addressing this critical security vulnerability. A subsequent update to your JRE might remove fixes applied by the IBM Update Installer for Java, so verify the JRE again after every service update. Always use fixes provided by your IBM Product support team where available.
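The check a practitioner wants after reading the Issue and Solution sections above is whether the JRE actually shipped with (or later re-applied over) a CICS TG installation is still affected. The following probe is an added example written for this note; it is not code from IBM or from CICS TG. It hands both trigger strings named in the alert (the scientific-notation form and the 324-decimal-place form, which is derived here with BigDecimal so that the derivation itself never goes through the affected double conversion) to Double.parseDouble on a daemon thread and treats a timeout as "affected". The class name Cve20104476Check and the 5-second timeout are assumptions of the example. Run it with the exact java binary that CICS TG uses (for example the one under the CICS TG installation's jre directory), since the result is a property of that JRE, not of the system default:

```java
import java.math.BigDecimal;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.ThreadFactory;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;

// Example probe for CVE-2010-4476 (assumed class name, not IBM code).
// Java 5/6 syntax on purpose: that is the JRE generation CICS TG shipped in 2011.
public class Cve20104476Check {

    // Scientific-notation trigger named in the alert.
    static final String SCI = "2.2250738585072012e-308";

    // The same value without an exponent: "0." followed by 307 zeros and the 17
    // significant digits, i.e. 324 decimal places. BigDecimal parses decimal text
    // exactly and does not call the affected binary conversion, so building the
    // string here cannot itself hang.
    static final String PLAIN = new BigDecimal(SCI).toPlainString();

    /**
     * Returns true if Double.parseDouble(s) completes within timeoutMs,
     * false if it is still running when the timeout expires (the hang).
     */
    static boolean parsesWithinTimeout(final String s, long timeoutMs)
            throws InterruptedException {
        ExecutorService ex = Executors.newSingleThreadExecutor(new ThreadFactory() {
            public Thread newThread(Runnable r) {
                Thread t = new Thread(r, "parse-probe");
                t.setDaemon(true); // the spinning thread must not keep the JVM alive
                return t;
            }
        });
        Future<Double> f = ex.submit(new Callable<Double>() {
            public Double call() {
                return Double.parseDouble(s);
            }
        });
        try {
            f.get(timeoutMs, TimeUnit.MILLISECONDS);
            return true;
        } catch (TimeoutException e) {
            return false;
        } catch (ExecutionException e) {
            // A parse error would be a bug in the probe, not a vulnerability verdict.
            throw new IllegalStateException(e.getCause());
        } finally {
            ex.shutdownNow(); // interrupt is ignored by the hang; daemon flag handles exit
        }
    }

    public static void main(String[] args) throws InterruptedException {
        System.out.println("java.vendor=" + System.getProperty("java.vendor")
                + " java.version=" + System.getProperty("java.version"));
        boolean patched = true;
        for (String s : new String[] { SCI, PLAIN }) {
            boolean ok = parsesWithinTimeout(s, 5000); // 5 s is an assumed timeout
            System.out.println((ok ? "OK   " : "HANG ") + s.length() + "-char input");
            patched &= ok;
        }
        System.out.println(patched
                ? "JRE is NOT affected by CVE-2010-4476"
                : "JRE IS affected by CVE-2010-4476: apply the IBM fix");
        System.exit(patched ? 0 : 1);
    }
}
```

The exit status (0 patched, 1 affected) makes the probe usable from a post-update script, which is the point of the "Important" paragraph above: because a later JRE service update can silently undo the temporary Update Installer fix, this check belongs in the procedure that runs after every JRE change, not only once.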
Related information

IBM Security Alert for CVE-2010-4476
Oracle Security Alert for CVE-2010-4476
CICS Transaction Server Alert for CVE-2010-4476
WebSphere Application Server Alert for CVE-2010-4476

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44      +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41      +
+ 75013 Paris         | email: certsvp@renater.fr +
=========================================================