How to Apply JRE patch to Cognos Business Intelligence on the IBM Cloud

Problem
A serious security vulnerability (CVE-2010-4476) has been identified which can cause the Java Virtual Machine to enter an infinite loop. The issue exists in the Java class libraries and affects all products that use Java. This issue is described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476

Environment
Cognos Business Intelligence on the IBM Cloud

Solution
To resolve this issue, it is necessary to update the JDKs (that are installed with IBM DB2 and IBM WebSphere Application Server) to an interim fix JDK level containing the fix for the issue.

Before you update your JDK on a production system, it is strongly recommended to:
Apply the patch in a test environment to verify that your product is working correctly
Make a backup before you apply any changes

For up-to-date information, please refer to the support website at:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html

The necessary interim fixes can be downloaded at:

JDK: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-sdk6&S_PKG=amd64_6sr9fp1&S_TACT=105AGX05&S_CMP=JDK

UpdateInstaller: ftp://public.dhe.ibm.com/software/websphere/appserv/support/tools/UpdateInstaller/7.0.x/LinuxAMD64/7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz

WebSphere: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM32173/7.0.0.0-WS-WASJavaSDK-LinuxX64-IFPM32173.pak

1) Stop the Cognos Service
Log on as user “baadmin” in a GUI-based environment (e.g. VNC via SSH tunnel).

Stop the IBM Cognos service using the following command:
sudo /sbin/service cognos10 stop


2) Upgrade the JRE used for IBM DB2 as follows:

Install JDK 6 SR9

The JDK 6 SR9 package is for the 64-bit AMD/Opteron/EM64T platform (ibm-java-x86_64-sdk-6.0-9.0.bin).
Ensure execute permission is set on the installer file:
chmod +x ibm-java-x86_64-sdk-6.0-9.0.bin
Execute the installer file:
sudo ./ibm-java-x86_64-sdk-6.0-9.0.bin
Follow the on-screen instructions and choose the default location for install directory (/opt/ibm/java-x86_64-60).

Update database manager configuration

Log on as user “db2inst1” (the password is the same as the “baadmin” password chosen by the user during instance creation):
su - db2inst1
Verify existing JDK_PATH:
db2 get dbm cfg | grep JDK_PATH
Note: this should point to /home/db2inst1/sqllib/java/jdk64
Update JDK_PATH:
db2 update dbm cfg using JDK_PATH /opt/ibm/java-x86_64-60
Verify the updated JDK_PATH:
db2 get dbm cfg | grep JDK_PATH
Note: this should now point to /opt/ibm/java-x86_64-60
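
The two JDK_PATH checks above can be scripted so the result is unambiguous and can be repeated on both the test and the production system. The following is an added example, not part of the original instructions; the function names and the sample dbm cfg lines are constructed for illustration, and the two paths are the ones given in this document.

```bash
#!/bin/bash
# Added example (not from the original page): verify the DB2 JDK_PATH switch.

OLD_JDK=/home/db2inst1/sqllib/java/jdk64   # bundled JDK path given on the page
NEW_JDK=/opt/ibm/java-x86_64-60            # interim-fix JDK path given on the page

# Pull the JDK_PATH value out of `db2 get dbm cfg` output supplied on stdin,
# dropping trailing whitespace and any trailing slash.
extract_jdk_path() {
    sed -n 's/^.*(JDK_PATH)[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*$/\1/p' |
        head -n 1 | sed 's:/*$::'
}

# Classify dbm cfg output on stdin: patched | unpatched | missing | unexpected:<path>
classify_jdk_path() {
    local path
    path=$(extract_jdk_path)
    case "$path" in
        "$NEW_JDK") echo "patched" ;;
        "$OLD_JDK") echo "unpatched" ;;
        "")         echo "missing" ;;
        *)          echo "unexpected:$path" ;;
    esac
}

# Live check, run as db2inst1: succeeds only when DB2 points at the new JDK
# and that directory really contains an executable java binary.
verify_live() {
    local state
    state=$(db2 get dbm cfg | classify_jdk_path)
    echo "JDK_PATH state: $state"
    [ "$state" = "patched" ] && [ -x "$NEW_JDK/bin/java" ]
}

# Constructed samples of the relevant dbm cfg line, so the script runs offline.
SAMPLE_BEFORE=' Java Development Kit installation path       (JDK_PATH) = /home/db2inst1/sqllib/java/jdk64'
SAMPLE_AFTER=' Java Development Kit installation path       (JDK_PATH) = /opt/ibm/java-x86_64-60/  '

if [ "${1:-}" = "--live" ]; then
    verify_live
else
    printf '%s\n' "$SAMPLE_BEFORE" | classify_jdk_path
    printf '%s\n' "$SAMPLE_AFTER"  | classify_jdk_path
fi
```

Run with --live as “db2inst1” after the update; a non-zero exit status means DB2 is still configured for the old JDK or the new JDK directory is incomplete.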


3) Upgrade the JRE used for IBM WebSphere and IBM HTTP Server

Install latest version of UpdateInstaller

The IBM UpdateInstaller package is for the 64-bit AMD/Intel platform (7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz).
Uncompress the downloaded file:
tar -zxf 7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz
Execute the installer file:
sudo ./UpdateInstaller/install
Follow the on-screen instructions and choose to update an existing installation by selecting “/opt/IBM/WebSphere/UpdateInstaller”.
Once the installation is completed, select the "Launch IBM Update Installer..." option on the "Installation Complete" page to bring up the IBM Update Installer.

Install WebSphere Application Server Fixpack

Select “/opt/IBM/WebSphere/AppServer” in the production screen.
Select “install maintenance package” in the maintenance operation screen.
Select the fixpack location, which is the directory containing the fixpack file (7.0.0.0-WS-WASJavaSDK-LinuxX64-IFPM32173.pak)
Ensure the fixpack is selected, and follow the on-screen instructions to complete the update.
Repeat the above steps for IBM HTTPServer.


4) Start Cognos 10 Service

Log on as user “baadmin” in a GUI-based environment (e.g. VNC via SSH tunnel).

Restart the IBM Cognos service using the following command:
sudo /sbin/service cognos10 start

www.cogknowhow.com