Technote (troubleshooting)
Problem (Abstract)
A serious security vulnerability (CVE-2010-4476) has been identified which can cause the Java Virtual Machine to enter an infinite loop. The issue exists in the Java class libraries and affects all products that use Java. This issue is described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
Environment
Cognos Business Intelligence on the IBM Cloud
Resolving the problem
To resolve this issue, it is necessary to update the JDKs (that are installed with IBM DB2 and IBM WebSphere Application Server) to an interim fix JDK level containing the fix for the issue.
Before you update your JDK on a production system, it is strongly recommended to:
- Apply the patch in a test environment to verify that your product is working correctly
- Make a backup before you apply any changes
For up-to-date information, please refer to the support website at:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
The necessary interim fixes can be downloaded at:
JDK: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-sdk6&S_PKG=amd64_6sr9fp1&S_TACT=105AGX05&S_CMP=JDK
UpdateInstaller: ftp://public.dhe.ibm.com/software/websphere/appserv/support/tools/UpdateInstaller/7.0.x/LinuxAMD64/7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz
WebSphere: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM32173/7.0.0.0-WS-WASJavaSDK-LinuxX64-IFPM32173.pak
1) Stop the Cognos Service
2) Update database manager configuration
3) Upgrade the JRE used for IBM WebSphere and IBM HTTP Server
4) Start Cognos 10 Service
1) Stop the Cognos Service
- Log on as user “baadmin” in a GUI-based environment (e.g. VNC via SSH tunnel).
  Stop the IBM Cognos service using the following command:
      sudo /sbin/service cognos10 stop
- Install JDK 6 SR9
  The JDK 6 SR9 package is for the 64-bit AMD/Opteron/EM64T platform (ibm-java-x86_64-sdk-6.0-9.0.bin).
  Ensure execute permission is set on the installer file:
      chmod +x ibm-java-x86_64-sdk-6.0-9.0.bin
  Execute the installer file:
      sudo ./ibm-java-x86_64-sdk-6.0-9.0.bin
  Follow the on-screen instructions and choose the default location for the install directory (/opt/ibm/java-x86_64-60).
2) Update database manager configuration
- Log on as user “db2inst1” (the password is the same as the baadmin password selected by the user during instance creation):
      su - db2inst1
  Verify the existing JDK_PATH:
      db2 get dbm cfg | grep JDK_PATH
  Note: this should point to /home/db2inst1/sqllib/java/jdk64
  Update JDK_PATH:
      db2 update dbm cfg using JDK_PATH /opt/ibm/java-x86_64-60
  Verify JDK_PATH again:
      db2 get dbm cfg | grep JDK_PATH
  Note: this should now point to /opt/ibm/java-x86_64-60
3) Upgrade the JRE used for IBM WebSphere and IBM HTTP Server
- Install the latest version of UpdateInstaller
  The IBM UpdateInstaller package is for the 64-bit AMD/Intel platform (7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz).
  Uncompress the downloaded file:
      tar -zxf 7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz
  Execute the installer file:
      sudo ./UpdateInstaller/install
  Follow the on-screen instructions and choose to update an existing installation by selecting “/opt/IBM/WebSphere/UpdateInstaller”.
  Once the installation is completed, select the "Launch IBM Update Installer..." option on the "Installation Complete" page to bring up the IBM Update Installer.
- Install WebSphere Application Server Fixpack
  Select “/opt/IBM/WebSphere/AppServer” in the production screen.
  Select “install maintenance package” in the maintenance operation screen.
  Select the fixpack location, which is the directory containing the fixpack file (7.0.0.0-WS-WASJavaSDK-LinuxX64-IFPM32173.pak).
  Ensure the fixpack is selected, and follow the on-screen instructions to complete the update.
  Repeat the above steps for IBM HTTPServer.
4) Start Cognos 10 Service
- Log on as user “baadmin” in a GUI-based environment (e.g. VNC via SSH tunnel).
  Restart the IBM Cognos service using the following command:
      sudo /sbin/service cognos10 start
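The manual grep check in step 2 can be turned into a scripted pass/fail check, so a DB2 instance still pointing at the old bundled JDK is caught before the service is restarted. This is an added example, not part of the original technote or IBM's tooling; the function names, the sample lines and the bin/java layout check are assumptions.

```shell
#!/bin/sh
# Added example (not IBM's code): post-change check for the JDK_PATH step.
# Real use on the DB2 host, as db2inst1:
#   db2 get dbm cfg | check_jdk_path /opt/ibm/java-x86_64-60

# Constructed samples of the JDK_PATH line before and after the update.
SAMPLE_BEFORE=' Java Development Kit installation path       (JDK_PATH) = /home/db2inst1/sqllib/java/jdk64'
SAMPLE_AFTER=' Java Development Kit installation path       (JDK_PATH) = /opt/ibm/java-x86_64-60'

# Print the JDK_PATH value found in dbm cfg text on stdin (empty if absent).
# Trailing whitespace and trailing slashes are stripped before comparison.
jdk_path_from_cfg() {
    sed -n 's/^.*(JDK_PATH)[[:space:]]*=[[:space:]]*//p' |
        sed -e 's/[[:space:]]*$//' -e 's:/*$::' | head -n 1
}

# Exit status: 0 = points at the expected JDK,
#              1 = still points somewhere else (update not applied),
#              2 = no JDK_PATH value in the input (wrong or truncated output).
check_jdk_path() {
    expected=${1%/}
    actual=$(jdk_path_from_cfg)
    if [ -z "$actual" ]; then
        echo "JDK_PATH not found in input" >&2
        return 2
    fi
    if [ "$actual" != "$expected" ]; then
        echo "JDK_PATH is $actual, expected $expected" >&2
        return 1
    fi
    echo "JDK_PATH OK: $actual"
}

# Return 0 only if the directory holds an executable bin/java (assumed
# standard JDK layout), so a mistyped JDK_PATH is caught as well.
jdk_dir_usable() {
    [ -x "$1/bin/java" ]
}

# Demo over the constructed samples: the first is reported as stale,
# the second passes.
for sample in "$SAMPLE_BEFORE" "$SAMPLE_AFTER"; do
    printf '%s\n' "$sample" | check_jdk_path /opt/ibm/java-x86_64-60 2>&1 || true
done
```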