Problem
A serious security vulnerability (CVE-2010-4476) has been identified which can cause the Java Virtual Machine to enter an infinite loop. The issue exists in the Java class libraries and affects all products that use Java.  This issue is described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476

Environment
Cognos Business Intelligence on the IBM Cloud

Solution
To resolve this issue, it is necessary to update the JDKs (that are installed with IBM DB2 and IBM WebSphere Application Server) to an interim fix JDK level containing the fix for the issue.

Before you update your JDK on a production system, it is strongly recommended to:
Apply the patch in a test environment to verify that your product is working correctly
Make a backup before you apply any changes

For up-to-date information, please refer to the support website at:
http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html

The necessary interim fixes can be downloaded at:

JDK: https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-sdk6&S_PKG=amd64_6sr9fp1&S_TACT=105AGX05&S_CMP=JDK

UpdateInstaller:  ftp://public.dhe.ibm.com/software/websphere/appserv/support/tools/UpdateInstaller/7.0.x/LinuxAMD64/7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz

WebSphere:  ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM32173/7.0.0.0-WS-WASJavaSDK-LinuxX64-IFPM32173.pak

1) Stop the Cognos Service
Logon as user “baadmin” on a GUI based environment (e.g. VNC via SSH tunnel).

Stop the IBM Cognos service using the following command:
sudo /sbin/service cognos10 stop


2) Upgrade the JRE used for IBM DB2 as follows:

Install JDK 6 SR9

The JDK 6 SR9 package is 64-bit AMD/Opteron/EM64T platform (ibm-java-x86_64-sdk-6.0-9.0.bin)
Ensure execute permission is set on the installer file:
chmod +x ibm-java-x86_64-sdk-6.0-9.0.bin
Execute the installer file:
sudo ./ibm-java-x86_64-sdk-6.0-9.0.bin
Follow the on-screen instructions and choose the default location for install directory (/opt/ibm/java-x86_64-60).

Update database manager configuration

Logon as user “db2inst1” (password is set to the same password as "baadmin" password selected by user during instance creation):
su – db2inst1
Verify existing JDK_PATH:
db2 get dbm cfg | grep JDK_PATH
Note: which should pointing to /home/db2inst1/sqllib/java/jdk64
Update JDK_PATH:
db2 update dbm cfg using JDK_PATH /opt/ibm/java-x86_64-60
Verify existing JDK_PATH:
db2 get dbm cfg | grep JDK_PATH
Note: which should now pointing to /opt/ibm/java-x86_64-60


3) Upgrade the JRE used for IBM WebSphere and IBM HTTP Server

Install latest version of UpdateInstaller

The IBM UpdateInstaller is 64-bit AMD/Intel platform (7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz)
Uncompress the downloaded file:
tar -zxf 7.0.0.15-WS-UPDI-LinuxAMD64.tar.gz
Execute the installer file:
sudo ./UpdateInstaller/install
Follow the on-screen instructions and select update an existing installation by selecting “/opt/IBM/WebSphere/UpdateInstaller”.
Once the installation is completed, select the "Launch IBM Update Installer..." option on the "Installation Complete" page to bring up the IBM Update Installer.

Install WebSphere Application Server Fixpack

Select “/opt/IBM/WebSphere/AppServer” in the production screen.
Select “install maintenance package” in the maintenance operation screen.
Select the fixpack location, which is the directory containing the fixpack file (7.0.0.0-WS-WASJavaSDK-LinuxX64-IFPM32173.pak)
Ensure the fixpack is selected, and follow the on-screen instruction to complete the update.
Repeat the above steps for IBM HTTPServer.


4) Start Cognos 10 Service

Logon as user “baadmin” on a GUI based environment (e.g. VNC via SSH tunnel).

Restart the IBM Cognos service using the following command:
sudo /sbin/service cognos10 start

www.cogknowhow.com