Cognos Java Security Vulnerability CVE-2010-4476 Exposure Response

Flash (Alert)


Abstract

Last updated on April 19, 2011.

This Security Alert addresses a serious security vulnerability (CVE-2010-4476) which can cause the Java Virtual Machine to enter an infinite loop. This issue is described in more detail at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476.

To find out about applying the JRE patch to Cognos Business Intelligence on the Cloud, go to http://www.ibm.com/support/docview.wss?uid=swg21470017.

To find out about applying the JRE patch to Cognos Business Intelligence Special Edition, contact Customer Support and reference technote # 1497107.

To find out about applying the JRE patch to the Cognos Now! 4.6.0 appliance, go to http://www.ibm.com/support/docview.wss?uid=swg21473104.

Content

Products Affected
The issue exists in the Java class libraries and affects all products that use Java. IBM Cognos products that use Java include

  • Business Intelligence products:
    □ Cognos Business Intelligence* versions 10.1, 8.4.1, 8.4.0, 8.3.0
    □ Cognos Business Intelligence Developer Edition versions 10.1, 8.4.1
    □ Cognos Business Intelligence Starter Edition versions 10.1, 8.4.1
    □ Cognos PowerPlay versions 10.1, 8.4.1, 8.4.0, 7.5.0, 7.4.x,
    □ Cognos Mobile versions 10.1, 8.4.1, 8.3.1, 8.3.0
    □ Cognos Now! versions 4.6
    □ Cognos DecisionStream version 7.1.4
    □ Cognos Impromptu Web Reports versions 7.5, 7.4.x
    □ Cognos NoticeCast versions 7.5, 7.4.x
    □ Cognos Web Services versions 7.5, 7.4.x
    □ Cognos Visualizer versions 7.5, 7.4.x
    □ Cognos Query version 7.4.x
    □ Cognos Express versions 9.5.0, 9.0.0
    □ IBM Smart Analytics System Business Intelligence Module (all versions)


    * Cognos Business Intelligence includes all BI components such as Reporting, Analysis, Data Manager, Virtual View Manager, Go! Search.
  • Financial Performance Management products:
    □ Cognos Business Viewpoint versions 10.1, 8.4.1, 8.4.0
    □ Cognos Controller versions 8.5.1, 8.5.0, 8.4.0, 8.3.0
    □ Cognos Finance versions 7.5.0, 7.4.x
    □ Cognos Metrics versions 10.1, 8.4.1, 8.4.0, 8.3.0
    □ Cognos Planning versions 10.1, 8.4.1, 8.4.0, 8.3.0, 8.1.x
    □ Cognos TM1 versions 9.5.1, 9.5.0, 9.4.1, 9.4.0
  • Analytic Applications products:
    □ Cognos Banking Risk Performance - Credit Risk versions 8.4.2, 8.4.0
    □ Cognos Customer Performance Sales Analytics versions 8.4.2, 8.4.1, 8.4.0
    □ Cognos Financial Performance Analytics (AP, AR & GL) versions 8.4.2, 8.4.1, 8.4.0
    □ Cognos Supply Chain Performance Procurement Analytics versions 8.4.2, 8.4.1, 8.4.0
    □ Cognos Workforce Performance versions 8.4.2, 8.4.1, 8.4.0, 8.3.0, 8.2.0, 8.1.x
    □ Cognos Consumer Insight version 1.1.0


Description
This vulnerability can cause the Java Runtime Environment (JRE) to hang, enter an infinite loop, or crash when converting "2.2250738585072012e-308" to a binary floating-point number. The result can be a denial of service exposure. This same problem can occur if the number is written without scientific notation (that is, using all of the 324 decimal places). Any Java program that uses the Double.parseDouble method is at risk of this vulnerability.


Solution
To prevent this vulnerability from affecting your product, you must apply a patch to your existing version of Java or install a version of Java that contains the fix.

If you do not require the fix, no action is necessary.

Before you update your JRE on a production system, it is strongly recommended to:
• Apply the patch in a test environment to verify that your product is working correctly
• Make a backup before you apply any changes

Linux or UNIX Installations
On Linux or UNIX, the JRE is not provided by Cognos as part of the product. The JRE used with Cognos is a separately installed component that is available from the operating system, application server or Java vendor.

To resolve the security vulnerability, you will need to patch or upgrade the JRE to a version that is recommended by the Operating System, Application Server or Java vendor. Ensure you stop the Cognos Services before applying the patch and restart the Cognos Services once the patch has been successfully applied.

The following table provides links to vendor-supplied details and solutions to this vulnerability:
IBM http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html
HP https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=HPUXFPUPDATER
Oracle http://www.oracle.com/technetwork/topics/security/alert-cve-2010-4476-305811.html



Windows Installations

Typically, a JRE is packaged with the Windows versions of Cognos products. However, you may also use a version of Java that already existed on your system.

If you are using a JRE that already existed on the system, the solution is to update the JRE to a version that is recommended by the Operating System, Application Server or Java vendor.

If you are using the JRE version that is provided with your Cognos product, interim fixes are now available for several of the Cognos products. To determine if an interim Windows fix is available for your Cognos product as well as download and installation information, please follow the instructions at http://www.ibm.com/support/docview.wss?uid=swg24029220.

It is necessary to stop the Cognos services before applying the patch and then restart the Cognos Services once the patch has been successfully applied.

Cognos is continuing to develop interim fixes for the remaining affected products. These fixes will be made available as soon as possible.

If you cannot wait for the patch to become available from Cognos, you can also manually apply the patch to your JRE using the following steps.


Determine which version of JRE you are using
  1. In a command window, go to the cognos_location/bin/jre directory.
    If you are using a 64-bit installation, go to the cognos_location/bin64/jre directory.

  2. Type the following:
    java –version

    The resulting message will indicate whether you have an IBM or Sun version of JRE.

To apply a patch to an IBM version of JRE, do the following:
Go to the following Web page, and following the instructions provided: http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html

  1. Download the ParseDoubleTest.jar from the link above to verify if you need to apply the patch.

  2. Copy the ParseDoubleTest.jar file to the cognos_location/bin/jre directory.

  3. Open a command window in the location where you downloaded the file, and type the following:
    java –jar ParseDoubleTest.jar

    If the result is “Test Succeeded”, you do not have to apply the patch.

  4. If you have to apply the patch, download the appropriate patch file from http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html.

    For example, for JRE version 1.4 on Windows, download PM31983_FIX_1.jar.

  5. Download the Java Update Installer from the following location: http://www.ibm.com/developerworks/java/jdk/alerts/updateinstaller.html

    Unzip the UpdateInstallerforJava.zip.

  6. Ensure that you have the patch file and the unzipped Java Update Installer in the same location.

  7. In a command window, go to the location where you downloaded the patch file and the Java Update Installer, and enter the following command:

    java -jar JavaUpdateInstaller.jar -install [patch JAR file] [JAVA_HOME of target JDK]

    For example, for IBM Cognos products, the [JAVA_HOME of target JDK] is cognos_location/bin/jre/<java-version>.

    If you are installing the update for JRE version 1.4 to a default IBM Cognos installation location, the command would look like the following:

    java -jar JavaUpdateInstaller.jar -install PM31983_FIX_1.jar C:/Program Files/IBM/cognos/<Cognos Location>/bin/jre/<java-version>/bin


To apply a patch to a SUN version of JRE, do the following:
  1. Download the compressed file for Java SE Floating Point Updater Tool:
    http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater

  2. Uncompress the file, and then copy fpupdater.jar to cognos_location/bin/jre/<java-version>/bin.

    If you are using a 64-bit installation, copy fpupdater.jar to cognos_location/bin64/jre/<java-version>/bin.

  3. In a command window, go to the cognos_location/bin/jre/<java-version>/bin directory, and enter the following command:

    java -jar fpupdater.jar -u -v



Cross reference information
Segment Product Component Platform Version Edition
Business Analytics Cognos Business Intelligence Not Applicable AIX, HP-UX, HP Itanium, Linux, Solaris, Windows 10.1, 8.4.1, 8.4, 8.3 All Editions
Business Analytics Cognos Mobile Not Applicable Windows 10.1, 8.4.1, 8.4, 8.3 All Editions
Business Analytics Cognos Series 7 Not Applicable AIX, HP-UX on PA-RISC, Solaris, Windows 7.5, 7.4 All Editions
Business Analytics Cognos Now! Not Applicable AIX, HP-UX, Linux, Solaris, Windows 4.6, 4.5 All Editions
Business Analytics Cognos Express Not Applicable Windows 9.0, 9.5 All Editions
Business Analytics Cognos Real-time Monitoring Not Applicable AIX, HP-UX, Linux, Solaris, Windows 10.1 All Editions
Business Analytics Cognos Business Viewpoint Not Applicable AIX, HP-UX on PA-RISC, HP Itanium, Linux, Solaris, Windows 8.4.1, 8.4, 10.1 All Editions
Business Analytics Cognos 8 Controller Not Applicable Windows 8.5.1, 8.5, 8.4, 8.3 All Editions
Business Analytics Cognos Executive Viewer Not Applicable Windows 9.5 All Editions
Business Analytics Cognos Finance Not Applicable Windows 7.5, 7.4 All Editions
Business Analytics Cognos Planning Not Applicable Windows 10.1, 8.4.1, 8.4, 8.3, 8.1 All Editions
Business Analytics Cognos TM1 Not Applicable AIX, Linux, Solaris, Windows 9.5.1, 9.5, 9.4 All Editions
Business Analytics Cognos Analytic Applications Not Applicable AIX, HP-UX, Linux, Solaris, Windows 8.4.2, 8.4.1, 8.4, 8.3 All Editions
Business Analytics Cognos 8 Workforce Performance Not Applicable AIX, Solaris, Windows, HP-UX 8.3, 8.2 All Editions
Business Analytics Cognos Consumer Insight Not Applicable Linux 1.1 All Editions
Business Analytics Cognos 8 Go! Not Applicable Windows, AIX, HP-UX, Linux, Solaris 8.4.1, 8.4, 8.3 All Editions

Rate this page:

(0 users)Average rating

Add comments

Document information


More support for:

Cognos Business Intelligence and Financial Performance Management

Software version:

8.0

Operating system(s):

AIX, HP Itanium, HP-UX, Linux, Solaris, Windows

Reference #:

1469482

Modified date:

2011-03-25

Translate my page

Machine Translation

Content navigation