Fix for InfoSphere Warehouse 9.7.x for Java JRE/JDK denial-of-service security exposure.

Flash (Alert)


Abstract

This document describes how to upgrade the Java JRE/JDK for IBM InfoSphere Warehouse 9.7.x to fix a Java security vulnerability.

Content

On 8 February 2011, Oracle published a security alert (CVE-2010-4476) concerning a vulnerability in class library security. The vulnerability can be used to mount a denial-of-service attack against application servers. The Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. The same hang occurs if the number is written without scientific notation (324 decimal places).
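An added example, not part of IBM's alert: a Python check that recognises the value quoted above in request text whether it is written in scientific notation or as a plain decimal, so logs or inbound parameters can be screened while the patches are rolled out. The sample request lines and the /report path are constructed, and the match is a heuristic limited to the value the alert names, not a full description of every input that triggers the hang.

```python
import re
from decimal import Decimal, InvalidOperation

# Significant digits and leading-digit exponent of the value named in the alert.
ALERT_DIGITS = "22250738585072012"
ALERT_EXPONENT = -308

# ASCII decimal literal with optional exponent, as it would appear in a
# request parameter or header before the application parses it.
NUMBER = re.compile(r"(?:[0-9]+\.?[0-9]*|\.[0-9]+)(?:[eE][+-]?[0-9]+)?")


def matches_alert_value(token):
    """True if token, in any decimal notation, is the alert's value."""
    try:
        value = Decimal(token)  # exact decimal parse, no binary conversion
    except InvalidOperation:
        return False
    if not value.is_finite():
        return False
    # The coefficient drops leading zeros, so both notations normalise alike.
    digits = "".join(map(str, value.as_tuple().digits))
    return value.adjusted() == ALERT_EXPONENT and digits.startswith(ALERT_DIGITS)


def suspicious_tokens(line):
    """Return every numeric token in line that matches the alert's value."""
    return [t for t in NUMBER.findall(line) if matches_alert_value(t)]


# Constructed sample request lines (assumption: not taken from any real log).
PLAIN_FORM = "0." + "0" * 307 + ALERT_DIGITS  # 324 decimal places
SAMPLE_LINES = [
    "GET /report?threshold=2.2250738585072012e-308 HTTP/1.1",
    "GET /report?threshold=" + PLAIN_FORM + " HTTP/1.1",
    "GET /report?threshold=22250738585072012E-324 HTTP/1.1",
    "GET /report?threshold=2.5e-308 HTTP/1.1",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        status = "FLAG" if suspicious_tokens(line) else "ok"
        print(status.ljust(4), line[:64])
```

A match is a reason to confirm the JRE behind the endpoint is already patched; the filter does not replace the fixes listed below.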

To fix the problem for InfoSphere Warehouse 9.7.x releases, apply the following patches or fix packs:

1. For the Design Studio, which uses JRE 6, go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operating system:



2. For the Administration Console, the solution depends on which level of WebSphere Application Server you are using:

WebSphere Application Server 7.0: This is the default level that is shipped with InfoSphere Warehouse, and it uses JRE 6. To apply the fix, you have two alternatives:
    • IBM recommends installing Fix Pack 15 (7.0.0.15) for WebSphere Application Server. The instructions are here:
      After you install Fix Pack 15, you must also install the JRE patch for that fix pack, following these instructions:
      After installing the fix pack and the patch, you will have the following version of Java JRE:
      java version "1.6.0"
      Java(TM) SE Runtime Environment (build pwi3260sr9ifix-20110208_02(SR9+PM18528+IZ90220+IZ94423))
      IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr9-20101209_70480 (JIT enabled, AOT enabled)
    • Alternatively, you can apply only the patch for the security vulnerability. Go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operating system:

WebSphere Application Server 6.1: To fix the problem, you must apply the patch for the security vulnerability for JRE 6. Go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operating system:

http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html


3. Cubing Services and Data Mining use the copy of Java that is specified in the following directory:
    <ISWarehouse_Home>\Commons\jre

You can confirm which copy of Java is being used by Cubing Services and Data Mining in the Administration Console.
  1. Select the Cubing Services tab and click Manage Cube Servers. A list of available cube servers is displayed.
  2. Select the cube server from the list, then click to start the Edit Cube Server Wizard. Check the Cube Server Java™ VM Properties parameter, and verify the Java path.
To apply the fix, go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operating system:

http://www.ibm.com/developerworks/java/jdk/alerts/cve-2010-4476.html


4. For DB2, follow the directions in this document:

5. For Alphablox, go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operating system:


Document information


More support for:

InfoSphere Warehouse
DWE - Integrated Installer

Software version:

9.7.0, 9.7.1, 9.7.2

Operating system(s):

AIX, HP-UX, Linux, Solaris, Windows

Software edition:

Edition Independent

Reference #:

1470412

Modified date:

2013-04-01
