This document describes how to upgrade Java JRE/JDK for IBM InfoSphere Warehouse 9.7.x, to fix a Java security vulnerability.
On 8 February 2011, Oracle published a security alert (CVE-2010-4476) concerning a vulnerability in class library security. This can be used as a denial-of-service attack against application servers. The Java Runtime Environment hangs when converting "2.2250738585072012e-308" to a binary floating-point number. This same hang occurs if the number is written without scientific notation (324 decimal places).
To fix the problem for InfoSphere Warehouse 9.7.x releases, apply the following patches or fix packs:
1. For the Design Studio, which uses JRE 6, go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operation system:
2. For the Administration Console, the solution depends on which level of WebSphere Application Server you are using:
WebSphere Application Server 7.0: This is the default level that is shipped with InfoSphere Warehouse, and it uses JRE 6. To apply the fix, you have two alternatives:
- IBM recommends installing Fix Pack 15 (22.214.171.124) for WebSphere Application Server. The instructions are here:
- Alternatively, you can apply only the patch for the security vulnerability. Go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operation system:
After you install Fix Pack 15, you must also install the JRE patch for that fix pack, following these instructions:
After installing the fix pack and the patch, you will have the following version of Java JRE:
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr9ifix-20110208_02(SR9+PM18528+IZ90220+IZ94423))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr9-20101209_70480 (JIT enabled, AOT enabled)
WebSphere Application Server 6.1 : To fix the problem, you must apply the patch for the security vulnerability for JRE 6. Go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operation system:
3. Cubing Services and Data Mining use the copy of Java that is specified in the following directory:
You can confirm which copy of Java is being used by Cubing Services and Data Mining in the Administration Console.
- Select the Cubing Services tab and click Manage Cube Servers. A list of available cube servers are displayed.
- Select the cube server from the list, then click to start the Edit Cube Server Wizard. Check the Cube Server Java™ VM Properties parameter, and verify the Java path.
4. For DB2, follow the directions in this document:
5. For Alphablox, go to this document, scroll down to Patch Availability, and follow the instructions for JRE 6 for your operation system: