Security Bulletin: IBM DataQuant is affected by an Open Source Apache Poi vulnerability.

Workarounds and Mitigations

Complete steps 1 - 8 to replace DataQuant’s Apache POI library with the latest version, which is 3.16:

1. Install 7-Zip or other file archiver.

2. Download POI 3.16 (https://archive.apache.org/dist/poi/release/bin/poi-bin-3.16-20170419.zip). Find the following jar files inside the archive:
poi-3.16.jar
poi-ooxml-3.16.jar
poi-ooxml-schemas-3.16.jar
commons-collections4-4.1.jar (under "lib" folder)
commons-codec-1.10.jar (under "lib" folder)
commons-logging-1.2.jar (under "lib" folder)
curvesapi-1.04.jar (under "ooxml-lib" folder)
xmlbeans-2.6.0.jar (under "ooxml-lib" folder)

3. In the DataQuant for Workstation\plugins folder, rename com.ibm.bi.core.poi_2.1.7.20170216.jar to com.ibm.bi.core.poi_2.1.7.20170216.zip and open it in the archiver that you have installed in step 1.
- Remove everything from the "lib" folder.
- Copy the poi-3.16.jar,poi-ooxml-3.16.jar,poi-ooxml-schemas-3.16.jar,xmlbeans-2.6.0.jar,curvesapi-1.04.jar,commons-collections4-4.1.jar files into the "lib" folder.
- Modify the META-INF\MANIFEST-MF file. Instead of:

Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150
511.jar,lib/poi-ooxml-schemas-3.12-20150511.jar,lib/xmlbeans-2.6.0.jar

Type:

Bundle-ClassPath: .,lib/poi-3.16.jar,lib/poi-ooxml-3.16.jar,lib/poi-oo
xml-schemas-3.16.jar,lib/xmlbeans-2.6.0.jar,lib/curvesapi-1.04.jar,lib/commons-collections4-4.1.jar

Make sure that there are spaces at the beginning of the second and the third line.
- Save the changes, close the archiver, and rename com.ibm.bi.core.poi_2.1.7.20170216.zip to com.ibm.bi.core.poi_2.1.7.20170216.jar.

4. In the DataQuant for Workstation\plugins folder, rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar to com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip and open it in the archiver.
- Remove everything from the "lib" folder.
- Copy the poi-3.16.jar,poi-ooxml-3.16.jar,poi-ooxml-schemas-3.16.jar,xmlbeans-2.6.0.jar files into the "lib" folder.
- Modify META-INF\MANIFEST-MF file. Instead of:

Bundle-ClassPath: .,lib/poi-3.12-20150511.jar,lib/poi-ooxml-3.12-20150
511.jar,lib/poi-ooxml-schemas-3.12-20150511.jar,lib/poi-scratchpad-3.12-20150511.jar

Type:

Bundle-ClassPath: .,lib/poi-3.16.jar,lib/poi-ooxml-3.16.jar,lib/poi-oo
xml-schemas-3.16.jar,lib/xmlbeans-2.6.0.jar

Make sure that there is a space at the beginning of the second line.
-Save the changes, close the archiver, and rename com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.zip to com.ibm.rsbi.textanalytics.doc_2.1.7.20170216.jar.

5. In the DataQuant for Workstation\plugins\com.ibm.bi.thirdparty_2.1.7.20170216 folder
- Remove commons-codec-1.6.jar and commons-logging-1.1.3.jar from the "Other" folder.
- Copy commons-codec-1.10.jar and commons-logging-1.2.jar into the the "Other" folder.
- Modify META-INF\MANIFEST.MF. Instead of:

Bundle-ClassPath: Other/mail.jar,Other/DPDFGen.jar,Other/js.jar,Other/
commons-logging-1.1.3.jar,Other/httpclient-4.3.1.jar,Other/httpcore-4
.3.jar,Other/commons-codec-1.6.jar,Other/pdfbox-1.7.0.jar,Other/fontb
ox-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,Other/jackson-core-2
.2.2.jar,Other/jackson-databind-2.2.2.jar,Other/httpmime-4.3.jar

Type:

Bundle-ClassPath: Other/mail.jar,Other/DPDFGen.jar,Other/js.jar,Other/
commons-logging-1.2.jar,Other/httpclient-4.3.1.jar,Other/httpcore-4.3
.jar,Other/commons-codec-1.10.jar,Other/pdfbox-1.7.0.jar,Other/fontbo
x-1.7.0.jar,Other/jackson-annotations-2.2.2.jar,Other/jackson-core-2.
2.2.jar,Other/jackson-databind-2.2.2.jar,Other/httpmime-4.3.jar

Make sure that there are spaces at the beginning of each line (with the exception of the first line)
- Save the changes.

6. Run Data Quant for Workstation with the following command line parameters:

dataquant.exe -clean -clearPersistedState

7. For DataQuant for WebSphere\DataQuantWebSphere21.war, rename DataQuantWebSphere21.war to DataQuantWebSphere21.zip and open it in the file archiver.
Make the changes described in steps #3 and #5 inside the DataQuantWebSphere21.zip\WEB-INF\eclipse\plugins folder
or replace the existing com.ibm.bi.core.poi_2.1.7.20170216.jar and com.ibm.bi.thirdparty_2.1.7.20170216 folders with the updated ones from the workstation version.
- Close file archiver.
- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.war.
- Redeploy DataQuantWebSphere21.war on your web server.

8. For DataQuant for WebSphere\DataQuantWebSphere21.ear, rename DataQuantWebSphere21.ear to DataQuantWebSphere21.zip and open it in the file archiver.
Make the changes described in step #7 for the DataQuantWebSphere21.war file which is inside the DataQuantWebSphere21.zip archive, or replace the existing DataQuantWebSphere21.war with the updated DataQuantWebSphere21.war from step #7.
- Close file archiver.
- Rename DataQuantWebSphere21.zip to DataQuantWebSphere21.ear.
- Redeploy DataQuantWebSphere21.ear on your web server.