September 30, 2010 – Advisory: Data Corruption with NFS mounted file systems

InterSystems has received reports of data corruption in NFS-mounted file systems on IBM AIX-based machines.

The risk is specific to AIX mounted file systems and is independent of the OS hosting the NFS server.

InterSystems recommends that all files involved in the durability of a Caché or Ensemble environment hosted on AIX not be located on NFS-mounted file systems.

This recommendation applies to all versions of Caché, Ensemble and AIX.

InterSystems has supplied IBM with the details of our research including steps to recreate the problem in a test environment.  We will update this advisory as more information becomes available.

If you have further questions regarding this alert, please contact the InterSystems Worldwide Response Center (WRC).


April 15, 2010 – Alert: LDAP Authentication Exploit

InterSystems has corrected a defect that can allow unauthorized users to access a system that employs LDAP for authentication.

This vulnerability:

  • exists for all Caché and Ensemble versions
  • exists for OpenVMS and Unix clients connecting to any LDAP server
  • exists for Windows clients connecting to a non-Active Directory LDAP server
  • does NOT exist for Windows clients connecting to a Windows Active Directory LDAP server

The correction for this defect, identified as STC1759, is included in Maintenance Release 2010.1.1 and will be included in the upcoming Maintenance Release 2009.1.5.  It is also available via Ad Hoc Distribution.

If you have further questions regarding this alert, please contact the InterSystems Worldwide Response Center (WRC).


April 15, 2010 – Update: Database Encryption in VMS/Tru64 Clusters (Encryption not required)

This alert supersedes the alert: “March 5, 2010 – Database Encryption in VMS/Tru64 Clusters”

InterSystems has identified an additional manifestation of the defect identified in the earlier alert. This new case can result in both corruption of cluster-mounted databases and a system becoming unresponsive.

This new situation exists in all Caché and Ensemble versions 5.1 through 2010.1.0, but only on OpenVMS and Tru64 UNIX platforms, and only for databases that are cluster mounted. Note: unlike the manifestation described in the earlier alert, it is NOT necessary for databases to be encrypted in order to be at risk for this problem.

The defect is triggered when a member of the cluster crashes, is forced down, or is stopped without shutting down Caché or Ensemble normally.

As noted before, the correction for this defect is identified as JO2314. This correction is included in Maintenance Release 2010.1.1 and is planned for inclusion in the upcoming 2009.1.5 Maintenance Release. It is also available via Ad Hoc distribution.

Please see the text of the earlier alert for further details:

“March 5, 2010 – Database Encryption in VMS/Tru64 Clusters
InterSystems has corrected a defect that can result in corruption of encrypted databases on OpenVMS and Tru64 UNIX platforms.

This defect exists on all Caché and Ensemble versions 5.1 through 2010.1.0. The defect only exists on OpenVMS and Tru64 UNIX platforms. Only databases that are both encrypted and cluster mounted are at risk.

The defect is triggered when a member of the cluster crashes, is forced down, or is stopped without shutting down Caché normally.

A correction for this defect is available and is identified as JO2314. It will be included in the upcoming release of 2010.1.1 and all future maintenance releases of earlier versions. InterSystems recommends that installations at risk request an Ad Hoc distribution including this correction.

The correction must be installed on all cluster members, and it can be installed as part of a rolling upgrade provided that no encrypted databases are cluster mounted.”

If you have further questions regarding this, please contact InterSystems Worldwide Response Center (WRC).


April 9, 2010 – Alert: VMS/Tru64 Cluster Journal Restore

InterSystems has corrected a defect with cluster journal restore that can result in missing data after dejournalling to cluster mounted databases.  This problem does not affect journal restore to non-cluster mounted databases.  Cluster failover is not at risk for this defect.

Only Caché and Ensemble 2009.1 through 2010.1 are at risk. The defect is present only in clustered environments on OpenVMS and Tru64 UNIX.

The correction for this defect, identified as HYY1544, is included in the Caché and Ensemble 2010.1.1 Maintenance Distribution.  The correction is also available via Ad Hoc distribution.

If you have any questions regarding this, please contact InterSystems Worldwide Response Center (WRC).


April 8, 2010 – Alert: ECP Application Server Hang

InterSystems has corrected a defect that can result in ECP Application Servers becoming unresponsive. This defect is extremely unlikely to be triggered, and it can only occur when the ECP Database Server is experiencing very high ECP traffic.

This defect exists only for Caché and Ensemble 2010.1. It is present for all platforms and operating systems.

The correction for this defect is identified as GK828 and is included in the 2010.1.1 Maintenance Distribution. The correction is also available via Ad Hoc distribution.

If you have further questions regarding this, please contact the InterSystems Worldwide Response Center (WRC).


March 18, 2010 – UPDATE: Advisory, HP-UX Patch Incompatibility

This advisory supersedes the advisory:  “November 10, 2009 – UPDATE: Advisory, HP-UX Patch Incompatibility”

As of January 27, 2010, HP has released the following patches to fix the incompatibility described in the preceding advisories:

PHSS_40537 (for HP-UX 11i v2)
PHSS_40538 (for HP-UX 11i v3)

These patches address the incompatibility on PA-RISC and Itanium platforms. To avoid the problem described in the previous advisory, install the patch indicated above that is appropriate for the version of HP-UX deployed. These patches are available on the HP website.

The issue addressed by these patches is described below and in the previous advisory:

InterSystems has discovered an incompatibility with specific patches for HP-UX that can cause problems with installation, startup, and normal operation of Caché and Ensemble.

These problems exist on both the PA-RISC platform and the Itanium platform.

Only installations on HP-UX 11i v2 (11.23) and HP-UX 11i v3 (11.31) versions are at risk.

All currently released versions of Caché and Ensemble are at risk.

Symptoms of the problem are:

Memory faults (core dumps) generated during Caché or Ensemble startup. Messages regarding these core dumps are displayed during startup. This may also cause startup to fail completely after the core dumps are generated.

Memory faults present in “ccontrol all” output. For example:

Instance Name     Version ID        Port   Directory
-------------     ----------        -----  -----
CACHE             5.2.3.710.0       1973   /usr/cachesys
sh: 538 Memory fault(coredump)

The specific patch family for HP-UX 11i v2 is identified as:

PHSS_38134 (11.23 linker + fdp cumulative patch). This includes all superseding patches up to PHSS_39821.

The specific patch family for HP-UX 11i v3 is identified as:

PHSS_39094 (11.31 linker + fdp cumulative patch). This includes all superseding patches up to PHSS_39822.

If you have further questions regarding this, please contact the InterSystems Worldwide Response Center (WRC).


March 15, 2010 – Advisory – Performance Degradation on Windows Server 2003 64-bit

InterSystems has received reports of 64-bit Caché and Ensemble becoming slow, unresponsive or hung on Windows Server 2003 when a large amount of database and routine cache is configured and memory is not allocated as Windows large pages. This problem is not restricted to any particular version of Caché or Ensemble. This problem has not been observed with Windows Server 2008.

The symptoms occur when the total amount of shared memory configured for Caché or Ensemble exceeds two gigabytes and is not allocated as Windows large pages.  The specific behavior is that key Caché/Ensemble processes, such as the write daemon, spend more and more time in the Windows kernel (visible as %Privileged time in Windows perfmon).  This causes the system to become slow or unresponsive.

To avoid the problem:

  • Upgrading to Windows Server 2008 for compatible Caché and Ensemble versions will avoid the problem. Allocating memory as large pages is still recommended.
  • Caché or Ensemble version 2007.1 or greater:
    • Windows uses the “Lock Pages in Memory” privilege to indicate that memory should be allocated as large pages.  Ensure that the Windows security policy gives the Caché/Ensemble service account the “Lock Pages in Memory” privilege.  A restart of Caché/Ensemble while using large pages typically also requires a restart of Windows to guarantee that the amount of configured memory is allocated.  This should be built into operational procedures.
    • Note: if startup is unable to allocate the full amount of configured memory, it will attempt to start up with less memory and/or without large pages. In versions 2007.1 through 2008.1 this could result in more than 2GB of memory being allocated not as large pages, even with the “Lock Pages in Memory” privilege granted. The actual memory allocated can be checked by reviewing the most recent Caché/Ensemble startup in the cconsole.log.
  • On older versions:
    • The use of large memory pages was introduced with 2007.1.  InterSystems recommends restricting the settings for database cache, routine cache and generic memory heap to a combined total no greater than 1800 megabytes to avoid the problem in this Advisory.

Note: a similar problem was discovered several years ago and corrected by Microsoft (http://support.microsoft.com/kb/908929): the symptoms described in this Advisory occur even with this hotfix installed.

If you have any questions regarding this, please contact the InterSystems Worldwide Response Center (WRC).


March 12, 2010 – Advisory: Symantec Antivirus

This Advisory applies only to Microsoft Windows platforms running Symantec Antivirus.

InterSystems has received numerous reports of Caché and Ensemble for Windows becoming hung or unresponsive on systems running Symantec Antivirus versions earlier than Version 11.

The problem is not limited to any particular versions of Caché or Ensemble.

The problem typically appears during periods of significant database I/O activity, especially database expansion. The exact trigger is unknown.  When this problem occurs, a user process, the Caché write daemon or expansion daemon becomes blocked indefinitely attempting a read or write I/O operation on a CACHE.DAT file, causing the database system to hang.

InterSystems has contacted Symantec and recommends the following actions:

  • All directories containing Caché databases, journal files, and the write image journal should be excluded from the virus scanner.  In addition to being best practice for performance, this has been shown to prevent the problem described here.
  • Customers who are running older versions of Symantec Antivirus should upgrade to the latest version of Symantec Endpoint Protection (but at a minimum to version 11).

While these measures prevent the problem from occurring, they do not allow a system experiencing this hang to resume.  In order to recover a system that is hung in this way, you must force Caché down and restart.

If you have further questions regarding this, please contact the InterSystems Worldwide Response Center (WRC).


March 5, 2010 – Database Encryption in VMS/Tru64 Clusters

InterSystems has corrected a defect that can result in corruption of encrypted databases on OpenVMS and Tru64 UNIX platforms.

This defect exists on all Caché and Ensemble versions 5.1 through 2010.1.0.  The defect only exists on OpenVMS and Tru64 UNIX platforms.  Only databases that are both encrypted and cluster mounted are at risk.

The defect is triggered when a member of the cluster crashes, is forced down, or is stopped without shutting down Caché normally.

A correction for this defect is available and is identified as JO2314. It will be included in the upcoming release of 2010.1.1 and all future maintenance releases of earlier versions. InterSystems recommends that installations at risk request an Ad Hoc distribution including this correction.

The correction must be installed on all cluster members, and it can be installed as part of a rolling upgrade provided that no encrypted databases are cluster mounted.

If you have further questions regarding this, please contact the InterSystems Worldwide Response Center (WRC).


January 14, 2010 – Alert – Caché and Ensemble Security Exploit

InterSystems has corrected a security defect that an attacker could exploit to gain complete control of a system running Caché or Ensemble.

This vulnerability:

  • exists only for Caché and Ensemble versions: 2008.2DS, 2009.x and 2010.1
  • is present on all platforms and operating systems

A correction for this vulnerability for both Caché and Ensemble is available at:

ftp://ftp.intersystems.com/pub/cache/patches/Cache_and_Ensemble_Security_Exploit.zip

InterSystems is providing two methods for correcting this vulnerability: a routine which can be loaded and run to perform the correction, and a manual process which provides more control over individual steps.

The .zip file contains three files:

  • A readme file describing the manual process to correct the vulnerability and instructions for loading and running the routine below.
  • SecurityUpdateDPV3564.xml – the routine which can be loaded and run to correct the vulnerability automatically
  • BIUtils.xml – a new class to be loaded as part of the correction

For reference: this correction is identified internally as DPV3564. This correction will be included in all subsequent releases. If you have further questions regarding this, please contact the InterSystems Worldwide Response Center (WRC).