IBM InfoSphere Master Information Hub v9.0.2.40 Readme


Abstract

IBM® InfoSphere™ Master Information Hub for WebLogic® and IBM WebSphere® Application Server Version 9.0.2.40, including installation-related instructions, prerequisites and co-requisites, and the list of fixes.

Readme file for: IBM InfoSphere Master Information Hub for Weblogic® and WebSphere® Application Server
Product/Component Release: 9.0.2
Update Name: 9.0.2.40
Fix ID: MIH_9.0.2.40_hotfix_WAS, MIH_9.0.2.40_hotfix_WL

Contents

Download location
Prerequisites and co-requisites
Installation information:
   Prior to installation
   Installing
   Important Changes
Contacting IBM Software support
List of fixes
Copyright and trademark information

Download location

Download fixes from Fix Central (select Information Management -> InfoSphere MIH -> 9.0.2 -> AIX)
http://www-933.ibm.com/support/fixcentral/

Below is a list of product/component names, platforms, and file names that apply to this readme file.

Product/Component Name                      Platform                      File Name
InfoSphere Master Information Hub 9.0.2.40  WebSphere Application Server  MIH90240_WAS.jar
InfoSphere Master Information Hub 9.0.2.40  WebLogic                      MIH90240_WL.jar


Prerequisites and co-requisites

This is a roll-up fix that contains all the fixes from 9.0.2.1 to 9.0.2.39. It can be installed directly on top of MDM 9.0.2, or any hot fix from 9.0.2.1 to 9.0.2.39.


Installation information:

Prior to installation

Client customizations or extensions may impact the update process. Please consider the impact of custom configurations and extensions before proceeding with the update of this hot fix to your environments.

Installing

To install, replace or merge the assets (such as jars, properties files, XSDs, etc.) in your environment with the assets included in this hot fix, execute the provided scripts (if any) and redeploy. Remember to make a backup of the original environment before applying the hot fix in case there is cause to roll back the hot fix. For more details on how to deploy a hot fix, please refer to the document 'DeployFix_Guidelines.pdf'.

UIs installation (iFix90235):

**************************

The fix uses the "Double Submit Cookies" technique described in the XSRF Prevention Cheat Sheet. When the server receives a POST request from the client, it checks whether the request contains a csrfToken parameter (which is the session ID). If it matches the server's value, the request continues; otherwise, the filter redirects to the page specified in the filter. With this fix, the UI needs to add a new hidden field within all form tags so that the csrfToken is included in its requests.

 

Steps to apply fix (for non-customized UI):

1. Go to the WAS Admin Console, then go to Servers -> Server Types -> WebSphere application servers, and stop the UI instance (BAUI).

2. Go to Applications -> Application Types -> WebSphere enterprise applications, and export the original UI .ear file.

3. Open propertiesUI.jar in the new UI .ear file and change the default UI settings by copying mdmUIConfiguration.properties from the original propertiesUI.jar over the new mdmUIConfiguration.properties.

4. Go to Applications -> Application Types -> WebSphere enterprise applications, and update with the new UI .ear file.

5. Go to System administration -> Save changes to master repository, check Synchronize changes with Nodes and click Save.

6. Go to Servers -> Server Types -> WebSphere application servers, and start the UI instance.

Steps to apply fix (for customized UI):

1. Adjust SessionFilter.java (in the CommonUIUtilities/src/com.ibm.mdm.ui.filter and CommonUIModel/src/com.ibm.mdm.ui.filter packages) by adding the following section of code in the "doFilter" method, after the closing of the "if(httpSession == null)" block, so that the CSRF check is only done when there is a valid session:

    // Requires java.util.Enumeration. httpSession, httpRequest, httpResponse,
    // url and logger are the variables already in scope in doFilter.
    // Check to see if the csrfToken in the session is up to date
    String sessionId = httpSession.getId();
    String idInSession = (String) httpSession.getAttribute("csrfToken");
    if (idInSession == null || idInSession.compareTo(sessionId) != 0) {
        httpSession.setAttribute("csrfToken", sessionId);
        logger.info("Updated csrfToken in session");
    }
    // Check the CSRF token on POST requests, except for the container
    // login and logout URLs, which carry no csrfToken field
    String requestMethodType = httpRequest.getMethod();
    if (requestMethodType.compareToIgnoreCase("POST") == 0
            && !url.endsWith("j_security_check")
            && !url.endsWith("ibm_security_logout")) {
        logger.info("Handling a POST request");
        // This is a POST request, so the csrfToken parameter must match the session ID.
        // getParameterNames() returns a raw Enumeration on Servlet 2.5, so cast each element.
        Enumeration<?> namesEnum = httpRequest.getParameterNames();
        boolean isTokenMatched = false;
        while (namesEnum.hasMoreElements()) {
            String paramName = (String) namesEnum.nextElement();
            // JSF renders the hidden field as "<formId>:csrfToken", hence endsWith
            if (paramName.endsWith("csrfToken")) {
                String csrfToken = httpRequest.getParameter(paramName);
                if (csrfToken != null && csrfToken.compareTo(sessionId) == 0) {
                    isTokenMatched = true;
                    break;
                }
            }
        }
        if (!isTokenMatched) {
            logger.error("CSRF Token not found");
            httpResponse.sendRedirect(httpRequest.getContextPath() + "/faces/login.jsp");
            return;
        }
        logger.info("CSRF Token matches session ID");
    }

2. Apply the following code in all .jsp pages where there is a "</h:form>" tag (you can simply search for the tag):

<h:inputHidden id="csrfToken" value="#{csrfToken}"></h:inputHidden>

3. Restart the server and republish.
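The filter logic from step 1 and the hidden field from step 2, modelled in Python as an added example (not code from the hot fix or from IBM) so the decision rules can be exercised offline: the Request and Session classes are constructed stand-ins for HttpServletRequest and HttpSession, and the /mdmui context path is assumed.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

LOGIN_PAGE = "/faces/login.jsp"  # redirect target used by the fix
EXEMPT_SUFFIXES = ("j_security_check", "ibm_security_logout")


@dataclass
class Session:
    """Stand-in for HttpSession: an ID plus its attribute map."""
    session_id: str
    attributes: Dict[str, str] = field(default_factory=dict)


@dataclass
class Request:
    """Stand-in for HttpServletRequest (constructed, not the servlet API)."""
    method: str
    url: str
    params: Dict[str, str]
    session: Optional[Session]
    context_path: str = "/mdmui"  # assumed context root


def sync_csrf_token(session: Session) -> bool:
    """First block of the fix: keep the 'csrfToken' session attribute equal
    to the current session ID (this is the value #{csrfToken} renders).
    Returns True when the attribute had to be (re)written."""
    if session.attributes.get("csrfToken") != session.session_id:
        session.attributes["csrfToken"] = session.session_id
        return True
    return False


def csrf_check(req: Request) -> Optional[str]:
    """Second block of the fix. Returns None to let the request continue,
    or the URL the filter would redirect to.

    Rules as stated in the readme: no check without a session (that case is
    handled by the existing httpSession == null branch), no check for
    non-POST requests or for the j_security_check / ibm_security_logout
    URLs; otherwise some parameter whose name ends with 'csrfToken' (JSF
    renders the hidden field as '<formId>:csrfToken') must equal the ID."""
    if req.session is None:
        return None
    sync_csrf_token(req.session)
    if req.method.upper() != "POST" or req.url.endswith(EXEMPT_SUFFIXES):
        return None
    for name, value in req.params.items():
        if name.endswith("csrfToken") and value == req.session.session_id:
            return None
    return req.context_path + LOGIN_PAGE
```

The stale-token case (attribute left over from an earlier session ID) shows why the first block refreshes the attribute before the check runs.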

Important Changes

o       For the PMR 78313,211,788 fix, please apply the attached fixed 'DWLMessagingAdapter.properties' in the properties.jar inside the MDM ear file. By default, the delivery mode in the JMS header is set to 'PERSISTENT'. If the client would like to set the delivery mode to 'NON_PERSISTENT', please configure it in DWLMessagingAdapter.properties.


o       In addition to the code change for PMR#15435,211,788, the following config entry needs to be added to DWLCommon_extension.properties and tcrm_extension.properties: CurrentDateTime_To_SystemCurrentTimestamp=false
If you do not choose this option, the config entry does not have to be added. When EndDate is the current date, the MDM Server default behavior is to ignore the time portion and convert the current date and time to the current timestamp.


o       Please check the following details regarding the MDM Server Information Center security issue and how to apply the attached fixes:


*************

TITLE: Security Bulletin: Open Redirect and Cross-Site Scripting Vulnerabilities in the locally installable IBM® InfoSphere™ Master Data Management Server Information Center (CVE-2012-2159, CVE-2012-2161)

 

SUMMARY: The installed InfoSphere MDM Server Information Center gives you local access to all of the information that you need to take full advantage of InfoSphere MDM Server. Some scripts in the help system used by the InfoSphere MDM Server Information Center are vulnerable to open redirect or cross-site scripting attacks.

 

This security bulletin only applies to the locally installed InfoSphere MDM Server Information Center and not the core InfoSphere MDM Server product. If you do not have an information center installed on a local or intranet system, then this security bulletin is not applicable.

 

VULNERABILITY DETAILS:

CVE ID: CVE-2012-2159

DESCRIPTION: Some scripts used by the help system are vulnerable to redirects from trusted to untrusted web sites when users click a malicious link.

CVSS:

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74832 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2161

DESCRIPTION: Some scripts used by the help system are vulnerable to cross-site scripting attacks. An attacker could potentially exploit this vulnerability to collect user credentials or cookie data when users click a malicious link.

CVSS:

CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/74833 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

 

 

AFFECTED PLATFORMS:

The following locally installed IBM InfoSphere MDM Server Information Center editions running on Linux, AIX, and Windows are affected by this security bulletin:

IBM® InfoSphere™ MDM Server 9.0.2 Information Center

REMEDIATION: The recommended solution is to apply the fix for each named product as soon as practical. Please see below for information on the fixes available.

Fix:

The fix for this vulnerability is available for download for InfoSphere MDM Server Information Center release v9.0.2.

The package for each version includes the patch for the base information center code.

Product Version  Platform      Patch file name
9.0.2            Windows       IBM-Help-Win32_patch4_3.4.3.v20120416-1215.zip
9.0.2            AIX or Linux  IBM-Help-AIX64(LINUX32)_patch4_3.4.3.v20120416-1215.tar

Installing the patch on your local system:

1. Download the patch for the applicable InfoSphere MDM Server information center version and platform from the following URL: XXX

2. Stop the information center if it is running:
   a) Navigate to the information center installation directory, then go to ...\MDMserver_IC\ibm_help\
   b) Run the stop script. The name of this script will differ depending on the version, but will be either IC_end.bat or stop_infocenter.bat.
   c) Wait for the information center process to end.

3. Extract the patch.

4. Copy all of the extracted folders and files to your original information center installation directory. This will overwrite several files in the ...\MDMserver_IC\ibm_help\eclipse\plugins\ directory.

5. Restart the information center:
   a) Navigate to the information center installation directory, then go to ...\MDMserver_IC\ibm_help\
   b) Run the start script. The name of this script will differ depending on the version, but will be either IC_start.bat or start_infocenter.bat.

Workarounds: None known; apply fixes.

Mitigations: If applying the fix is not possible or feasible, then uninstall the locally installed information center and use the information centers available on ibm.com:

V9.0.2: http://publib.boulder.ibm.com/infocenter/mdm/v9r0m2/index.jsp

Alternately, you can use the PDF versions of the documentation that were installed with the InfoSphere MDM Server product installation.

REFERENCES:

·   Complete CVSS Guide
·   On-line Calculator V2
·   X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/74832)
·   X-Force Vulnerability Database (http://xforce.iss.net/xforce/xfdb/74833)

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


*************

o       Besides applying EventManager.jar in the iFix for PMR#20021,082,000, the following entry needs to be added to EventManager.properties to use the 2 new SQLs with literal values of EventStatus: EventStatus_LiteralValue_SQL_Enabled=true
If the value is false or the config entry is not added to EventManager.properties, MDM Server functions the same as before, using the original parameterized EventStatus SQL.

Contacting IBM Software support

IBM Software Support provides assistance with product defects.

Before you submit your problem to IBM Software Support, ensure that your company has an active IBM software maintenance contract, and that you are authorized to submit problems to IBM. The type of software maintenance contract that you need depends on the type of product you have.

Product support can be obtained through the following methods.

On the Web

Go to http://www.ibm.com/software/data/masterdata/customer/
and click Support on the left side of the page.

By Telephone

If you are in North America, call 1-800-IBM-SERV (1-800-426-7378)

If you are outside of North America, check the Web page http://www.ibm.com/planetwide/ for contact information for your area.


List of fixes

 

No.  Incident/PMR         Description
 1   PMR#43548,057,649    Fixed code to avoid a null error message generated by RequestParserFactory and enhanced the batch framework to process the exception properly for a null error message.
 2   PMR#43475,211,788    Fixed code to close the JMS queue connection in DWLMessagingAdapter when an exception occurs.
 3   PMR#53528,057,649    Fixed code to resolve the SQLCODE -301 error by properly matching Java types in SQL parameters.
 4   PMR#76331,211,788    Fixed code to enable the following services to return default settings (if any) with inquiry level 1: getAllContractRoleLocationPrivacyPreferences, getAllPartyAddressPrivacyPreferences and getAllPartyContactMethodPrivacyPreferences.
 5   PMR#78313,211,788    Fixed code to allow the client to set the delivery mode in the JMS header when using a Generic JMS Provider.
 6   PMR#78803,211,788    Fixed code to handle the exception properly when a DWLControl field length exceeds the DB field length in TAIL.
 7   PMR#16166,057,649    Fixed code to avoid the SQL -301 error on the DB2 z/OS platform.
 8   PMR#04680,999,832    Fixed code to avoid memory issues in StringBuilderCache.
 9   PMR#04783,999,832    Fixed code to avoid NotSerializableException when using TAIL in Async mode in the request XML.
10   PMR#15435,211,788    Fixed code to provide an option for users not to convert EndDate to the current timestamp when EndDate is the current date. (Please refer to Important Changes for additional details.)
11   PMR#15269,211,788    Fixed code not to send a notification when the notification type is expired.
12   N/A                  Fixed the security issue (e.g. open redirect or cross-site scripting attacks) in the InfoSphere MDM Server Information Center, a browser-based Eclipse plugin that stores the documentation. This security patch only applies to the locally installed InfoSphere MDM Server Information Center and not the core InfoSphere MDM Server product. If you do not have an information center installed on a local or intranet system, then this security patch is not applicable.
13   PMR#04802,999,832    Fixed code to resolve a NullPointerException when running the getAllProductTypes transaction.
14   PMR#50255,047,649    Fixed code to make StatusConverter pluggable.
15   PMR#20021,082,000    Fixed code to add 2 SQLs with literal values of EventStatus to improve performance on the DB2 for z/OS platform. (Please refer to Important Changes for additional details on applying the iFix.)
16   PMR#30469,379,000    Fixed code to solve a SAXParseException while updating a spec value with "&amp;" in the <value> tag.
17   PMR#76481,057,649    Fixed code to ensure thread safety while populating "externalTxnKeyMap" data in the TAIL component.
18   PMR#50179,211,788    Fixed code to optimize the deletePartyAddress method in TCRMPartyAddressComponent.
19   PMR#17767,211,788    Corrected the error message content of message type 2032 in the CDERRMESSAGETP database table.
20   N/A                  iFix 90231 does not contain any fix. The purpose of this iFix is to make the MIH iFix level consistent with the MDM iFix level.
21   PMR#71164,019,866    Fixed code to avoid DWLDuplicateKeyException for TAIL in synchronous mode.
22   N/A                  iFix 90233 does not contain any fix. The purpose of this iFix is to make the MIH iFix level consistent with the MDM iFix level.
23   N/A                  Fixed a security vulnerability in the MDM Server HTML documentation generated by the Javadoc tool. Please refer to this documentation link for more information regarding the security vulnerability: http://www-01.ibm.com/support/docview.wss?uid=swg21641206.
24   N/A                  iFix 90236 does not contain any fix. The purpose of this iFix is to make the MIH iFix level consistent with the MDM iFix level.
25   PMR#71164,019,866    Fixed code to solve a transaction timeout exception while loading a code table with a large data volume.
26   PMR#77707,999,649    Fixed code not to send empty TAIL messages to the JMS destination when TAIL is disabled for a transaction.
27   PMR#26239,211,788    Fixed the inquiry SQL statement when running the getAllAnswerSet/getAllAnswerSetsByQuestionnaire transaction with the ACTIVE filter.

Copyright and trademark information

http://www.ibm.com/legal/copytrade.shtml

Notices

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Microsoft, Windows, and Windows Server are trademarks of Microsoft Corporation in the United States, other countries, or both.

Intel, Intel logo, Intel Inside, Intel Inside logo, Intel Centrino, Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Other company, product, or service names may be trademarks or service marks of others.

THIRD-PARTY LICENSE TERMS AND CONDITIONS, NOTICES AND INFORMATION

The license agreement for this product refers you to this file for details concerning terms and conditions applicable to third party software code included in this product, and for certain notices and other information IBM must provide to you under its license to certain software code. The relevant terms and conditions, notices and other information are provided or referenced below. Please note that any non-English version of the licenses below is unofficial and is provided to you for your convenience only. The English version of the licenses below, provided as part of the English version of this file, is the official version.

Notwithstanding the terms and conditions of any other agreement you may have with IBM or any of its related or affiliated entities (collectively "IBM"), the third party software code identified below are "Excluded Components" and are subject to the following terms and conditions:

 


© Copyright IBM Corporation 2011. All Rights Reserved.