IBM Platform Symphony 6.1.1 Fix Patch #224587 Readme File
Description
IBM Platform Symphony Standard Edition includes the Apache Struts 2 framework. Security issues related to this framework include Struts 2 security issues (S2-015, S2-016, S2-017, S2-018, S2-019) and a Spring Security issue (CRLF injection).
Apply this fix to resolve these security issues. This fix patch applies only to the following platforms:
· Linux 64-bit/Windows 64-bit/Solaris 64-bit
This patch only includes bug fixes for Symphony sym-6.1.1-sym611_gui_security_patch_224587.zip.
Readme file for: IBM® Platform Symphony
Product/Component Release: 6.1.1
Update Name: Fix pack
Fix ID: sym-6.1.1-build224587
Publication date: 1st Nov 2013
Last modified date: 1st Nov 2013
Contents:
1. Download location
2. Products or components affected
3. System requirements
4. Installation and configuration
5. List of fixes
6. List of files
7. Copyright and trademark information
1. Download location
http://www.ibm.com/eserver/support/fixes/
2. Products or components affected
Product/Component Name, Platform, Fix ID:
Platform Symphony/sym-6.1.1-sym611_gui_security_patch_224587.zip, Linux 64-bit/Windows 64-bit/Solaris 64-bit, sym-6.1.1-build224587.
3. System requirements
None
4. Installation and configuration
4.1 Before installation
1. Stop the WEBGUI service
Log on to the master host as the cluster administrator and run:
1) On Linux or On Solaris
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service stop WEBGUI
2) On Windows
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
2. Move the following files to a backup folder on all management hosts. On Linux or Solaris, you can instead use sym611_apply_224587.sh to execute 4.1.2, 4.2 and 4.4.2.
1) On Linux or on Solaris
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/ognl-2.7.3.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-aop-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-beans-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-context-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-core-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-jdbc-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-orm-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-test-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-tx-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-web-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-core-2.1.8.1.jar
>$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/struts2-core-2.1.8.1.jar
>$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/ognl-2.6.11.jar
>$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/xwork-2.0.4.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-json-plugin-2.1.8.1.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-junit-plugin-2.1.8.1.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-spring-plugin-2.1.8.1.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-security-acl-2.0.5.RELEASE.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-security-core-2.0.5.RELEASE.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-security-taglibs-2.0.5.RELEASE.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/xwork-core-2.1.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml
2) On Windows
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\ognl-2.7.3.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-aop-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-beans-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-context-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-core-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-jdbc-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-orm-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-test-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-tx-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-web-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-core-2.1.8.1.jar
>%SOAM_HOME%\..\gui\perf\1.2.8\perfgui\WEB-INF\lib\struts2-core-2.1.8.1.jar
>%SOAM_HOME%\..\gui\perf\1.2.8\perfgui\WEB-INF\lib\ognl-2.6.11.jar
>%SOAM_HOME%\..\gui\perf\1.2.8\perfgui\WEB-INF\lib\xwork-2.0.4.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-json-plugin-2.1.8.1.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-junit-plugin-2.1.8.1.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-spring-plugin-2.1.8.1.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-security-acl-2.0.5.RELEASE.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-security-core-2.0.5.RELEASE.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-security-taglibs-2.0.5.RELEASE.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\xwork-core-2.1.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\web.xml
4.2 Installation steps
Copy the binaries to the following directories on management hosts:
1) On Linux or On Solaris
$ cp sym611_gui_security_patch_224587.zip $EGO_TOP/
$ unzip -u sym611_gui_security_patch_224587.zip
2) On Windows
> copy sym611_gui_security_patch_224587.zip %SOAM_HOME%\..\
> unzip -u sym611_gui_security_patch_224587.zip
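Added example (not part of IBM's readme and not the contents of sym611_apply_224587.sh): a POSIX shell version of step 4.1.2 for Linux or Solaris, plus a check to run after step 4.2. `unzip -u` only creates or updates files and never deletes any, so an old jar that was not moved away stays in WEB-INF/lib alongside whatever the patch adds. The function names and the backup directory are hypothetical, and the check skips web.xml on the assumption that the patch installs a new web.xml at the same path.

```shell
#!/bin/sh
# Added example, not IBM's script. File names come from the list in step 4.1.2.
SYMGUI=gui/soam/6.1.1/symgui/WEB-INF
PERFGUI=gui/perf/1.2.8/perfgui/WEB-INF
SYM_JARS="ognl-2.7.3 spring-aop-2.5.6 spring-beans-2.5.6 spring-context-2.5.6
spring-core-2.5.6 spring-jdbc-2.5.6 spring-orm-2.5.6 spring-test-2.5.6
spring-tx-2.5.6 spring-web-2.5.6 struts2-core-2.1.8.1 struts2-json-plugin-2.1.8.1
struts2-junit-plugin-2.1.8.1 struts2-spring-plugin-2.1.8.1
spring-security-acl-2.0.5.RELEASE spring-security-core-2.0.5.RELEASE
spring-security-taglibs-2.0.5.RELEASE xwork-core-2.1.6"
PERF_JARS="struts2-core-2.1.8.1 ognl-2.6.11 xwork-2.0.4"

# Print every old jar from the readme list, relative to EGO_TOP, one per line.
old_jars() {
    for j in $SYM_JARS;  do echo "$SYMGUI/lib/$j.jar";  done
    for j in $PERF_JARS; do echo "$PERFGUI/lib/$j.jar"; done
}

# backup_old_files EGO_TOP BACKUP_DIR
# Move the old jars and web.xml into BACKUP_DIR, keeping their relative
# paths so that step 4.4.2 can copy them straight back.
backup_old_files() {
    top=$1; dest=$2
    for rel in $(old_jars) "$SYMGUI/web.xml"; do
        [ -f "$top/$rel" ] || continue        # already moved or never present
        mkdir -p "$dest/$(dirname "$rel")" && mv "$top/$rel" "$dest/$rel" || return 1
    done
}

# remaining_old_jars EGO_TOP
# Print each old jar that is still present under EGO_TOP. web.xml is not
# checked (assumption: the patch puts a new web.xml at the same path).
remaining_old_jars() {
    for rel in $(old_jars); do
        [ ! -f "$1/$rel" ] || echo "$rel"
    done
}
```

Run `backup_old_files "$EGO_TOP" <backup dir>` on each management host before step 4.2 and `remaining_old_jars "$EGO_TOP"` after it; any line printed names an old library that is still on the GUI classpath.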
4.3 After installation
1. Clean up the GUI work directory and the browser cache on all management hosts.
To clean up the GUI work directory, delete all subdirectories and files in this directory:
1) On Linux or Solaris
$ source $EGO_TOP/cshrc.platform
$ rm -rf $EGO_TOP/gui/work/*
2) On Windows
> del /f /s /q %SOAM_HOME%\..\gui\work\*
2. Start the WEBGUI service
Log on to the master host as the cluster administrator and run:
1) On Linux or On Solaris
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service start WEBGUI
2) On Windows
> egosh user logon -u Admin -x Admin
> egosh service start WEBGUI
4.4 Uninstalling
1. Stop the WEBGUI service
Log on to the master host as the cluster administrator and run:
1) On Linux or on Solaris
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service stop WEBGUI
2) On Windows
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
2. Restore the following files on all management hosts with the backed-up files
1) On Linux or on Solaris
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/ognl-2.7.3.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-aop-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-beans-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-context-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-core-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-jdbc-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-orm-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-test-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-tx-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-web-2.5.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-core-2.1.8.1.jar
>$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/struts2-core-2.1.8.1.jar
>$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/ognl-2.6.11.jar
>$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/xwork-2.0.4.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-json-plugin-2.1.8.1.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-junit-plugin-2.1.8.1.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-spring-plugin-2.1.8.1.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-security-acl-2.0.5.RELEASE.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-security-core-2.0.5.RELEASE.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/spring-security-taglibs-2.0.5.RELEASE.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/xwork-core-2.1.6.jar
>$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml
2) On Windows
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\ognl-2.7.3.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-aop-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-beans-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-context-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-core-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-jdbc-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-orm-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-test-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-tx-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-web-2.5.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-core-2.1.8.1.jar
>%SOAM_HOME%\..\gui\perf\1.2.8\perfgui\WEB-INF\lib\struts2-core-2.1.8.1.jar
>%SOAM_HOME%\..\gui\perf\1.2.8\perfgui\WEB-INF\lib\ognl-2.6.11.jar
>%SOAM_HOME%\..\gui\perf\1.2.8\perfgui\WEB-INF\lib\xwork-2.0.4.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-json-plugin-2.1.8.1.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-junit-plugin-2.1.8.1.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\struts2-spring-plugin-2.1.8.1.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-security-acl-2.0.5.RELEASE.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-security-core-2.0.5.RELEASE.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\spring-security-taglibs-2.0.5.RELEASE.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\lib\xwork-core-2.1.6.jar
>%SOAM_HOME%\..\gui\soam\6.1.1\symgui\WEB-INF\web.xml
3. Clean up the GUI work directory and the browser cache on all management hosts.
To clean up the GUI work directory, delete all subdirectories and files in this directory:
1) On Linux or Solaris
$ source $EGO_TOP/cshrc.platform
$ rm -rf $EGO_TOP/gui/work/*
2) On Windows
> del /f /s /q %SOAM_HOME%\..\gui\work\*
4. Start the WEBGUI service
Log on to the master host as the cluster administrator and run:
1) On Linux or On Solaris
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service start WEBGUI
2) On Windows
> egosh user logon -u Admin -x Admin
> egosh service start WEBGUI
5. List of fixes
<SR#> [no]: Fix Struts 2 & Spring Security Issue.
6. List of files
· sym611_gui_security_patch_224587.zip
7. Copyright and trademark information
© Copyright IBM Corporation 2013
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.