IBM Platform Symphony Interim Fix #375368 Readme File

Abstract

Apache Commons Collections requires update to 3.2.2 to fix COLLECTIONS-580.

Description

Apache Commons Collections requires update to 3.2.2 to fix COLLECTIONS-580. The specific problem with COLLECTIONS-580 is that serialization support for unsafe classes in the functor package is disabled by default as this can be exploited for remote code execution attacks. To re-enable the feature the system property "org.apache.commons.collections.enableUnsafeSerialization" needs to be set to "true". Classes considered to be unsafe are: CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, InvokerTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure.

After applying this fix, there is no longer a security issue.

This solution applies to all supported platforms.


Readme file for: IBM® Platform Symphony

Product/Component Release: 5.2, 6.1.0.1, 6.1.1, and 7.1 Fix Pack 1

Update Name: Interim Fix 375368

Interim Fix ID: sym-build375368

Publication date: 30 November 2015

Last modified date: 30 November 2015

 

Contents:

1.     List of fixes

2.     Download location

3.     Products or components affected

4.     Installation and configuration

5.     List of files

6.     Copyright and trademark information

1.   List of fixes

APAR: P101497

2.   Download location

Download this fix from the following location: http://www.ibm.com/eserver/support/fixes/

3.   Products or components affected

Product/Component Name, Platform, Fix ID:

Platform Symphony/GUI, PERF, MapReduce, all, sym-build375368

4.   Installation and configuration

4.1 Before installation

1. Shut down the cluster.

Log on to the host as the cluster administrator and run:

> source $EGO_TOP/cshrc.platform

> soamcontrol app disable all

> egosh service stop all

> egosh ego shutdown all

2. Back up the existing Apache Commons Collections .jar files.

Back up the existing Apache Commons Collections .jar files on all hosts in the cluster. Ensure you back up to a different directly. Do not back up to the same folder, even if you rename the .jar files.

The following steps use a Platform Symphony 6.1.1 cluster as an example:

For Linux 64-bit hosts:

> cp $EGO_TOP/gui/1.2.8/lib/commons-collections-3.2.1.jar $EGO_TOP/gui/1.2.8/

> cp $EGO_TOP/perf/1.2.8/lib/commons-collections-3.1.jar $EGO_TOP/perf/1.2.8

> cp $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/lib/commons-collections-3.2.1.jar $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/

4.2 Installation steps

 

1.     Log on to all hosts in the cluster and replace your existing Apache Commons Collections .jar files with the downloaded ones in the following directory.

The following steps use a Platform Symphony 6.1.1 cluster as an example:      

For Linux 64-bit hosts:

> rm ¨Crf $EGO_TOP/gui/1.2.8/lib/commons-collections-3.2.1.jar

> cp commons-collections-3.2.2.jar $EGO_TOP/gui/1.2.8/lib/

> rm ¨Crf $EGO_TOP/perf/1.2.8/lib/commons-collections-3.1.jar

> cp commons-collections-3.2.2.jar $EGO_TOP/perf/1.2.8/lib/

> rm ¨Crf $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/lib/commons-collections-3.2.1.jar

> cp commons-collections-3.2.2.jar $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/lib/

4.3 After installation

 

1. Start the cluster.

> source $EGO_TOP/cshrc.platform

> egosh ego start all

 
4.4 Uninstalling

1. Shut down the cluster.

Log on to the host as the cluster administrator and run:

> source $EGO_TOP/cshrc.platform

> soamcontrol app disable all

> egosh service stop all

> egosh ego shutdown all

2. Restore the backup files.

Log on to all hosts in the cluster and restore the backup jar files:

The following steps use a Platform Symphony 6.1.1 cluster as an example:

For Linux 64-bit hosts:

> cp $EGO_TOP/gui/1.2.8/commons-collections-3.2.1.jar $EGO_TOP/gui/1.2.8/lib/

> cp $EGO_TOP/perf/1.2.8/commons-collections-3.1.jar $EGO_TOP/perf/1.2.8/lib/

> cp $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/commons-collections-3.2.1.jar $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/lib/

> rm $EGO_TOP/gui/1.2.8/lib/commons-collections-3.2.2.jar

> rm $EGO_TOP/perf/1.2.8/lib/commons-collections-3.2.2.jar

> rm $EGO_TOP/soam/mapreduce/6.1.1/linux2.6-glibc2.3-x86_64/lib/commons-collections-3.2.2.jar

3. Start the cluster and enable the application.

> source $EGO_TOP/cshrc.platform

> egosh ego start all

5.   List of files

 

commons-collections-3.2.2.jar

6.   Copyright and trademark information

 

© Copyright IBM Corporation 2015

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.