Readme File for IBM® Spectrum Symphony 7.1.2 Interim Fix 462733

Readme file for: IBM Spectrum Symphony

Product/Component Release: 7.1.2

Update Name: Interim Fix 462733

Fix ID: sym-7.1.2-build462733

Publication date: August 18, 2017

This readme file provides guidance on upgrading Apache Struts to version 2.3.33 in IBM Spectrum Symphony 7.1.2 to fix security vulnerability CVE-2017-9787.

Contents

1.   List of Fixes

2.   Download location

3.   Products or components affected

4.   Installation and configuration

5.   Uninstallation

6.   Copyright and trademark information

1.    List of Fixes

APAR: P102315

2.    Download location

Download interim fix 462733 from the following location: https://www.ibm.com/eserver/support/fixes/

3.    Products or components affected

Component name, Platform, Fix ID:

PMC, Linux-x86_64/Windows-x86_64, sym-7.1.2-build462733

4.    Installation and configuration

Follow these steps to upgrade Struts in a cluster with IBM Spectrum Symphony 7.1.2 installed:

Before installation

1.      Log on to each management host in the cluster and download the struts-2.3.33-lib.zip package from the following location:

http://archive.apache.org/dist/struts/2.3.33/struts-2.3.33-lib.zip

2.      Stop the cluster management console service (WEBGUI):

> egosh user logon -u Admin -x Admin  

> egosh service stop WEBGUI

3.      For recovery purposes, move the files corresponding to your host operating system to a backup directory.

o   If you upgraded Struts to 2.3.32 according to the IBM Security Bulletin, use the following commands:

> mkdir -p /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-digester-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-logging-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/

o   If you did not upgrade Struts to 2.3.32, use the following commands:

> mkdir -p /tmp/guibackup/egogui

> mkdir -p /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-digester-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-fileupload-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-io-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-lang3-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-logging-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/org.apache.commons-io-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/freemarker-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/javassist-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/ognl-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/xstream-*.jar /tmp/guibackup/egogui/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/velocity-1.5.jar /tmp/guibackup/egogui/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/

Installation

On each management host, unzip the struts-2.3.33-lib.zip package and copy the files for your host operating system to your cluster directory.

o   If you upgraded Struts to 2.3.32 according to the IBM Security Bulletin, use the following commands:

> unzip -u struts-2.3.33-lib.zip

> cd struts-2.3.33/lib/

> cp commons-digester-2.0.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-logging-1.1.3.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-core-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-json-plugin-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-spring-plugin-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp xwork-core-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-core-2.3.33.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp xwork-core-2.3.33.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

o   If you did not upgrade Struts to 2.3.32, use the following commands:

> unzip -u struts-2.3.33-lib.zip

> cd struts-2.3.33/lib/

> cp commons-digester-2.0.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-io-2.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-lang3-3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-logging-1.1.3.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp javassist-3.11.0.GA.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp ognl-3.0.19.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-core-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-json-plugin-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-spring-plugin-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp xwork-core-2.3.33.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp xstream-1.4.8.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/

> cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp ognl-3.0.19.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp struts2-core-2.3.33.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp xwork-core-2.3.33.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/
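The following script is an added example, not part of the IBM readme. It confirms on a management host that each lib directory holds the 2.3.33 Struts jars named in the commands above and that no older copy matched by the backup globs is still present, since a leftover jar would remain loadable by the GUI. The function names are hypothetical, and it assumes EGO_TOP and EGO_VERSION are set as in the commands above.

```shell
#!/bin/sh
# Added example (not part of the IBM readme). Jar names and directories are
# the ones used in the Installation commands; function names are hypothetical.

# check_family DIR GLOB EXPECTED
# Succeeds only if EXPECTED exists in DIR and is the sole file matching GLOB.
check_family() {
    dir=$1; glob=$2; expected=$3; rc=0
    [ -f "$dir/$expected" ] || { echo "MISSING  $dir/$expected"; rc=1; }
    for f in "$dir"/$glob; do
        [ -e "$f" ] || continue                    # glob matched nothing
        [ "${f##*/}" = "$expected" ] && continue   # the jar we want
        echo "LEFTOVER $f"; rc=1                   # an older copy remains
    done
    return $rc
}

# check_struts_core DIR: jars copied into both the GUI and perfgui lib dirs.
check_struts_core() {
    bad=0
    check_family "$1" 'struts2-core-*.jar' struts2-core-2.3.33.jar || bad=1
    check_family "$1" 'xwork-core-*.jar' xwork-core-2.3.33.jar || bad=1
    return $bad
}

# check_struts_plugins DIR: plugin jars copied into the GUI lib dir only.
check_struts_plugins() {
    bad=0
    check_family "$1" 'struts2-json-plugin-*.jar' struts2-json-plugin-2.3.33.jar || bad=1
    check_family "$1" 'struts2-spring-plugin-*.jar' struts2-spring-plugin-2.3.33.jar || bad=1
    return $bad
}

# Run against the cluster only when the EGO environment is loaded.
if [ -n "${EGO_TOP:-}" ] && [ -n "${EGO_VERSION:-}" ]; then
    gui_lib=$EGO_TOP/gui/$EGO_VERSION/lib
    perf_lib=$EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib
    result=OK
    check_struts_core "$gui_lib" || result=FAILED
    check_struts_plugins "$gui_lib" || result=FAILED
    check_struts_core "$perf_lib" || result=FAILED
    echo "Struts 2.3.33 jar check: $result"
fi
```

A FAILED result lists each missing or leftover jar; resolve those before the WEBGUI service is started again.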

After installation

1.      On each management host, delete all subdirectories and files in the GUI work directory:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

2.      Clear your browser cache.

3.      Log on to the master host as the cluster administrator and start the WEBGUI service:

> egosh user logon -u Admin -x Admin

> egosh service start WEBGUI

5.    Uninstallation

If required, follow these steps to uninstall the Struts upgrade in the IBM Spectrum Symphony 7.1.2 cluster:

1.      Log on to the master host as the cluster administrator and stop the WEBGUI service:

> egosh user logon -u Admin -x Admin

> egosh service stop WEBGUI

2.      Delete all the .jar files that were introduced by this interim fix.

3.      On each management host, restore your backup files:

> mv /tmp/guibackup/*.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> mv /tmp/guibackup/perfgui/*.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> mv /tmp/guibackup/egogui/*.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/

4.      On each management host, delete all subdirectories and files in the GUI work directory:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

5.      Clear your browser cache.

6.      Log on to the master host as the cluster administrator and start the WEBGUI service:

> egosh user logon -u Admin -x Admin

> egosh service start WEBGUI

6.    Copyright and trademark information

© Copyright IBM Corporation 2017

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.