Readme File for IBM® Platform Symphony 6.1.1 Interim Fix 468914

Readme File for: IBM Platform Symphony

Product Release: 6.1.1

Update Name: Interim Fix 468914

Fix ID: sym-6.1.1-build468914

Publication Date: September 18, 2017

This readme file provides guidance on upgrading Apache Struts to version 2.3.34 in IBM Platform Symphony 6.1.1 in order to fix Struts security vulnerabilities CVE-2017-12611, CVE-2017-9804, CVE-2017-7672, CVE-2017-9787 and CVE-2017-9791.

Contents

1. List of fixes

2. Download location

3. Product and components affected

4. Installation and configuration

5. List of files

6. Copyright and trademark information

1.     List of fixes

APAR: P102379

2.     Download location

Download interim fixes 468914 and 446371 from the following location: https://www.ibm.com/eserver/support/fixes/

3.     Product and components affected

Component name, Platform, Fix ID:

PMC, linux2.6-glibc2.3-x86_64, sym-6.1.1-build468914

4.     Installation and configuration

Follow these steps to upgrade Struts on Linux hosts in the Platform Symphony cluster. To upgrade Struts on Windows hosts in the cluster, use the Linux steps as a reference and use the Windows commands and environment variables for patching.

Before installation

a.      Log on to each management host in the cluster and download the struts-2.3.34-lib.zip package from the following location:

http://archive.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip

b.      Stop the Platform Management Console service (WEBGUI):

> egosh user logon -u Admin -x Admin

> egosh service stop WEBGUI

c.      For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/symgui

> mkdir -p /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/1.2.8/lib/commons-collections-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/1.2.8/lib/commons-digester-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/1.2.8/lib/commons-fileupload-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/1.2.8/lib/commons-io-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/1.2.8/lib/commons-logging-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/struts2-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/xwork-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/javassist-*.jar /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/org.apache.commons-io-*.jar /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-*.jar /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/symgui

d.      If your cluster does not contain the Platform Symphony 6.1.1 security service pack (sym-6.1.1-spk-Security-build227853), back up the following files:

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/sym/dashboard/action/DashboardAction.class /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/widget/preference/PreferenceAction.class /tmp/guibackup/symgui

> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml /tmp/guibackup/symgui

Installation

a.      On each management host, unzip the struts-2.3.34-lib.zip package and copy the following files to your cluster directory:

> unzip struts-2.3.34-lib.zip

> cd struts-2.3.34/lib

> cp commons-collections-3.2.2.jar $EGO_TOP/gui/1.2.8/lib/

> cp commons-digester-2.0.jar $EGO_TOP/gui/1.2.8/lib/

> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/1.2.8/lib/

> cp commons-io-2.2.jar $EGO_TOP/gui/1.2.8/lib/

> cp commons-lang3-3.2.jar $EGO_TOP/gui/1.2.8/lib/

> cp commons-logging-1.1.3.jar $EGO_TOP/gui/1.2.8/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/

> cp ognl-3.0.21.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/

> cp struts2-core-2.3.34.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/

> cp xwork-core-2.3.34.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/

> cp commons-io-2.2.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp commons-lang3-3.2.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp javassist-3.11.0.GA.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp ognl-3.0.21.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp struts2-core-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp struts2-json-plugin-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp struts2-spring-plugin-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

> cp xwork-core-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

b.      If your cluster does not contain the Platform Symphony 6.1.1 security service pack (sym-6.1.1-spk-Security-build227853), download interim fix sym-6.1.1-build446371, then decompress the sym6.1.1_lnx26-lib23-x64_build446371.tar.gz package to the IBM Platform Symphony installation directory:

> tar zxof sym6.1.1_lnx26-lib23-x64_build446371.tar.gz -C $EGO_TOP

After installation

a.      Delete all subdirectories and files in the following directory:

$EGO_TOP/gui/work/*

b.      Launch your browser and clear the browser cache.

c.      Start the WEBGUI service:

> egosh service start WEBGUI
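
The following script is an added example, not part of IBM's fix or this readme's original text. It can be run on each management host once the JAR files are copied, and checks that every lib directory named in the Installation step holds exactly the JAR versions copied there, with no other version of the same library left beside them. The function names audit_lib and audit_webgui are hypothetical; JAR names, versions and paths come from the cp commands above, and paths are assumed to contain no whitespace.

```shell
#!/bin/sh
# Added example: audit the WEBGUI lib directories after the Struts 2.3.34 upgrade.
# JAR names and versions are copied from the cp commands in the Installation step.

# audit_lib DIR NAME VERSION
# Returns 0 only if NAME-VERSION.jar exists in DIR and no other NAME-<n>*.jar does.
audit_lib() {
    dir=$1 name=$2 want=$3 rc=0
    [ -f "$dir/$name-$want.jar" ] || { echo "MISSING  $dir/$name-$want.jar"; rc=1; }
    for f in "$dir/$name"-[0-9]*.jar; do
        [ -e "$f" ] || continue          # glob matched nothing
        [ "${f##*/}" = "$name-$want.jar" ] || { echo "STALE    $f"; rc=1; }
    done
    return $rc
}

# audit_webgui EGO_TOP
# Checks the three lib directories touched by the fix (paths without whitespace).
audit_webgui() {
    top=$1 bad=0
    common=$top/gui/1.2.8/lib
    perf=$top/gui/perf/1.2.8/perfgui/WEB-INF/lib
    sym=$top/gui/soam/6.1.1/symgui/WEB-INF/lib
    while read -r d n v; do
        audit_lib "$d" "$n" "$v" || bad=1
    done <<EOF
$common commons-collections 3.2.2
$common commons-digester 2.0
$common commons-fileupload 1.3.2
$common commons-io 2.2
$common commons-lang3 3.2
$common commons-logging 1.1.3
$perf freemarker 2.3.22
$perf ognl 3.0.21
$perf struts2-core 2.3.34
$perf xwork-core 2.3.34
$sym commons-io 2.2
$sym commons-lang3 3.2
$sym freemarker 2.3.22
$sym javassist 3.11.0.GA
$sym ognl 3.0.21
$sym struts2-core 2.3.34
$sym struts2-json-plugin 2.3.34
$sym struts2-spring-plugin 2.3.34
$sym xwork-core 2.3.34
EOF
    return $bad
}
```

Call audit_webgui "$EGO_TOP" on each management host; a non-zero exit status, or any MISSING or STALE line, means the directory does not match the Installation step.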

Uninstallation

a.      Stop the WEBGUI service:

> egosh user logon -u Admin -x Admin  

> egosh service stop WEBGUI

b.      Log on to each management host in the cluster and delete the JAR files that were introduced by this fix.

c.      Restore the following files from your backup:

> mv /tmp/guibackup/*.jar $EGO_TOP/gui/1.2.8/lib

> mv /tmp/guibackup/perfgui/*.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/

> mv /tmp/guibackup/symgui/*.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/

d.      If your cluster does not contain the Platform Symphony 6.1.1 security service pack (sym-6.1.1-spk-Security-build227853), restore the following files:

> cp /tmp/guibackup/symgui/DashboardAction.class $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/sym/dashboard/action/

> cp /tmp/guibackup/symgui/PreferenceAction.class $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/widget/preference/

> cp /tmp/guibackup/symgui/web.xml $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/

e.      Delete all subdirectories and files in the following directory:

$EGO_TOP/gui/work/*

f.       Launch your browser and clear the browser cache.

g.      Start the WEBGUI service:

> egosh service start WEBGUI

5.     Copyright and trademark information

© Copyright IBM Corporation 2017

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.