Readme File for IBM® Platform Symphony 6.1.1 Interim Fix 468914
Readme File for: IBM Platform Symphony
Product Release: 6.1.1
Update Name: Interim Fix 468914
Fix ID: sym-6.1.1-build468914
Publication Date: September 18, 2017
This readme file provides guidance on upgrading Apache Struts to version 2.3.34 in IBM Platform Symphony 6.1.1 in order to fix Struts security vulnerabilities CVE-2017-12611, CVE-2017-9804, CVE-2017-7672, CVE-2017-9787 and CVE-2017-9791.
Contents
1. List of fixes
2. Download location
3. Product and components affected
4. Installation and configuration
5. List of files
6. Copyright and trademark information
1. List of fixes
APAR: P102379
2. Download location
Download interim fixes 468914 and 446371 from the following location: https://www.ibm.com/eserver/support/fixes/
3. Product and components affected
Component name, Platform, Fix ID:
PMC, linux2.6-glibc2.3-x86_64, sym-6.1.1-build468914
4. Installation and configuration
Follow these steps to upgrade Struts on Linux hosts in the Platform Symphony cluster. To upgrade Struts on Windows hosts in the cluster, use the Linux steps as a reference and use the Windows commands and environment variables for patching.
Before installation
a. Log on to each management host in the cluster and download the struts-2.3.34-lib.zip package from the following location:
http://archive.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip.
b. Stop the Platform Management Console service (WEBGUI):
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
c. For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/symgui
> mkdir -p /tmp/guibackup/perfgui
> mv $EGO_TOP/gui/1.2.8/lib/commons-collections-*.jar /tmp/guibackup/
> mv $EGO_TOP/gui/1.2.8/lib/commons-digester-*.jar /tmp/guibackup/
> mv $EGO_TOP/gui/1.2.8/lib/commons-fileupload-*.jar /tmp/guibackup/
> mv $EGO_TOP/gui/1.2.8/lib/commons-io-*.jar /tmp/guibackup/
> mv $EGO_TOP/gui/1.2.8/lib/commons-logging-*.jar /tmp/guibackup/
> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui
> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui
> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/struts2-*.jar /tmp/guibackup/perfgui
> mv $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/xwork-*.jar /tmp/guibackup/perfgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/javassist-*.jar /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/org.apache.commons-io-*.jar /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/struts2-*.jar /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/symgui
d. If your cluster does not contain the Platform Symphony 6.1.1 security service pack (sym-6.1.1-spk-Security-build227853), back up the following files:
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/sym/dashboard/action/DashboardAction.class /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/widget/preference/PreferenceAction.class /tmp/guibackup/symgui
> mv $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml /tmp/guibackup/symgui
Installation
a. On each management host, unzip the struts-2.3.34-lib.zip package and copy the following files to your cluster directory:
> unzip struts-2.3.34-lib.zip
> cd struts-2.3.34/lib
> cp commons-collections-3.2.2.jar $EGO_TOP/gui/1.2.8/lib/
> cp commons-digester-2.0.jar $EGO_TOP/gui/1.2.8/lib/
> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/1.2.8/lib/
> cp commons-io-2.2.jar $EGO_TOP/gui/1.2.8/lib/
> cp commons-lang3-3.2.jar $EGO_TOP/gui/1.2.8/lib/
> cp commons-logging-1.1.3.jar $EGO_TOP/gui/1.2.8/lib/
> cp freemarker-2.3.22.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/
> cp ognl-3.0.21.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/
> cp struts2-core-2.3.34.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/
> cp xwork-core-2.3.34.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/
> cp commons-io-2.2.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp commons-lang3-3.2.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp freemarker-2.3.22.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp javassist-3.11.0.GA.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp ognl-3.0.21.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp struts2-core-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp struts2-json-plugin-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp struts2-spring-plugin-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
> cp xwork-core-2.3.34.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
b. If your cluster does not contain the Platform Symphony 6.1.1 security fix build227853, download interim fix sym-6.1.1-build446371, then decompress the sym6.1.1_lnx26-lib23-x64_build446371.tar.gz package to the IBM Platform Symphony installation directory:
> tar zxof sym6.1.1_lnx26-lib23-x64_build446371.tar.gz -C $EGO_TOP
After installation
a. Delete all subdirectories and files in the following directory:
$EGO_TOP/gui/work/*
b. Launch your browser and clear the browser cache.
c. Start the WEBGUI service:
> egosh service start WEBGUI
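A check for the copy steps above, as an added example that is not part of the IBM readme: it confirms that each library directory holds the JAR versions copied during installation and that no other version of the same library remains beside them. The function names are hypothetical; the directory and file names are the ones used in this readme. It does not detect the old org.apache.commons-io-*.jar, which has a different name prefix.

```shell
# Added example, not part of the IBM readme. Expected JAR names come from the
# copy commands in the Installation step; function names are hypothetical.

# check_dir DIR JAR...: each JAR must exist in DIR, and no other version of
# the same library may sit beside it. Prints one line per problem.
check_dir() {
    dir=$1; shift
    problems=0
    for jar in "$@"; do
        # Library name = file name without the trailing -<version>.jar
        lib=$(printf '%s\n' "$jar" | sed 's/-[0-9][0-9A-Za-z.]*\.jar$//')
        if [ ! -f "$dir/$jar" ]; then
            echo "MISSING $dir/$jar"
            problems=$((problems + 1))
        fi
        for found in "$dir/$lib"-[0-9]*.jar; do
            [ -e "$found" ] || continue   # glob matched nothing
            if [ "${found##*/}" != "$jar" ]; then
                echo "STALE   $found"
                problems=$((problems + 1))
            fi
        done
    done
    [ "$problems" -eq 0 ]
}

# verify_upgrade EGO_TOP: check the three library directories the fix touches.
verify_upgrade() {
    top=$1; rc=0
    check_dir "$top/gui/1.2.8/lib" \
        commons-collections-3.2.2.jar commons-digester-2.0.jar \
        commons-fileupload-1.3.2.jar commons-io-2.2.jar \
        commons-lang3-3.2.jar commons-logging-1.1.3.jar || rc=1
    check_dir "$top/gui/perf/1.2.8/perfgui/WEB-INF/lib" \
        freemarker-2.3.22.jar ognl-3.0.21.jar \
        struts2-core-2.3.34.jar xwork-core-2.3.34.jar || rc=1
    check_dir "$top/gui/soam/6.1.1/symgui/WEB-INF/lib" \
        commons-io-2.2.jar commons-lang3-3.2.jar freemarker-2.3.22.jar \
        javassist-3.11.0.GA.jar ognl-3.0.21.jar struts2-core-2.3.34.jar \
        struts2-json-plugin-2.3.34.jar struts2-spring-plugin-2.3.34.jar \
        xwork-core-2.3.34.jar || rc=1
    return "$rc"
}
```

Run `verify_upgrade "$EGO_TOP"` on each management host; a non-zero exit status with `STALE` or `MISSING` lines means the library directories do not match the file set this fix installs.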
Uninstallation
a. Stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
b. Log on to each management host in the cluster and delete the JAR files that were introduced by this fix.
c. Restore the following files from your backup:
> mv /tmp/guibackup/*.jar $EGO_TOP/gui/1.2.8/lib
> mv /tmp/guibackup/perfgui/*.jar $EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/lib/
> mv /tmp/guibackup/symgui/*.jar $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/lib/
d. If your cluster does not contain the Platform Symphony 6.1.1 security service pack (sym-6.1.1-spk-Security-build227853), restore the following files:
> cp /tmp/guibackup/symgui/DashboardAction.class $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/sym/dashboard/action/
> cp /tmp/guibackup/symgui/PreferenceAction.class $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/classes/com/platform/gui/widget/preference/
> cp /tmp/guibackup/symgui/web.xml $EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/
e. Delete all subdirectories and files in the following directory:
$EGO_TOP/gui/work/*
f. Launch your browser and clear the browser cache.
g. Start the WEBGUI service:
> egosh service start WEBGUI
5. Copyright and trademark information
© Copyright IBM Corporation 2017
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.