Readme File for IBM® Spectrum Symphony 7.1.2 and IBM Spectrum Conductor with Spark 2.2 Interim Fix 481384
Readme File for: IBM Spectrum Symphony and IBM Spectrum Conductor with Spark
Product Release: 7.1.2 and 2.2
Update Name: Interim Fix 481384
Fix ID: sym-7.1.2-cws-2.2_x86_64-build481384-jpmc
Publication Date: February 27, 2018
This interim fix provides the following security fixes for a cluster with IBM Spectrum Symphony 7.1.2 and IBM Spectrum Conductor with Spark 2.2 installed:
· Arbitrary remote code execution (RCE)
· Inadequate permissions for notebook data directories
· Vertical authorization bypass on the Symping page
· XML entity expansion (XXE)
· Stored cross-site scripting (XSS)
· Arbitrary file reading
· Clear-text user passwords reflected in the GUI
· User enumeration
Contents
1. List of fixes
2. Download location
3. Product and components affected
4. Installation and configuration
5. Uninstallation
6. List of files
7. Copyright and trademark information
1. List of fixes
APAR: P102505
2. Download location
Download interim fix 481384 from the following location: https://www.ibm.com/eserver/support/fixes/
3. Product and components affected
Component name, Platform, Fix ID:
PMC/REST/EGO/Jupyter-4.1.0, Linux x86_64, sym-7.1.2-cws-2.2_x86_64-build481384-jpmc
4. Installation and configuration
Follow the instructions in this section to download and install this interim fix in your cluster.
System requirements
Linux x86_64
Before installation
1. Log on to the master host as the cluster administrator and stop the following services:
egosh user logon -u Admin -x Admin
egosh service stop WEBGUI REST
2. For recovery purposes, back up the following files:
cd $EGO_TOP
tar -cvf backup.tar gui/conf/useracl/permission_GUIPermissionSoam.acl
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/symping/symping.jsp
tar -uf backup.tar gui/3.5/lib/commons-ego.jar
tar -uf backup.tar wlp/usr/shared/resources/rest/3.5/commons-ego.jar
tar -uf backup.tar gui/3.5/lib/egogui.jar
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/api/symping/SympingConfSetting.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/appConf/ExportAppProfileAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/appConf/ImportAppProAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/application/RegisterAppXmlAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/common/FormatXMLAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/srvpackage/ConfigurePackageProfileAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/srvpackage/ExportDeploymentXmlAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/wizard/CreateAppWizardOperator.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/wizard/importAppProActionWizard.class
tar -uf backup.tar gui/3.5/lib/soamgui.jar
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/lib/soamgui.jar
tar -uf backup.tar wlp/usr/servers/gui/apps/perf/3.5/perfgui/WEB-INF/classes/com/platform/perf/report/action/ReportAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/application/RegisterAppXmlAction.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/application/RegisterAppXmlAction.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/application/RegisterAppXmlAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/wizard/CreateAppWizardOperator.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/wizard/CreateAppWizardOperator.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/wizard/CreateAppWizardOperator.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/action/appConf/ExportAppProfileAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/action/appConf/ImportAppProAction.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/action/applications/AddApplicationAction.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationRestResource.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationRestResource.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationRestResource.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationV1RestResource.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationV1RestResource.class
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationV1RestResource.class
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/lib/soamgui.jar
tar -uf backup.tar wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/lib/soamgui.jar
tar -uf backup.tar gui/3.5/lib/rest-ego-3.5.0.jar
tar -uf backup.tar wlp/usr/servers/gui/apps/ego/3.4/platform/generaltable/getDeviceInfo.jsp
tar -uf backup.tar wlp/usr/servers/gui/apps/ego/3.5/platform/generaltable/getDeviceInfo.jsp
tar -uf backup.tar wlp/usr/servers/gui/apps/soam/7.1.2/symgui/generaltable/getDeviceInfo.jsp
tar -uf backup.tar 3.5/linux-x86_64/bin/egosh
tar -uf backup.tar 3.5/linux-x86_64/lib/jni/libVEMApiCommon.so
tar -uf backup.tar $EGO_CONFDIR/../../conductorspark/conf/notebooks/Jupyter-4.1.0/Jupyter-4.1.0.tar.gz
Installation
1. Log on to each management host in your cluster as the cluster administrator and decompress the sym-7.1.2.0-cws-2.2.0.0_x86_64-build481384.tar.gz file to the directory where you installed IBM Spectrum Symphony and IBM Spectrum Conductor with Spark. For example, run:
tar zxfo sym-7.1.2.0-cws-2.2.0.0_x86_64-build481384.tar.gz -C $EGO_TOP/
2. Delete the following files:
$EGO_TOP/wlp/usr/servers/gui/apps/ego/3.4/platform/generaltable/getDeviceInfo.jsp
$EGO_TOP/wlp/usr/servers/gui/apps/ego/3.5/platform/generaltable/getDeviceInfo.jsp
$EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.2/symgui/generaltable/getDeviceInfo.jsp
3. Copy the following configuration file to your shared directory:
cp $EGO_TOP/gui/conf/useracl/permission_GUIPermissionSoam.acl $EGO_CONFDIR/../../gui/conf/useracl/
4. Open the $EGO_CONFDIR/../../gui/conf/pmcconf/pmc_conf_ego.xml file and add the following sections to restrict log retrieval to a whitelist of directories for the host:
<Parameter>
  <Name>RestrictHostLogRetrieve</Name>
  <!-- This parameter restricts retrieving logs for a host. -->
  <!-- Valid values are true or false. By default, this parameter is false, so that there is no restriction: all logs from any directory can be retrieved. -->
  <Value>true</Value>
</Parameter>
<Parameter>
  <Name>WhitelistLogsDir</Name>
  <!-- This parameter takes effect only when the RestrictHostLogRetrieve parameter is set to true. -->
  <!-- This parameter allows you to define the specific directories from which logs can be retrieved for a host. -->
  <!-- Define any number of directories as required, separating multiple directories by a semicolon (";"). -->
  <Value>${SOAM_HOME};${EGO_TOP}</Value>
</Parameter>
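To show what the two parameters above mean in practice, here is an added illustration (not IBM's implementation and not part of this readme) that reads the same <Parameter> sections from a constructed fragment of pmc_conf_ego.xml, expands the ${SOAM_HOME};${EGO_TOP} whitelist, and decides whether a requested log path falls inside it. The root element name, environment values and log file names are assumptions made for the sample.

```python
"""Added example: evaluate RestrictHostLogRetrieve / WhitelistLogsDir.
Not IBM's code. Assumes the <Parameter><Name/><Value/></Parameter>
layout from the readme under a constructed <Parameters> root."""
import os
import xml.etree.ElementTree as ET

# Constructed sample of the two sections added to pmc_conf_ego.xml
SAMPLE_CONF = """<Parameters>
  <Parameter><Name>RestrictHostLogRetrieve</Name><Value>true</Value></Parameter>
  <Parameter><Name>WhitelistLogsDir</Name><Value>${SOAM_HOME};${EGO_TOP}</Value></Parameter>
</Parameters>"""

# Constructed environment values standing in for a real cluster's own
SAMPLE_ENV = {"SOAM_HOME": "/opt/ibm/spectrumcomputing/soam",
              "EGO_TOP": "/opt/ibm/spectrumcomputing"}


def load_parameters(conf_xml):
    """Return {Name: Value} for every <Parameter> in the XML text."""
    params = {}
    for p in ET.fromstring(conf_xml).iter("Parameter"):
        name, value = p.find("Name"), p.find("Value")
        if name is not None and value is not None:
            params[name.text.strip()] = (value.text or "").strip()
    return params


def whitelist_dirs(params, env):
    """Expand ${VAR} references and split the ';'-separated directory list."""
    dirs = []
    for entry in params.get("WhitelistLogsDir", "").split(";"):
        entry = entry.strip()
        if not entry:
            continue
        for var, val in env.items():
            entry = entry.replace("${%s}" % var, val)
        dirs.append(os.path.normpath(entry))
    return dirs


def log_retrieval_allowed(requested, params, env):
    """True if the configuration permits reading `requested` as a host log.
    Normalisation here is lexical only (collapses '..'); a production check
    must also resolve symlinks (os.path.realpath) so that a link placed inside
    a whitelisted directory cannot point outside it."""
    if params.get("RestrictHostLogRetrieve", "false").lower() != "true":
        return True  # default: unrestricted, logs from any directory
    target = os.path.normpath(requested)
    return any(target == d or target.startswith(d + os.sep)
               for d in whitelist_dirs(params, env))
```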
5. Clean up the gui/work directories by deleting all subdirectories and files from the following directories:
rm -rf $EGO_TOP/gui/work/*
rm -rf $EGO_TOP/gui/workarea/*
rm -rf $EGO_TOP/kernel/rest/workarea/*
rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
6. Clear your browser cache.
7. Start the WEBGUI and REST services:
egosh service start WEBGUI REST
8. Update permissions for the Jupyter notebook's data directory.
NOTE: This update can be applied to one Spark instance group at a time; Spark instance groups that are not updated will continue to work as is. After updating the notebook permissions, the permissions cannot be reverted. Spark instance groups apply only to IBM Spectrum Conductor with Spark.
a. Stop the Spark instance group.
b. Complete this step only if your notebook consumer execution user is different from the Spark instance group execution user for an existing Spark instance group. This step is not required for other types of Spark instance groups.
Use "root" or "sudo" to change permissions for each Spark instance group notebook base data directory:
setfacl -R -d -m g::--- notebook_base_data_directory/Spark_instance_group_name
setfacl -R -m g::--- notebook_base_data_directory/Spark_instance_group_name
setfacl -R -d -m o::--- notebook_base_data_directory/Spark_instance_group_name
setfacl -R -m o::--- notebook_base_data_directory/Spark_instance_group_name
setfacl -m u:notebook_consumer_user:rwx notebook_base_data_directory/Spark_instance_group_name
where:
· notebook_base_data_directory is the parent notebook data directory where the notebook stores child notebook data directories and notebook data. For example, /ibm/pclma/jpmc2/spark2/myspark/data
· Spark_instance_group_name is the name specified for this Spark instance group. For example, myspark.
· notebook_consumer_user is the notebook consumer execution user.
Here is a full example of running one of the above commands:
setfacl -R -d -m g::--- /ibm/pclma/jpmc2/spark2/myspark/data/myspark
c. Update your Jupyter notebook package:
i. Decompress the $EGO_TOP/Jupyter-4.1.0.tar.gz package to a temporary directory, replace the Anaconda2-4.1.1-Linux-x86_64.sh package with your customized Anaconda package, and then regenerate the Jupyter-4.1.0.tar.gz package.
ii. Copy the regenerated Jupyter-4.1.0.tar.gz package to a host with web browser access.
iii. From the cluster management console, navigate to Workload > Spark > Notebook Management.
iv. Select Jupyter and click Configure.
v. Click Browse, locate the Jupyter notebook package that you copied in step 8c-ii, and then click Update Notebook.
vi. Navigate to Workload > Spark > Spark Instance Group.
vii. Apply the package update for the Spark instance group by clicking the corresponding Available: number link, and then clicking Update.
d. Restart the Spark instance group after the package has finished updating.
5. Uninstallation
If required, follow the instructions in this section to uninstall this interim fix from your cluster.
1. Log on to the master host as the cluster administrator and stop the following services:
egosh user logon -u Admin -x Admin
egosh service stop WEBGUI REST
2. Log on to each management host in the cluster and restore the following files from your backup:
cd $EGO_TOP
tar -xvf backup.tar
3. Copy the following configuration file to your shared directory:
cp $EGO_TOP/gui/conf/useracl/permission_GUIPermissionSoam.acl $EGO_CONFDIR/../../gui/conf/useracl/
4. Open the $EGO_CONFDIR/../../gui/conf/pmcconf/pmc_conf_ego.xml file and remove the following sections:
<Parameter>
  <Name>RestrictHostLogRetrieve</Name>
  <!-- This parameter restricts retrieving logs for a host. -->
  <!-- Valid values are true or false. By default, this parameter is false, so that there is no restriction: all logs from any directory can be retrieved. -->
  <Value>true</Value>
</Parameter>
<Parameter>
  <Name>WhitelistLogsDir</Name>
  <!-- This parameter takes effect only when the RestrictHostLogRetrieve parameter is set to true. -->
  <!-- This parameter allows you to define the specific directories from which logs can be retrieved for a host. -->
  <!-- Define any number of directories as required, separating multiple directories by a semicolon (";"). -->
  <Value>${SOAM_HOME};${EGO_TOP}</Value>
</Parameter>
5. Clean up the gui/work directories by deleting all subdirectories and files from the following directories:
rm -rf $EGO_TOP/gui/work/*
rm -rf $EGO_TOP/gui/workarea/*
rm -rf $EGO_TOP/kernel/rest/workarea/*
rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
6. Start the WEBGUI and REST services:
egosh service start WEBGUI REST
6. List of files
gui/conf/useracl/permission_GUIPermissionSoam.acl
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/symping/symping.jsp
gui/3.5/lib/commons-ego.jar
wlp/usr/shared/resources/rest/3.5/commons-ego.jar
gui/3.5/lib/egogui.jar
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/api/symping/SympingConfSetting.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/appConf/ExportAppProfileAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/appConf/ImportAppProAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/application/RegisterAppXmlAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/common/FormatXMLAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/srvpackage/ConfigurePackageProfileAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/srvpackage/ExportDeploymentXmlAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/wizard/CreateAppWizardOperator.class
wlp/usr/servers/gui/apps/soam/7.1.2/soamgui/WEB-INF/classes/com/platform/soam/gui/web/wizard/importAppProActionWizard.class
gui/3.5/lib/soamgui.jar
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/lib/soamgui.jar
wlp/usr/servers/gui/apps/perf/3.5/perfgui/WEB-INF/classes/com/platform/perf/report/action/ReportAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/application/RegisterAppXmlAction.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/application/RegisterAppXmlAction.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/application/RegisterAppXmlAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/wizard/CreateAppWizardOperator.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/wizard/CreateAppWizardOperator.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/general/mapreduce/gui/web/wizard/CreateAppWizardOperator.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/action/appConf/ExportAppProfileAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/action/appConf/ImportAppProAction.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/action/applications/AddApplicationAction.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationRestResource.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationRestResource.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationRestResource.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationV1RestResource.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationV1RestResource.class
wlp/usr/servers/gui/apps/soam/7.1.2/symgui/WEB-INF/classes/com/platform/gui/pmr/web/rest/ApplicationV1RestResource.class
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrestv1/WEB-INF/lib/soamgui.jar
wlp/usr/servers/rest/apps/soam/7.1.2/pmrrest/WEB-INF/lib/soamgui.jar
gui/3.5/lib/rest-ego-3.5.0.jar
3.5/linux-x86_64/bin/egosh
3.5/linux-x86_64/lib/jni/libVEMApiCommon.so
Jupyter-4.1.0.tar.gz
7. Copyright and trademark information
© Copyright IBM Corporation 2018
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.