Readme for IBM® Spectrum Conductor with Spark 2.2.0 Interim Fix 491019 

Readme file for: IBM Spectrum Conductor with Spark

Product/Component Release: 2.2.0

Update Name: Interim Fix 491019

Fix ID: cws-2.2.0-build491019

Publication date: May 21, 2018

Abstract

The Jackson deserializer vulnerability could allow an unauthenticated user to execute code by sending maliciously crafted input to the readValue method of the ObjectMapper class. The Apache Thrift Go client library was exposed to command injection during code generation because it invoked an external formatting tool.

Description

This interim fix resolves the Jackson deserializer security vulnerability (CVE-2017-7525) and the Apache Thrift remote command injection vulnerability (CVE-2016-5397) for an IBM Spectrum Conductor with Spark v2.2.0 Spark instance group that uses Spark version 2.1.0. 

Contents

1.      List of fixes

2.      Download location

3.      Products or components affected

4.      Installation and configuration

5.      List of files

6.      Copyright and trademark information

1.        List of fixes

APAR: P102576, P102577

2.        Download location

Download Fix 491019 from the following location: http://www.ibm.com/eserver/support/fixes/

3.        Products or components affected 

·       IBM Spectrum Conductor with Spark v2.2.0 

·       Spark version 2.1.0

·       Linux 64-bit

·       cws-2.2.0-build491019

4.        Installation and configuration

System requirements

·       Linux x86_64

Before installation

·       IBM Spectrum Conductor with Spark v2.2.0 must be installed on a supported operating system. For details, see https://www.ibm.com/support/knowledgecenter/SSZU2E_2.2.0/installing/install_upgrade.html.

Installation

1.     On the client machine where you have a browser, decompress the cws-2.2.0.0_x86_64_build491019.tgz package. For example, on Linux:

> mkdir -p /tmp/fix491019

> tar zoxf cws-2.2.0.0_x86_64_build491019.tgz -C /tmp/fix491019

2.     Launch the browser and clear the browser cache; then, log in to the cluster management console as admin.

3.     Remove the Spark 2.1.0 package if it exists.

a.     Click Workload > Spark > Version Management.

b.     Select 2.1.0.

c.     Click Remove.

4.     Add the Spark 2.1.0 package to your cluster.

a.     Click Workload > Spark > Version Management.

b.     Click Add.

c.     Click Browse and select the /tmp/fix491019/Spark2.1.0-Conductor2.2.0.tgz package.

5.     Click Add.
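An added check for step 1, not part of the IBM readme: after decompressing the fix package, list the Jackson and Thrift jars bundled in the Spark2.1.0-Conductor2.2.0.tgz package (section 5) before uploading it, so you can record which library versions the fix deploys. It assumes the Spark package keeps its libraries under a jars/ directory, and it builds a constructed sample package so the check runs offline; the version strings in the sample are placeholders, not the versions IBM ships.

```shell
#!/bin/sh
# Added example, not IBM code. Inspect the fix package before uploading it
# through Workload > Spark > Version Management.

# Print the file names of the Jackson and Thrift jars bundled in the Spark
# package under the extracted fix directory $1, one per line, sorted.
# Returns 1 if the package listed in section 5 is not present.
# Assumption: the Spark package stores its libraries under jars/.
list_fixed_libs() {
    pkg="$1/Spark2.1.0-Conductor2.2.0.tgz"
    [ -f "$pkg" ] || { echo "missing $pkg" >&2; return 1; }
    tar tzf "$pkg" \
        | grep -E '(jackson-databind|libthrift)-[^/]*\.jar$' \
        | sed 's#.*/##' \
        | sort
}

# Build a constructed sample fix directory so the check can run offline.
# The jar versions are placeholders, not the versions shipped by the fix.
make_sample_fix() {
    dir="$1"
    mkdir -p "$dir/spark/jars"
    : > "$dir/spark/jars/jackson-databind-0.0.0-placeholder.jar"
    : > "$dir/spark/jars/libthrift-0.0.0-placeholder.jar"
    : > "$dir/spark/jars/other-1.0.jar"
    tar czf "$dir/Spark2.1.0-Conductor2.2.0.tgz" -C "$dir" spark
    rm -rf "$dir/spark"
}

# Usage: sh check_fix.sh /tmp/fix491019
[ $# -eq 1 ] && list_fixed_libs "$1"
```

Compare the printed jar names with the ones deployed to an existing Spark instance group after step 2 of "After installation" to confirm the update actually replaced the libraries.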

After installation

1.     Create a new Spark instance group that uses the new Spark version 2.1.0 package. For details, see http://www.ibm.com/support/knowledgecenter/SSZU2E_2.2.0/developing_instances/developing_instances.html.

2.     If required, upgrade your existing Spark instance groups to use the new Spark version 2.1.0 package. For details, see https://www.ibm.com/support/knowledgecenter/SSZU2E_2.2.0/managing_instances/instance_update_spark_version.html.

For existing Spark instance groups, updating does not involve deleting and re-creating Spark instance groups. This patch takes effect for both newly created and updated Spark instance groups.

5.        List of files 

·       Spark2.1.0-Conductor2.2.0.tgz

6.        Copyright and trademark information

© Copyright IBM Corporation 2018

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml