Readme File for IBM® Spectrum Symphony 7.3.0 and IBM® Spectrum Conductor 2.4.1 Interim Fix 543160
Readme File for: IBM Spectrum Symphony and IBM Spectrum Conductor
Product Release: 7.3.0 and 2.4.1
Update Name: Interim Fix 543160
Fix ID: sym-7.3-cws-2.4.1-build543160-jpmc
Publication Date: March 23, 2020
To resolve Common Vulnerabilities and Exposures (CVEs) security issues in an environment with both IBM Spectrum Symphony 7.3.0 and IBM Spectrum Conductor 2.4.1 installed, use this readme file as guidance for removing files that can pose security issues.
After you have completed the steps in the “Removing files and directories” section, your environment will avoid several CVEs. This table outlines what you will remove, and the specific CVEs that each removal addresses:
Component affected | File or directory to be removed | CVE addressed
MapReduce | zookeeper-3.4.6.jar | CVE-2017-5637, CVE-2018-8012, CVE-2019-0201
MapReduce | netty-3.6.2.Final.jar | CVE-2014-0193, CVE-2014-3488
MapReduce | netty-all-4.0.23.Final.jar | CVE-2015-2156, CVE-2016-4970, CVE-2019-10797, CVE-2019-16869, CVE-2019-20444, CVE-2019-20445
OpenIdClient | spring-boot-starter-web-1.3.0.RELEASE.jar | CVE-2017-8046
OpenIdClient | spring-webmvc-4.2.3.RELEASE.jar | CVE-2016-5007, CVE-2016-9878, CVE-2018-1258, CVE-2018-15756
OpenIdClient | spring-security-web-4.2.3.RELEASE.jar | CVE-2018-1199, CVE-2019-11272, CVE-2019-3795
OpenIdClient | spring-expression-4.3.9.RELEASE.jar | CVE-2018-11039, CVE-2018-11040, CVE-2018-1199, CVE-2018-1257, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2018-1275, CVE-2018-15756
HostFactory | nimbus-jose-jwt-3.1.2.jar | CVE-2017-12972, CVE-2017-12973, CVE-2017-12974, CVE-2019-17195
Additionally, this readme will guide you to delete the unused Spark1.6.1-Conductor2.4.1 directory, to avoid future security scan issues.
Contents
1. List of fixes
2. Download location
3. Product and components affected
4. Procedure
5. Product notifications
6. Copyright and trademark information
1. List of fixes
APAR: P103476
2. Download location
Download interim fixes 539927 and 543160 from the following location: https://www.ibm.com/eserver/support/fixes/
3. Product and components affected
Component name, Platform, Fix ID:
MapReduce/OpenIdClient/HostFactory/Spark, Linux x86_64, sym-7.3-cws-2.4.1-build543160-jpmc
4. Procedure
System requirements
Linux x86_64
Prerequisites
Apply fix 539927 for your IBM Spectrum Symphony 7.3.0 and IBM Spectrum Conductor 2.4.1 environment.
Pre-checking
This readme file walks you through removing specific files and directories so that you can avoid the listed CVEs in your environment. Ensure that you complete the following pre-checking steps before removing the files and directories.
1. Log on to the master host as the cluster administrator and ensure that the cluster has fix 539927 installed on it, by running the following commands:
> pversions -p egocore | grep 539927
Applied: Package egocore, version 3.8.0.1, fix P103401, build 539927, installed Mar 19 2020
> pversions -p soamcore | grep 539927
Applied: Package soamcore, version 7.3.0.0, fix P103401, build 539927, installed Mar 19 2020
> pversions -p soammgmt | grep 539927
Package soammgmt, version 7.3.0.0, fix P103401, build 539927, installed Mar 19 2020
2. Stop all services and shut down your cluster:
> egosh service stop all
> egosh ego shutdown all
Removing files and directories
1. On the management host, disable the MapReduce, OpenIdClient and HostFactory features by renaming the mrss.xml, OpenIdClient.xml and hostfactory.xml files under the $EGO_ESRVDIR/esc/conf/services/ directory. Choose a name that does not end with .xml; for example, rename the files to mrss.xml.bak, hostfactory.xml.bak and OpenIdClient.xml.bak:
> mv $EGO_ESRVDIR/esc/conf/services/mrss.xml $EGO_ESRVDIR/esc/conf/services/mrss.xml.bak
> mv $EGO_ESRVDIR/esc/conf/services/OpenIdClient.xml $EGO_ESRVDIR/esc/conf/services/OpenIdClient.xml.bak
> mv $EGO_ESRVDIR/esc/conf/services/hostfactory.xml $EGO_ESRVDIR/esc/conf/services/hostfactory.xml.bak
2. On each management host, delete the following unused files and directories:
> rm -rf $SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x/*
> rm -rf $EGO_TOP/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war
> touch $EGO_TOP/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war
> rm -rf $EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war
> touch $EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war
> rm $EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar
> rm -rf $EGO_TOP/conductorspark/conf/packages/Spark1.6.1-Conductor2.4.1/
> rm -rf $EGO_TOP/conductorspark/activation/conductorsparkcore2.4.1/conf/packages/Spark1.6.1-Conductor2.4.1/
3. On each compute host, delete the following unused files:
> rm -rf $SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x/*
> rm $EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar
4. Start the cluster. Log on to the master host as the cluster administrator and run:
> egosh ego start all
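As an added example (not part of IBM's readme or the product), the following POSIX shell function checks, before you restart the cluster, that each file and directory listed above is gone or disabled on a host. It only reads the file system; pass the values of EGO_TOP, SOAM_HOME and EGO_ESRVDIR as arguments, and the function name is my own.

```shell
#!/bin/sh
# Added example, not IBM's code: read-only check that the interim fix 543160
# removal steps were completed. Nothing here deletes or renames anything.
# Usage: verify_543160_removal "$EGO_TOP" "$SOAM_HOME" "$EGO_ESRVDIR"
# Exit status 0 when every item is gone or disabled, 1 otherwise.
verify_543160_removal() {
    ego_top=$1; soam_home=$2; esrvdir=$3; failures=0
    services="$esrvdir/esc/conf/services"
    # Step 1: a service definition that still ends in .xml is still loaded,
    # so MapReduce, OpenIdClient and HostFactory would start on the next boot.
    for svc in mrss OpenIdClient hostfactory; do
        if [ -e "$services/$svc.xml" ]; then
            echo "FAIL: $services/$svc.xml still present (service still enabled)"
            failures=$((failures + 1))
        fi
    done

    # Steps 2 and 3: the hadoop-2.7.x lib directory (zookeeper/netty jars)
    # must be empty, and the unused Spark 1.6.1 package directories absent.
    hadoop_lib="$soam_home/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x"
    if [ -d "$hadoop_lib" ] && [ -n "$(ls -A "$hadoop_lib")" ]; then
        echo "FAIL: $hadoop_lib is not empty"
        failures=$((failures + 1))
    fi
    for d in "$ego_top/conductorspark/conf/packages/Spark1.6.1-Conductor2.4.1" \
             "$ego_top/conductorspark/activation/conductorsparkcore2.4.1/conf/packages/Spark1.6.1-Conductor2.4.1"; do
        if [ -e "$d" ]; then
            echo "FAIL: $d still exists"
            failures=$((failures + 1))
        fi
    done

    # Steps 2 and 3: the nimbus-jose-jwt jar must be removed from HostFactory.
    jwt="$ego_top/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar"
    if [ -e "$jwt" ]; then
        echo "FAIL: $jwt still exists"
        failures=$((failures + 1))
    fi

    # Step 2: the readme replaces the OpenIdClient WAR (and its patch backup
    # copy) with an empty file via touch, so a non-empty WAR means the
    # vulnerable Spring jars are still deployed.
    for war in "$ego_top/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war" \
               "$ego_top/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war"; do
        if [ -s "$war" ]; then
            echo "FAIL: $war is not the empty placeholder"
            failures=$((failures + 1))
        fi
    done
    [ "$failures" -eq 0 ]
}
```

Run it once per management host with the three environment variables of that host; a non-zero exit lists every item still present.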
5. Product notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page http://www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
6. Copyright and trademark information
© Copyright IBM Corporation 2020
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.