Readme File for IBM® Spectrum Symphony 7.3.0 and IBM® Spectrum Conductor 2.4.1 Interim Fix 543160

Readme File for: IBM Spectrum Symphony and IBM Spectrum Conductor

Product Release: 7.3.0 and 2.4.1

Update Name: Interim Fix 543160

Fix ID: sym-7.3-cws-2.4.1-build543160-jpmc

Publication Date: March 23, 2020

 

To resolve Common Vulnerabilities and Exposures (CVEs) security issues in an environment where both IBM Spectrum Symphony 7.3.0 and IBM Spectrum Conductor 2.4.1 are installed, use this readme file as guidance for removing various files that can pose security issues.

After you have completed the steps in the “Removing files and directories” section, your environment will no longer be exposed to several CVEs. This table outlines what you will remove, and the specific CVEs that each removal addresses:

 

Component affected | File or directory to be removed           | CVE addressed
-------------------+-------------------------------------------+-----------------------------------------------
MapReduce          | zookeeper-3.4.6.jar                       | CVE-2017-5637, CVE-2018-8012, CVE-2019-0201
                   | netty-3.6.2.Final.jar                     | CVE-2014-0193, CVE-2014-3488
                   | netty-all-4.0.23.Final.jar                | CVE-2015-2156, CVE-2016-4970, CVE-2019-10797,
                   |                                           | CVE-2019-16869, CVE-2019-20444, CVE-2019-20445
OpenIdClient       | spring-boot-starter-web-1.3.0.RELEASE.jar | CVE-2017-8046
                   | spring-webmvc-4.2.3.RELEASE.jar           | CVE-2016-5007, CVE-2016-9878, CVE-2018-1258,
                   |                                           | CVE-2018-15756
                   | spring-security-web-4.2.3.RELEASE.jar     | CVE-2018-1199, CVE-2019-11272, CVE-2019-3795
                   | spring-expression-4.3.9.RELEASE.jar       | CVE-2018-11039, CVE-2018-11040, CVE-2018-1199,
                   |                                           | CVE-2018-1257, CVE-2018-1270, CVE-2018-1271,
                   |                                           | CVE-2018-1272, CVE-2018-1275, CVE-2018-15756
HostFactory        | nimbus-jose-jwt-3.1.2.jar                 | CVE-2017-12972, CVE-2017-12973, CVE-2017-12974,
                   |                                           | CVE-2019-17195

Additionally, this readme guides you through deleting the unused Spark1.6.1-Conductor2.4.1 directory, so that it does not raise issues in future security scans.



Contents

1. List of fixes

2. Download location

3. Product and components affected

4. Procedure

5. Product notifications

6. Copyright and trademark information

1. List of fixes

APAR: P103476

2. Download location

Download interim fixes 539927 and 543160 from the following location: https://www.ibm.com/eserver/support/fixes/

3. Product and components affected

Component name, Platform, Fix ID:

MapReduce/OpenIdClient/HostFactory/Spark, Linux x86_64, sym-7.3-cws-2.4.1-build543160-jpmc

4. Procedure

System requirements

Linux x86_64

Prerequisites

Apply fix 539927 to your IBM Spectrum Symphony 7.3.0 and IBM Spectrum Conductor 2.4.1 environment.

Pre-checking

This readme file walks you through removing specific files and directories so that your environment is no longer exposed to the listed CVEs. Complete the following pre-checking steps before you remove any files or directories.

1. Log on to the master host as the cluster administrator and confirm that fix 539927 is installed on the cluster by running the following commands:

> pversions -p egocore|grep 539927

  Applied:  Package egocore, version 3.8.0.1, fix P103401, build 539927, installed Mar 19 2020

> pversions -p soamcore | grep 539927

  Applied:  Package soamcore, version 7.3.0.0, fix P103401, build 539927, installed Mar 19 2020

> pversions -p soammgmt | grep 539927

         Package soammgmt, version 7.3.0.0, fix P103401, build 539927, installed Mar 19 2020

2. Stop all services and shut down your cluster:

> egosh service stop all

> egosh ego shutdown all

Removing files and directories

1. On the management host, disable the MapReduce, OpenIdClient and HostFactory features by renaming the mrss.xml, OpenIdClient.xml and hostfactory.xml files in the $EGO_ESRVDIR/esc/conf/services/ directory.

Choose a name that does not end in .xml; for example, rename the files to
mrss.xml.bak, OpenIdClient.xml.bak and hostfactory.xml.bak:

> mv $EGO_ESRVDIR/esc/conf/services/mrss.xml $EGO_ESRVDIR/esc/conf/services/mrss.xml.bak

> mv $EGO_ESRVDIR/esc/conf/services/OpenIdClient.xml $EGO_ESRVDIR/esc/conf/services/OpenIdClient.xml.bak

> mv $EGO_ESRVDIR/esc/conf/services/hostfactory.xml $EGO_ESRVDIR/esc/conf/services/hostfactory.xml.bak

2. On each management host, delete the following unused files and directories:

> rm -rf $SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x/*

> rm -rf $EGO_TOP/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war

> touch $EGO_TOP/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war

> rm -rf $EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war

> touch $EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war

> rm $EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar

> rm -rf $EGO_TOP/conductorspark/conf/packages/Spark1.6.1-Conductor2.4.1/

> rm -rf $EGO_TOP/conductorspark/activation/conductorsparkcore2.4.1/conf/packages/Spark1.6.1-Conductor2.4.1/

3. On each compute host, delete the following unused files:

> rm -rf $SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x/*

> rm $EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar

4. Start the cluster. Log on to the master host as the cluster administrator and run:

> egosh ego start all
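A post-removal verification script, added here as an example and not part of the IBM readme: it checks that everything named in steps 1 to 3 is renamed, gone, emptied or replaced by an empty placeholder, reading the same EGO_TOP, SOAM_HOME and EGO_ESRVDIR variables as the readme's commands. The make_demo_tree function and its directory layout are assumptions: it builds a constructed stand-in tree so the check can be exercised offline, not a real installation.

```shell
#!/bin/sh
# Post-removal check for interim fix 543160. Added example, not part of
# the IBM readme: it verifies the state that the "Removing files and
# directories" steps leave behind. EGO_TOP, SOAM_HOME and EGO_ESRVDIR
# are read from the environment, as in the readme's own commands.

# Returns 0 if every item is in the expected state, 1 otherwise, and
# prints one line per item that is still outstanding.
verify_543160_removal() {
  fail=0
  svc="$EGO_ESRVDIR/esc/conf/services"
  for f in mrss.xml OpenIdClient.xml hostfactory.xml; do   # step 1
    [ -e "$svc/$f" ] && { echo "service still enabled: $svc/$f"; fail=1; }
  done
  hadoop="$SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x"   # steps 2 and 3
  [ -d "$hadoop" ] && [ -n "$(ls -A "$hadoop")" ] && { echo "not emptied: $hadoop"; fail=1; }
  for p in "$EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar" \
           "$EGO_TOP/conductorspark/conf/packages/Spark1.6.1-Conductor2.4.1" \
           "$EGO_TOP/conductorspark/activation/conductorsparkcore2.4.1/conf/packages/Spark1.6.1-Conductor2.4.1"; do
    [ -e "$p" ] && { echo "still present: $p"; fail=1; }
  done
  # The readme replaces each war with an empty file (rm, then touch),
  # so it must exist and be zero bytes.
  for w in "$EGO_TOP/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war" \
           "$EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war"; do
    { [ -f "$w" ] && [ ! -s "$w" ]; } || { echo "not an empty placeholder: $w"; fail=1; }
  done
  return $fail
}

# Builds a constructed stand-in tree (assumption, not a real installation)
# under a temp dir and points the env vars at it, so the check runs offline.
make_demo_tree() {
  root=$(mktemp -d)
  EGO_TOP="$root/ego"; SOAM_HOME="$root/soam"; EGO_ESRVDIR="$root/ego/eservice"
  export EGO_TOP SOAM_HOME EGO_ESRVDIR
  mkdir -p "$EGO_ESRVDIR/esc/conf/services" "$EGO_TOP/wlp/usr/servers/openid" \
    "$SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x" \
    "$EGO_TOP/3.8/hostfactory/providers/common/lib" \
    "$EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid" \
    "$EGO_TOP/conductorspark/conf/packages/Spark1.6.1-Conductor2.4.1"
  for f in mrss.xml OpenIdClient.xml hostfactory.xml; do touch "$EGO_ESRVDIR/esc/conf/services/$f"; done
  echo jar > "$SOAM_HOME/mapreduce/7.3/linux-x86_64/lib/hadoop-2.7.x/zookeeper-3.4.6.jar"
  echo jar > "$EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar"
  echo war > "$EGO_TOP/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war"
  echo war > "$EGO_TOP/patch/backup/soammgmt_noarch_539927/wlp/usr/servers/openid/SymOpenIdClient-7.3.0.0.war"
}
```

On a real host, export the three variables from the cluster environment and call verify_543160_removal on each management and compute host after the steps above; a non-zero exit means something from the table is still in place.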

5. Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page (http://www.ibm.com/support/mynotifications/) on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to be notified about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.

6. Copyright and trademark information

© Copyright IBM Corporation 2020

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.