Readme File for IBM® Spectrum Symphony 7.3.0 Interim Fix 544084

Readme file for: IBM Spectrum Symphony

Product/Component release: 7.3.0

Update name: Interim Fix 544084

Fix ID: sym-7.3.0-build544084

Publication date: April 17, 2020

This readme file provides guidance on upgrading the nimbus-jose-jwt package to version 8.10 in IBM Spectrum Symphony 7.3.0 in order to fix security vulnerabilities CVE-2017-16007, CVE-2017-12972 and CVE-2017-12974.

Contents

1.   List of fixes

2.  Download location 

3.   Products or components affected

4.   Installation and configuration

5.  Uninstallation

6.  List of files

7.   Product notifications

8.   Copyright and trademark information

 

1.     List of fixes

APAR: P103490

2.     Download location

Download interim fix 544084 from the following location: https://www.ibm.com/eserver/support/fixes/

3.     Products or components affected

Component name, Platform, Fix ID:

HostFactory, Linux-x86_64, sym-7.3.0-build544084

4.     Installation and configuration

Follow these steps to upgrade the nimbus-jose-jwt.jar file to an IBM Spectrum Symphony 7.3.0 cluster:

a)       Log on to the master host as the cluster administrator and stop the HostFactory service:

> egosh user logon -u Admin -x Admin   

> egosh service stop HostFactory

b)       On each management host, as the cluster administrator:

                    i.            Move the following file to a backup directory for recovery purposes: 

> mkdir -p /tmp/hflib/

> mv $EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar /tmp/hflib/

Note: To avoid compatibility issues, move the old file to another directory altogether.

                   ii.           Create a directory (for example, /symfixes) and download the egocore-3.8.0.0_x86_64_build544084.tar.gz package to the directory.

                  iii.            Run the egoinstallfixes command to install the egocore-3.8.0.0_x86_64_build544084.tar.gz package:

> egoinstallfixes /symfixes/egocore-3.8.0.0_x86_64_build544084.tar.gz --silent

                 iv.            Run the pversions command to verify the installation:

> pversions -b 544084

IBM Spectrum egocore 3.8.0.0
----------------------------
  binary type: linux-x86_64, Apr 15 2020, Build 544084
  installed: Apr 15 2020
  notes:
  fixes: P103490
  files: /3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-8.10.jar

c)       Optional: Repeat the previous step (step b) for each compute host. IBM Spectrum Symphony does not use the vulnerable package in this fix on compute hosts; applying this fix on compute hosts will prevent the vulnerabilities from showing up in a security scan report.

d)       From the master host, start the HostFactory service:

> egosh user logon -u Admin -x Admin

> egosh service start HostFactory

5.     Uninstallation 

If required, follow these steps to uninstall the upgraded .jar file from the IBM Spectrum Symphony 7.3.0 cluster:

a)       Log on to the master host as the cluster administrator and stop the HostFactory service:

> egosh user logon -u Admin -x Admin

> egosh service stop HostFactory

b)       On each management host, as the cluster administrator:

                    i.            Run the egoinstallfixes command to roll back this interim fix:

> egoinstallfixes -r 544084        

                   ii.           Restore the following file from your backup:

> mv /tmp/hflib/* $EGO_TOP/3.8/hostfactory/providers/common/lib/

c)       Optional: If you applied this fix on compute hosts, repeat the previous step (step b) for each compute host.

d)       From the master host, start the HostFactory service:

> egosh user logon -u Admin -x Admin

> egosh service start HostFactory

6.     List of files

3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-8.10.jar

7.     Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page http://www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes. 

8.     Copyright and trademark information

© Copyright IBM Corporation 2020

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.