Readme File for IBM® Spectrum Symphony 7.3.0 Interim Fix 544084
Readme file for: IBM Spectrum Symphony
Product/Component release: 7.3.0
Update name: Interim Fix 544084
Fix ID: sym-7.3.0-build544084
Publication date: April 17, 2020
This readme file provides guidance on upgrading the nimbus-jose-jwt package to version 8.10 in IBM Spectrum Symphony 7.3.0 in order to fix security vulnerabilities CVE-2017-16007, CVE-2017-12972 and CVE-2017-12974.
Contents
1. List of fixes
2. Download location
3. Products or components affected
4. Installation and configuration
5. Uninstallation
6. List of files
7. Product notifications
8. Copyright and trademark information
1. List of fixes
APAR: P103490
2. Download location
Download interim fix 544084 from the following location: https://www.ibm.com/eserver/support/fixes/
3. Products or components affected
Component name, Platform, Fix ID:
HostFactory, Linux-x86_64, sym-7.3.0-build544084
4. Installation and configuration
Follow these steps to upgrade the nimbus-jose-jwt.jar file in an IBM Spectrum Symphony 7.3.0 cluster:
a) Log on to the master host as the cluster administrator and stop the HostFactory service:
> egosh user logon -u Admin -x Admin
> egosh service stop HostFactory
b) On each management host, as the cluster administrator:
i. Move the following file to a backup directory for recovery purposes:
> mkdir -p /tmp/hflib/
> mv $EGO_TOP/3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar /tmp/hflib/
Note: To avoid compatibility issues, move the old file to another directory altogether.
ii. Create a directory (for example, /symfixes) and download the egocore-3.8.0.0_x86_64_build544084.tar.gz package to the directory.
iii. Run the egoinstallfixes command to install the egocore-3.8.0.0_x86_64_build544084.tar.gz package:
> egoinstallfixes /symfixes/egocore-3.8.0.0_x86_64_build544084.tar.gz --silent
iv. Run the pversions command to verify the installation:
> pversions -b 544084
IBM Spectrum egocore 3.8.0.0
----------------------------
binary type: linux-x86_64, Apr 15 2020, Build 544084
installed: Apr 15 2020
notes:
fixes: P103490
files: /3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-8.10.jar
c) Optional: Repeat the previous step (step b) for each compute host. IBM Spectrum Symphony does not use the vulnerable package in this fix on compute hosts; applying this fix on compute hosts will prevent the vulnerabilities from showing up in a security scan report.
d) From the master host, start the HostFactory service:
> egosh user logon -u Admin -x Admin
> egosh service start HostFactory
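The following check is an added example, not part of the IBM interim fix package. It confirms that the HostFactory library directory named in this readme holds nimbus-jose-jwt-8.10.jar and no other copy of the package, which is the state the note in step b.i asks for; the function name check_nimbus_lib is hypothetical.

```shell
#!/bin/sh
# Added example: not shipped with interim fix 544084.
# check_nimbus_lib DIR [VERSION]   (hypothetical helper name)
#   Returns 0 when DIR contains nimbus-jose-jwt-VERSION.jar and no other
#   file whose name starts with nimbus-jose-jwt; returns 1 otherwise.
#   VERSION defaults to 8.10, the version delivered by this fix.
check_nimbus_lib() {
    dir=$1
    want="nimbus-jose-jwt-${2:-8.10}.jar"
    found=0
    stale=0
    if [ ! -d "$dir" ]; then
        echo "FAIL: $dir is not a directory" >&2
        return 1
    fi
    for f in "$dir"/nimbus-jose-jwt*; do
        [ -e "$f" ] || continue          # glob matched nothing
        name=${f##*/}
        if [ "$name" = "$want" ]; then
            found=1
        else
            # An old jar or an in-place backup copy left beside the new one.
            echo "FAIL: unexpected copy $f" >&2
            stale=1
        fi
    done
    if [ "$found" -ne 1 ]; then
        echo "FAIL: $want not found in $dir" >&2
        return 1
    fi
    [ "$stale" -eq 0 ] || return 1
    echo "OK: only $want present in $dir"
    return 0
}

# On a cluster host (EGO_TOP set), check the directory from this readme.
if [ -n "${EGO_TOP:-}" ]; then
    check_nimbus_lib "$EGO_TOP/3.8/hostfactory/providers/common/lib" ||
        echo "nimbus-jose-jwt check failed on $(hostname)" >&2
fi
```

After a rollback (section 5), pass 3.1.2 as the second argument to confirm that the original file was restored.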
5. Uninstallation
If required, follow these steps to uninstall the upgraded .jar file from the IBM Spectrum Symphony 7.3.0 cluster:
a) Log on to the master host as the cluster administrator and stop the HostFactory service:
> egosh user logon -u Admin -x Admin
> egosh service stop HostFactory
b) On each management host, as the cluster administrator:
i. Run the egoinstallfixes command to roll back this interim fix:
> egoinstallfixes -r 544084
ii. Restore the following file from your backup:
> mv /tmp/hflib/* $EGO_TOP/3.8/hostfactory/providers/common/lib/
c) Optional: If you applied this fix on compute hosts, repeat the previous step (step b) for each compute host.
d) From the master host, start the HostFactory service:
> egosh user logon -u Admin -x Admin
> egosh service start HostFactory
6. List of files
3.8/hostfactory/providers/common/lib/nimbus-jose-jwt-8.10.jar
7. Product notifications
To receive information about product solution and
patch updates automatically, subscribe to product notifications on the My
Notifications page http://www.ibm.com/support/mynotifications/ on the IBM
Support website (http://support.ibm.com). You can edit your subscription
settings to choose the types of information you want to get notification about,
for example, security bulletins, fixes, troubleshooting, and product
enhancements or documentation changes.
8. Copyright and trademark information
© Copyright IBM Corporation 2020
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.