Readme File for IBM® Spectrum Conductor 2.3.0 Interim Fix 544900

Readme file for: IBM Spectrum Conductor

Product/Component release: 2.3.0

Update name: Interim Fix 544900

Fix ID: sc-2.3.0.0_build544900

Publication date: June 3, 2020

Guidance on upgrading the nimbus-jose-jwt package to version 8.10 in IBM Spectrum Conductor 2.3.0 to fix security vulnerabilities CVE-2017-16007, CVE-2017-12972 and CVE-2017-12974.

Contents

1.  Download location

2.  Products or components affected

3.  Installation and configuration

4.  Uninstallation

5.  List of files

6.  Product notifications

7.  Copyright and trademark information

 

1.     Download location

Download interim fix 544900 from the following location: https://www.ibm.com/eserver/support/fixes/

2.     Products or components affected

Component name, Platform, Fix ID:

HostFactory, Linux-x86_64, sc-2.3.0.0_build544900

3.     Installation and configuration

Follow these steps to upgrade the nimbus-jose-jwt.jar file in an IBM Spectrum Conductor 2.3.0 cluster:

a)       Log on to the master host as the cluster administrator and stop the HostFactory service:

> egosh user logon -u Admin -x Admin   

> egosh service stop HostFactory

b)       On each management and compute host, move the following file to a backup directory for recovery purposes: 

> mkdir -p /tmp/hflib/

> mv $EGO_TOP/3.7/hostfactory/providers/common/lib/nimbus-jose-jwt-3.1.2.jar /tmp/hflib/

Note: To avoid compatibility issues, move the old file to another directory altogether.

c)       On each management and compute host, create a directory (for example, /csfixes) and download the egocore-3.7.0.0_x86_64_build544900.tar.gz package to the directory.

d)       Run the egoinstallfixes command to install the egocore-3.7.0.0_x86_64_build544900.tar.gz package:

> egoinstallfixes /csfixes/egocore-3.7.0.0_x86_64_build544900.tar.gz

e)       Run the pversions command to verify the installation:

> pversions -b 544900

f)        From the master host, start the HostFactory service:

> egosh user logon -u Admin -x Admin

> egosh service start HostFactory
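
The following per-host check is an added example, not part of the IBM fix package or its documentation. It confirms that the HostFactory lib directory named in step b) contains the 8.10 .jar file from the list of files and no other nimbus-jose-jwt .jar file. It assumes EGO_TOP is set in the environment as in the steps above; the function name check_nimbus_jar is hypothetical.

```shell
#!/bin/sh
# Added example (not IBM code): post-install check for the nimbus-jose-jwt upgrade.
# check_nimbus_jar <EGO_TOP>
#   returns 0 if only the expected jar is present,
#           1 if the expected jar is missing or another version is still there,
#           2 if the lib directory does not exist.
EXPECTED_JAR="nimbus-jose-jwt-8.10.jar"
LIB_SUBDIR="3.7/hostfactory/providers/common/lib"

check_nimbus_jar() {
    ego_top=$1
    lib_dir="$ego_top/$LIB_SUBDIR"
    if [ ! -d "$lib_dir" ]; then
        echo "ERROR: $lib_dir not found" >&2
        return 2
    fi
    found_expected=0
    stale=0
    for jar in "$lib_dir"/nimbus-jose-jwt*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        name=${jar##*/}
        if [ "$name" = "$EXPECTED_JAR" ]; then
            found_expected=1
        else
            # An old copy left beside the new one is the compatibility
            # problem the note in step b) warns about.
            echo "STALE: $jar is still in the HostFactory lib directory" >&2
            stale=1
        fi
    done
    if [ "$found_expected" -ne 1 ]; then
        echo "MISSING: $lib_dir/$EXPECTED_JAR" >&2
        return 1
    fi
    [ "$stale" -eq 0 ] || return 1
    echo "OK: only $EXPECTED_JAR is present in $lib_dir"
    return 0
}

# Check the live installation only when EGO_TOP is set in the environment.
[ -z "${EGO_TOP:-}" ] || check_nimbus_jar "$EGO_TOP"
```

Run it on each management and compute host after step e); a non-zero exit status marks a host that still needs attention before HostFactory is restarted.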

4.     Uninstallation 

If required, follow these steps to uninstall the upgraded .jar file from the IBM Spectrum Conductor 2.3.0 cluster:

a)       Log on to the master host as the cluster administrator and stop the HostFactory service:

> egosh user logon -u Admin -x Admin

> egosh service stop HostFactory

b)       On each management and compute host, run the egoinstallfixes command to roll back this interim fix:

> egoinstallfixes -r 544900 --silent

c)       On each management and compute host, restore the following file from your backup:

> mv /tmp/hflib/* $EGO_TOP/3.7/hostfactory/providers/common/lib/

d)       From the master host, start the HostFactory service:

> egosh user logon -u Admin -x Admin

> egosh service start HostFactory

5.     List of files

3.7/hostfactory/providers/common/lib/nimbus-jose-jwt-8.10.jar

6.     Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page (http://www.ibm.com/support/mynotifications/) on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to be notified about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.

7.     Copyright and trademark information

© Copyright IBM Corporation 2020

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml