Readme File for IBM® Platform Symphony 7.1 Fix Pack 1 Interim Fix 555696
Readme file for: Platform Symphony
Product Release: 7.1 Fix Pack 1
Update Name: Interim Fix 555696
Fix ID: sym-7.1-build555696
Publication date: August 21, 2020
This interim fix provides instructions on upgrading Apache Tomcat to v8.5.57 in IBM Platform Symphony 7.1 Fix Pack 1 to address security vulnerabilities CVE-2020-9484, CVE-2020-11996, CVE-2020-13934, and CVE-2020-13935 in Apache Tomcat.
Contents
1. List of fixes
2. Download location
3. Product and components affected
4. Installation and configuration
5. Uninstallation
6. List of files
7. Product notifications
8. Copyright and trademark information
1. List of fixes
APAR: P103812
2. Download location
3. Product and components affected
Component name, Platform, Fix ID:
PMC, Linux x86_64, sym-7.1-build555696
4. Installation and configuration
Follow the instructions in this section to download and install this interim fix to your cluster.
System requirements
Linux x86_64
Installation
a. Log on to the primary host as the cluster administrator and stop the WEBGUI service:
> source profile.platform
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
b. Log on to each management host in the cluster and back up the following files for recovery purposes:
$EGO_TOP/gui/3.1/etc/linux2.6-glibc2.3-x86_64/wsm
$EGO_TOP/gui/3.1/tomcat/
$EGO_CONFDIR/../../gui/conf/catalina.policy
$EGO_CONFDIR/../../gui/conf/catalina.properties
$EGO_CONFDIR/../../gui/conf/server.xml
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
c. Copy the apache-tomcat-8.5.57.tar.gz package to a temporary folder and decompress the file:
> cp apache-tomcat-8.5.57.tar.gz /tmp
> tar zxvf apache-tomcat-8.5.57.tar.gz
> rm -rf apache-tomcat-8.5.57/conf/
> rm -rf apache-tomcat-8.5.57/work/
> rm -rf apache-tomcat-8.5.57/logs/
d. On each management host, copy the Tomcat folder:
> rm -rf $EGO_TOP/gui/3.1/tomcat
> cp -R apache-tomcat-8.5.57 $EGO_TOP/gui/3.1/tomcat
e. On each management host, download the sym7.1_lnx26-lib23-x64_build555696.tar.gz package and extract its contents to the top-level installation directory, for example:
> tar zxfo sym7.1_lnx26-lib23-x64_build555696.tar.gz -C $EGO_TOP
a) If you ran the “egoconfig mghost shared_dir” command during installation to set up a shared location for configuration files, ensure that the configuration file is changed in the shared directory:
> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy
> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties
> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml
b) If you modified the server.xml configuration file for details such as the GUI service port, manually redo those changes:
$EGO_CONFDIR/../../gui/conf/server.xml
f. Edit the web.xml files to add the following configuration:
a) Edit each of the following files:
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
b) Find the “<servlet-name>dwr-invoker</servlet-name>” line in the “</servlet>” section and add the following configuration:
<init-param>
    <param-name>crossDomainSessionSecurity</param-name>
    <param-value>false</param-value>
</init-param>
For example:
<servlet>
    <servlet-name>dwr-invoker</servlet-name>
    <servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
    <init-param>
        <param-name>debug</param-name>
        <param-value>true</param-value>
    </init-param>
    <init-param>
        <param-name>crossDomainSessionSecurity</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>
g. Delete all subdirectories and files in the GUI work directory:
> rm -rf $EGO_TOP/gui/work/*
h. Launch your browser and clear the browser cache.
i. From the primary host, start the WEBGUI service:
> source profile.platform
> egosh service start WEBGUI
j. In the $EGO_TOP/gui/logs/catalina.out file, check that the reported server version is 8.5.57:
INFO: Server version number: 8.5.57.0
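A post-installation check for steps f and j, added here as an example and not part of the IBM readme: it confirms that each web.xml carries the new parameter inside the dwr-invoker servlet block and that the most recent startup logged Tomcat 8.5.57. The function names are hypothetical, and the script assumes catalina.out is appended across restarts.

```shell
#!/bin/sh
# Added example (not part of the IBM readme): checks for steps f and j.

# Return 0 if the dwr-invoker <servlet> block of web.xml ($1) contains
# crossDomainSessionSecurity=false. XML comments are not interpreted.
check_dwr_param() {
    awk '
        /<servlet>/ { in_servlet = 1; dwr = 0; pname = 0; ok = 0 }
        in_servlet && /<servlet-name>[ \t]*dwr-invoker[ \t]*<\/servlet-name>/ { dwr = 1 }
        in_servlet && /<param-name>[ \t]*crossDomainSessionSecurity[ \t]*<\/param-name>/ { pname = 1 }
        in_servlet && pname && /<param-value>/ {
            if ($0 ~ /<param-value>[ \t]*false[ \t]*<\/param-value>/) ok = 1
            pname = 0
        }
        /<\/servlet>/ { if (in_servlet && dwr && ok) found = 1; in_servlet = 0 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Print the version from the last "Server version number:" line of
# catalina.out ($1). Assumption: the log is appended across restarts, so
# earlier lines can still show the pre-upgrade Tomcat.
last_tomcat_version() {
    awk '/Server version number:/ { v = $NF } END { if (v != "") print v }' "$1"
}

# Return 0 if the last reported version is $2 or $2.<build> (8.5.57.0).
tomcat_version_ok() {
    case "$(last_tomcat_version "$1")" in
        "$2"|"$2".*) return 0 ;;
        *) return 1 ;;
    esac
}

# Run all checks under an installation root ($1, normally $EGO_TOP).
verify_install() {
    rc=0
    for app in gui/ego/3.1/platform gui/is/7.1/isgui gui/perf/3.1/perfgui \
               gui/soam/7.1/symgui gui/soam/7.1/soamgui; do
        check_dwr_param "$1/$app/WEB-INF/web.xml" ||
            { echo "FAIL: $app/WEB-INF/web.xml lacks the dwr-invoker parameter"; rc=1; }
    done
    tomcat_version_ok "$1/gui/logs/catalina.out" 8.5.57 ||
        { echo "FAIL: catalina.out does not report Tomcat 8.5.57"; rc=1; }
    return "$rc"
}

# Executed with a root argument: run the checks. Sourced: define functions only.
if [ "$#" -gt 0 ]; then verify_install "$1"; fi
```

Run it on each management host with $EGO_TOP as the argument; a non-zero exit status means at least one check failed.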
5. Uninstallation
If required, follow the instructions in this section to uninstall this interim fix from your cluster:
a. Log on to the primary host as the cluster administrator and stop the WEBGUI service:
> source profile.platform
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
b. Log on to each management host as the cluster administrator and restore your backup for the following files:
$EGO_TOP/gui/3.1/etc/linux2.6-glibc2.3-x86_64/wsm
$EGO_TOP/gui/3.1/tomcat/
$EGO_CONFDIR/../../gui/conf/catalina.policy
$EGO_CONFDIR/../../gui/conf/catalina.properties
$EGO_CONFDIR/../../gui/conf/server.xml
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
c. Delete all subdirectories and files in the GUI work directory:
> rm -rf $EGO_TOP/gui/work/*
d. Launch your browser and clear the browser cache.
e. From the primary host, start the WEBGUI service:
> source profile.platform
> egosh service start WEBGUI
6. List of files
52be24d89c3232e5af8318094ced2476 gui/3.1/etc/linux2.6-glibc2.3-x86_64/wsm
0d7ec83656505517f1885492f6af775f gui/conf/catalina.policy
e0446e075e7a7081be6f45377ad5830b gui/conf/catalina.properties
29bedbe49eb5fbfa74905306f5241480 gui/conf/server.xml
b562ffb19e21518df2e82ddbbb804dfe gui/3.1/tomcat/bin/catalina.sh
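The file list above can be checked against an installation after step e. The following is an added example, not part of the IBM readme; it assumes the 32-digit values are MD5 digests and that the paths are relative to $EGO_TOP, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the IBM readme): compare installed files with
# the values published in section 6, assumed to be MD5 digests.

# Manifest copied from the readme: "<digest>  <path relative to $EGO_TOP>".
manifest() {
    cat <<'EOF'
52be24d89c3232e5af8318094ced2476  gui/3.1/etc/linux2.6-glibc2.3-x86_64/wsm
0d7ec83656505517f1885492f6af775f  gui/conf/catalina.policy
e0446e075e7a7081be6f45377ad5830b  gui/conf/catalina.properties
29bedbe49eb5fbfa74905306f5241480  gui/conf/server.xml
b562ffb19e21518df2e82ddbbb804dfe  gui/3.1/tomcat/bin/catalina.sh
EOF
}

# Read a manifest on stdin and check each file under the root ($1).
# Prints OK / MISMATCH / MISSING per file; returns 0 only if all are OK.
verify_manifest() {
    bad=0
    while read -r want path; do
        [ -n "$path" ] || continue
        if [ ! -f "$1/$path" ]; then
            echo "MISSING  $path"; bad=1; continue
        fi
        got=$(md5sum "$1/$path" | awk '{ print $1 }')
        if [ "$got" = "$want" ]; then
            echo "OK       $path"
        else
            echo "MISMATCH $path"; bad=1
        fi
    done
    return "$bad"
}

# Executed with a root argument: check it. Sourced: define functions only.
if [ "$#" -gt 0 ]; then manifest | verify_manifest "$1"; fi
```

A MISMATCH on gui/conf/server.xml is expected once local changes such as the GUI service port have been reapplied in step e.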
7. Product notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page (http://www.ibm.com/support/mynotifications/) on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and trademark information
© Copyright IBM Corporation 2020
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.