Readme File for IBM® Spectrum Conductor 2.4.1 Interim Fix 600955

Readme File for: IBM Spectrum Conductor

Product Release: 2.4.1

Update Name: Interim Fix 600955

Fix ID: sc-2.4.1-build600955

Publication Date: January 11, 2022

 

This interim fix upgrades log4j 2.x to version 2.17.1 to resolve security vulnerability issues CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for IBM Spectrum Conductor 2.4.1.

Contents

1. List of fixes

2. Download location

3. Product and components affected

4. Installation and configuration

5. Uninstallation

6. List of files

7. Product notifications

8. Copyright and trademark information

 

1.    List of fixes

APAR: P104516

2.    Download location

Download interim fix 600955 from the following location: https://www.ibm.com/eserver/support/fixes/

3.    Product and components affected

Component name: ELK, ascd, PERF, GUI

Platform: Linux x86_64, Linux ppc64le

Fix ID: sc-2.4.1-build600955

4.    Installation and configuration

Follow the instructions in this section to download and install this interim fix to your cluster.

System requirements

Linux x86_64 or Linux ppc64le

Installation

a.     Log on to the primary host in the cluster as the cluster administrator:

egosh user logon -u Admin -x Admin

b.   Stop the Elastic Stack related services as follows:

1)     Run egosh service stop elk-shipper.

Verify that the elk-shipper service is in DEFINED state:  
egosh service list -ll | grep elk-shipper | grep DEFINED

2)     Run egosh service stop elk-indexer.

Verify that the elk-indexer service is in DEFINED state.

3)     Run egosh service stop elk-elasticsearch-master elk-elasticsearch-data elk-elasticsearch.

Verify that all these elk-elasticsearch services are in DEFINED state.

4)     Run egosh service stop elk-manager.

Verify that the elk-manager service is in DEFINED state.

 

c.   Stop the ASCD, PERF, and WEBGUI services:

      egosh service stop ascd plc purger WEBGUI

d.     For recovery purposes, log on to each management host in your cluster as the cluster administrator and back up the following files:

cd $EGO_TOP

tar -cvf backup_old_600955.tar ascd/2.4.1/lib/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar ascd/2.4.1/lib/log4j-core-2.*.jar

tar -uvf backup_old_600955.tar gui/3.8/lib/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar gui/3.8/lib/log4j-core-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-slf4j-impl-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-core-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1/log4j-slf4j-impl-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-1.2-api-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-core-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/elasticsearch-7.2.1/plugins/search-guard-7/log4j-slf4j-impl-2.*.jar

tar -uvf backup_old_600955.tar perf/cs/2.4.1/lib/log4j-api-2.*.jar

tar -uvf backup_old_600955.tar perf/cs/2.4.1/lib/log4j-core-2.*.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.0-java/lib/logstash-input-http_jars.rb

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/lib/logstash-input-azure_event_hubs.rb

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.0-java/lib/logstash-input-beats_jars.rb

tar -uvf backup_old_600955.tar integration/elk/1.4.3/elasticsearch-7.2.1/bin/elasticsearch-sql-cli-7.2.1.jar

tar -uvf backup_old_600955.tar integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.2-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.2/logstash-input-tcp-6.0.2.jar

e.   Remove the old log4j 2.x jar files:

rm $EGO_TOP/ascd/2.4.1/lib/log4j-api-2.*.jar

rm $EGO_TOP/ascd/2.4.1/lib/log4j-core-2.*.jar

rm $EGO_TOP/gui/3.8/lib/log4j-api-2.*.jar

rm $EGO_TOP/gui/3.8/lib/log4j-core-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-slf4j-impl-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-api-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-core-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.9.1/log4j-api-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.9.1/log4j-slf4j-impl-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.11.1/log4j-api-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-1.2-api-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-api-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-core-2.*.jar

rm $EGO_TOP/integration/elk/1.4.3/elasticsearch-7.2.1/plugins/search-guard-7/log4j-slf4j-impl-2.*.jar

rm $EGO_TOP/perf/cs/2.4.1/lib/log4j-api-2.*.jar

rm $EGO_TOP/perf/cs/2.4.1/lib/log4j-core-2.*.jar

f.   On each management host, create a directory (for example, /scfixes) and download the following packages to this directory:

  egoelastic-1.4.3.0_OS_type_build600955.tar.gz

 ascd-2.4.1.0_noarch_build600955.tar.gz

 egomgmt-3.8.0.1_noarch_build600955.tar.gz

 conductorsparkmgmt-2.4.1.0_noarch_build600955.tar.gz

  where OS_type is either x86_64 or ppc64le.  

g.   On each management host, run the egoinstallfixes command to install the following packages:

egoinstallfixes /scfixes/egoelastic-1.4.3.0_OS_type_build600955.tar.gz

egoinstallfixes /scfixes/ascd-2.4.1.0_noarch_build600955.tar.gz

egoinstallfixes /scfixes/egomgmt-3.8.0.1_noarch_build600955.tar.gz

egoinstallfixes /scfixes/conductorsparkmgmt-2.4.1.0_noarch_build600955.tar.gz

  where OS_type is either x86_64 or ppc64le.  

Important: Running the egoinstallfixes command automatically backs up the current binary files to a fix backup directory. To keep the original files recoverable, do not delete this backup directory. For more information on using this command, see the egoinstallfixes command reference.

Tip for compute hosts: Compute hosts technically are not affected by the log4j 2.x vulnerability, since IBM Spectrum Conductor does not load these log4j 2.x jars on them. However, if you have concerns about security scans, you can install these fix packages on compute hosts, as you did on management hosts.

h.   Run the pversions command to verify the installation:

   pversions -b 600955

i.   Delete all subdirectories and files from the following directories:

rm -rf $EGO_TOP/gui/work/*

rm -rf $EGO_TOP/gui/workarea/*

(Optional) rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*

j.     Clear your browser cache.    

k.   On each management host, update the version of log4j to 2.17.1 in the following scripts:

1) Edit the $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.0-java/lib/logstash-input-http_jars.rb file to use log4j*2.17.1 and remove the old version as follows:

   require_jar('org.apache.logging.log4j', 'log4j-api', '2.17.1')

2) Edit the $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/lib/logstash-input-azure_event_hubs.rb file to use log4j*2.17.1 and remove the old version as follows:

require_jar('org.apache.logging.log4j', 'log4j-slf4j-impl', '2.17.1')

require_jar('org.apache.logging.log4j', 'log4j-api', '2.17.1')

3) Edit the $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.0-java/lib/logstash-input-beats_jars.rb file to use log4j*2.17.1 and remove the old version as follows:

require_jar('org.apache.logging.log4j', 'log4j-api', '2.17.1')

l.    On each management host, remove the following classes from the following jar file:

zip -q -d $EGO_TOP/integration/elk/1.4.3/elasticsearch-7.2.1/bin/elasticsearch-sql-cli-7.2.1.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

zip -q -d $EGO_TOP/integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-tcp-6.0.2-java/vendor/jar-dependencies/org/logstash/inputs/logstash-input-tcp/6.0.2/logstash-input-tcp-6.0.2.jar org/apache/logging/log4j/core/lookup/JndiLookup.class

m.   From the primary host, restart the previously stopped services.
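The following check is an added example, not part of the IBM readme or IBM tooling. Run on each management host after steps e through l, it lists any log4j 2.x jar older than 2.17.1 that is still on disk and any jar that still carries JndiLookup.class. The function names and script name are hypothetical, and scanning every jar under the given root goes beyond the two jars named in step l.

```shell
#!/bin/sh
# Added example (not IBM tooling): post-install check for Interim Fix 600955.
# Usage: sh check_log4j_fix.sh "$EGO_TOP"     (script name is hypothetical)
FIXED="2.17.1"
JNDI="org/apache/logging/log4j/core/lookup/JndiLookup.class"

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] && [ "$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)" = "$1" ]
}

# old_log4j_jars ROOT: print log4j 2.x jars under ROOT older than $FIXED.
# The version is the text after the last '-' in the file name.
old_log4j_jars() {
    find "$1" -type f -name 'log4j-*-2.*.jar' | sort | while IFS= read -r jar; do
        ver=${jar##*-}; ver=${ver%.jar}
        if version_lt "$ver" "$FIXED"; then printf '%s\n' "$jar"; fi
    done
}

# jars_with_jndilookup ROOT: print jars that still list JndiLookup.class.
# Zip entry names are stored uncompressed, so grep finds a direct entry without
# unzip; jars nested inside other jars are not inspected. log4j-core 2.17.1
# itself ships the class (JNDI is off by default there), so it is skipped.
jars_with_jndilookup() {
    find "$1" -type f -name '*.jar' ! -name "log4j-core-$FIXED.jar" | sort |
    while IFS= read -r jar; do
        if grep -qF "$JNDI" "$jar"; then printf '%s\n' "$jar"; fi
    done
}

# check_fix ROOT: list findings and return 1, or return 0 when clean.
check_fix() {
    findings=$(old_log4j_jars "$1" | sed 's/^/old log4j 2.x jar: /'
               jars_with_jndilookup "$1" | sed 's/^/JndiLookup.class in: /')
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    echo "clean: no log4j 2.x jar older than $FIXED, no stray JndiLookup.class"
}

if [ "$#" -gt 0 ]; then check_fix "$1"; fi
```

A non-zero exit status means at least one finding; rerun the check after correcting the listed files and before restarting the services in step m.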

5.    Uninstallation

If required, follow the instructions in this section to uninstall this interim fix from your cluster.

a.     Log on to the primary host in the cluster as the cluster administrator:

egosh user logon -u Admin -x Admin

b.   Stop the related services as described in steps b and c of the “Installation” section.

c.   On each management host, roll back this interim fix:

1) Uninstall with the build number:

egoinstallfixes -r 600955

2) Restore the files from your backup:

cd $EGO_TOP/

tar -xvf backup_old_600955.tar

d.     Delete all subdirectories and files from the following directories:

rm -rf $EGO_TOP/gui/work/*

rm -rf $EGO_TOP/gui/workarea/*

(Optional) rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*

e.     Clear your browser cache.

f.   From the primary host, restart the previously stopped services.

6.    List of files

ascd/2.4.1/lib/log4j-core-2.17.1.jar

ascd/2.4.1/lib/log4j-api-2.17.1.jar

gui/3.8/lib/log4j-api-2.17.1.jar

gui/3.8/lib/log4j-core-2.17.1.jar

integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-1.2-api-2.17.1.jar

integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-api-2.17.1.jar

integration/elk/1.4.3/elasticsearch-7.2.1/lib/log4j-core-2.17.1.jar

integration/elk/1.4.3/elasticsearch-7.2.1/plugins/search-guard-7/log4j-slf4j-impl-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-slf4j-impl-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-api-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/logstash-core/lib/jars/log4j-core-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-azure_event_hubs-1.1.1/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-beats-6.0.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar

integration/elk/1.4.3/logstash-7.2.1/vendor/bundle/jruby/2.5.0/gems/logstash-input-http-3.3.0-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar

perf/cs/2.4.1/lib/log4j-api-2.17.1.jar

perf/cs/2.4.1/lib/log4j-core-2.17.1.jar

 

7.    Product notifications

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes. 

8.    Copyright and trademark information

© Copyright IBM Corporation 2022

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.