Readme File for IBM® Spectrum Conductor 2.2.0 Interim Fix 600957
Readme File for: IBM Spectrum Conductor
Product Release: 2.2.0
Update Name: Interim Fix 600957
Fix ID: sc-2.2-build600957-jpmc
Publication Date: January 9, 2022
This interim fix upgrades log4j 2.x to version 2.17.1 to resolve security vulnerability issues CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for IBM Spectrum Conductor 2.2.0.
Contents
1. List of fixes
2. Download location
3. Product and components affected
4. Installation and configuration
5. Uninstallation
6. List of files
7. Product notifications
8. Copyright and trademark information
1. List of fixes
APAR: P104518
2. Download location
Download interim fix 600957 from the following location: https://www.ibm.com/eserver/support/fixes/
3. Product and components affected
Component name, Platform, Fix ID:
GUI, Linux x86_64, Linux ppc64le, sc-2.2-build600957-jpmc
4. Installation and configuration
Follow the instructions in this section to download and install this interim fix to your cluster.
System requirements
Linux x86_64 or Linux ppc64le
Installation
a. Log on to the primary host in the cluster as the cluster administrator:
egosh user logon -u Admin -x Admin
b. Stop the WEBGUI and REST services:
egosh service stop WEBGUI REST
c. For recovery purposes, log on to each management host in your cluster as the cluster administrator and back up the following files:
cd $EGO_TOP/
tar -cvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.*.jar
tar -uvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.*.jar
tar -uvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.*.jar
tar -uvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.*.jar
d. Remove the old version log4j 2.x jar files:
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.*.jar
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.*.jar
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.*.jar
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.*.jar
e. On each management host, create a directory (for example, /scfixes) and download the following package to this directory:
egowlp-8.5.5.9_noarch_build600957.tar.gz
f. Install the package:
tar zvxfo /scfixes/egowlp-8.5.5.9_noarch_build600957.tar.gz -C $EGO_TOP/
g. Delete all subdirectories and files from the following directories:
rm -rf $EGO_TOP/gui/work/*
rm -rf $EGO_TOP/gui/workarea/*
(Optional) rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
h. Clear your browser cache.
i. From the primary host, restart the previously stopped services.
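A post-install check for each management host, given here as an added example and not part of the IBM readme: it confirms that the four jar files listed in section 6 are present at version 2.17.1 and that no other 2.x copy of them remains in the lib directory. The function name check_log4j_lib is hypothetical; the directory and file names are the ones used in this readme.

```shell
#!/bin/sh
# Added example: post-install check for interim fix 600957.
# LIB_REL and the artifact names come from the readme; the function
# name check_log4j_lib is hypothetical.
LIB_REL="wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib"
FIX_VERSION="2.17.1"
ARTIFACTS="log4j-1.2-api log4j-api log4j-core log4j-slf4j-impl"

# check_log4j_lib EGO_TOP_DIR
# Returns 0 when every artifact is present at FIX_VERSION and no other
# 2.x copy of it remains; returns 1 otherwise.
check_log4j_lib() {
    lib="$1/$LIB_REL"
    rc=0
    if [ ! -d "$lib" ]; then
        echo "MISSING DIR: $lib"
        return 1
    fi
    for name in $ARTIFACTS; do
        want="$lib/$name-$FIX_VERSION.jar"
        if [ ! -f "$want" ]; then
            echo "MISSING: $want"
            rc=1
        fi
        # Same glob the readme uses for backup and removal.
        for jar in "$lib/$name"-2.*.jar; do
            [ -e "$jar" ] || continue    # glob matched nothing
            if [ "$jar" != "$want" ]; then
                echo "STALE: $jar"
                rc=1
            fi
        done
    done
    [ "$rc" -eq 0 ] && echo "OK: $lib"
    return "$rc"
}

# Run against the local installation only when EGO_TOP is set.
if [ -n "${EGO_TOP:-}" ]; then
    check_log4j_lib "$EGO_TOP" || echo "log4j check failed on $(uname -n)"
fi
```

A STALE line means an older jar survived step d and would still be on the web application's classpath after the restart.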
5. Uninstallation
If required, follow the instructions in this section to uninstall this interim fix from your cluster.
a. Log on to the primary host in the cluster as the cluster administrator:
egosh user logon -u Admin -x Admin
b. Stop the WEBGUI and REST services.
c. On each management host, remove the installed fix:
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.17.1.jar
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.17.1.jar
rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar
d. Log on to each management host in your cluster as the cluster administrator and restore your backup:
cd $EGO_TOP
tar -xvf backup_old_600957.tar
e. Delete all subdirectories and files from the following directories:
rm -rf $EGO_TOP/gui/work/*
rm -rf $EGO_TOP/gui/workarea/*
(Optional) rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
f. Clear your browser cache.
g. From the primary host, restart the previously stopped services.
6. List of files
wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.17.1.jar
wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.17.1.jar
wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.17.1.jar
wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar
7. Product notifications
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and trademark information
© Copyright IBM Corporation 2022
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.