Readme File for IBM® Spectrum Conductor 2.2.0 Interim Fix 600957

Readme File for: IBM Spectrum Conductor

Product Release: 2.2.0

Update Name: Interim Fix 600957

Fix ID: sc-2.2-build600957-jpmc

Publication Date: January 9, 2022

 

This interim fix upgrades log4j 2.x to version 2.17.1 to resolve security vulnerability issues CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for IBM Spectrum Conductor 2.2.0.

Contents

1. List of fixes

2. Download location

3. Product and components affected

4. Installation and configuration

5. Uninstallation

6. List of files

7. Product notifications

8. Copyright and trademark information

 

1.    List of fixes

APAR: P104518

2.    Download location

Download interim fix 600957 from the following location: https://www.ibm.com/eserver/support/fixes/

3.    Product and components affected

Component name, Platform, Fix ID:

 GUI, Linux x86_64, Linux ppc64le, sc-2.2-build600957-jpmc

4.    Installation and configuration

Follow the instructions in this section to download and install this interim fix to your cluster.

System requirements

Linux x86_64 or Linux ppc64le

Installation

a.     Log on to the primary host in the cluster as the cluster administrator:

egosh user logon -u Admin -x Admin

b.   Stop the WEBGUI and REST services:

      egosh service stop WEBGUI REST

c.     For recovery purposes, log on to each management host in your cluster as the cluster administrator and back up the following file:

cd $EGO_TOP/

tar -cvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.*.jar

tar -uvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.*.jar

tar -uvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.*.jar

tar -uvf backup_old_600957.tar wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.*.jar

d.   Remove the old version log4j 2.x jar files:

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.*.jar

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.*.jar

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.*.jar

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.*.jar

e.   On each management host, create a directory (for example, /scfixes) and download the following package to this directory:

egowlp-8.5.5.9_noarch_build600957.tar.gz

f.   Install the package:

tar zvxfo /scfixes/egowlp-8.5.5.9_noarch_build600957.tar.gz -C $EGO_TOP/

g.   Delete all subdirectories and files from the following directories:

rm -rf $EGO_TOP/gui/work/*

rm -rf $EGO_TOP/gui/workarea/*

(Optional) rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*

h.     Clear your browser cache.    

i.    From the primary host, restart the previously stopped services previously.

5.    Uninstallation

If required, follow the instructions in this section to uninstall this interim fix from your cluster.

a.     Log on to the primary host in the cluster as the cluster administrator:

egosh user logon -u Admin -x Admin

b.   Stop the WEBGUI and REST services.

c.   On each management host, remove the installed fix.:

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.17.1.jar

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.17.1.jar

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.17.1.jar

rm $EGO_TOP/wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar

d.     Log on to each management host in your cluster as the cluster administrator and restore your backup for the following file:

cd $EGO_TOP

tar -xvf backup_old_600957.tar

e.     Delete all subdirectories and files from the following directories:

rm -rf $EGO_TOP/gui/work/*

rm -rf $EGO_TOP/gui/workarea/*

(Optional) rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*

f.     Clear your browser cache.

g.  From the primary host, restart the previously stopped services.

6.    List of files

wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-1.2-api-2.17.1.jar

wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-api-2.17.1.jar

wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-core-2.17.1.jar

wlp/usr/servers/gui/apps/kc/1.5.1/kc/WEB-INF/lib/log4j-slf4j-impl-2.17.1.jar

7.    Product notification

To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes. 

8.    Copyright and trademark information

© Copyright IBM Corporation 2022

U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.