Readme File for IBM® Spectrum Symphony 7.3.0 Interim Fix 600936
Readme File for: IBM Spectrum Symphony
Product Release: 7.3.0
Update Name: Interim Fix 600936
Fix ID: sym-7.3-build600936
Publication Date: January 9, 2022
This interim fix upgrades log4j 2.x to version 2.17.1 to resolve security vulnerability issues CVE-2021-44228, CVE-2021-44832, CVE-2021-45046, and CVE-2021-45105 for IBM Spectrum Symphony 7.3.0 on Linux.
Contents
1. List of fixes
2. Download location
3. Product and components affected
4. Installation and configuration
5. Uninstallation
6. List of files
7. Product notifications
8. Copyright and trademark information
1. List of fixes
APAR: P104506
2. Download location
Download interim fix 600936 from the following location: https://www.ibm.com/eserver/support/fixes/
3. Product and components affected
Component name, Platform, Fix ID:
ELK, GUI, KC, Linux x86_64, sym-7.3-build600936
4. Installation and configuration
Follow the instructions in this section to download and install this interim fix to your cluster.
System requirements
Linux x86_64
Installation
a. Log on to the primary host in the cluster as the cluster administrator and stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
>
egosh service stop WEBGUI
b. Stop the Elastic Stack related services as
follows:
1)
Run egosh service stop elk-shipper.
Verify that the elk-shipper
service is in DEFINED state:
egosh service list -ll | grep
elk-shipper | grep DEFINED
2)
Run egosh service stop elk-indexer.
Verify that the elk-indexer
service is in DEFINED state.
3)
Run egosh service stop elk-elasticsearch elk-elasticsearch-master
elk-elasticsearch-data.
Verify that all these elk-elasticsearch
services are in DEFINED state.
4)
Run egosh service stop elk-manager.
Verify that the elk-manager
service is in DEFINED state.
c. For
recovery purposes, log on to each management host in your cluster as the
cluster administrator and back up the following files:
cd
$EGO_TOP
tar
-cvf backup_old_600936.tar gui/3.8/lib/log4j-api-2.*.jar
tar
-uvf backup_old_600936.tar gui/3.8/lib/log4j-core-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-1.2-api-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-api-2.*.jar
tar
-uvf backup_old_600936.tar integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-core-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-core/2.8.2/log4j-core-2.*.jar
tar
-uvf backup_old_600936.tar integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-slf4j-impl/2.8.2/log4j-slf4j-impl-2.*.jar
tar -uvf
backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/vendor/jar-dependencies/runtime-jars/log4j-slf4j-impl-2.*.jar
tar
-uvf backup_old_600936.tar integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/vendor/jar-dependencies/runtime-jars/log4j-api-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.26-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-core/2.8.2/log4j-core-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.*.jar
tar -uvf
backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.8.2/log4j-slf4j-impl-2.*.jar
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j-slf4j-impl/2.8.2/log4j-slf4j-impl-2.*.jar
tar
-uvf backup_old_600936.tar integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/logstash-core_jars.rb
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/logstash-core/gemspec_jars.rb
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/lib/logstash-output-elasticsearch_jars.rb
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.26-java/lib/logstash-input-beats_jars.rb
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/logstash-input-kafka.gemspec
tar
-uvf backup_old_600936.tar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/specifications/logstash-input-kafka-5.1.11.gemspec
d. Remove
the old log4j 2.x jar files:
rm
-rf $EGO_TOP/gui/3.8/lib/log4j-api-2.*.jar
rm
-rf $EGO_TOP/gui/3.8/lib/log4j-core-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-1.2-api-2.*.jar
rm
-rf $EGO_TOP/integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-api-2.*.jar
rm
-rf $EGO_TOP/integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-core-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-core/2.8.2/log4j-core-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-slf4j-impl/2.8.2/log4j-slf4j-impl-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/vendor/jar-dependencies/runtime-jars/log4j-slf4j-impl-2.*.jar
rm
-rf $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/vendor/jar-dependencies/runtime-jars/log4j-api-2.*.jar
rm
-rf $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.26-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.*.jar
rm
-rf $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-core/2.8.2/log4j-core-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.8.2/log4j-api-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.8.2/log4j-slf4j-impl-2.*.jar
rm
-rf
$EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j-slf4j-impl/2.8.2/log4j-slf4j-impl-2.*.jar
e. On each management host, create a directory
(for example, /symfixes) and download the egomgmt-3.7.0_noarch_build600936.tar.gz
and egoelastic-1.4.1.0_x86_64_build600936.tar.gz packages
to the directory:
f. Run the egoinstallfixes
command to install the egomgmt-3.8.0.0_noarch_build600936.tar.gz
and egoelastic-1.4.2.0_x86_64_build600936.tar.gz packages:
> egoinstallfixes /symfixes/egomgmt-3.8.0.0_noarch_build600936.tar.gz
> egoinstallfixes
/symfixes/egoelastic-1.4.2.0_x86_64_build600936.tar.gz
Important: Running the egoinstallfixes command automatically backs up the current binary files to a fix backup directory. For recovery purposes of the original file, do not delete this backup directory. For more information on using this command, see the egoinstallfixes command reference.
g. Run the pversions
command to verify the installation:
> pversions -b
600936
h. Delete all subdirectories and files from the
following directories:
> rm -rf $EGO_TOP/gui/work/*
>
rm -rf $EGO_TOP/gui/workarea/*
(Optional) > rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
i. Clear your browser cache.
j. Edit the $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/logstash-core_jars.rb
file to use log4j*2.17.1 and remove the old version as
follows:
require
'org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar'
require
'org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar'
require
'org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar'
require_jar
'org.apache.logging.log4j', 'log4j-core', '2.17.1'
require_jar
'org.apache.logging.log4j', 'log4j-api', '2.17.1'
require_jar
'org.apache.logging.log4j', 'log4j-slf4j-impl', '2.17.1'
k. Edit the $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/logstash-core/gemspec_jars.rb
file to use log4j*2.17.1 and remove the old version as
follows:
gem.requirements
<< "jar org.apache.logging.log4j:log4j-api, 2.17.1"
gem.requirements
<< "jar org.apache.logging.log4j:log4j-core, 2.17.1"
gem.requirements << "jar
org.apache.logging.log4j:log4j-slf4j-impl, 2.17.1"
l. Edit the $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/lib/logstash-output-elasticsearch_jars.rb
file to use log4j*2.17.1 and remove the old version as
follows:
require_jar('org.apache.logging.log4j',
'log4j-core', '2.17.1')
require_jar('org.apache.logging.log4j',
'log4j-api', '2.17.1')
require_jar('org.apache.logging.log4j',
'log4j-slf4j-impl', '2.17.1')
m. Edit the $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.26-java/lib/logstash-input-beats_jars.rb
file to use log4j*2.17.1 and remove the old version as
follows:
require_jar('org.apache.logging.log4j',
'log4j-api', '2.17.1')
n. Edit the $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/logstash-input-kafka.gemspec
file to log4j*2.17.1 and remove the old version as follows:
s.requirements
<< "jar 'org.apache.logging.log4j:log4j-slf4j-impl', '2.17.1'"
o. Edit the $EGO_TOP/integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/specifications/logstash-input-kafka-5.1.11.gemspec
file to use log4j*2.17.1 and remove the old version as
follows:
s.requirements
= ["jar 'org.apache.kafka:kafka-clients', '0.10.0.1'", "jar
'org.apache.logging.log4j:log4j-slf4j-impl', '2.17.1'"]
p. From the primary host, start the WEBGUI
service:
>
egosh service start WEBGUI
q. If required, restart the Elastic Stack
related services.
5. Uninstallation
If required, follow the instructions in this section to uninstall this interim fix from your cluster.
a. Log on to the primary host in the cluster as the cluster administrator and stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
>
egosh service stop WEBGUI
b. Stop the Elastic Search related services as
described in step b of the “Installation” section.
c. On each management host, roll back this
interim fix:
>
egoinstallfixes -r 600936
d. Log on to each management host in your cluster as the cluster administrator and restore your backup for the following file:
cd
$EGO_TOP
tar
-xvf backup_old_600936.tar
e. Delete all subdirectories and files from the following directories:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
(Optional) > rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
f. Clear your browser cache.
g. From the primary host, start the WEBGUI service:
>
egosh service start WEBGUI
h. If required, restart the Elastic Stack
related services.
6. List of files
gui/3.8/lib/log4j-api-2.17.1.jar
gui/3.8/lib/log4j-core-2.17.1.jar
integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-1.2-api-2.17.1.jar
integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-api-2.17.1.jar
integration/elk/1.4.2/elasticsearch-5.4.2/lib/log4j-core-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/logstash-core/lib/org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-beats-3.1.26-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/vendor/jar-dependencies/runtime-jars/log4j-api-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-input-kafka-5.1.11/vendor/jar-dependencies/runtime-jars/log4j-slf4j-impl-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-api/2.17.1/log4j-api-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-core/2.17.1/log4j-core-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar
integration/elk/1.4.2/logstash-5.6.6/vendor/bundle/jruby/1.9/gems/logstash-output-elasticsearch-7.4.2-java/vendor/jar-dependencies/org/apache/logging/log4j-slf4j-impl/2.17.1/log4j-slf4j-impl-2.17.1.jar
7. Product notification
To receive information about product solution and patch updates automatically, subscribe to product notifications on the My Notifications page www.ibm.com/support/mynotifications/ on the IBM Support website (http://support.ibm.com). You can edit your subscription settings to choose the types of information you want to get notification about, for example, security bulletins, fixes, troubleshooting, and product enhancements or documentation changes.
8. Copyright and trademark information
© Copyright IBM Corporation 2022
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo, and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.