Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2012.0179
Upgradation of JRE packaged by IBM Rational License Key
Server and IBM Rational License Key Administrator
16 February 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM Rational License Key Server
IBM Rational License Key Administrator
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
Impact/Access: Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2011-3547
Reference: ASB-2011.0092
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21579415
- --------------------------BEGIN INCLUDED TEXT--------------------
Upgradation of JRE packaged by IBM Rational License Key Server and IBM Rational
License Key Administrator
Fix readme
Abstract
IBM Rational License Key Server and IBM Rational License Key Administrator have
upgraded the JRE that they package in order to mitigate a security vulnerability
in Java Runtime Environment.
Content
JRE VULNERABILITY DETAILS:
A vulnerability in the Java Runtime Environment component in Oracle Java SE JDK
and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and
earlier allows remote untrusted Java Web Start applications and untrusted Java
applets to affect confidentiality via unknown vectors related to Networking.
The vulnerability ID is CVE-2011-3547.
AFFECTED PLATFORMS:
The list of platforms affected by this vulnerability is as follows.
AIX 5.1
AIX 5.2.*
AIX 5.3.*
AIX 6.1.*
HP-UX 11.0 PA-RISC
HP-UX 11i v1 PA-RISC
HP-UX 11i v2 IA64
HP-UX 11i v2 PA-RISC
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
Solaris 10 SPARC
Solaris 8 x86-32
Solaris 9 x86-32
Windows 2000 SP4 Advanced Server/Server/Professional
Windows Server 2003 SP2 Enterprise/Standard x86-32
Windows Server 2003 SP2 Enterprise/Standard x86-64
Windows XP SP2 Professional x86-32
Windows Server 2008 Enterprise/Standard x86-32
Windows Server 2008 Enterprise/Standard x86-64
Windows Server 2008 R2 Enterprise x86-32
Windows Server 2008 R2 Enterprise x86-64
Windows Vista Business/Enterprise/Ultimate SP2 x86-32
Windows 7 Enterprise/Professional/Ultimate x86-32
Windows 7 Enterprise/Professional/Ultimate x86-64
Note:- All the versions of the License Server may not run on all of the above
platforms.
REMEDIATION:
The recommended solution is to apply the iFixes provided by IBM as outlined
here.
Vendor Fix(es):
For IBM RLKS 812 or RLKS 8.1.1 Users
An iFix is available to address this vulnerability. Links for downloading the
fixes and the installation instructions are listed below.
RLKS 812 iFix 02
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Rational&product=ibm/Rational/Rational+Common+Licensing&release=8.1.2&platform=All&function=fixId&fixids=RLKS_812_ifix_02&includeSupersedes=0
RLKS 811 iFix 06
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Rational&product=ibm/Rational/Rational+Common+Licensing&release=8.1.1&platform=All&function=fixId&fixids=Rational_RLKS_811_iFix06&includeSupersedes=0
How to install the iFixes
To install the Rational License Key Server fix on Windows platforms:
1. Download the Windows iFix.zip file.
2. Extract the compressed files to an appropriate directory.
3. Add the iFix repository location in Installation Manager as follows:
a) Launch IBM Installation Manager.
b) Click File->Preferences->Repositories.
c) Click Add Repository.
d) Browse to or enter the file path to the repository.config file. The
repository.config file is located in the sub-directory "ifix" where you
extracted the compressed files.
4. Stop the Rational License Key Server before installing the iFix.
Ensure the following processes are not running - lmgrd, lmutil, lmtools and ibmratl.
5. On the main page of Installation Manager click, Update.
6. Follow the instructions to install the iFix.
7. Start the Rational License Key Server.
To install the Rational License Key Server fix on Unix platforms:
1. Download the iFix.tar file for the platform.
2. Extract the iFix.tar: tar -xvf <iFix>.tar.
Use GNU tar for the extraction as the long names in the JRE directory
cannot be handled by the native tars.
3. Go to the installation location of the license server.
4. Navigate to the config sub-folder.
5. Run the start_lmgrd_on_this_host script file with the stop option:
./start_lmgrd_on_this_host stop
6. The license server stops. To verify, run the command: ps -ef | grep
lmgrd
7. Navigate to sub-directory
<installation_directory>/base/cots/flexlm.11.8/<Platform>
8. Overwrite files in this directory with all the files from the iFix.
9. Navigate to the sub-directory
<installation_directory>/config/jrexxx.<platform> or
<installation_directory>/config/jre142.<platform>/jre.
The JRE version can be either 1.4.2 or 1.5.0.
10. Delete the directories named "bin", "lib", "plugin" and "javaws"
wherever applicable.
11. Copy the diretories named named "bin", "lib", "plugin" and "javaws"
from the iFix wherever applicable.
12. Navigate to the sub-directory
<installation_directory>/config/migrationutility.
13. Replace the file named "licmigrationutility.sh" from the iFix.
14. Go to the <installation_directory>/config/ directory.
15. Start the license server using the command:
./start_lmgrd_on_this_host start
Note:- The iFix can also be used as a complete, standalone installer on Unix
platforms.
For IBM RLS 8.x, RLS 7.x and IBM Telelogic License Server 2.0 Users
There are no plans to release fixes for Rational License Server v8.x, v7.x and
Telelogic License Server 2.0. IBM recommends all customers using these versions
of license servers migrate to IBM Rational License Key server 8.1.2 and update
the IBM Rational License Key server 8.1.2 with the fix for the security
vulnerability described in this Technote.
Instructions on migrating to RLKS 8.1.2 are available through this Info
Center Link.
Migration to RLKS 8.1.2
http://publib.boulder.ibm.com/infocenter/rational/v0r0m0/topic/com.ibm.rational.license.doc/topics/t_migrate_rational.html
RLKS 8.1.2 can be downloaded from your Passport Advantage account or here
812 Download Link
https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?lang=en_US&source=RATL-RATIONAL
Workaround(s):
None
REFERENCES:
More about the JRE security vulnerability can be read at CVE-2011-3547.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information"
at www.ibm.com/legal/copytrade.shtml.
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBTzxrCO4yVqjM2NGpAQJ/wRAAt294D8HgQA5N6RpYvQ9DBNmZLPJ87SiY
+pYo6ZUpCBZ30oo+PE6uuMNCTtkaImhZJtoC2Ikz83dGkOpxxusd3Kq00AqVn9tG
l1ZueaRk6oAZMevdTMyGSvWRZrSwG+ZdwDupPQ0BVdfBdo4grq5RUmanLn9BV5LE
nqSeJYDmchm3p+2d3ntKx+MlAXbZcFcc5Lj8nXL7ym8G4z+pXPYPNujcyUZCmR8E
WxTtMRguALeOUNpenYEmMjt8qgPNjcj91mIiP9JFTR/ETAL/8qYeN1c+mzl+cfSG
17hALLe5795SFASWNoX1cpiA35qW3bnIDlJyd6JuXGZ8dA9DsUH9jJl6naJ5cEeG
F2w/CM8ZjAN2jlP/D9+d5YkSA642zEoV7QR6i0HKDJ9DSL3mIkyI08x0Q+dFxedz
5yLRRCboqdUILAlnuR2I/Dr7AG4cguTGh6pxGeolGQClh3vOz+/oZKDXgsKMuJrV
GhHK+nw/7CHQMI8nowydO2RCFLHgWUZYQ4ibCaeLmvdipPJ8Pa7EW8w11VVRCmAq
S7+K1O4C5mavFQIWFynZm6zwaKiG7nttTLQuU+bs3vU+jpliMZpqdVPFpGKxnT39
zSYKNR83QbDsGm5pjgcGgBf7b77q0FVQ2JafGQzLBSYvkLh4UA0nxEME0vGIVABX
kvhOW3FjCfs=
=mcAP
-----END PGP SIGNATURE-----