16 February 2012
===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0179
      Upgradation of JRE packaged by IBM Rational License Key Server and
                   IBM Rational License Key Administrator
                              16 February 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM Rational License Key Server
                      IBM Rational License Key Administrator
Publisher:            IBM
Operating System:     AIX
                      HP-UX
                      Linux variants
                      Solaris
                      Windows
Impact/Access:        Reduced Security -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-3547
Reference:            ASB-2011.0092

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21579415

- --------------------------BEGIN INCLUDED TEXT--------------------

Upgradation of JRE packaged by IBM Rational License Key Server and IBM
Rational License Key Administrator

Fix readme

Abstract

IBM Rational License Key Server and IBM Rational License Key Administrator
have upgraded the JRE that they package in order to mitigate a security
vulnerability in the Java Runtime Environment.

Content

JRE VULNERABILITY DETAILS:

A vulnerability in the Java Runtime Environment component of Oracle Java SE
JDK and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and
1.4.2_33 and earlier allows remote untrusted Java Web Start applications and
untrusted Java applets to affect confidentiality via unknown vectors related
to Networking. The vulnerability ID is CVE-2011-3547.

AFFECTED PLATFORMS:

The list of platforms affected by this vulnerability is as follows.

AIX 5.1
AIX 5.2.*
AIX 5.3.*
AIX 6.1.*
HP-UX 11.0 PA-RISC
HP-UX 11i v1 PA-RISC
HP-UX 11i v2 IA64
HP-UX 11i v2 PA-RISC
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
Solaris 10 SPARC
Solaris 8 x86-32
Solaris 9 x86-32
Windows 2000 SP4 Advanced Server/Server/Professional
Windows Server 2003 SP2 Enterprise/Standard x86-32
Windows Server 2003 SP2 Enterprise/Standard x86-64
Windows XP SP2 Professional x86-32
Windows Server 2008 Enterprise/Standard x86-32
Windows Server 2008 Enterprise/Standard x86-64
Windows Server 2008 R2 Enterprise x86-32
Windows Server 2008 R2 Enterprise x86-64
Windows Vista Business/Enterprise/Ultimate SP2 x86-32
Windows 7 Enterprise/Professional/Ultimate x86-32
Windows 7 Enterprise/Professional/Ultimate x86-64

Note: Not all versions of the License Server run on all of the above
platforms.

REMEDIATION:

The recommended solution is to apply the iFixes provided by IBM as outlined
here.

Vendor Fix(es):

For IBM RLKS 8.1.2 or RLKS 8.1.1 Users

An iFix is available to address this vulnerability. Links for downloading
the fixes and the installation instructions are listed below.

RLKS 812 iFix 02
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Rational&product=ibm/Rational/Rational+Common+Licensing&release=8.1.2&platform=All&function=fixId&fixids=RLKS_812_ifix_02&includeSupersedes=0

RLKS 811 iFix 06
http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/Rational&product=ibm/Rational/Rational+Common+Licensing&release=8.1.1&platform=All&function=fixId&fixids=Rational_RLKS_811_iFix06&includeSupersedes=0

How to install the iFixes

To install the Rational License Key Server fix on Windows platforms:

1. Download the Windows iFix.zip file.
2. Extract the compressed files to an appropriate directory.
3. Add the iFix repository location in Installation Manager as follows:
   a) Launch IBM Installation Manager.
   b) Click File->Preferences->Repositories.
   c) Click Add Repository.
   d) Browse to or enter the file path to the repository.config file. The
      repository.config file is located in the sub-directory "ifix" where
      you extracted the compressed files.
4. Stop the Rational License Key Server before installing the iFix. Ensure
   the following processes are not running: lmgrd, lmutil, lmtools and
   ibmratl.
5. On the main page of Installation Manager, click Update.
6. Follow the instructions to install the iFix.
7. Start the Rational License Key Server.

To install the Rational License Key Server fix on Unix platforms:

1. Download the iFix.tar file for the platform.
2. Extract the iFix.tar: tar -xvf <iFix>.tar. Use GNU tar for the
   extraction, as the native tars cannot handle the long names in the JRE
   directory.
3. Go to the installation location of the license server.
4. Navigate to the config sub-folder.
5. Run the start_lmgrd_on_this_host script with the stop option:
   ./start_lmgrd_on_this_host stop
6. The license server stops. To verify, run the command:
   ps -ef | grep lmgrd
7. Navigate to the sub-directory
   <installation_directory>/base/cots/flexlm.11.8/<Platform>
8. Overwrite the files in this directory with all the files from the iFix.
9. Navigate to the sub-directory
   <installation_directory>/config/jrexxx.<platform> or
   <installation_directory>/config/jre142.<platform>/jre. The JRE version
   can be either 1.4.2 or 1.5.0.
10. Delete the directories named "bin", "lib", "plugin" and "javaws"
    wherever applicable.
11. Copy the directories named "bin", "lib", "plugin" and "javaws" from the
    iFix wherever applicable.
12. Navigate to the sub-directory
    <installation_directory>/config/migrationutility.
13. Replace the file named "licmigrationutility.sh" with the one from the
    iFix.
14. Go to the <installation_directory>/config/ directory.
15. Start the license server using the command:
    ./start_lmgrd_on_this_host start

Note: The iFix can also be used as a complete, standalone installer on Unix
platforms.

For IBM RLS 8.x, RLS 7.x and IBM Telelogic License Server 2.0 Users

There are no plans to release fixes for Rational License Server v8.x, v7.x
and Telelogic License Server 2.0. IBM recommends that all customers using
these versions of license servers migrate to IBM Rational License Key Server
8.1.2 and update IBM Rational License Key Server 8.1.2 with the fix for the
security vulnerability described in this Technote. Instructions on migrating
to RLKS 8.1.2 are available through the Info Center link below.

Migration to RLKS 8.1.2
http://publib.boulder.ibm.com/infocenter/rational/v0r0m0/topic/com.ibm.rational.license.doc/topics/t_migrate_rational.html

RLKS 8.1.2 can be downloaded from your Passport Advantage account or from
the link below.

812 Download Link
https://www14.software.ibm.com/webapp/iwm/web/reg/pick.do?lang=en_US&source=RATL-RATIONAL

Workaround(s):

None

REFERENCES:

More about the JRE security vulnerability can be read at CVE-2011-3547.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3547

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business
Machines Corp., registered in many jurisdictions worldwide. Other product
and service names might be trademarks of IBM or other companies. A current
list of IBM trademarks is available on the Web at "Copyright and trademark
information" at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to email@example.com and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your
organisation's site policies and procedures. AusCERT takes no responsibility
for consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
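As an added post-remediation check (not part of the bulletin or of IBM's iFix), the POSIX shell script below classifies the version string printed by the JRE that RLKS packages against the CVE-2011-3547 ranges quoted in the vulnerability details, and walks the config/jrexxx.<platform> and config/jre142.<platform>/jre layouts the Unix steps name so an administrator can confirm after step 15 that the bundled JRE was actually replaced. It assumes `java -version` prints a first line of the form `java version "1.5.0_31"`; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not IBM's or AusCERT's code: classify the JRE that RLKS
# packages against the CVE-2011-3547 ranges quoted in the bulletin
# (JDK/JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier,
# 1.4.2_33 and earlier). Assumed: `java -version` prints a first line
# of the form  java version "1.5.0_31".

# Extract the quoted version from captured `java -version` output.
parse_java_version() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | sed -n '1p'
}

# Exit status: 0 = inside an affected range, 1 = above it,
# 2 = a release the bulletin does not classify (e.g. 7 with an update number).
jre_is_vulnerable() {
    v=$1
    base=${v%%_*}               # 1.4.2 / 1.5.0 / 1.6.0 / 1.7.0
    upd=${v#*_}                 # update number following "_"
    [ "$upd" = "$v" ] && upd=0  # no "_": the base release
    case $base in
        1.4.2) [ "$upd" -le 33 ] ;;
        1.5.0) [ "$upd" -le 31 ] ;;
        1.6.0) [ "$upd" -le 27 ] ;;
        1.7.0) [ "$upd" -eq 0 ] || return 2 ;;
        *)     return 2 ;;
    esac
}

# Walk the JRE layouts the bulletin names under <installation_directory>
# (config/jrexxx.<platform> and config/jre142.<platform>/jre), run each
# bundled java and report. Returns 1 if any packaged JRE is still affected.
check_packaged_jres() {
    inst=$1; rc=0
    for java in "$inst"/config/jre*/bin/java "$inst"/config/jre*/jre/bin/java; do
        [ -x "$java" ] || continue
        ver=$(parse_java_version "$("$java" -version 2>&1)")
        st=0; jre_is_vulnerable "$ver" || st=$?
        case $st in
            0) echo "VULNERABLE   $java ($ver)"; rc=1 ;;
            1) echo "ok           $java ($ver)" ;;
            *) echo "unclassified $java ($ver)" ;;
        esac
    done
    return $rc
}

# Usage: sh check_rlks_jre.sh <installation_directory>
if [ $# -eq 1 ]; then check_packaged_jres "$1"; fi
```

Run it once before stopping lmgrd (step 5) and again after step 15; the second run should report "ok" for every bundled java it finds.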