
             AUSCERT External Security Bulletin Redistribution

          Upgradation of JRE packaged by IBM Rational License Key
             Server and IBM Rational License Key Administrator
                             16 February 2012


        AusCERT Security Bulletin Summary

Product:           IBM Rational License Key Server
                   IBM Rational License Key Administrator
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Reduced Security -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2011-3547  

Reference:         ASB-2011.0092

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Upgradation of JRE packaged by IBM Rational License Key Server and IBM Rational
License Key Administrator

Fix readme


IBM Rational License Key Server and IBM Rational License Key Administrator have
upgraded the JRE that they package in order to mitigate a security vulnerability
in Java Runtime Environment.



A vulnerability in the Java Runtime Environment component in Oracle Java SE JDK
and JRE 7, 6 Update 27 and earlier, 5.0 Update 31 and earlier, and 1.4.2_33 and
earlier allows remote untrusted Java Web Start applications and untrusted Java
applets to affect confidentiality via unknown vectors related to Networking.
The vulnerability ID is CVE-2011-3547.


The list of platforms affected by this vulnerability is as follows.

AIX 5.1
AIX 5.2.*
AIX 5.3.*
AIX 6.1.*
HP-UX 11i v1 PA-RISC
HP-UX 11i v2 IA64
HP-UX 11i v2 PA-RISC
Red Hat Enterprise Linux 3
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Server 10
SUSE Linux Enterprise Server 9
Solaris 10 SPARC
Solaris 8 x86-32
Solaris 9 x86-32
Windows 2000 SP4 Advanced Server/Server/Professional
Windows Server 2003 SP2 Enterprise/Standard x86-32
Windows Server 2003 SP2 Enterprise/Standard x86-64
Windows XP SP2 Professional x86-32
Windows Server 2008 Enterprise/Standard x86-32
Windows Server 2008 Enterprise/Standard x86-64
Windows Server 2008 R2 Enterprise x86-32
Windows Server 2008 R2 Enterprise x86-64
Windows Vista Business/Enterprise/Ultimate SP2 x86-32
Windows 7 Enterprise/Professional/Ultimate x86-32
Windows 7 Enterprise/Professional/Ultimate x86-64

Note:- Not all versions of the License Server run on all of the platforms listed above.


The recommended solution is to apply the iFixes provided by IBM as outlined

Vendor Fix(es):

For IBM RLKS 812 or RLKS 8.1.1 Users

An iFix is available to address this vulnerability. Links for downloading the
fixes and the installation instructions are listed below.

RLKS 812 iFix 02

RLKS 811 iFix 06

How to install the iFixes

To install the Rational License Key Server fix on Windows platforms:

1.	Download the Windows iFix.zip file.
2.	Extract the compressed files to an appropriate directory.
3.	Add the iFix repository location in Installation Manager as follows:
	a)	Launch IBM Installation Manager.
	b)	Click File->Preferences->Repositories.
	c)	Click Add Repository.
	d)	Browse to or enter the file path to the repository.config file. The
		repository.config file is located in the sub-directory "ifix" where you
		extracted the compressed files.
4.	Stop the Rational License Key Server before installing the iFix. 
	Ensure the following processes are not running - lmgrd, lmutil, lmtools and ibmratl.
5.	On the main page of Installation Manager click, Update.
6.	Follow the instructions to install the iFix.
7.	Start the Rational License Key Server.

To install the Rational License Key Server fix on Unix platforms:

1.	Download the iFix.tar file for the platform.
2.	Extract the iFix.tar: tar -xvf <iFix>.tar. 
	Use GNU tar for the extraction as the long names in the JRE directory
	cannot be handled by the native tars.
3.	Go to the installation location of the license server.
4.	Navigate to the config sub-folder.
5.	Run the start_lmgrd_on_this_host script file with the stop option:
	./start_lmgrd_on_this_host stop
6.	The license server stops. To verify, run the command: ps -ef | grep
7.	Navigate to sub-directory
8.	Overwrite files in this directory with all the files from the iFix.
9.	Navigate to the sub-directory
	<installation_directory>/config/jrexxx.<platform> or
	The JRE version can be either 1.4.2 or 1.5.0.
10.	Delete the directories named "bin", "lib", "plugin" and "javaws"
	wherever applicable.
11.	Copy the directories named "bin", "lib", "plugin" and "javaws"
	from the iFix wherever applicable.
12.	Navigate to the sub-directory
13.	Replace the file named "licmigrationutility.sh" from the iFix.
14.	Go to the <installation_directory>/config/ directory.
15.	Start the license server using the command:
	./start_lmgrd_on_this_host start

Note:- The iFix can also be used as a complete, standalone installer on Unix
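The Unix steps above are a sequence a practitioner will typically want to script, with a check that the license server really is stopped before the JRE is swapped out. The script below is an added example for this bulletin; it is not IBM's or AusCERT's code and does not come from the iFix. Everything about the layout is an assumption passed in as a parameter rather than guessed: the installation directory, the name of the JRE sub-directory under config/ (jrexxx.<platform> in the text), and the location of the extracted iFix, which is assumed to mirror the install layout. The demo tree it builds (a stub start_lmgrd_on_this_host, an "old" JRE, an iFix carrying a newer bin and lib) is constructed for illustration only. The old directories are moved aside as a backup rather than deleted outright, and directories the iFix does not ship are left untouched, which is how this example reads "wherever applicable".

```shell
#!/bin/sh
# Added example for the Unix iFix procedure (not IBM's or AusCERT's code).
# All paths and directory names are parameters: nothing here knows the real
# install layout, the real jrexxx.<platform> name or the real iFix contents.

# Step 2 caveat: the long JRE path names need GNU tar. Print the name of a
# GNU tar on this host, or fail so the caller stops before a half-extracted tree.
gnu_tar() {
    for t in gtar gnutar tar; do
        if command -v "$t" >/dev/null 2>&1 && "$t" --version 2>/dev/null | grep -q 'GNU tar'; then
            echo "$t"; return 0
        fi
    done
    echo "GNU tar not found; install it before extracting the iFix" >&2
    return 1
}

# Step 6 check: given a newline-separated list of command names (the output
# of `ps -eo comm=`), succeed if any license-server process is still running.
server_processes_present() {
    printf '%s\n' "$1" | grep -E -q '(^|/)(lmgrd|lmutil|lmtools|ibmratl)$'
}

# Steps 10 and 11: under the JRE directory $1, move the old bin, lib, plugin
# and javaws aside into a backup beside the JRE, then copy the directories the
# iFix ships from $2. Directories absent from the iFix are left as they are.
replace_jre_dirs() {
    jre="$1"; fix="$2"; backup="$jre.pre-ifix"
    [ -d "$jre" ] || { echo "no JRE directory at $jre" >&2; return 1; }
    [ -d "$fix" ] || { echo "no iFix JRE directory at $fix" >&2; return 1; }
    mkdir -p "$backup"
    for d in bin lib plugin javaws; do
        if [ -d "$fix/$d" ]; then
            if [ -d "$jre/$d" ]; then
                rm -rf "$backup/$d"
                mv "$jre/$d" "$backup/$d"
            fi
            cp -R "$fix/$d" "$jre/$d"
        fi
    done
}

# Steps 5, 6, 10, 11 and 15 in order. $1 = install dir, $2 = JRE directory
# name under config/, $3 = extracted iFix dir (assumed to mirror the install,
# so its JRE is at $3/config/$2), $4 = process list to check after stopping
# (defaults to the live `ps` output).
apply_jre_ifix() {
    install="$1"; jre_name="$2"; ifix="$3"; procs="${4-$(ps -eo comm= 2>/dev/null)}"
    ( cd "$install/config" && ./start_lmgrd_on_this_host stop ) || return 1
    if server_processes_present "$procs"; then
        echo "lmgrd/lmutil/lmtools/ibmratl still running; not touching the JRE" >&2
        return 1
    fi
    replace_jre_dirs "$install/config/$jre_name" "$ifix/config/$jre_name" || return 1
    ( cd "$install/config" && ./start_lmgrd_on_this_host start )
}

# Constructed demo tree (not a real install): a stub start_lmgrd_on_this_host
# that records its calls, an "old" JRE, and an iFix carrying a newer bin and lib.
make_demo_tree() {
    root="$1"; jre_name="$2"
    mkdir -p "$root/install/config/$jre_name/bin" "$root/install/config/$jre_name/lib" \
             "$root/install/config/$jre_name/plugin" \
             "$root/ifix/config/$jre_name/bin" "$root/ifix/config/$jre_name/lib"
    echo old > "$root/install/config/$jre_name/bin/java"
    echo old > "$root/install/config/$jre_name/lib/rt.jar"
    echo keep > "$root/install/config/$jre_name/plugin/marker"
    echo new > "$root/ifix/config/$jre_name/bin/java"
    echo new > "$root/ifix/config/$jre_name/lib/rt.jar"
    cat > "$root/install/config/start_lmgrd_on_this_host" <<'EOF'
#!/bin/sh
echo "$1" >> lmgrd.calls
EOF
    chmod +x "$root/install/config/start_lmgrd_on_this_host"
}

# Demo run on the constructed tree; a real run names the real install dir,
# JRE directory and iFix location, and lets $4 default to the live process list.
demo="$(mktemp -d)"
make_demo_tree "$demo" jre142.demo
apply_jre_ifix "$demo/install" jre142.demo "$demo/ifix" "$(printf 'sshd\ncron\n')" \
    && echo "iFix applied under $demo/install (backup in config/jre142.demo.pre-ifix)"
```

The process check is deliberately fed a list rather than calling ps inside, so it can be exercised against a constructed list; in production the default argument uses `ps -eo comm=`. Keep the .pre-ifix backup until the server has been confirmed working with the new JRE, then remove it.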

For IBM RLS 8.x, RLS 7.x and IBM Telelogic License Server 2.0 Users

There are no plans to release fixes for Rational License Server v8.x, v7.x and
Telelogic License Server 2.0. IBM recommends all customers using these versions
of license servers migrate to IBM Rational License Key server 8.1.2 and update
the IBM Rational License Key server 8.1.2 with the fix for the security
vulnerability described in this Technote. 

Instructions on migrating to RLKS 8.1.2 are available through this Info
Center Link.

Migration to RLKS 8.1.2

RLKS 8.1.2 can be downloaded from your Passport Advantage account or here

812 Download Link



More about the JRE security vulnerability can be read at CVE-2011-3547.

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines
Corp., registered in many jurisdictions worldwide. Other product and service
names might be trademarks of IBM or other companies. A current list of IBM
trademarks is available on the Web at "Copyright and trademark information"
at www.ibm.com/legal/copytrade.shtml.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967