===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0771
  IBM Tivoli Composite Application Manager for Transactions Response Time
                       7.3.0.1 Interim Fix 21 README
       Tivoli Composite Application Manager for Transactions 7.3.0.1
                       7.3.0.1-TIV-CAMRT-IF0021 Readme
                                3 June 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Tivoli Composite Application Manager for Transactions
Publisher:         IBM
Operating System:  Linux variants
                   AIX
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin:
  http://www-01.ibm.com/support/docview.wss?uid=isg400001531

--------------------------BEGIN INCLUDED TEXT--------------------

IBM Tivoli Composite Application Manager for Transactions Response Time
7.3.0.1 Interim Fix 21 README

Tivoli Composite Application Manager for Transactions 7.3.0.1
7.3.0.1-TIV-CAMRT-IF0021 Readme

Document information

Tivoli Composite Application Manager for Transactions

Reference #:               00001531
Modified date:             2013-05-31

Readme file for:           7.3.0.1-TIV-CAMRT-IF0021
Product/Component Release: 7.3.0.1
Update Name:               7.3.0.1-TIV-CAMRT-IF0021
Fix ID:                    7.3.0.1-TIV-CAMRT-AIX-IF0021,
                           7.3.0.1-TIV-CAMRT-LINUX-IF0021,
                           7.3.0.1-TIV-CAMRT-WINDOWS-IF0021
Publication Date:          31 May 2013
Last modified date:        31 May 2013

Contents

  Download location
  Prerequisites and co-requisites
  Installation information
    Installing
  Additional information
  List of fixes
  Document change history

Download location

The information included in this document is published at product release time.
For the latest updates on this release please refer to the on-line document:

To download this update you must first log in to IBM Fix Central. Once logged in, you may select from the individual download packages.

  http://www.ibm.com/eserver/support/fixes/

Below is a list of components, platforms, and file names that apply to this Readme file.

Fix Download for AIX

  Product/Component Name:                  Platform:  Fix:
  Tivoli Composite Application Manager     AIX        7.3.0.1-TIV-CAMRT-AIX-IF0021
  for Transactions

Fix Download for Linux

  Product/Component Name:                  Platform:  Fix:
  Tivoli Composite Application Manager     Linux      7.3.0.1-TIV-CAMRT-LINUX-IF0021
  for Transactions

Fix Download for Windows

  Product/Component Name:                  Platform:  Fix:
  Tivoli Composite Application Manager     Windows    7.3.0.1-TIV-CAMRT-WINDOWS-IF0021
  for Transactions

Prerequisites and co-requisites

This update for ITCAM for Transactions Response Time may be applied to the following base versions:

  7.1.X.X
  7.2.X.X
  7.3.X.X

Note: Supported base versions include interim fixes applied to any of the above release levels.

This MDV replaces the two JREs shipped with the Robotics Response Time (T6) agent with the latest level. This remediates multiple security issues.

This patch is applicable for the T6 agent:

  * versions 7.3.0.x, 7.2.0.x and 7.1.0.x
  * platforms Windows, AIX and Linux

The T6's JREs are used only when playing back Rational Performance Tester (RPT) scripts, and are therefore not present on Solaris and HP-UX (RPT playback is not supported on those platforms).

7.3 agents need to update both the java60 and java70 JREs. 7.2 and 7.1 agents only need to update java60. These variations are noted in the installation steps below.

Any customisations made to the existing JREs need to be preserved. Since these JREs are product specific (i.e. only used by the T6 agent), there should be at most one customisation, as instructed by IBM support: enabling strong encryption by updating the JRE's encryption policy (see the technote in Related Material).
After the patch, the Java versions will be:

  * Java 6.0 SR13 FP2
  * Java 7.0 SR4 FP2

Related material:

  * Oracle's Java April 2013 CPU Advisory - details the vulnerabilities addressed
    http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
  * Details on Strong Encryption keys
    http://www-01.ibm.com/support/docview.wss?uid=swg21245273

Superseded By: N/A
Supersedes:    N/A

Installation information

Installing

1 Before Installing the fix pack
----------------------------------

A. Validate that the pre-existing Java runtimes are older than the ones delivered in this IFix.

   The RRT Agent's Java runtimes are located in:

   Windows:
     java60: $ITMHOME\tmaitm6\java60
     java70: $ITMHOME\tmaitm6\java70   - only in 7.3.0.1-LA2 and later
   Unix:
     java60: $ITMHOME/tmaitm6/java60
     java70: $ITMHOME/tmaitm6/java70   - only in 7.3.0.1-LA2 and later

   Check their versions, e.g.

     C:\ibm\itm\TMAITM6> .\java70\jre\bin\java.exe -version
     java version "1.7.0"
     Java(TM) SE Runtime Environment (build pwi3270sr2-20120901_01(SR2))
     IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20120809_118929 (JIT enabled, AOT enabled)
     J9VM - R26_Java726_SR2_20120809_0948_B118929
     JIT  - r11.b01_20120808_24925
     GC   - R26_Java726_SR2_20120809_0948_B118929
     J9CL - 20120809_118929)
     JCL - 20120831_02 based on Oracle 7u3-b05

   Notice that J9VM indicates it is SR2 (no Fixpack); it is therefore older than SR4 FP2 and needs updating.

2 Applying the fix pack
-------------------------

Notes:

1. If you are using 7.2 or 7.1 T6 agents, you do not need to unarchive the \java70 directory. For 7.3 onwards, please unarchive both JREs.

2. If you have updated the T6 JRE to use strong encryption, you must migrate the policy files to the new JREs. The two files are:

     <JRE_HOME>\lib\security\local_policy.jar
     <JRE_HOME>\lib\security\US_export_policy.jar

   See: http://www-01.ibm.com/support/docview.wss?uid=swg21245273

A. Back up the existing Java runtimes

1. Stop the T6 agent.
2. Back up the existing Java JREs, e.g.
     > c:
     > cd c:\ibm\itm\tmaitm6\
     > move java60 java60.old
     > move java70 java70.old      - only in 7.3.0.1-LA and later.

B. Replace the JREs

1. Unzip/untar the archive into the same directory. After unarchiving, your directory structure should look like this:

     c:\IBM\ITM\TMAITM6>dir java*
      Volume in drive C has no label.
      Volume Serial Number is 44AB-01FC

      Directory of c:\IBM\ITM\TMAITM6

     29/05/2013  02:02 PM    <DIR>          java60
     12/03/2012  04:08 PM    <DIR>          java60.old
     29/05/2013  02:04 PM    <DIR>          java70
     13/02/2013  02:14 PM    <DIR>          java70.old
                    0 File(s)              0 bytes
                    4 Dir(s)  30,808,731,648 bytes free

2. (Optional) Preserve the security policy files, e.g.

     > cd c:\ibm\itm\tmaitm6\
     > copy java60.old\jre\lib\security\local_policy.jar     java60\jre\lib\security
     > copy java60.old\jre\lib\security\US_export_policy.jar java60\jre\lib\security
     > copy java70.old\jre\lib\security\local_policy.jar     java70\jre\lib\security
     > copy java70.old\jre\lib\security\US_export_policy.jar java70\jre\lib\security

C. Validate the updated JRE version/function

1. Check the version number of JRE 6.0 (and of JRE 7.0 where present), e.g.

     > c:
     > cd c:\ibm\itm\tmaitm6
     > java60\jre\bin\java.exe -version
     java version "1.6.0"
     Java(TM) SE Runtime Environment (build pwi3260sr13fp2-20130424_01(SR13 FP2))
     IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows Server 2008 R2 x86-32 jvmwi3260sr13fp2-20130423_146146 (JIT enabled, AOT enabled)
     J9VM - 20130423_146146
     JIT  - r9_20130108_31100ifx1
     GC   - 20121212_AA)
     JCL  - 20130419_01

     > java70\jre\bin\java.exe -version
     java version "1.7.0"
     Java(TM) SE Runtime Environment (build pwi3270sr4fp2-20130426_01(SR4 FP2))
     IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20130422_146026 (JIT enabled, AOT enabled)
     J9VM - R26_Java726_SR4_FP2_20130422_1320_B146026
     JIT  - r11.b03_20130131_32403ifx4
     GC   - R26_Java726_SR4_FP2_20130422_1320_B146026
     J9CL - 20130422_146026)
     JCL - 20130425_01 based on Oracle 7u21-b09

D. Restart the agent and ensure RPT script playback works.

E. (Optional) Delete the backup Java runtimes.
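As an added check for steps 1.A and 2.C above (this editor's example, not part of IBM's README or tooling), the script below parses the banner that IBM J9 prints for `java -version`, extracts the SR/FP level, and reports whether a JRE is below the level this fix delivers. The two sample banners are constructed from the output quoted in the README; the TARGET_LEVELS table and the function names are this example's own.

```python
import re
import subprocess
from typing import NamedTuple, Optional

# Levels delivered by 7.3.0.1-TIV-CAMRT-IF0021, keyed by the "java version" string:
# Java 6.0 -> SR13 FP2, Java 7.0 -> SR4 FP2 (from the README above).
TARGET_LEVELS = {"1.6.0": (13, 2), "1.7.0": (4, 2)}


class JreLevel(NamedTuple):
    major: str  # e.g. "1.7.0"
    sr: int     # IBM service refresh
    fp: int     # fix pack; 0 when the build string names none, e.g. "(SR2)"

def parse_version_output(text: str) -> JreLevel:
    """Extract major version and SR/FP from IBM J9 'java -version' text."""
    major = re.search(r'java version "([^"]+)"', text)
    # The runtime line ends in "(SR2)" or "(SR13 FP2)"; the FP part is optional.
    level = re.search(r"\(SR(\d+)(?:\s+FP(\d+))?\)", text)
    if not major or not level:
        raise ValueError("not recognised as IBM J9 'java -version' output")
    return JreLevel(major.group(1), int(level.group(1)), int(level.group(2) or 0))

def needs_update(level: JreLevel) -> Optional[bool]:
    """True if below the fix level, False if at/above, None if not a JRE this fix ships."""
    target = TARGET_LEVELS.get(level.major)
    if target is None:
        return None
    return (level.sr, level.fp) < target  # tuple compare: SR first, then FP

def check_jre(java_binary: str) -> Optional[bool]:
    """Run e.g. $ITMHOME/tmaitm6/java70/jre/bin/java; the banner is printed on stderr."""
    out = subprocess.run([java_binary, "-version"], capture_output=True, text=True)
    return needs_update(parse_version_output(out.stderr + out.stdout))

# Constructed samples, taken from the version banners quoted in the README.
PRE_FIX_JAVA70 = '''java version "1.7.0"
Java(TM) SE Runtime Environment (build pwi3270sr2-20120901_01(SR2))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20120809_118929 (JIT enabled, AOT enabled)'''

POST_FIX_JAVA60 = '''java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr13fp2-20130424_01(SR13 FP2))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows Server 2008 R2 x86-32 jvmwi3260sr13fp2-20130423_146146 (JIT enabled, AOT enabled)'''

if __name__ == "__main__":
    for banner in (PRE_FIX_JAVA70, POST_FIX_JAVA60):
        lvl = parse_version_output(banner)
        print(lvl, "-> needs update" if needs_update(lvl) else "-> current")
```

Point check_jre at each of the agent's java60/java70 binaries before and after applying the fix; a result of True before and False afterwards confirms the replacement took effect.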
Additional information

This fix pack image contains the following files:

  - 7.3.0.1-TIV-CAMRT-AIX-IF0021.tar      - md5sum 38615978329e6ea2f9d973a10e5bfdf4
  - 7.3.0.1-TIV-CAMRT-Linux-IF0021.tar    - md5sum 38615978329e6ea2f9d973a10e5bfdf4
  - 7.3.0.1-TIV-CAMRT-Windows-IF0021.zip  - md5sum c3274c6a250f3e7a5bf2fa8b5bdd653f

The tar/zip files contain the following:

  - 7.3.0.1-TIV-CAMRT-AIX-IF0021.tar
      \java60\*  - JRE 1.6.0 SR13 FP2
      \java70\*  - JRE 1.7.0 SR4 FP2  - Not required for 7.2 and 7.1 T6s
  - 7.3.0.1-TIV-CAMRT-Linux-IF0021.tar
      \java60\*  - JRE 1.6.0 SR13 FP2
      \java70\*  - JRE 1.7.0 SR4 FP2  - Not required for 7.2 and 7.1 T6s
  - 7.3.0.1-TIV-CAMRT-Windows-IF0021.zip
      \java60\*  - JRE 1.6.0 SR13 FP2
      \java70\*  - JRE 1.7.0 SR4 FP2  - Not required for 7.2 and 7.1 T6s

List of fixes

A) APAR Content:
   IV43371  RRT: SECURITY UPDATES FOR JRE(S) - MAY 2013

B) Additional Non APAR Defects:
   N/A

C) Enhancements:
   N/A

Document change history

  Version  Date         Description of change
  1.0      31 May 2013  Initial Version

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

  http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================