Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2013.0771
IBM Tivoli Composite Application Manager for Transactions Response Time
7.3.0.1 Interim Fix 21 README Tivoli Composite Application Manager for
Transactions 7.3.0.1 7.3.0.1-TIV-CAMRT-IF0021 Readme
3 June 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Tivoli Composite Application Manager for Transactions
Publisher: IBM
Operating System: Linux variants
AIX
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=isg400001531
- --------------------------BEGIN INCLUDED TEXT--------------------
IBM Tivoli Composite Application Manager for Transactions Response Time 7.3.0.1
Interim Fix 21 README Tivoli Composite Application Manager for Transactions
7.3.0.1 7.3.0.1-TIV-CAMRT-IF0021 Readme
Document information
Tivoli Composite Application Manager for Transactions
Reference #:
00001531
Modified date:
2013-05-31
Readme file for: 7.3.0.1-TIV-CAMRT-IF0021
Product/Component Release: 7.3.0.1
Update Name: 7.3.0.1-TIV-CAMRT-IF0021
Fix ID: 7.3.0.1-TIV-CAMRT-AIX-IF0021, 7.3.0.1-TIV-CAMRT-LINUX-IF0021,
7.3.0.1-TIV-CAMRT-WINDOWS-IF0021
Publication Date: 31 May 2013
Last modified date: 31 May 2013
Contents
Download location
Prerequisites and co-requisites
Installation information
Installing
Additional information
List of fixes
Document change history
Download location
The information included in this document is published at product release time.
For the latest updates on this release please refer to the on-line document:
To download this update you must first login to IBM FixCentral. Once logged in,
you may select from the individual download packages.
http://www.ibm.com/eserver/support/fixes/
Below is a list of components, platforms, and file names that apply to
this Readme file.
Fix Download for AIX
Product/Component Name: Platform: Fix:
Tivoli Composite
Application Manager AIX 7.3.0.1-TIV-CAMRT-AIX-IF0021
for Transactions
Fix Download for Linux
Product/Component Name: Platform: Fix:
Tivoli Composite
Application Manager Linux 7.3.0.1-TIV-CAMRT-LINUX-IF0021
for Transactions
Fix Download for Windows
Product/Component Name: Platform: Fix:
Tivoli Composite
Application Manager Windows 7.3.0.1-TIV-CAMRT-WINDOWS-IF0021
for Transactions
Prerequisites and co-requisites
This update for ITCAM for Transactions Response Time may be applied to the
following base versions.
7.1.X.X
7.2.X.X
7.3.X.X
Note: Supported base versions include interim fixes applied to any of the
above release levels.
This MDV replaces the two JREs shipped with the Robotics Response Time (T6)
agent to the latest level. This remediates multiple security issues.
This patch is applicable for the T6 agent:
* versions 7.3.0.x, 7.2.0.x and 7.1.0.x
* platforms Windows, AIX and Linux platforms.
The T6's JREs are used when playing back Rational Performance Tester (RPT)
scripts only, thus not available on Solaris and HPUX (RPT playback on supported
on those platforms).
7.3 agents need to update both java60 and java 70 JREs. 7.2 and 7.1 agents
only needs to update java60. These variations are noted in the installation
steps below.
Any customisations done to the existing JREs needs to be preseved. Since these
JREs are product specific (ie only used by the T6 agent), there should only be
at most one customisation as instructed by IBM support; which is to enable
strong encryption by updating the JRE's encryption policy (see technote in
Related Material).
After the patch, the Java versions will be:
* Java 6.0 SR13 FP2
* Java 7.0 SR4 FP2
Related material:
* Oracle's Java April 2013 CPU Advisory - details vulnerabilities addressed
http://www.oracle.com/technetwork/topics/security/javacpuapr2013-1928497.html
* Details on Strong Encryption keys
http://www-01.ibm.com/support/docview.wss?uid=swg21245273
Superseded By:
N/A
Supersedes:
N/A
Installation information
Installing
1 Before Installing the fix pack
- ----------------------------------
A. Validate pre-existing java is older than ones delivered in this IFix.
The RRT Agent's javas are located in
Windows:
java60: $ITMHOME\tmaitm6\java60
java70: $ITMHOME\tmaitm6\java70 - only in 7.3.0.1-LA2 and later
Unix:
java60: $ITMHOME/tmaitm6/java60
java70: $ITMHOME/tmaitm6/java70 - only in 7.3.0.1-LA2 and later
Check their versions, eg
C:\ibm\itm\TMAITM6> .\java70\jre\bin\java.exe -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwi3270sr2-20120901_01(SR2))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20120809_118929
(JIT enabled, AOT enabled)
J9VM - R26_Java726_SR2_20120809_0948_B118929
JIT - r11.b01_20120808_24925
GC - R26_Java726_SR2_20120809_0948_B118929
J9CL - 20120809_118929)
JCL - 20120831_02 based on Oracle 7u3-b05
Notice that J9VM indicates it is SR2 (no Fixpack) and hence it is
older than SR4 FP2 and needs update.
2 Applying the fix pack
- -------------------------
Notes:
1. If you are using 7.2 and 7.1 T6 agents, you do not need to
unarchive the \java70 directory. For 7.3 onwards, please unarchive
both JREs.
2. If you have updated the T6 jre to use strong encryption, you must
migrate the policy files to the new JREs. The two files are:
<JRE_HOME>\lib\security\local_policy.jar
<JRE_HOME>\lib\security\US_export_policy.jar
See: http://www-01.ibm.com/support/docview.wss?uid=swg21245273
A. Back up existing java
1. Stop the T6 agent
2. Backup existing java jres, e.g.
> c:
> cd c:\ibm\itm\tmaitm6\
> move java60 java60.old
> move java70 java70.old - only in 7.3.0.1-LA and later.
B. Replace the JREs
1. Unzip/Untar the archive to the same directory, e.g.
After unarchiving your directory structure should be like
c:\IBM\ITM\TMAITM6>dir java*
Volume in drive C has no label.
Volume Serial Number is 44AB-01FC
Directory of c:\IBM\ITM\TMAITM6
29/05/2013 02:02 PM <DIR> java60
12/03/2012 04:08 PM <DIR> java60.old
29/05/2013 02:04 PM <DIR> java70
13/02/2013 02:14 PM <DIR> java70.old
0 File(s) 0 bytes
4 Dir(s) 30,808,731,648 bytes free
2. (Optional) Preserve security policy files, e.g.
> cd c:\ibm\itm\tmaitm6\
> copy java60.old\jre\lib\security\local_policy.jar java60\jre\lib\security
> copy java60.old\jre\lib\security\US_export_policy.jar java60\jre\lib\security
> copy java70.old\jre\lib\security\local_policy.jar java70\jre\lib\security
> copy java70.old\jre\lib\security\US_export_policy.jar java70\jre\lib\security
C. Validate the update JRE version/function
1. check version number of JRE 6.0, e.g.
> c:
> cd c:\ibm\itm\tmaitm6
> java60\jre\bin\java.exe -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr13fp2-20130424_01(SR13 FP2))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows Server 2008 R2 x86-32 jvmwi32
60sr13fp2-20130423_146146 (JIT enabled, AOT enabled)
J9VM - 20130423_146146
JIT - r9_20130108_31100ifx1
GC - 20121212_AA)
JCL - 20130419_01
> java70\jre\bin\java.exe -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwi3270sr4fp2-20130426_01(SR4 FP2))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20130422_146026
(JIT enabled, AOT enabled)
J9VM - R26_Java726_SR4_FP2_20130422_1320_B146026
JIT - r11.b03_20130131_32403ifx4
GC - R26_Java726_SR4_FP2_20130422_1320_B146026
J9CL - 20130422_146026)
JCL - 20130425_01 based on Oracle 7u21-b09
D. Restart Agent and ensure RPT Script playback works.
E. (Optional) Delete the backup java runtimes.
Additional information
This fix pack image contains the following files:
- - 7.3.0.1-TIV-CAMRT-AIX-IF0021.tar - md5sum 38615978329e6ea2f9d973a10e5bfdf4
- - 7.3.0.1-TIV-CAMRT-Linux-IF0021.tar - md5sum 38615978329e6ea2f9d973a10e5bfdf4
- - 7.3.0.1-TIV-CAMRT-Windows-IF0021.zip - md5sum c3274c6a250f3e7a5bf2fa8b5bdd653f
The tar/zip files contains the following:
- - 7.3.0.1-TIV-CAMRT-AIX-IF0021.tar
\java60\* - JRE 1.6.0 SR13 FP2
\java70\* - JRE 1.7.0 SR4 FP2 - Not required for 7.2 and 7.1 T6s
- - 7.3.0.1-TIV-CAMRT-Linux-IF0021.tar
\java60\* - JRE 1.6.0 SR13 FP2
\java70\* - JRE 1.7.0 SR4 FP2 - Not required for 7.2 and 7.1 T6s
- - 7.3.0.1-TIV-CAMRT-Windows-IF0021.zip
\java60\* - JRE 1.6.0 SR13 FP2
\java70\* - JRE 1.7.0 SR4 FP2 - Not required for 7.2 and 7.1 T6s
List of fixes
A) APAR Content:
IV43371 RRT: SECURITY UPDATES FOR JRE(S) - MAY 2013
B) Additional Non APAR Defects:
N/A C) Enhancements
N/A
Document change history
Version Date Description of change
1.0 31 May 2013 Initial Version
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBUaw5Iu4yVqjM2NGpAQLz3Q/6Amaw2SEwBo+R+btoIEOBQV+X5G3jwwJj
deCv7AFSzB6R0WuBfenzkHqft0GVcg9ORd+AI5CXCl/FkMYVgvOk38ZDdY1iiDom
oAFWwMNFQuB9sh8Cn+9pq86t2XNQnfucOUBFYv5M4O0nscogXDSt42LXYg9nH/4U
LKY6ZSbNo2UUWAbAtxLKNM1yVDqeT2L3Gj/kdjc5uDIv8NFbj/OsbCkd/ffh23s0
WxMh3rvr8dof2/1LCuNXz7PfufesdxQgdvPkQfel4sL3W+Pzdno+gfKm+n9NxQt4
TKEeNwI3e0Yp+W3o9r3DaMnJ+o3R6wSRJEwm0WrEBoCjlnyGh0Egmbs1cto+pyYJ
j7VSlYt2gi6cWTy41ZOVn39GfK2hY7dbeBmIX7AY84XE/xsiZGfB7Ih/ZponzWva
MoX6WHjzXfekG5Bk/aVI7DKLp2wr6XL4yFeNIloFzdBzpMuFg+e+M2ktaqJYzLP1
wArjPfzmZZ/DCzF7Pod+JfYDf6N4rGNB+xDAO++Mx2PHurgPaE2jCZ8/DmB+cFEf
3jRg0RzC9Z4HJ9hzg9LRxVT5mEl8HI5taHeMrOZVKwonrfTgAk83XK2ZCI8TRRZV
XJ8qwNjEIRaVCE1tJPkNR/Wi/XQq/LAp/V6gRyjisL99zKdyHyt4joe4OrtX8aMW
0D26xe+NWhk=
=g3JB
-----END PGP SIGNATURE-----