Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

  IBM Tivoli Composite Application Manager for Transactions Response Time Interim Fix 21 README Tivoli Composite Application Manager for
           Transactions Readme
                                3 June 2013


        AusCERT Security Bulletin Summary

Product:           Tivoli Composite Application Manager for Transactions
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

IBM Tivoli Composite Application Manager for Transactions Response Time 
Interim Fix 21 README Tivoli Composite Application Manager for Transactions Readme

Document information
Tivoli Composite Application Manager for Transactions

Reference #:

Modified date:

Readme file for:
Product/Component Release:
Update Name:
Fix ID:,,
Publication Date: 31 May 2013
Last modified date: 31 May 2013


Download location 
Prerequisites and co-requisites 

Installation information

Additional information 
List of fixes 
Document change history 

Download location
The information included in this document is published at product release time. 
For the latest updates on this release please refer to the on-line document: 
To download this update you must first login to IBM FixCentral. Once logged in, 
you may select from the individual download packages. 
Below is a list of components, platforms, and file names that apply to 
this Readme file.

Fix Download for AIX

Product/Component Name:		Platform:	Fix:
Tivoli Composite 
Application Manager 		AIX
for Transactions	

Fix Download for Linux

Product/Component Name:		Platform:	Fix:
Tivoli Composite 
Application Manager 		Linux
for Transactions	

Fix Download for Windows

Product/Component Name:		Platform:	Fix:
Tivoli Composite 
Application Manager 		Windows
for Transactions	

Prerequisites and co-requisites

This update for ITCAM for Transactions Response Time may be applied to the 
following base versions.
Note: Supported base versions include interim fixes applied to any of the 
above release levels. 

This MDV replaces the two JREs shipped with the Robotics Response Time (T6) 
agent to the latest level. This remediates multiple security issues.
This patch is applicable for the T6 agent:
* versions 7.3.0.x, 7.2.0.x and 7.1.0.x
* platforms Windows, AIX and Linux platforms. 
The T6's JREs are used when playing back Rational Performance Tester (RPT)
scripts only, thus not available on Solaris and HPUX (RPT playback on supported 
on those platforms).

7.3 agents need to update both java60 and java 70 JREs. 7.2 and 7.1 agents 
only needs to update java60. These variations are noted in the installation 
steps below.

Any customisations done to the existing JREs needs to be preseved. Since these 
JREs are product specific (ie only used by the T6 agent), there should only be 
at most one customisation as instructed by IBM support; which is to enable 
strong encryption by updating the JRE's encryption policy (see technote in 
Related Material).

After the patch, the Java versions will be:
* Java 6.0 SR13 FP2
* Java 7.0 SR4 FP2

Related material: 
* Oracle's Java April 2013 CPU Advisory - details vulnerabilities addressed
* Details on Strong Encryption keys

Superseded By: 


Installation information

1 Before Installing the fix pack
- ----------------------------------
A. Validate pre-existing java is older than ones delivered in this IFix.
The RRT Agent's javas are located in
java60: $ITMHOME\tmaitm6\java60
java70: $ITMHOME\tmaitm6\java70 - only in and later
java60: $ITMHOME/tmaitm6/java60
java70: $ITMHOME/tmaitm6/java70 - only in and later

Check their versions, eg
C:\ibm\itm\TMAITM6> .\java70\jre\bin\java.exe -version

java version "1.7.0"
Java(TM) SE Runtime Environment (build pwi3270sr2-20120901_01(SR2))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20120809_118929 
(JIT enabled, AOT enabled)
J9VM - R26_Java726_SR2_20120809_0948_B118929
JIT - r11.b01_20120808_24925
GC - R26_Java726_SR2_20120809_0948_B118929
J9CL - 20120809_118929)
JCL - 20120831_02 based on Oracle 7u3-b05

Notice that J9VM indicates it is SR2 (no Fixpack) and hence it is 
older than SR4 FP2 and needs update. 

2 Applying the fix pack
- -------------------------
1. If you are using 7.2 and 7.1 T6 agents, you do not need to 
unarchive the \java70 directory. For 7.3 onwards, please unarchive
both JREs.
2. If you have updated the T6 jre to use strong encryption, you must
migrate the policy files to the new JREs. The two files are:
See: http://www-01.ibm.com/support/docview.wss?uid=swg21245273

A. Back up existing java
1. Stop the T6 agent
2. Backup existing java jres, e.g.
> c:
> cd c:\ibm\itm\tmaitm6\
> move java60 java60.old
> move java70 java70.old - only in and later.

B. Replace the JREs
1. Unzip/Untar the archive to the same directory, e.g.
After unarchiving your directory structure should be like

c:\IBM\ITM\TMAITM6>dir java*
Volume in drive C has no label.
Volume Serial Number is 44AB-01FC

Directory of c:\IBM\ITM\TMAITM6

29/05/2013 02:02 PM <DIR> java60
12/03/2012 04:08 PM <DIR> java60.old
29/05/2013 02:04 PM <DIR> java70
13/02/2013 02:14 PM <DIR> java70.old
0 File(s) 0 bytes
4 Dir(s) 30,808,731,648 bytes free
2. (Optional) Preserve security policy files, e.g.
> cd c:\ibm\itm\tmaitm6\
> copy java60.old\jre\lib\security\local_policy.jar java60\jre\lib\security
> copy java60.old\jre\lib\security\US_export_policy.jar java60\jre\lib\security
> copy java70.old\jre\lib\security\local_policy.jar java70\jre\lib\security
> copy java70.old\jre\lib\security\US_export_policy.jar java70\jre\lib\security

C. Validate the update JRE version/function 
1. check version number of JRE 6.0, e.g.
> c:
> cd c:\ibm\itm\tmaitm6
> java60\jre\bin\java.exe -version
java version "1.6.0"
Java(TM) SE Runtime Environment (build pwi3260sr13fp2-20130424_01(SR13 FP2))
IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows Server 2008 R2 x86-32 jvmwi32
60sr13fp2-20130423_146146 (JIT enabled, AOT enabled)
J9VM - 20130423_146146
JIT - r9_20130108_31100ifx1
GC - 20121212_AA)
JCL - 20130419_01

> java70\jre\bin\java.exe -version
java version "1.7.0"
Java(TM) SE Runtime Environment (build pwi3270sr4fp2-20130426_01(SR4 FP2))
IBM J9 VM (build 2.6, JRE 1.7.0 Windows Server 2008 R2 x86-32 20130422_146026 
(JIT enabled, AOT enabled)
J9VM - R26_Java726_SR4_FP2_20130422_1320_B146026
JIT - r11.b03_20130131_32403ifx4
GC - R26_Java726_SR4_FP2_20130422_1320_B146026
J9CL - 20130422_146026)
JCL - 20130425_01 based on Oracle 7u21-b09

D. Restart Agent and ensure RPT Script playback works.

E. (Optional) Delete the backup java runtimes.
Additional information
This fix pack image contains the following files:

- - - md5sum 38615978329e6ea2f9d973a10e5bfdf4
- - - md5sum 38615978329e6ea2f9d973a10e5bfdf4
- - - md5sum c3274c6a250f3e7a5bf2fa8b5bdd653f

The tar/zip files contains the following:
- - 
\java60\* - JRE 1.6.0 SR13 FP2
\java70\* - JRE 1.7.0 SR4 FP2 - Not required for 7.2 and 7.1 T6s
- -
\java60\* - JRE 1.6.0 SR13 FP2
\java70\* - JRE 1.7.0 SR4 FP2 - Not required for 7.2 and 7.1 T6s
- -
\java60\* - JRE 1.6.0 SR13 FP2
\java70\* - JRE 1.7.0 SR4 FP2 - Not required for 7.2 and 7.1 T6s
List of fixes
A) APAR Content:

B) Additional Non APAR Defects:

N/A C) Enhancements


Document change history

Version	Date		Description of change
1.0	31 May 2013	Initial Version

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967