Jun 18, 2018 - 1:33 a.m.

Security Bulletin: Vulnerability in IBM Java SDK affects IBM Platform Symphony and IBM Spectrum Symphony (CVE-2016-3610 CVE-2016-3598 CVE-2016-3606 CVE-2016-3587 CVE-2016-3511 CVE-2016-3550 CVE-2016-3485)

www.ibm.com
EPSS: 0.016 (percentile 87.6%)

Summary

Vulnerability in IBM Java SDK affects IBM Platform Symphony and IBM Spectrum Symphony

Vulnerability Details

CVE IDs: CVE-2016-3610 CVE-2016-3598 CVE-2016-3606 CVE-2016-3587 CVE-2016-3511 CVE-2016-3550 CVE-2016-3485

Affected Products and Versions

IBM Platform Symphony: 5.2, 6.1.0.1, 6.1.1, 7.1 FP1, 7.1.1
IBM Spectrum Symphony: 7.1.2

Remediation/Fixes

See Workarounds and Mitigations.

Workarounds and Mitigations

1. Download location
Download this fix from the following location: http://www.ibm.com/eserver/support/fixes/
2. Scope


Applicability

Operating systems: Linux 64-bit, Linux on POWER 64-bit, Linux on POWER 64-bit LE, Windows 64-bit

Platform Symphony or IBM Spectrum Symphony versions: 7.1.2, 7.1.1, 7.1 Fix Pack 1, 6.1.1, 6.1.0.1, 5.2

Cluster types: This solution applies to a single Platform Symphony or IBM Spectrum Symphony cluster.

Installation files:

egojre-1.8.0.311.x86_64.rpm

egojre-1.8.0.311.ppc64.rpm

egojre-1.8.0.311.ppc64le.rpm

egojre-1.8.0.311.msi

symSetup_jre6sr16fp30_linux-64_build420845.tar.gz

symSetup_jre6sr16fp30_ppc64_build420845.tar.gz

symSetup_jre6sr16fp30_win-x86_64_build420845.zip

symSetup_jre7sr9fp50_linux-64_build420845.tar.gz

symSetup_jre7sr9fp50_ppc64_build420845.tar.gz

symSetup_jre7sr9fp50_win-x86_64_build420845.zip

symSetup_jre8sr3fp11_linux-64_build420845.tar.gz

symSetup_jre8sr3fp11_ppc64_build420845.tar.gz

symSetup_jre8sr3fp11_ppc64le_build420845.tar.gz

symSetup_jre8sr3fp11_win-x86_64_build420845.zip

3. Installation and configuration

3.1 Before installation

1. Shut down the cluster.

Log on to the host as the cluster administrator and run:

> source $EGO_TOP/cshrc.platform

> egosh user logon -u Admin -x Admin

> soamcontrol app disable all

> egosh service stop all

> egosh ego shutdown all


2. Back up the JRE folder for Platform Symphony 5.2, 6.1.0.1, 6.1.1, 7.0 Fix Pack 1, 7.1.1.

Back up the JRE folder on all hosts in the cluster:

The following steps use a Platform Symphony 7.1.1 cluster as an example:

For Linux 64-bit hosts:

$EGO_TOP/jre/3.3/linux-x86_64

For Linux on POWER 64-bit hosts:

$EGO_TOP/jre/3.3/linux-ppc64

For Linux on POWER 64-bit LE hosts:

$EGO_TOP/jre/3.3/linux-ppc64le

For Windows 64-bit hosts:

%SOAM_HOME%\…\jre\3.3

3. Uninstall the existing JRE for IBM Spectrum Symphony 7.1.2.

For Linux hosts:

Query the existing JRE package and uninstall it from the dbpath.

> rpm -qa --dbpath /tmp/rpm |grep egojre

egojre-1.8.0.3-408454.x86_64

> rpm -e egojre-1.8.0.3-408454.x86_64 --dbpath /tmp/rpm --nodeps

For Windows hosts:

You can use the Microsoft Windows “Add/Remove Programs” feature to uninstall the existing JRE package.

3.2 Installation steps

1. Log on to all hosts in the cluster and replace the contents of your current JRE folder with the downloaded package.

Note:

· For IBM Spectrum Symphony 7.1.2, use the JRE 8 rpm or msi packages to replace your original JRE.

· For Platform Symphony 7.1.1, use the JRE 8 packages to replace your original JRE.

· For Platform Symphony 7.1 Fix Pack 1, use the JRE 7 packages to replace your original JRE.

· For Platform Symphony 5.2, 6.1.0.1, and 6.1.1, use the JRE 6 packages to replace your original JRE.

JRE 8 packages:

symSetup_jre8sr3fp11_linux-64_build420845.tar.gz

symSetup_jre8sr3fp11_ppc64_build420845.tar.gz

symSetup_jre8sr3fp11_ppc64le_build420845.tar.gz

symSetup_jre8sr3fp11_win-x86_64_build420845.zip

JRE 7 packages:

symSetup_jre7sr9fp50_linux-64_build420845.tar.gz

symSetup_jre7sr9fp50_ppc64_build420845.tar.gz

symSetup_jre7sr9fp50_win-x86_64_build420845.zip

JRE 6 packages:

symSetup_jre6sr16fp30_linux-64_build420845.tar.gz

symSetup_jre6sr16fp30_ppc64_build420845.tar.gz

symSetup_jre6sr16fp30_win-x86_64_build420845.zip

The following steps use a Platform Symphony 7.1.1 cluster as an example:

For Linux 64-bit hosts:

> rm -rf $EGO_TOP/jre/3.3/linux-x86_64/*
> tar zxf symSetup_jre8sr3fp11_linux-64_build420845.tar.gz -C $EGO_TOP/jre/3.3/linux-x86_64

For Linux on POWER 64-bit hosts:

> rm -rf $EGO_TOP/jre/3.3/linux-ppc64/*
> tar zxf symSetup_jre8sr3fp11_ppc64_build420845.tar.gz -C $EGO_TOP/jre/3.3/linux-ppc64

For Linux on POWER 64-bit LE hosts:

> rm -rf $EGO_TOP/jre/3.3/linux-ppc64le/*
> tar zxf symSetup_jre8sr3fp11_ppc64le_build420845.tar.gz -C $EGO_TOP/jre/3.3/linux-ppc64le

For Windows 64-bit hosts:

> rd /S /Q "%SOAM_HOME%\…\jre\3.3"
> mkdir "%SOAM_HOME%\…\jre\3.3"
Then, extract the symSetup_jre8sr3fp11_win-x86_64_build420845.zip file to the %SOAM_HOME%\…\jre\3.3\ directory.
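For the tar-based packages on Linux hosts, the backup from section 3.1 and the replacement shown above can be combined into one guarded step. The following sh function is an added example, not part of the IBM bulletin or IBM tooling; the function name `replace_jre`, its exit codes, the `/jre/` path check, and the backup directory argument are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical helper): back up a tar-based JRE folder, verify the
# backup, replace the folder contents, and restore the backup if extraction fails.
# Usage: replace_jre <jre_dir> <new_jre_tarball> <backup_dir>
# e.g.   replace_jre "$EGO_TOP/jre/3.3/linux-x86_64" \
#            symSetup_jre8sr3fp11_linux-64_build420845.tar.gz <backup_dir>
replace_jre() {
    jre_dir=$1; archive=$2; backup_dir=$3

    # Refuse empty or unexpected paths: with EGO_TOP unset, "$EGO_TOP/jre/..."
    # expands to "/jre/..." and the delete below would act on the wrong tree.
    case "$jre_dir" in
        /*/jre/*) ;;
        *) echo "refusing suspicious JRE path: '$jre_dir'" >&2; return 2 ;;
    esac
    [ -d "$jre_dir" ] || { echo "no such directory: $jre_dir" >&2; return 2; }

    # Confirm the downloaded archive is readable before touching anything.
    tar tzf "$archive" >/dev/null 2>&1 || { echo "bad archive: $archive" >&2; return 3; }

    # Back up, then verify the backup holds as many non-directory entries as the disk.
    mkdir -p "$backup_dir" || return 4
    backup="$backup_dir/jre-backup-$(date +%Y%m%d%H%M%S).tar.gz"
    tar czf "$backup" -C "$jre_dir" . || return 4
    on_disk=$(cd "$jre_dir" && find . ! -type d | wc -l)
    in_backup=$(tar tzf "$backup" | grep -vc '/$')
    [ "$on_disk" -eq "$in_backup" ] || { echo "backup incomplete: $backup" >&2; return 4; }

    # Clear the folder (dotfiles included, which "rm -rf dir/*" leaves behind).
    find "$jre_dir" -mindepth 1 -delete
    if ! tar zxf "$archive" -C "$jre_dir"; then
        echo "extract failed, restoring $backup" >&2
        find "$jre_dir" -mindepth 1 -delete
        tar zxf "$backup" -C "$jre_dir"
        return 5
    fi
    echo "$backup"   # keep this path for the restore step in section 3.4
}
```

Run it only after the cluster has been shut down as described in section 3.1; the printed backup path is the archive to extract when following the restore procedure.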

The following steps use an IBM Spectrum Symphony 7.1.2 cluster as an example:

For Linux 64-bit hosts:

The same dbpath and prefix must be used when installing IBM Spectrum Symphony 7.1.2:

> rpm -ivh --dbpath /tmp/rpm --prefix /opt/platform egojre-1.8.0.311.x86_64.rpm

For Linux on POWER 64-bit hosts:

The same dbpath and prefix must be used when installing IBM Spectrum Symphony 7.1.2:

> rpm -ivh --dbpath /tmp/rpm --prefix /opt/platform egojre-1.8.0.311.ppc64.rpm

For Linux on POWER 64-bit LE hosts:

The same dbpath and prefix must be used when installing IBM Spectrum Symphony 7.1.2:

> rpm -ivh --dbpath /tmp/rpm --prefix /opt/platform egojre-1.8.0.311.ppc64le.rpm

For Windows 64-bit hosts:
Copy the egojre-1.8.0.311.msi package to all hosts and double-click the msi package to run the installer.


3.3 After installation

1. Clean up the GUI work directory and the browser cache. Delete all subdirectories and files in this directory:

> rm -rf $EGO_TOP/gui/work/*


2. Start the cluster.

> source $EGO_TOP/cshrc.platform

> egosh ego start all

> soamcontrol app enable <AppName>

3.4 Uninstalling

1. Shut down the cluster.

Log on to the host as the cluster administrator and run:

> source $EGO_TOP/cshrc.platform

> egosh user logon -u Admin -x Admin

> soamcontrol app disable all

> egosh service stop all

> egosh ego shutdown all

2. Restore the backup files.

Log on to all hosts in the cluster and restore the backup JRE folder.

The following steps use a Platform Symphony 7.1.1 cluster as an example.

For Linux 64-bit hosts, the JRE folder is:

$EGO_TOP/jre/3.3/linux-x86_64

For Linux on POWER 64-bit hosts, the JRE folder is:

$EGO_TOP/jre/3.3/linux-ppc64

For Linux on POWER 64-bit LE hosts, the JRE folder is:

$EGO_TOP/jre/3.3/linux-ppc64le

For Windows 64-bit hosts, the JRE folder is:

%SOAM_HOME%\…\jre\3.3

The following steps use an IBM Spectrum Symphony 7.1.2 cluster as an example:

For Linux 64-bit hosts, first run:

> rpm -e egojre-1.8.0.311-420845.x86_64 --dbpath /tmp/rpm/ --nodeps

Then reinstall the old JRE package by extracting the egojre rpm package from the released bin package.

For Linux on POWER 64-bit hosts, first run:

> rpm -e egojre-1.8.0.311-420845.ppc64 --dbpath /tmp/rpm/ --nodeps

Then reinstall the old JRE package by extracting the egojre rpm package from the released bin package.

For Linux on POWER 64-bit LE hosts, first run:

> rpm -e egojre-1.8.0.311-420845.ppc64le --dbpath /tmp/rpm/ --nodeps

Then reinstall the old JRE package by extracting the egojre rpm package from the released bin package.

For Windows 64-bit hosts:

You can use the Microsoft Windows “Add/Remove Programs” feature to uninstall the 1.8.0.311 JRE package.

Then reinstall the old JRE package by extracting the egojre msi package from the released exe package.

3. Clean up the GUI work directory and the browser cache. Delete all subdirectories and files in this directory:

> rm -rf $EGO_TOP/gui/work/*


4. Start the cluster and enable the application.

> source $EGO_TOP/cshrc.platform

> egosh ego start all

> soamcontrol app enable <AppName>

4. List of files

egojre-1.8.0.311.x86_64.rpm

egojre-1.8.0.311.ppc64.rpm

egojre-1.8.0.311.ppc64le.rpm

egojre-1.8.0.311.msi

symSetup_jre6sr16fp30_linux-64_build420845.tar.gz

symSetup_jre6sr16fp30_ppc64_build420845.tar.gz

symSetup_jre6sr16fp30_win-x86_64_build420845.zip

symSetup_jre7sr9fp50_linux-64_build420845.tar.gz

symSetup_jre7sr9fp50_ppc64_build420845.tar.gz

symSetup_jre7sr9fp50_win-x86_64_build420845.zip

symSetup_jre8sr3fp11_linux-64_build420845.tar.gz

symSetup_jre8sr3fp11_ppc64_build420845.tar.gz

symSetup_jre8sr3fp11_ppc64le_build420845.tar.gz

symSetup_jre8sr3fp11_win-x86_64_build420845.zip

5. List of fixes
APAR: P101889