This interim fix provides instructions on upgrading Apache Tomcat from v6.0.43 to v8.5.37 in IBM Platform Symphony 7.1 Fix Pack 1 in order to address security vulnerability CVE-2018-11784 in Apache Tomcat.
CVE-ID: CVE-2018-11784
Description: Apache Tomcat could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability in the default servlet. When the default servlet redirects a request for a directory to the same path with a trailing slash (for example, /foo to /foo/), a specially crafted URL can cause that redirect to point at an attacker-chosen URI, so a victim who follows the link is sent to an arbitrary web site.
CVSS Base Score: 7.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/150860> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Platform Symphony 7.1 Fix Pack 1
Applicability
Operating systems: Linux-x86_64
Cluster type: Single grid cluster
Packages
Product | APAR | Remediation/First Fix |
---|---|---|
IBM Platform Symphony 7.1 Fix Pack 1 | P102834 | sym7.1_lnx26-lib23-x64_build509541.tar.gz |
Apache Tomcat 8.5.37 | N/A | apache-tomcat-8.5.37.tar.gz |
Installation
Log on to the primary host as the cluster administrator and stop the WEBGUI service (source the environment first so that egosh is on the path; supplying the password with -x leaves it in shell history and process listings, and egosh user logon prompts for it when -x is omitted):
> source $EGO_TOP/cshrc.platform
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
Log on to each management host in the cluster and back up the following files for recovery purposes. The remaining installation steps are performed on every management host:
$EGO_TOP/gui/3.1/tomcat/
$EGO_CONFDIR/…/…/gui/conf/catalina.policy
$EGO_CONFDIR/…/…/gui/conf/catalina.properties
$EGO_CONFDIR/…/…/gui/conf/server.xml
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
Copy the apache-tomcat-8.5.37.tar.gz package to a temporary folder, change into that folder and decompress the file, then remove the conf, work and logs directories from the extracted tree (Symphony ships its own Tomcat configuration, copied in the next steps):
> cp apache-tomcat-8.5.37.tar.gz /tmp
> cd /tmp
> tar zxvf apache-tomcat-8.5.37.tar.gz
> rm -rf apache-tomcat-8.5.37/conf/
> rm -rf apache-tomcat-8.5.37/work/
> rm -rf apache-tomcat-8.5.37/logs/
Copy the Tomcat folder:
> rm -rf $EGO_TOP/gui/3.1/tomcat
> cp -rf apache-tomcat-8.5.37 $EGO_TOP/gui/3.1/tomcat
Copy the sym7.1_lnx26-lib23-x64_build509541.tar.gz package to the host and extract it over $EGO_TOP:
> tar zxfo sym7.1_lnx26-lib23-x64_build509541.tar.gz -C $EGO_TOP
If you ran the “egoconfig mghost shared_dir” command during installation to set up a shared location for configuration files, also copy the updated Tomcat configuration files into the shared directory so that the running GUI picks them up:
> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/…/…/gui/conf/catalina.policy
> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/…/…/gui/conf/catalina.properties
> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/…/…/gui/conf/server.xml
If you modified the $EGO_CONFDIR/…/…/gui/conf/server.xml configuration file for details such as the GUI service port, manually redo those changes.
Edit the web.xml files to add the following configuration:
1. Edit each of the following files:
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
2. Find the “<servlet>” section that contains the “<servlet-name>dwr-invoker</servlet-name>” line and add the following init-param inside it, before the closing “</servlet>” tag:
<init-param>
<param-name>crossDomainSessionSecurity</param-name>
<param-value>false</param-value>
</init-param>
Note that crossDomainSessionSecurity is the DWR engine's check that the session ID carried in each DWR request matches the session cookie, which is DWR's defence against cross-site request forgery. Setting it to false disables that check for these GUI applications, so keep the WEBGUI port reachable only from trusted management networks.
For example:
<servlet>
<servlet-name>dwr-invoker</servlet-name>
<servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class>
<init-param>
<param-name>debug</param-name>
<param-value>true</param-value>
</init-param>
<init-param>
<param-name>crossDomainSessionSecurity</param-name>
<param-value>false</param-value>
</init-param>
</servlet>
On each management host, delete all subdirectories and files in the following directory:
> rm -rf $EGO_TOP/gui/work/*
On all client hosts, open your web browser and clear the browser cache.
Start the WEBGUI service:
> source $EGO_TOP/cshrc.platform
> egosh service start WEBGUI
In the $EGO_TOP/gui/logs/catalina.out file, confirm that the server version line written at startup now reports Apache Tomcat 8.5.37:
INFO: Server version: Apache Tomcat/8.5.37
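The management-host part of the procedure above, collected into one re-runnable script. This is an added example, not IBM's own tooling or part of the fix package. It assumes EGO_TOP is set (source cshrc.platform or profile.platform first), that GUI_CONF_DIR is a hypothetical variable the operator sets to the real $EGO_CONFDIR/…/…/gui/conf directory when egoconfig mghost was used (the page does not spell out the elided path components, so the script does not guess them), and that no path contains whitespace. Stop WEBGUI on the primary host before running it with --apply; the web.xml edit is idempotent, so the script can be run again on a host that was already patched.

```shell
#!/bin/sh
# Added example (not IBM's tooling): the management-host steps of this fix as
# a script. Assumes EGO_TOP is set, GUI_CONF_DIR (hypothetical variable) names
# the real shared gui/conf directory when one is configured, and paths have no
# whitespace. Stop WEBGUI on the primary host before --apply.
set -eu

TOMCAT_VERSION="8.5.37"
SYM_PKG="sym7.1_lnx26-lib23-x64_build509541.tar.gz"
GUI_CONF_DIR="${GUI_CONF_DIR:-}"

# The five web.xml files the fix says to edit, one per line (paths from the page).
dwr_webxml_files() {
  cat <<EOF
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
EOF
}

# Insert the crossDomainSessionSecurity init-param into the dwr-invoker servlet
# of one web.xml, just before that servlet's closing </servlet>, reusing the
# indentation of its <servlet-name> line. Idempotent: a file that already has
# the parameter is left alone. Fails loudly if no dwr-invoker servlet exists.
add_dwr_param() {
  f=$1
  if grep -q 'crossDomainSessionSecurity' "$f"; then
    return 0
  fi
  tmp=$(mktemp)
  awk '
    /<servlet-name>dwr-invoker<\/servlet-name>/ {
      in_dwr = 1
      match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH)
    }
    in_dwr && /<\/servlet>/ {
      print ind "<init-param>"
      print ind "  <param-name>crossDomainSessionSecurity</param-name>"
      print ind "  <param-value>false</param-value>"
      print ind "</init-param>"
      in_dwr = 0
    }
    { print }
  ' "$f" > "$tmp"
  mv "$tmp" "$f"
  grep -q 'crossDomainSessionSecurity' "$f" || {
    echo "no dwr-invoker servlet found in $f" >&2
    return 1
  }
}

# Number of crossDomainSessionSecurity occurrences in a file (0 when absent).
count_dwr_param() {
  grep -c 'crossDomainSessionSecurity' "$1" || true
}

# The catalina.out check from the page. Tomcat 8.5 pads the label with spaces
# ("Server version:        Apache Tomcat/8.5.37"), so any whitespace run matches.
verify_tomcat_version() {
  ver_re=$(printf '%s' "$TOMCAT_VERSION" | sed 's/\./\\./g')
  grep -Eq "Server version:[[:space:]]+Apache Tomcat/$ver_re" "$1"
}

# The page's steps in order: back up, swap the Tomcat tree, unpack the Symphony
# package, copy Tomcat conf files to the shared directory, patch the web.xml
# files, clear gui/work. $1 is the directory holding both .tar.gz packages.
upgrade_management_host() {
  pkg_dir=$1
  tc="apache-tomcat-$TOMCAT_VERSION"
  stamp=$(date +%Y%m%d%H%M%S)
  # One archive with full paths, so the uninstall steps can restore from it.
  # shellcheck disable=SC2046
  tar czf "/tmp/symphony-gui-backup-$stamp.tgz" -C / \
    "${EGO_TOP#/}/gui/3.1/tomcat" ${GUI_CONF_DIR:+"${GUI_CONF_DIR#/}"} \
    $(dwr_webxml_files | sed 's|^/||')
  work=$(mktemp -d)
  tar zxf "$pkg_dir/$tc.tar.gz" -C "$work"
  rm -rf "$work/$tc/conf" "$work/$tc/work" "$work/$tc/logs"
  rm -rf "$EGO_TOP/gui/3.1/tomcat"
  cp -rf "$work/$tc" "$EGO_TOP/gui/3.1/tomcat"
  tar zxfo "$pkg_dir/$SYM_PKG" -C "$EGO_TOP"
  if [ -n "$GUI_CONF_DIR" ]; then
    for c in catalina.policy catalina.properties server.xml; do
      cp "$EGO_TOP/gui/conf/$c" "$GUI_CONF_DIR/$c"
    done
    echo "reapply local edits (e.g. GUI port) to $GUI_CONF_DIR/server.xml" >&2
  fi
  for f in $(dwr_webxml_files); do
    add_dwr_param "$f"
  done
  rm -rf "$EGO_TOP/gui/work"/*
  rm -rf "$work"
}

if [ "${1:-}" = "--apply" ]; then
  upgrade_management_host "${2:?directory holding the packages}"
fi
```

After WEBGUI has been started again, `verify_tomcat_version $EGO_TOP/gui/logs/catalina.out` performs the final check from the page; the backup archive written to /tmp carries full paths, so `tar xzf … -C /` puts every file listed in the uninstall steps back in place.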
Uninstallation
Follow the instructions in this section to uninstall this update in your cluster, if required.
Log on to the primary host as the cluster administrator, source the environment and stop the WEBGUI service:
> source $EGO_TOP/cshrc.platform
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
On each management host, restore the backup files:
1. Remove the Tomcat folder, which was introduced by this interim fix:
> rm -rf $EGO_TOP/gui/3.1/tomcat
2. Restore the following folders and files from your backup:
$EGO_TOP/gui/3.1/tomcat
$EGO_CONFDIR/…/…/gui/conf/catalina.policy
$EGO_CONFDIR/…/…/gui/conf/catalina.properties
$EGO_CONFDIR/…/…/gui/conf/server.xml
$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml
$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml
$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml
$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml
Delete all subdirectories and files in the following directory:
> rm -rf $EGO_TOP/gui/work/*
On all client hosts, open your web browser and clear the browser cache.
Start the WEBGUI service:
> source $EGO_TOP/cshrc.platform
> egosh service start WEBGUI
CPE | Name | Operator | Version |
---|---|---|---|
| platform symphony | eq | 7.1 |
| platform symphony | eq | 1 |