History: Sep 25, 2022 - 9:06 p.m.

Security Bulletin: IBM Intelligent Operations Center 1.5 WebSphere Application Server - Oracle Java CPU April 2013

2022-09-25 21:06:56
www.ibm.com

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

EPSS: 0.975 High
Percentile: 100.0%

Abstract

The Java vulnerabilities identified in the April 2013 Oracle Java security alert need to be fixed in IBM Intelligent Operations Center 1.5. The procedures in this security bulletin identify the appropriate IBM patches for these Java vulnerabilities and describe how to apply them. No reference to other IBM product update pages should be necessary.

Content

Vulnerability details

The following vulnerabilities are fixed by the instructions in this security bulletin.

CVE-2013-2422
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83570
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2013-2435
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83563
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2013-2432
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83559
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2431
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83564
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.

CVE-2013-1557
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83572
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors.

CVE-2013-1537
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83571
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to RMI.

CVE-2013-1558
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83561
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Beans.

CVE-2013-2440
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83562
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2013-1518
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83566
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via vectors related to JAXP.

CVE-2013-0401
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82823
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: The JRE component allows remote attackers to execute arbitrary code via vectors related to AWT.

CVE-2013-1488
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82821
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: The JRE component allows remote attackers to execute arbitrary code via unspecified vectors involving reflection and Libraries.

CVE-2013-1491
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82820
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: The JRE component allows remote attackers to execute arbitrary code via vectors related to 2D.

CVE-2013-1569
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83557
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2384
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83556
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2383
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83555
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2394
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83576
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2419
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83581
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect availability via unknown vectors related to 2D.

CVE-2013-2420
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83560
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2421
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83573
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to HotSpot.

CVE-2013-2423
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83591
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to HotSpot.

CVE-2013-2426
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83574
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2013-2428
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83568
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to JavaFX.

CVE-2013-2434
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83558
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to 2D.

CVE-2013-2436
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83575
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries.

CVE-2013-2429
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83578
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO.

CVE-2013-2430
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83577
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO.

CVE-2013-1563
CVSS Base Score: 7.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83579
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Install.

CVE-2013-2438
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83585
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to JavaFX.

CVE-2013-2424
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83582
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect confidentiality via vectors related to JMX.

CVE-2013-2417
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83586
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect availability via unknown vectors related to Networking.

CVE-2013-2418
CVSS Base Score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83587
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:P/A:P
Description: Unspecified vulnerability in the JRE component allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment.

CVE-2013-1540
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83590
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2013-2433
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83589
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2013-2416
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83588
CVSS Environmental Score*: Undefined
CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Description: Unspecified vulnerability in the JRE component allows remote attackers to affect integrity via unknown vectors related to Deployment.

CVE-2013-2415
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83592
CVSS Environmental Score*: Undefined
CVSS Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N
Description: Unspecified vulnerability in the JRE component allows local users to affect confidentiality via vectors related to JAX-WS.

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

_Note:_ According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
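The base scores and vectors listed above can be cross-checked mechanically before they drive patch prioritisation. The following is an added example, not part of IBM's bulletin: it recomputes CVSS v2 base scores from the vector strings with the FIRST CVSS v2 base equation and flags rows whose description names different impact properties than the vector rates. The rows are copied from the vulnerability list above; the function names are this example's own.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the FIRST CVSS v2 specification (base metric group).
AV = {"L": 0.395, "A": 0.646, "N": 1.0}
AC = {"H": 0.35, "M": 0.61, "L": 0.71}
AU = {"M": 0.45, "S": 0.56, "N": 0.704}
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
IMPACT_WORDS = {"C": "confidentiality", "I": "integrity", "A": "availability"}


def parse_vector(vector):
    """Split 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict; ValueError if malformed."""
    metrics = dict(part.split(":", 1) for part in vector.strip().split("/"))
    if set(metrics) != {"AV", "AC", "Au", "C", "I", "A"}:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return metrics


def base_score(vector):
    """CVSS v2 base score, rounded to one decimal place."""
    m = parse_vector(vector)
    try:
        impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
        exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    except KeyError as exc:
        raise ValueError(f"unknown metric value {exc} in {vector!r}") from None
    f_impact = 0.0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def described_impacts(description):
    """Impact properties named after 'to affect', or None when the text uses
    other wording (for example 'execute arbitrary code')."""
    match = re.search(r"to affect (.+?) via", description)
    if not match:
        return None
    return {key for key, word in IMPACT_WORDS.items() if word in match.group(1)}


# (CVE, stated base score, vector, description) copied from the list above.
ROWS = [
    ("CVE-2013-2422", 10.0, "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to Libraries."),
    ("CVE-2013-0401", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C",
     "allows remote attackers to execute arbitrary code via vectors related to AWT."),
    ("CVE-2013-2419", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C",
     "allows remote attackers to affect availability via unknown vectors related to 2D."),
    ("CVE-2013-2423", 9.3, "AV:N/AC:M/Au:N/C:C/I:C/A:C",
     "allows remote attackers to affect integrity via unknown vectors related to HotSpot."),
    ("CVE-2013-2429", 7.6, "AV:N/AC:H/Au:N/C:C/I:C/A:C",
     "allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to ImageIO"),
    ("CVE-2013-2438", 5.0, "AV:N/AC:L/Au:N/C:N/I:P/A:N",
     "allows remote attackers to affect integrity via unknown vectors related to JavaFX."),
    ("CVE-2013-2418", 4.6, "AV:L/AC:L/Au:N/C:P/I:P/A:P",
     "allows local users to affect confidentiality, integrity, and availability via unknown vectors related to Deployment."),
    ("CVE-2013-1540", 4.3, "AV:N/AC:M/Au:N/C:N/I:P/A:N",
     "allows remote attackers to affect integrity via unknown vectors related to Deployment."),
    ("CVE-2013-2415", 2.1, "AV:L/AC:L/Au:N/C:P/I:N/A:N",
     "allows local users to affect confidentiality via vectors related to JAX-WS."),
]


def review(rows):
    """Return (cve, finding) pairs for rows that need a second look."""
    findings = []
    for cve, stated, vector, description in rows:
        computed = base_score(vector)
        if abs(computed - stated) > 1e-9:
            findings.append((cve, f"stated score {stated} but vector computes to {computed}"))
        named = described_impacts(description)
        rated = {key for key in IMPACT_WORDS if parse_vector(vector)[key] != "N"}
        if named is not None and named != rated:
            findings.append((cve, f"description names {sorted(named)}, vector rates {sorted(rated)}"))
    return findings


if __name__ == "__main__":
    for cve, finding in review(ROWS):
        print(f"{cve}: {finding}")
```

Every stated score in the sample matches its vector. CVE-2013-2419 and CVE-2013-2423 are flagged because their descriptions name a single impact property while the listed vector rates all three, so those two rows are worth checking against the current vendor record.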


Assumptions

These procedures assume some familiarity with Linux usage. A user may wish to deviate from some of the steps, such as putting files in different places, depending on local conventions. In this document, it is assumed that patches are downloaded to the Intelligent Operations Center installation server and then distributed from there. An IBM ID is required to download the packages.

It is also assumed that the hostnames of the Intelligent Operations Center servers are as follows. If they are different for your installation, change the values as appropriate for your installation.

Database server: ioc15db
Application server: ioc15app
Event server: ioc15event
Management server: ioc15mgmt

All the steps should be run as the root user unless otherwise noted. The Administrator might wish to temporarily enable remote root login, which is disabled by cyber hygiene. See "Re-enabling remote root log on" in the product documentation.


Stop all IBM Intelligent Operations Center services

Stop all IBM Intelligent Operations Center services by running the following on the management server:

```
su - ibmadmin
/opt/IBM/ISP/mgmt/scripts/IOCControl.sh stop all <IOCControl_password>
exit
```


Install IBM Update Installer for WebSphere V7.0.0.29

The Update Installer installs updates to IBM WebSphere software. This patch updates the Update Installer first, on the three Intelligent Operations Center servers that have it installed. You can use any server to download the patches, but this document assumes that the installation server is used to download any of the files used to update.

1. Log on to the installation server as the root user.

2. Download the 7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz package.

3. When prompted, choose Save File and save the file in /root/Downloads.

4. Move the file to a staging area for patches, for example a directory for this Technote's Java April 2013 patches, by running the following commands:

```
mkdir -p /root/Downloads/TN_Java_4-2013_WAS_Update_Installer
mv /root/Downloads/7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz /root/Downloads/TN_Java_4-2013_WAS_Update_Installer
cd /root/Downloads/TN_Java_4-2013_WAS_Update_Installer
```

5. Copy the file to the application, event, and management servers by running the following commands. In each sftp session, enter “yes” to continue with connecting if prompted, then enter the root password for the server.

```
sftp ioc15app
put 7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz
quit

sftp ioc15event
put 7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz
quit

sftp ioc15mgmt
put 7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz
quit
```

6. Install the Update Installer package on the application server, event server, and management server by doing the following steps on each server.

   a. Using the graphical desktop, log on as the root user.

   b. Run the following commands:

   ```
   mkdir -p /root/Downloads/TN_Java_4-2013_WAS_Update_Installer
   mv /root/7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz /root/Downloads/TN_Java_4-2013_WAS_Update_Installer
   cd /root/Downloads/TN_Java_4-2013_WAS_Update_Installer
   tar -zxvf 7.0.0.29-WS-UPDI-LinuxAMD64.tar.gz
   ```

   c. Install the Update Installer by running the following commands:

   ```
   cd /root/Downloads/TN_Java_4-2013_WAS_Update_Installer/UpdateInstaller
   ./install.sh
   ```

   d. Do the following in the installation wizard:

      i. Accept all defaults and click Next to go to the next screen.
      ii. For "Software License Agreement", check I accept and click Next.
      iii. After "System Prerequisites Check Passed", click Next.
      iv. After "Installed Locations Detected" and “/opt/IBM/WebSphere/UpdateInstaller” are displayed, click Next.
      v. After "Installation Complete Success" is displayed, clear Launch IBM Update Installer for WebSphere Software and click Finish.


Download WebSphere Application Server version 7 fix pack 29 and related patches

Download the fix packs and related patches on the installation server and distribute to the appropriate servers.

1. Log on to the installation server as the root user.

2. Download the fix pack for the application server.

   a. Download the 7.0.0-WS-WAS-LinuxX64-FP0000029.pak package.

   b. Log on with your IBM ID and password, if required.

   c. When prompted, choose Save File and save the file in /root/Downloads.

   d. Move the file to a staging area for patches.

   ```
   mkdir -p /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack
   mv /root/Downloads/7.0.0-WS-WAS-LinuxX64-FP0000029.pak /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack
   ```

3. Download the fix pack for the web server plug-ins.

   a. Download the 7.0.0-WS-PLG-LinuxX64-FP0000029.pak package.

   b. When prompted, choose Save File and save the file in /root/Downloads.

   c. Move the file to a staging area for patches.

   ```
   mv /root/Downloads/7.0.0-WS-PLG-LinuxX64-FP0000029.pak /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack
   ```

4. Download the fix pack for the IBM HTTP Server.

   a. Download the 7.0.0-WS-IHS-LinuxX64-FP0000029.pak package.

   b. When prompted, choose Save File and save the file in /root/Downloads.

   c. Move the file to a staging area for patches.

   ```
   mv /root/Downloads/7.0.0-WS-IHS-LinuxX64-FP0000029.pak /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack
   ```

5. Download the fix pack for the Java SDK.

   a. Download the 7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak package.

   b. When prompted, choose Save File and save the file in /root/Downloads.

   c. Move the file to a staging area for patches.

   ```
   mv /root/Downloads/7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack
   ```

6. Download the fix pack for the DMZ Secure Proxy Server.

   a. Download the 7.0.0-WS-NDDMZ-LinuxX64-FP0000029.pak package.

   b. When prompted, choose Save File and save the file in /root/Downloads.

   c. Move the file to a staging area for patches.

   ```
   mv /root/Downloads/7.0.0-WS-NDDMZ-LinuxX64-FP0000029.pak /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack
   ```

7. Copy the files to the application, event, and management servers by running the following commands. In each sftp session, enter “yes” to continue with connecting if prompted, then enter the root password for the server.

```
cd /root/Downloads/TN_Java_4-2013_WAS_7.0.0.29_Fix_Pack

sftp ioc15app
mput *.pak /opt/IBM/WebSphere/UpdateInstaller/maintenance
quit

sftp ioc15event
mput *.pak /opt/IBM/WebSphere/UpdateInstaller/maintenance
quit

sftp ioc15mgmt
mput *.pak /opt/IBM/WebSphere/UpdateInstaller/maintenance
quit
```


Download WebSphere Application Server version 6.1 fix pack 47 and related patches

1. Download the 6.1.0-WS-WAS-LinuxX64-FP0000047.pak package.

2. Log on with your IBM ID and password, if required.

3. When prompted, choose Save File and save the file in /root/Downloads.

4. Download the 6.1.0-WS-WASSDK-LinuxX64-FP0000047 package.

5. When prompted, choose Save File and save the file in /root/Downloads.

6. Download the 6.1.0.0-WS-WASJavaSDK-Linux64-IFPM96452.pak package.

7. When prompted, choose Save File and save the file in /root/Downloads.

8. Move the files to a staging area for patches.

```
mkdir -p /root/Downloads/WAS_6.1_FixPack
mv /root/Downloads/*.pak /root/Downloads/WAS_6.1_FixPack
cd /root/Downloads/WAS_6.1_FixPack
```

9. Move the files to the event server by running the following commands:

```
sftp ioc15event
mput *.pak /opt/IBM/WebSphere/UpdateInstaller/maintenance
quit
```


Use the WebSphere Update Installer installation wizard to update the application server

1. Run /opt/IBM/WebSphere/UpdateInstaller/update.sh

2. For Product Selection Directory Path, specify /opt/IBM/HTTPServer/Plugins

3. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak
7.0.0-WS-PLG-LinuxX64-FP0000029.pak
```

4. On Installation Summary, select Verify my permission to perform the installation.

5. Continue through the installer until the maintenance package is updated.

6. Click Relaunch to restart the installer.

7. For Product Selection Directory Path, specify /opt/IBM/HTTPServer

8. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-IHS-LinuxX64-FP0000029.pak
```

9. On Installation Summary, select Verify my permission to perform the installation.

10. Continue through the installer until the maintenance package is updated.

11. Click Relaunch to restart the installer.

12. For Product Selection Directory Path, specify /opt/IBM/AppServer

13. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-WAS-LinuxX64-FP0000029.pak
7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak
```

14. On Installation Summary, select Verify my permission to perform the installation.

15. Continue through the installer until the maintenance package is updated and click Finish.

16. Delete the /opt/IBM/WebSphere/wp_profile1/configuration/org.eclipse.osgi folder.


Use the WebSphere Update Installer installation wizard to update the management server

1. Run /opt/IBM/WebSphere/UpdateInstaller/update.sh

2. For Product Selection Directory Path, specify /opt/IBM/HTTPServer/Plugins

3. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak
7.0.0-WS-PLG-LinuxX64-FP0000029.pak
```

4. On Installation Summary, select Verify my permission to perform the installation.

5. Continue through the installer until the maintenance package is updated.

6. Click Relaunch to restart the installer.

7. For Product Selection Directory Path, specify /opt/IBM/HTTPServer

8. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-IHS-LinuxX64-FP0000029.pak
```

9. On Installation Summary, select Verify my permission to perform the installation.

10. Continue through the installer until the maintenance package is updated.

11. Click Relaunch to restart the installer.

12. For Product Selection Directory Path, specify /opt/IBM/AppServer

13. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-WAS-LinuxX64-FP0000029.pak
7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak
```

14. On Installation Summary, select Verify my permission to perform the installation.

15. Continue through the installer until the maintenance package is updated and click Finish.

16. Reset the ownership of files using the following command:

chown -R ibmadmin:ibmadmins /opt/IBM/WebSphere/AppServer/profiles/*


Use the WebSphere Update Installer installation wizard to update the event server

1. Run /opt/IBM/WebSphere/UpdateInstaller/update.sh

2. For Product Selection Directory Path, specify /opt/IBM/HTTPServer/Plugins

3. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak
7.0.0-WS-PLG-LinuxX64-FP0000029.pak
```

4. On Installation Summary, select Verify my permission to perform the installation.

5. Continue through the installer until the maintenance package is updated.

6. Click Relaunch to restart the installer.

7. For Product Selection Directory Path, specify /opt/IBM/HTTPServer

8. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
7.0.0-WS-IHS-LinuxX64-FP0000029.pak
```

9. On Installation Summary, select Verify my permission to perform the installation.

10. Continue through the installer until the maintenance package is updated.

11. Click Relaunch to restart the installer.

12. For Product Selection Directory Path, specify /opt/IBM/AppServerV61

13. Continue through the installer selecting the defaults. For Available Maintenance Package to Install accept the following packages.

```
6.1.0-WS-WASSDK-LinuxX64-FP0000047.pak
6.1.0-WS-WAS-LinuxX64-FP0000047.pak
6.1.0.0-WS-WASJavaSDK-LinuxX64-IFPM86452.pak
```

**IMPORTANT:** Do not select 7.0.0-WS-WAS-LinuxX64-FP0000029.pak or 7.0.0-WS-WASSDK-LinuxX64-FP0000029.pak.

14. On Installation Summary, select Verify my permission to perform the installation.

15. Continue through the installer until the maintenance package is updated, then click Finish.


Install Tivoli Access Manager for e-Business WebSEAL, Patch 6.1.1-ISS-AWS-FP0007

The data server and management server will be updated.

  • The data server will have GSKit updated.
  • The management server will have GSKit and Tivoli Access Manager 6.1.1.4/WebSEAL updated.

1. Log on to the installation server as the root user.

2. Download the IBM Global Security Kit (GSKit) Version 7.0.4.42 package.

   a. Enter an IBM ID and password.

   b. Find the IBM Global Security Kit (GSKit V7.0.4.42) Version 7.0.4.42, All OS per ESD/PA Media Pks package.

   c. Click Continue and accept the license agreement.

   d. Find the IBM Global Security Kit (GSKit V7.0.4.42) for Linux ia-32 gsk7bas-7.0-4.42.i386.rpm (4.2 mb) package. The 32-bit version must be used regardless of system architecture.

   e. Save the file as /root/Downloads/gsk7bas-7.0-4.42.i386.rpm.

   f. Run the following command:

   ```
   mkdir -p /root/Downloads/TN_Java_4-2013_TAM_for_eB_WebSEAL
   ```

   g. Run the following command to move the file to a staging area:

   ```
   mv /root/Downloads/gsk*.rpm /root/Downloads/TN_Java_4-2013_TAM_for_eB_WebSEAL
   ```

3. Download the TAM patches package.

   a. Enter an IBM ID and password.

   b. Download the following packages:

   ```
   6.1.1-ISS-AWS-FP0007-LIN.tar.Z
   6.1.1-ISS-TAM-FP0007-LIN.tar.Z
   ```

   c. (Optional) Non-English customers should download the following International Language Pack update.

   ```
   6.1.1.7-ISS-TAM-LANGPK.tar.Z
   ```

   d. Save the files in the /root/Downloads/TN_Java_4-2013_TAM_for_eB_WebSEAL directory.

4. Copy the GSKit and TAM patches to the database and management servers by running the following commands:

```
cd /root/Downloads/TN_Java_4-2013_TAM_for_eB_WebSEAL

sftp ioc15db
put gsk*.rpm
quit

sftp ioc15mgmt
put gsk*.rpm
mput *ISS*.Z
quit
```

5. Log on to the database server as the root user.

6. Update the IBM Global Security Toolkit (GSKit) to version 7.0.4.42.

   a. Make sure the gsk7bas-7.0-4.42.i386.rpm file is in the /root/ directory.

   b. Run the following command:

   ```
   rpm -U /root/gsk7bas-7.0-4.42.i386.rpm
   ```

7. Log on to the management server as the root user.

8. Update the IBM Global Security Toolkit (GSKit) to version 7.0.4.42 before installing the Tivoli Access Manager packages.

   a. Verify that the /root/gsk7bas-7.0-4.42.i386.rpm file exists.

   b. Run the following command:

   ```
   rpm -U /root/gsk7bas-7.0-4.42.i386.rpm
   ```

9. Apply the ISS-TAM-FP007 update.

   a. Verify that the /root/6.1.1-ISS-TAM-FP0007-LIN.tar.Z file exists.

   b. Extract the archive files by running the following commands:

   ```
   gzip -d /root/6.1.1-ISS-TAM-FP0007-LIN.tar.Z
   tar xvf /root/6.1.1-ISS-TAM-FP0007-LIN.tar
   ```

   c. Apply each rpm by running the following commands:

   ```
   rpm -U /root/PDAcld-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDAuthADK-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDJrte-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDMgr-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDMgrPrxy-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDRTE-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDWPM-PD-6.1.1-7.i386.rpm
   rpm -U /root/TivSecUtl-TivSec-6.1.1-2.i386.rpm
   ```

10. (Optional) Apply the downloaded patch 6.1.1.7-ISS-TAM-LANGPK.tar.Z for non-English installations.

   a. Verify that the /root/6.1.1.7-ISS-TAM-LANGPK.tar.Z file exists.

   b. Extract the patch to a temporary directory by running the following commands:

   ```
   gzip -d /root/6.1.1.7-ISS-TAM-LANGPK.tar.Z
   tar xvf /root/6.1.1.7-ISS-TAM-LANGPK.tar
   ```

   c. To install language packages for Tivoli Access Manager Runtime for Java and Tivoli Access Manager Runtime with an installer, run the following commands:

   ```
   cd /opt/ibm/java-x86-64-68/bin
   ./java -jar /root/pdjrte_lp_setup.jar
   ```

   d. Follow the instructions on the installer and select the appropriate languages until the update is complete.

   e. Run the installer for the Tivoli Access Manager Runtime by running the following command:

   ```
   ./java -jar /root/pdrte_lp_setup.jar
   ```

11. Apply the ISS-AWS-FP007 update.

   a. Make sure the /root/6.1.1-ISS-TAM-FP0007-LIN.tar.Z file exists.

   b. Extract the archive files by running the following commands:

   ```
   gzip -d /root/6.1.1-ISS-AWS-FP0007-LIN.tar.Z
   tar xvf /root/6.1.1-ISS-AWS-FP0007-LIN.tar
   ```

   c. Apply each rpm by running the following commands:

   ```
   rpm -U /root/PDWebRTE-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDWeb-PD-6.1.1-7.i386.rpm
   rpm -U /root/PDWebADK-PD-6.1.1-7.i386.rpm
   ```


Restart all IBM Intelligent Operations Center services

Restart all IBM Intelligent Operations Center services by running the following on the management server:

```
su - ibmadmin
/opt/IBM/ISP/mgmt/scripts/IOCControl.sh start all <IOCControl_password>
exit
```

Related Information

April 2013 Java security alert

Security Bulletin: WebSphere - Oracle CPU April 2013

Java API Documentation Updater Tool

Complete CVSS Guide

Online Calculator V2

X-Force Vulnerability Database

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

