Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
Elke Hildebrandt    

Classification

A score of 10 is urgent! This affects every IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server (indirectly, all GIS Portal and Connection users are affected)! If you need assistance, please contact us (support@gis-ag.com) to arrange the next steps.

Link to IBM site: http://www-01.ibm.com/support/docview.wss?uid=swg21982223

Content:

  1. Summary
  2. Vulnerability Details
  3. Affected Products and Versions
  4. Remediation/Fixes

Summary

There are multiple vulnerabilities in IBM® SDK Java™ Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus four additional vulnerabilities. These may affect some configurations of IBM WebSphere Application Server Full Profile, IBM WebSphere Application Server Liberty Profile, and IBM WebSphere Application Server Hypervisor Edition.

Vulnerability Details

This bulletin covers all applicable Java SE CVEs published by Oracle as part of their April 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK but WebSphere Application Server is not vulnerable to them. You will need to evaluate your own code to determine if you are vulnerable. Please refer to the Reference section for more information on the advisories not applicable to WebSphere Application Server. HP fixes are on a delayed schedule.
CVEID: CVE-2016-3427
DESCRIPTION: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Java SDK shipped with IBM WebSphere Application Server Version 8.5.0.0 through 8.5.5.9, Version 8.0.0.0 through 8.0.0.12, Version 7.0.0.0 through 7.0.0.41.

  • This does not occur on IBM Java SDK shipped with WebSphere Application Servers Fix Packs 8.5.5.10, 8.0.0.13 and 7.0.0.43 or later.

Remediation/Fixes

Download and apply the interim fix APARs below for your release.

For the IBM Java SDK updates:
For V8.5.0.0 through 8.5.5.9 WebSphere Application Server Liberty:

Upgrade to WebSphere Application Server Liberty Profile Fix Packs as noted below or later fix pack level and apply one of the interim fixes below:

  • Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix PI61189: Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 25 (optional)
  • Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix PI61187: Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 40 (optional)
  • Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.2 or later then apply Interim Fix PI61186: Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 40 (optional)
  • Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix PI61184: Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 3 (optional)
  • For a Liberty Archive Fix – Upgrade to WebSphere Application Server Liberty Profile Fix Pack 8.5.5.1 or later then apply Interim Fix PI61185: Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 3 (optional)

–OR–

  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 10 (8.5.5.10) or later (targeted to be available 15 August 2016).


For V8.5.0.0 through 8.5.5.9 WebSphere Application Server Full Profile and WebSphere Application Server Hypervisor Edition:
Upgrade to WebSphere Application Server Full Profile Fix Packs as noted below or later fix pack level and then apply one or more of the interim fixes below:

  • Upgrade to WebSphere Application Server Full Profile Fix Pack 8.5.5.1 or later then apply Interim Fix PI61188: Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 25 (required)
  • Upgrade to WebSphere Application Server Full Profile Fix Pack 8.5.5.1 or later then apply Interim Fix PI61187: Will upgrade you to IBM SDK, Java Technology Edition, Version 7 Service Refresh 9 Fix Pack 40 (optional)
  • Upgrade to WebSphere Application Server Full Profile Fix Pack 8.5.5.2 or later then apply Interim Fix PI61186: Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 40 (optional)
  • Upgrade to WebSphere Application Server Full Profile Fix Pack 8.5.5.9 or later then apply Interim Fix PI61184: Will upgrade you to IBM SDK, Java Technology Edition, Version 8 Service Refresh 3 (optional)

–OR–

  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 10 (8.5.5.10) or later (targeted to be available 15 August 2016).

 

For V8.0.0.0 through 8.0.0.12 WebSphere Application Server and WebSphere Application Server Hypervisor Edition:
Upgrade to WebSphere Application Server Fix Pack 8.0.0.7 or later then apply the interim fix below:

  • Apply Interim Fix PI61190: Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 25

–OR–

  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 13 (8.0.0.13) or later (targeted to be available 24 October 2016).


For V7.0.0.0 through 7.0.0.41 WebSphere Application Server and WebSphere Application Server Hypervisor Edition:
Upgrade to WebSphere Application Server Fix Pack 7.0.0.31 or later then apply the interim fix below:

  • Apply Interim Fix PI61191: Will upgrade you to IBM SDK, Java Technology Edition, Version 6 Service Refresh 16 Fix Pack 25

–OR–

  • Apply IBM Java SDK shipped with WebSphere Application Server Fix pack 43 (7.0.0.43) or later (targeted to be available 2Q2017).

For unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of the product.
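
A triage helper for the ranges and prerequisites above, added here as an example and not taken from IBM or the original post: it covers the 8.5 Full Profile (required SDK 6R1 fix only), 8.0 and 7.0 rows, leaves out Liberty and the optional SDK fixes, and uses illustrative function and field names.

```python
# Added example: ranges, fix pack levels and APAR ids are copied from the
# bulletin; function and field names are illustrative.

def parse(version):
    """Turn 'V.R.M.F' into a tuple of four integers for comparison."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four numeric fields: {version!r}")
    return parts

# release -> (last affected, first fixed fix pack,
#             minimum fix pack before the interim fix, interim fix APAR)
BULLETIN = {
    (8, 5): ("8.5.5.9", "8.5.5.10", "8.5.5.1", "PI61188"),  # Full Profile, SDK 6R1
    (8, 0): ("8.0.0.12", "8.0.0.13", "8.0.0.7", "PI61190"),
    (7, 0): ("7.0.0.41", "7.0.0.43", "7.0.0.31", "PI61191"),
}

def triage(version):
    v = parse(version)
    row = BULLETIN.get(v[:2])
    if row is None:
        return {"status": "not-covered",
                "action": "release is not listed in the bulletin"}
    last_affected, first_fixed, prereq, ifix = row
    if v >= parse(first_fixed):
        return {"status": "fixed", "action": "none"}
    if v > parse(last_affected):
        # e.g. 7.0.0.42: neither in the affected range nor at the fixed level
        return {"status": "unlisted", "action": f"move to {first_fixed} or later"}
    steps = []
    if v < parse(prereq):
        # The interim fix only installs on top of this fix pack level or later.
        steps.append(f"upgrade to fix pack {prereq} or later")
    steps.append(f"apply interim fix {ifix}")
    return {"status": "affected",
            "action": ", then ".join(steps) + f" (or install {first_fixed} or later)"}

if __name__ == "__main__":
    for sample in ("8.5.5.9", "8.0.0.5", "7.0.0.42", "8.5.5.10"):  # constructed inputs
        print(sample, triage(sample))
```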

Workarounds and Mitigations

none



---------------------
http://techblog.gis-ag.info/2016/09/13/security-bulletin-multiple-vulnerabilities-in-ibm-java-sdk-affect-websphere-application-server-april-2016-cpu-cve-2016-3426-cve-2016-3427/
Sep 13, 2016