Embedded JRE in the VRTSobgui and VRTSsfmcs packages is affected by the security vulnerability released by Oracle, CVE-2010-4476

Article:TECH154004  |  Created: 2011-02-22  |  Updated: 2011-03-27  |  Article URL http://www.symantec.com/docs/TECH154004
Article Type
Technical Solution



Issue



The embedded JRE in the VRTSobgui and VRTSsfmcs packages on versions 5.0 and 5.1 is affected by the security vulnerability released by Oracle, CVE-2010-4476.


Environment



Supported Versions:

Veritas Enterprise Administrator Console (VRTSobgui) : SF 5.0MP3 and 5.1
Veritas Operations Manager (VRTSsfmcs) : Linux/Solaris VOM 3.1SP1 and Windows VOM 3.1


Cause



The VERITAS Java GUI products use embedded Java Runtime software. When bugs are found in the embedded Java software, vendors such as Oracle and IBM must provide tools to update this 'embedded software'.

For CVE-2010-4476, the VOM and VEA Java Runtime libraries must be updated using the tools provided by Oracle and IBM.


Solution



On the Windows, Solaris and Linux platforms, Oracle-Systems (Sun) have provided the fpupdater tool.

The fpupdater tool resolves CVE-2010-4476 by applying fixes to the 'rt.jar' files used by VERITAS VEA/VOM Software.


- Download "Java SE Floating Point Updater Tool" from the Oracle website:
http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater

This fix is appropriate for the Windows, Solaris and Linux platforms.
- Check that the Floating Point Updater (FPUpdater) version is 1.0.
- Extract the zip file.
- Take fpupdater.jar and copy it to some temporary location.

 

For VEA GUI
-----------
Close all running instances of VEA GUI.
Run the following commands:

For Windows:
- Go to the temp directory where fpupdater.jar is present. From that directory run the following command:
 <install dir>\VERITAS Object Bus\jre\bin\java -jar fpupdater.jar -u -v
 
For Unix:
- Go to the temp directory where fpupdater.jar is present. From that directory run the following command:
# /opt/VRTSob/jre/bin/java -jar fpupdater.jar -u -v

 

For VOM (Web Server)
-------
Run the following commands on the respective platforms:

For Windows:
- Stop the web server using the command "net stop sfmgui".
- Go to the temp directory where fpupdater.jar is present. From that directory run the following command:
  <install dir>\VRTSsfmcs\esmweb\jre\bin\java -jar fpupdater.jar -u -v
- Start the web server using the command "net start sfmgui".
 
For Unix:
- Stop the web server using the command "/opt/VRTSsfmcs/cweb/sfmw stop".
- Go to the temp directory where fpupdater.jar is present. From that directory run the following command:
# /opt/VRTSsfmcs/esmweb/jre/bin/java -jar fpupdater.jar -u -v
- Start the web server using the command "/opt/VRTSsfmcs/cweb/sfmw start".
 
NOTE: Known issue for uninstall of the VEA GUI.
After the FPUpdater tool is applied, if the user uninstalls the VEA GUI then a few files may be left behind. These can be removed manually.

Example:
C:\Program Files (x86)\Veritas\VERITAS Object Bus\jre\lib\.fpupdater.log
C:\Program Files (x86)\Veritas\VERITAS Object Bus\jre\lib\rt.jar.fpupdater
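
A way to check on Unix hosts which embedded JREs FPUpdater has been run against, as an added example that is not part of the original article or of Symantec's tooling. It assumes the tool leaves the two files named in the note above in <jre>/lib on Unix as it does on Windows; the function names and the optional root-prefix argument are hypothetical, and the markers show only that the tool ran, not that the fix is correct.

```shell
#!/bin/sh
# Added example, not from the Symantec article.
# Assumption: FPUpdater leaves .fpupdater.log and rt.jar.fpupdater in
# <jre>/lib (the article shows these paths for Windows only).

# fp_status JRE_HOME
# Prints one of: absent | not-updated | partial | updated
fp_status() {
    lib="$1/lib"
    if [ ! -f "$lib/rt.jar" ]; then
        echo absent        # no embedded JRE at this path
    elif [ -f "$lib/.fpupdater.log" ] && [ -f "$lib/rt.jar.fpupdater" ]; then
        echo updated       # both marker files present
    elif [ -f "$lib/.fpupdater.log" ] || [ -f "$lib/rt.jar.fpupdater" ]; then
        echo partial       # only one marker: inspect this JRE by hand
    else
        echo not-updated   # rt.jar exists, no trace of the tool
    fi
}

# fp_audit [ROOT]
# Checks the two Unix JRE paths used in the article. ROOT is an optional
# prefix (hypothetical, e.g. a mounted disk image). Prints "path status"
# per JRE and returns 1 if any JRE still needs attention.
fp_audit() {
    root=${1:-}
    rc=0
    for jre in /opt/VRTSob/jre /opt/VRTSsfmcs/esmweb/jre; do
        st=$(fp_status "$root$jre")
        echo "$jre $st"
        case $st in
            not-updated|partial) rc=1 ;;
        esac
    done
    return $rc
}

# Run as: sh fp_audit.sh audit [ROOT]
case ${1:-} in
    audit) fp_audit "${2:-}" ;;
esac
```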

 

For the IBM AIX platform, IBM have provided JRE version-specific fixes and an "UpdateInstallerforJava" tool. These can be downloaded from IBM and installed on the affected machines.


 IBM AIX Solution:

This fix provided by IBM has been applied and verified by Symantec for the VEA GUI on 5.0MP3 and 5.1.

Determine the current version of the JRE, so that the appropriate JRE patch can be downloaded:
- Run the following command to get the JRE version used in the VEA GUI:
# /opt/VRTSob/jre/bin/java -version

Download Patch:
- If the JRE version is 1.6.0 then download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/IZ94423_FIX_1.jar
- If the JRE version is 1.5.0 then download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/IZ94331_FIX_1.jar
- If the JRE version is 1.4.x then download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/PM31983_FIX_1.jar

Download the update installer for Java tool from the IBM FTP site:
- ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/UpdateInstallerforJava.zip

Sample instructions for applying the fix for JRE version 1.6.0 on the AIX platform:
- Stop all running instances of the VEA GUI.
- Extract UpdateInstallerforJava.zip to some temporary location. After extraction it will contain the JavaUpdateInstaller.jar file.
- Copy the downloaded patch file (for example, IZ94423_FIX_1.jar) to the same temporary location.
- Go to the temporary directory and run the command "/opt/VRTSob/jre/bin/java -jar JavaUpdateInstaller.jar -install IZ94423_FIX_1.jar /opt/VRTSob/".
- After the installation is complete, it shows a message like "IZ94423_FIX_1 has been successfully installed to SDK /opt/VRTSob/".


 




