Embedded JRE in VRTScscm package (Java GUI) on version 5.0 is affected by the security vulnerability released by Oracle CVE-2010-4476

Article:TECH156649  |  Created: 2011-03-27  |  Updated: 2011-03-27  |  Article URL http://www.symantec.com/docs/TECH156649
Article Type
Technical Solution

Product(s)


Issue



Embedded JRE in VRTScscm package (Java GUI) on version 5.0 is affected by the security vulnerability released by Oracle CVE-2010-4476 


Environment



Supported Versions:
Veritas Cluster Server Java Console (VCS Java GUI) : VRTScscm 5.0
 


Cause



The VERITAS Java GUI products use shared Java Runtime software. When bugs are found in the Java software, vendors such as Oracle and IBM must provide tools to update it.
For CVE-2010-4476, the Java Runtime libraries used by the Java GUI must be updated using the tools provided by Oracle and IBM.
 


Solution



On the Windows, Solaris, HP-UX and Linux platforms, Oracle (Sun) has provided the fpupdater tool.
The fpupdater tool resolves CVE-2010-4476 by applying fixes to the 'rt.jar' files used by the VERITAS Cluster Server Java Console software. For more information, visit
http://www.oracle.com/technetwork/java/javase/fpupdater-tool-readme-305936.html#systems

- Download "Java SE Floating Point Updater Tool" from the Oracle website:
http://www.oracle.com/technetwork/java/javase/downloads/index.html#fpupdater

This fix is appropriate for the Windows, Solaris, HP-UX and Linux platforms.
- Check that the Floating Point Updater (FPUpdater) version is 1.0.
- Extract the zip file.
- Take fpupdater.jar and copy it to some temporary location.


[For VCS Java GUI]
----------------------
Close all running instances of the Java GUI.
Run the following commands:

For Windows:
- Go to the temp directory where fpupdater.jar is present. From that directory, run the following command:
<INSTALL DIR>\jre\bin\java -jar fpupdater.jar -u -v
For example, if the Java GUI is installed in the default location, the command looks like:
"C:\Program Files\VERITAS\Cluster Manager\jre\bin\java" -jar fpupdater.jar -u -v

For Unix:
- Go to the temp directory where fpupdater.jar is present.
From that directory, run the following command:
# /opt/VRTSjre/jre1.5/bin/java -jar fpupdater.jar -u -v
 

IBM AIX Solution:
This fix provided by IBM has been applied and verified by Symantec for the Java GUI on 5.0.
Determine the current version of JRE, so that the appropriate JRE patch can be downloaded:
- Run the following command to get the JRE version used in the Java GUI:
# /opt/VRTSjre/jre1.5/bin/java -version

Download Patch:
- if jre version is 1.6.0 then download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/IZ94423_FIX_1.jar
- if jre version is 1.5.0 then download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/IZ94331_FIX_1.jar
- if jre version is 1.4.x then download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/PM31983_FIX_1.jar

Download the Update Installer for Java tool from the IBM FTP site:
- ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/UpdateInstallerforJava.zip

Instructions for applying the fix for JRE version 1.6.0 on the AIX platform:
- Stop all running instances of the Java GUI.
- Extract UpdateInstallerforJava.zip to some temporary location. After extraction, that location contains the JavaUpdateInstaller.jar file.
- Copy the downloaded patch file (for example, IZ94423_FIX_1.jar) to the same temporary location.
- Go to the temporary directory and run the command: /opt/VRTSjre/jre1.5/bin/java -jar JavaUpdateInstaller.jar -install IZ94423_FIX_1.jar /opt/VRTSjre
- After the installation is complete, a message like "IZ94423_FIX_1 has been successfully installed to SDK /opt/VRTSjre" is shown.
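
The AIX steps above, from version check to install command, as an added shell sketch that is not part of the original article or of Symantec's or IBM's tooling. The function names and the sample `java -version` text are constructed for illustration, and reusing the 1.6.0 install command form for the other fix files is an assumption.

```shell
#!/bin/sh
# Added example: choose the IBM fix jar for the JRE embedded in the VCS Java GUI
# on AIX and print the install command. Nothing is installed by this script.

JAVA_BIN=/opt/VRTSjre/jre1.5/bin/java   # path given in the article

# Extract the version (e.g. 1.5.0) from `java -version` output read on stdin.
jre_version() {
    sed -n 's/^java version "\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Map a JRE version to the fix file listed in the article; status 1 if unlisted.
ibm_fix_for() {
    case "$1" in
        1.6.0*) echo "IZ94423_FIX_1.jar" ;;
        1.5.0*) echo "IZ94331_FIX_1.jar" ;;
        1.4.*)  echo "PM31983_FIX_1.jar" ;;
        *)      return 1 ;;
    esac
}

# Read `java -version` output on stdin and print the matching install command.
# Assumption: the command form shown for 1.6.0 applies to the other fixes too.
plan_fix() {
    ver=$(jre_version)
    [ -n "$ver" ] || { echo "could not parse JRE version" >&2; return 2; }
    fix=$(ibm_fix_for "$ver") || { echo "no fix listed for JRE $ver" >&2; return 1; }
    echo "$JAVA_BIN -jar JavaUpdateInstaller.jar -install $fix /opt/VRTSjre"
}

# Constructed sample of `java -version` output (not captured from a real host).
SAMPLE_OUTPUT='java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pap32dev-20100101 (SR11))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 AIX ppc-32)'

# On a real host: "$JAVA_BIN" -version 2>&1 | plan_fix
# java -version writes to stderr, so 2>&1 is needed before the pipe.
if [ "${1:-}" = "--sample" ]; then
    printf '%s\n' "$SAMPLE_OUTPUT" | plan_fix
fi
```

A non-zero exit from plan_fix means the embedded JRE version is not one of the three listed in this article, so no fix file should be chosen automatically.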

 




