SiteProtector SP9 Update - README
=====================================================================
Last modified: June 6th, 2014

Copyright (c) 1994-2014 IBM Corp. All rights reserved worldwide.

PLEASE READ THIS DOCUMENT IN ITS ENTIRETY.

=====================================================================
CONTENTS
=====================================================================
- Description
- Compatibility
- Applying the Update
- Getting the latest Documentation
- Customer Support
- Reporting product issues
- Files included with The Update

DESCRIPTION
=====================================================================
This is a Cumulative SiteProtector.jar Patch. Please see the list of
issues covered below.

Cumulative Patch -- 06/06/2014
=========================================

APAR IV58802 / SP Workitem 53391
---------------
When loading and re-saving a detail view multiple times, it may be
possible to corrupt the view that gets saved if certain kinds of events
with certain column names are present when the view is saved. Although
using a corrupted view in the Analysis tab has no obvious effect, it can
cause errors if a scheduled report is run on the corrupted view. The
affected audience may be anyone who loads and re-saves views multiple
times, and runs scheduled reports on those views.

This update contains a fix to prevent view corruption specifically
related to loading and re-saving views, without other column
modification. The fix will only apply to new views created.

APAR IV58804 / SP Workitem 53399
---------------
When viewing charts for analysis reports in a locale that uses a period
as the thousand separator, the chart may be generated incorrectly when
displaying event counts in the thousands. The affected audience is
anyone using a locale with a period thousand separator, and using
analysis view reports with charts.
This update allows SiteProtector to properly generate analysis report
charts in locales that use a period as the thousand separator.

APAR IV61282 / SP Workitem 55366
---------------
This patch includes fixes to cover CVE-2014-0114.

Rollup Core XPU -- 04/23/2014
=========================================
Note: all the issues below this point are covered by the SP 2.9.0.3
core rollup xpu. However, if you need the patch for any new issues,
then the core xpu should still be applied first or other fixes may be
missed.

Java Upgrade
--------------------------------------------
Java was upgraded to JRE 1.6.0 SR 15 FP1

Cumulative Patch -- 08/29/2013
=========================================

APAR IV51937 / SP Workitem 42913
---------------
When saving detail analysis views, column order of detail columns will
not be preserved.

This update allows SiteProtector to save and load the order of detail
columns when saving views.

Cumulative Patch -- 07/03/2013
=========================================

APAR IV45250
---------------
When using Analysis view baselines with events that have User Name
data, and using a view with the User Count column, the baseline for the
User Count column may not get created correctly.

This update allows SiteProtector to properly create the baseline for
the User Count column so it can be used similar to other baselines.

Note: This does not change the behavior of baseline resetting on view
or filter change, but this behavior will change in the next major
released version of SiteProtector.

Cumulative Patch -- 06/14/2013
=========================================

APAR IV44239
---------------
When viewing Incidents and Exceptions via the Manage
Incidents/Exceptions dialog (from the analysis tab) you may not see all
of your Incidents and Exceptions when certain time filters are set.

This update allows SiteProtector to properly display the Incidents and
Exceptions based on the time filters set.
The start and end dates for the incident/exception must fall between
the dates specified in the dialog.

Cumulative Patch -- 01/28/2013
=========================================

APAR IV33526
---------------
When running a report from the analysis view from a console set to use
a different timezone than the timezone of the app server and using
custom time filters the title page of the report may display filter
times that have an offset timezone.

This update changes the design of how views are serialized for the
purposes of passing view timezones to reporting.

NOTE: Because this is a change in how views get parameterized, old
saved report templates may need to be re-created before they can be
re-run. The fix will only affect reports created after applying the
patch.

WARNING: This change is a serialization change and will therefore
require that every patch applied after this one (up until the next core
xpu) have a synchronized Console and App Server patch level. This means
the App Server and every single console that connects to it must be
patched if any are patched or you may experience serialization errors.

APAR IV34825
---------------
When running a report from the analysis view from a console set to use
a different timezone than the timezone of the app server and using
charts in the report that include times labelled on the axis, the time
labels may appear offset even though the data itself is otherwise
correct.

This update adjusts the dates output in the chart labels on the axis to
reflect the timezone of the console.

APAR IV34850
---------------
When filtering analysis data that includes IPv6 addresses and
attempting to filter using a NOT filter, all of the IPv4 addresses may
be filtered out in addition to the filter applied.

This update allows the returned results to properly include the IPv4
addresses if they are not otherwise filtered out.

APAR IV34847
---------------
When filtering analysis data by IPv6 addresses, unexpected results may
occur if a certain combination of IPv6 filters is used. The result may
be that not all of the IPv6 addresses in the filter list are filtered,
or that none of the IPv6 addresses get filtered.

This update allows the IPv6 addresses to be properly filtered when
multiple IPv6 filters are applied.

APAR IV35715
---------------
SiteProtector SP9 includes a new feature that allows more specific time
filters to be used when viewing data that contains detail time (i.e.,
not the events rolled up for performance). In past versions, detail
filters were limited to times that were hour offsets from GMT, similar
to non-detail views.

This update removes this limitation from detail views for timezones
with minute offsets from GMT that still had the filter limitation,
including IST. This does not affect users in timezones with hours
offset from GMT.

Cumulative Patch -- 10/29/2012
=========================================

RTC 19154 / APAR IV27347
--------------------------------------------
When attempting to add Central Response rules via the Central Response
wizard, such as by right-clicking an event in the analysis view, you
may encounter a permissions error when using a non-admin user.

This update allows SiteProtector to properly use the Central Response
permissions when launching the Central Response wizard.

RTC 19153 / APAR IV30929
--------------------------------------------
When a user who does not have permission to use the Central Response
wizard tries to use it, you may encounter a blank dialog instead of the
proper error message.

This update allows SiteProtector to correctly display a permissions
error when permissions are not granted for the Central Response wizard.

Rollup Core XPU 2.9.0.1 -- 10/18/2012
=========================================
Note: all the issues below this point are covered by the SP 2.9.0.1
core rollup xpu.
However, if you need the patch for any new issues, then the core xpu
should still be applied first or other fixes may be missed.

Issue ID 407642
--------------------------------------------
When viewing Proventia Server for VMWare agents tied to SiteProtector,
the license will be highlighted in red.

This update resolves an issue with the agent license counting mechanism
for Proventia Server for VMWare.

RMI Registry Security Enhancements
--------------------------------------------
This changes the initial ping between the Console and the Application
Server to not use the default RMI Registry port and instead only use
the encrypted channel. This will change the initial port the console
connects on to port 3999 and reduce the number of ports used between
the Console and Application server.

Cumulative Patch -- 08/27/2012
=========================================

Role file update
--------------------------------------------
With the release of Update Server version 2.9.0.1 you may no longer see
your Update Server agent listed in the policy tab. This is due to a
change in versioning from 2.9 to 2.9.0.1 and stricter versioning
required when the patch is applied.

This update contains an updated role file that allows the 2.9.0.1
policy to be properly displayed.

Note 5/24/2013: Update Server role file updates should now be applied
only through Update Server updates and will not be contained in the
patch or core updates.

Cumulative Patch -- 07/23/2012
=========================================

Issue ID 407926 / RTC 16996 / APAR IV25176
--------------------------------------------
In SNMP Central Responses, the name field is populated with the Rule ID
instead of the name of the rule.

This update allows SNMP Central Responses to use the Rule Name in the
name field instead of the Rule ID. This change should make the output
of the SNMP name field be the same as previous versions.

Issue ID 407852 / RTC 16136 / APAR IV25015
--------------------------------------------
When performing a scheduled analysis export and exporting the data via
CSV, the Severity column will be exported as numbers (1, 2, 3) instead
of text (High, Medium, Low).

This update allows the severity values to be exported as text values.

Issue ID 407839 / RTC 16119 / APAR IV25014
--------------------------------------------
When performing a scheduled analysis export, using the additional
Filters button in the scheduled analysis export dialog, and selecting a
different view from the scheduled analysis view dropdown box, it may be
possible for the view to become unselected and the original view to be
used instead.

This update allows SiteProtector to correctly use the currently
selected view from the view dropdown box when also using the additional
Filters button in the scheduled analysis export dialog.

Issue ID 407915 / RTC 16135 / APAR IV25040
--------------------------------------------
If attempting to view a very large number of agents in the Agent tab
(over 65,000 agents) you may receive a database error when attempting
to query the health statuses for the agents due to a limitation in SQL
Server.

This update adds health status query batching to work around the SQL
limitation.

Issue ID 27737 / RTC 14166
--------------------------------------------
A console timeout feature was added to enhance the security of the
console. When the idle timeout expires the user will be prompted to
re-enter their password to continue viewing the console.

If you wish to use this feature, it will need to be enabled in the
file:

    \Program Files\ISS\SiteProtector\Console\config\console.xml

To enable it, log in and out of the console while this patch is
applied, then locate the lockoutTime tag in the base section of the
console.xml file and change the enabled flag to "true". For example:

The value in this configuration represents the number of minutes before
the idle timer expires.

Note: the timeout login screen does not support two-factor
authentication.

Cumulative Patch -- 06/11/2012
=========================================

Issue ID 407869 / APAR IV21380
------------------------------
This update improves the design of SNMP Central Responses to include
OtherParameters and other details if supplied by the sensor and Event
Collector. These changes do not affect email responses. These
enhancements are complemented by the Central Response Event Collector
enhancement update (which populates OtherParameters if the sensor did
not).

Cumulative Patch -- 03/28/2012
=========================================

Issue ID 407786 / APAR IV17351
------------------------------
When using email responses that contain attachments (such as in
reporting emails that have the report attached), the mime header for
the attachment may not be correct. This will not affect most email
clients but may cause certain email clients to not display the
attachment correctly.

This update allows SiteProtector to use the proper mime type for the
email attachment.

Cumulative Patch -- 03/05/2012
=========================================

Issue ID 407759 / APAR IV15687
------------------------------
When using the SiteProtector web console with start and end dates the
filter dates may reverse when sorting on columns causing the data to
not display.

This update allows SiteProtector to properly order the filter dates
when sorting.

Cumulative Patch -- 02/20/2012
=========================================

Issue ID 407750 / APAR IV15407
------------------------------
When using SNMP Central Responses the UserActionList field, which
displays the actions taken on the sensor, is no longer populated.

This update allows SiteProtector to once again populate that field in
the SNMP responses.

Cumulative Patch -- 02/14/2012
=========================================

Issue ID 407723 / APAR IZ99927
------------------------------
When performing a SecureSync export and import, special formatting
needs to be applied when exporting certain tables.

This update is the second part of a two-part fix for APAR IZ99927. This
part specifically fixes the SecureSync export mechanism on the
Application Server side. The second part of this fix is posted as a
separate database patch.

Cumulative Patch -- 01/26/2012
=========================================

Issue ID 407708 / APAR IV12600
------------------------------
When using Central Responses to send emails, you may see all of the
text in the email sent as a single line instead of preserving the
newline formatting.

This update allows SiteProtector to properly preserve the newlines in
Central Response emails.

Issue ID 407708 / APAR IV13085
------------------------------
When using the analysis view and setting columns to custom widths, the
custom widths may be lost after refreshing the view.

This update allows SiteProtector to properly save the column widths in
the analysis view even after refreshing the view.

=========================================

To resolve this, follow the steps to replace files in the APPLYING THE
UPDATE section carefully. Be sure to read any notes on individual
fixes.

MD5 for the files included in this update:
- edcf3d13a1bcae89dd6a73b3bfedb8e8 SiteProtector.jar
- e3a328afc10ae6859f548b81aaaa1538 web.xml

Build Number: 2.9.0.3.3

COMPATIBILITY
=====================================================================
This update is applicable only to:
- SiteProtector 2.9.0.3

NOTE: Do NOT apply this update to a SiteProtector 2.9 system. You
should apply the core xpu first as it contains additional fixes and
necessary files.

The version can be viewed in the console by looking at the
SiteProtector Core component's version on the agent tab.
The version should read 2.9.0.3 -- NOT 2.9 or 2.9.0.1 or any other
version. If the version is lower, you MUST apply the Core xpus first.

APPLYING THE UPDATE
=====================================================================
To apply the update:

Step 0 - Ensure your SiteProtector Core version is 2.9.0.3. Do NOT
apply this update to any other Core version or you will miss additional
fixes and files.

Step 1 - Close out all SiteProtector consoles.

Step 2 - On the Application Server, stop the three SiteProtector
services:

    SiteProtector Application Server Service
    SiteProtector Sensor Controller Service
    SiteProtector Web Server

Step 3 - Put the SiteProtector.jar file in the following location on
all Consoles. Be sure to back up the original files first.

    \Program Files\ISS\SiteProtector\Console\bin\

Step 4 - Put the SiteProtector.jar file in the following locations on
the Application Server. Be sure to back up the original files first.
Warning: Never place backup files in the deployment directories.

    \Program Files\ISS\SiteProtector\Application Server\bin\
    \Program Files\ISS\SiteProtector\Application Server\deployed-apps\iss\SiteProtector.ear\lib\

Step 5 - Put the web.xml file in the following location on the
Application Server. Be sure to back up the original file first.
Warning: Never place backup files in the deployment directories.

    \ISS\SiteProtector\Application Server\deployed-apps\iss\SiteProtector.ear\webconsole.war\WEB-INF\web.xml

Step 6 - On the Application Server, start the three SiteProtector
services back up:

    SiteProtector Application Server Service
    SiteProtector Sensor Controller Service
    SiteProtector Web Server

Note: When backing up files it is recommended to use a directory that's
separate from the SiteProtector directory structure. If you feel the
need to remove the patch at a later date, the original files can be
restored using the same process.
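
Added example (not part of the original README and not IBM tooling): a PowerShell sketch of the Application Server steps above (stop services, back up, replace files, restart) that also checks the MD5 values listed in this README before and after copying. The drive letter, the staging and backup folders, the use of display names for the services, and web.xml living under the same "Program Files" root as the jar are assumptions; the Core version check, closing consoles and the Console-side copy remain manual.

```powershell
# Added example, not IBM tooling. File names, MD5 values, service names and
# relative paths come from this README; the three parameters are assumptions.
param(
    [string]$InstallRoot = 'C:\Program Files\ISS\SiteProtector',  # assumed drive letter
    [string]$PatchDir    = 'C:\Temp\SP9-patch',                   # hypothetical staging folder
    [string]$BackupDir   = 'C:\SP-backup\2.9.0.3-original'        # hypothetical, outside the install tree
)
$ErrorActionPreference = 'Stop'   # halt on first failure; services stay stopped for inspection

# MD5 values listed in this README for the update files.
$expected = @{
    'SiteProtector.jar' = 'edcf3d13a1bcae89dd6a73b3bfedb8e8'
    'web.xml'           = 'e3a328afc10ae6859f548b81aaaa1538'
}
function Assert-Md5([string]$Path, [string]$Name) {
    $actual = (Get-FileHash -Algorithm MD5 -Path $Path).Hash
    if ($actual -ne $expected[$Name]) { throw "MD5 mismatch for ${Path}: $actual" }
}
# Check the downloaded files before touching the server.
foreach ($name in $expected.Keys) { Assert-Md5 (Join-Path $PatchDir $name) $name }

# The README warns against keeping backups inside the deployment directories.
if ($BackupDir.StartsWith($InstallRoot, [StringComparison]::OrdinalIgnoreCase)) {
    throw 'BackupDir must be outside the SiteProtector directory structure.'
}

$app = Join-Path $InstallRoot 'Application Server'
$ear = Join-Path $app 'deployed-apps\iss\SiteProtector.ear'
$targets = @(
    @{ Name = 'SiteProtector.jar'; Dst = (Join-Path $app 'bin\SiteProtector.jar') }
    @{ Name = 'SiteProtector.jar'; Dst = (Join-Path $ear 'lib\SiteProtector.jar') }
    @{ Name = 'web.xml';           Dst = (Join-Path $ear 'webconsole.war\WEB-INF\web.xml') }
)
# Assumption: these are the services' display names, as written in the README.
$services = 'SiteProtector Application Server Service',
            'SiteProtector Sensor Controller Service',
            'SiteProtector Web Server'

Stop-Service -DisplayName $services
foreach ($t in $targets) {
    # Mirror the original's relative path under BackupDir; never overwrite an earlier backup.
    $bak = Join-Path $BackupDir ($t.Dst.Substring($InstallRoot.Length).TrimStart('\'))
    if (-not (Test-Path $bak)) {
        New-Item -ItemType Directory -Force -Path (Split-Path $bak) | Out-Null
        Copy-Item -Path $t.Dst -Destination $bak
    }
    Copy-Item -Path (Join-Path $PatchDir $t.Name) -Destination $t.Dst -Force
    Assert-Md5 $t.Dst $t.Name      # confirm the deployed copy matches the published hash
}
Start-Service -DisplayName $services
```

MD5 here only detects a corrupted or mismatched download against the values in this README; it is not a substitute for obtaining the files from the IBM download site over an authenticated channel.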

GETTING THE LATEST DOCUMENTATION
=====================================================================
For the latest version of the SiteProtector Readme file, go to the IBM
Security download center:

    https://webapp.iss.net/myiss/login.jsp?action=download

For the latest version of the product documentation, go to the IBM
Security Product Information Center:

    http://publib.boulder.ibm.com/infocenter/sprotect/v2r8m0/index.jsp

CONTACT IBM SUPPORT WORLDWIDE
=====================================================================
IBM Security offers a variety of contact options. To view these
options, please visit the IBM Support Portal:

    http://www.ibm.com/support/entry/portal

INFORMATION REQUIRED FOR REPORTING PRODUCT ISSUES
=====================================================================
If you encounter a problem with this product, please make notes that
are as detailed as possible about the following:

- Component and Build versions
- Specific failure symptoms or undesirable behavior

This information helps us reproduce the problem and resolve it as
quickly as possible.

FILES INCLUDED
=====================================================================
- SiteProtector.jar
- web.xml

=====================================================================
=====================================================================