Environment
Verastream Host Integrator version 7.7 or earlier
Verastream Process Designer R6 or earlier
Situation
Apache Commons Collections (ACC) library version 3.2.1 contains a vulnerability that allows a remote attacker to execute arbitrary code on an unpatched machine that uses JMX. This technical note explains how to update the ACC files to address this vulnerability.
Note: For more information about this vulnerability, see https://support.microfocus.com/security/.
Resolution
The steps depend on your Verastream product.
Verastream Host Integrator
Use the following steps to update your VHI installation with the patched ACC files:
- Go to https://commons.apache.org/proper/commons-collections/download_collections.cgi and download the version 3.2.2 binaries (either .zip or .tar.gz).
- Uncompress the .zip or .tar.gz file to extract the commons-collections-3.2.2.jar file.
- Stop the Verastream Management Server service.
- Repeat the following steps for each of these directories:
  <install-dir>\Attachmate\Verastream\ManagementServer\services\directory\lib
  <install-dir>\Attachmate\Verastream\ManagementServer\services\taskscheduler\lib
  - Locate the existing commons-collections-3.2.1.jar and rename it with a different file extension (such as commons-collections-3.2.1.jar.backup).
  - Copy the commons-collections-3.2.2.jar file from step 2 above into the directory.
- Start the Verastream Management Server service.
Verastream Process Designer
Use the following steps to update your VHI installation with the patched ACC files:
- Go to https://commons.apache.org/proper/commons-collections/download_collections.cgi and download the version 3.2.2 binaries (either .zip or .tar.gz).
- Uncompress the .zip or .tar.gz file to extract the commons-collections-3.2.2.jar file.
- Stop the Verastream Process Server service.
- Repeat the following steps for each of these directories:
  <install-dir>\Attachmate\Verastream\ProcessServer\services\composite\runtime\WEB-INF\lib
  <install-dir>\Attachmate\Verastream\ProcessServer\services\composite\lib
  <install-dir>\Attachmate\Verastream\ProcessServer\services\wscontainer\lib
  - Locate the existing commons-collections-3.2.1.jar and rename it with a different file extension (such as commons-collections-3.2.1.jar.backup).
  - Copy the commons-collections-3.2.2.jar file from step 2 above into the directory.
- Start the Verastream Process Server service.
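The rename-and-copy steps for both Verastream Host Integrator and Verastream Process Designer can be scripted and then checked. The following PowerShell script is an added example, not vendor-supplied code. It assumes the relevant Verastream service is already stopped, and its parameter names (InstallDir, NewJar) are chosen for this example.

```powershell
# Added example, not vendor code. Run from an elevated prompt with the
# Verastream Management Server / Process Server service stopped.
# Verify the download against the checksums on the Apache download page
# first; this script only confirms that each copy matches the file you supply.
param(
    [Parameter(Mandatory)] [string] $InstallDir,  # the <install-dir> from the steps above
    [Parameter(Mandatory)] [string] $NewJar       # path to the extracted commons-collections-3.2.2.jar
)
$ErrorActionPreference = 'Stop'
$oldName = 'commons-collections-3.2.1.jar'
$newName = 'commons-collections-3.2.2.jar'
$root    = Join-Path $InstallDir 'Attachmate\Verastream'

# lib directories listed in this note for both products
$libDirs = @(
    'ManagementServer\services\directory\lib',
    'ManagementServer\services\taskscheduler\lib',
    'ProcessServer\services\composite\runtime\WEB-INF\lib',
    'ProcessServer\services\composite\lib',
    'ProcessServer\services\wscontainer\lib'
) | ForEach-Object { Join-Path $root $_ }

if ((Split-Path $NewJar -Leaf) -ne $newName) { throw "Expected $newName, got $NewJar" }
$expected = (Get-FileHash -Path $NewJar -Algorithm SHA256).Hash

foreach ($dir in $libDirs) {
    if (-not (Test-Path $dir)) { Write-Host "skip (not installed): $dir"; continue }
    $old = Join-Path $dir $oldName
    if (Test-Path $old) {
        # Rename to a non-.jar extension, as the note instructs
        Rename-Item -Path $old -NewName "$oldName.backup"
    }
    Copy-Item -Path $NewJar -Destination $dir -Force
    $copied = (Get-FileHash -Path (Join-Path $dir $newName) -Algorithm SHA256).Hash
    if ($copied -ne $expected) { throw "Hash mismatch after copy in $dir" }
    Write-Host "updated: $dir"
}

# Verification: report any 3.2.1 jar that still carries its .jar name
# anywhere under the Verastream tree, including directories not listed above.
$leftover = Get-ChildItem -Path $root -Recurse -File | Where-Object Name -eq $oldName
if ($leftover) {
    $leftover | ForEach-Object { Write-Warning "still present: $($_.FullName)" }
    exit 1
}
Write-Host "No $oldName remains under $root"
```

A non-zero exit code means a commons-collections-3.2.1.jar is still in place somewhere under the installation and should be reviewed before the service is started.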