Updating ACC Files in Verastream

  • Document ID:7021301
  • Creation Date:11-Dec-2015
  • Modified Date:12-Mar-2018
    • Micro Focus Products:
      Verastream Host Integrator (VHI)
      Verastream Process Designer (VPD)

Environment

Verastream Host Integrator version 7.7 or earlier
Verastream Process Designer R6 or earlier

Situation

Apache Commons Collections (ACC) library version 3.2.1 contains a vulnerability that allows a remote attacker to execute arbitrary code on an unpatched machine that uses JMX. This technical note explains how to update the ACC files to address this vulnerability.

Note: For more information about this vulnerability, see https://support.microfocus.com/security/.

Resolution

The steps depend on your Verastream product.

Verastream Host Integrator

Use the following steps to update your VHI installation with the patched ACC files:

  1. Go to https://commons.apache.org/proper/commons-collections/download_collections.cgi and download the version 3.2.2 binaries (either .zip or .tar.gz).
  2. Uncompress the .zip or .tar.gz file to extract the commons-collections-3.2.2.jar file.
  3. Stop the Verastream Management Server service.
  4. Repeat the following steps for all of the following directories:
<install-dir>\Attachmate\Verastream\ManagementServer\services\directory\lib
<install-dir>\Attachmate\Verastream\ManagementServer\services\taskscheduler\lib
    1. Locate the existing commons-collections-3.2.1.jar and rename it to a different file extension (such as commons-collections-3.2.1.jar.backup).
    2. Copy the 3.2.2 file from step 2 above.
  1. Start the Verastream Management Server service.

Verastream Process Designer

Use the following steps to update your VHI installation with the patched ACC files:

  1. Go to https://commons.apache.org/proper/commons-collections/download_collections.cgi and download the version 3.2.2 binaries (either .zip or .tar.gz).
  2. Uncompress the .zip or .tar.gz file to extract the commons-collections-3.2.2.jar file.
  3. Stop the Verastream Process Server service.
  4. Repeat the following steps for all of the following directories:
<install-dir>\Attachmate\Verastream\ProcessServer\services\composite\runtime\WEB-INF\lib
<install-dir>\Attachmate\Verastream\ProcessServer\services\composite\lib
<install-dir>\Attachmate\Verastream\ProcessServer\services\wscontainer\lib
    1. Locate the existing commons-collections-3.2.1.jar and rename it to a different file extension (such as commons-collections-3.2.1.jar.backup).
    2. Copy the 3.2.2 file from step 2 above.
  1. Start the Verastream Process Server service.

Additional Information

Legacy KB ID

This document was originally published as Attachmate Technical Note 10162.