The embedded JRE in the VRTScscm package (Java GUI) version 5.1 is affected by CVE-2010-4476, a security vulnerability released by Oracle
The VERITAS Java GUI products use embedded Java Runtime software. When bugs are found in the embedded Java software, it is required that vendors like Oracle and IBM provide tools to update this 'embedded software'.
For CVE-2010-4476, the Java Runtime libraries of the Java GUI must be updated using tools provided by Oracle and IBM.
On the Windows, Solaris, HP-UX and Linux platforms, Oracle (Sun) has provided the fpupdater tool.
The fpupdater tool resolves CVE-2010-4476 by applying fixes to the 'rt.jar' files used by VERITAS Cluster Server Java Console Software. For more information visit
- Download "Java SE Floating Point Updater Tool" from the Oracle website:
This fix is appropriate for the Windows, Solaris, HP-UX and Linux platforms.
- Check that the Floating Point Updater (FPUpdater) version is 1.0.
- Extract the zip file.
- Take fpupdater.jar and copy it to some temporary location.
[For VCS Java GUI]
Close all running instances of Java GUI.
Run the following commands:
- Go to the temp directory where fpupdater.jar is present. From that directory run the following command: "<INSTALL DIR>\jre\bin\java" -jar fpupdater.jar -u -v
For example, if you installed the Java GUI in the default location, the command would look like:
"C:\Program Files\VERITAS\Cluster Manager\jre\bin\java" -jar fpupdater.jar -u -v
- Go to the temp directory where fpupdater.jar is present.
From that directory run the following command:
# /opt/VRTSvcs/gui/jre/bin/java -jar fpupdater.jar -u -v
IBM AIX Solution:
This fix provided by IBM has been applied and verified by Symantec for the Java GUI on 5.1.
Determine the current version of JRE, so that the appropriate JRE patch can be downloaded:
- Run the following command to get the JRE version used in the Java GUI:
# /opt/VRTSvcs/gui/jre/bin/java -version
- If the JRE version is 1.6.0, download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/IZ94423_FIX_1.jar
- If the JRE version is 1.5.0, download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/IZ94331_FIX_1.jar
- If the JRE version is 1.4.x, download ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller/PM31983_FIX_1.jar
Download the update installer for Java tool from the IBM FTP site:
Instructions for applying the fix for jre version 1.6.0 on AIX Platform:
- Stop all running instances of Java GUI.
- Extract UpdateInstallerforJava.zip to some temporary location. After extraction it will contain the JavaUpdateInstaller.jar file.
- Copy the downloaded patch file (for example, IZ94423_FIX_1.jar) to the same temporary location.
- Go to the temporary directory and run the command "/opt/VRTSvcs/gui/jre/bin/java -jar JavaUpdateInstaller.jar -install IZ94423_FIX_1.jar /opt/VRTSvcs/gui".
- After the installation is complete, it will show a message like "IZ94423_FIX_1 has been successfully installed to SDK /opt/VRTSvcs/gui"
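The AIX version check and fix selection described above, as an added shell example (not Symantec or IBM code). The function names and the sample `java -version` text are constructed for illustration; the JRE path, fix file names and FTP directory are the ones given in this note.

```shell
#!/bin/sh
# Added example: pick the IBM fix JAR that matches the embedded JRE on AIX.
FIX_BASE_URL="ftp://ftp.software.ibm.com/software/java/support/tools/updateinstaller"

# Read `java -version` text on stdin and print the quoted version string.
jre_version_from_output() {
    sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# Map a JRE version to the fix JAR listed in this note.
# Returns 1 for any version the note does not cover, so nothing is guessed.
ibm_fix_for_version() {
    case "$1" in
        1.6.0*) echo "IZ94423_FIX_1.jar" ;;
        1.5.0*) echo "IZ94331_FIX_1.jar" ;;
        1.4.*)  echo "PM31983_FIX_1.jar" ;;
        *)      return 1 ;;
    esac
}

# Query the embedded JRE (default path from this note) and print the fix URL.
select_fix() {
    java_bin="${1:-/opt/VRTSvcs/gui/jre/bin/java}"
    [ -x "$java_bin" ] || { echo "no executable JRE at $java_bin" >&2; return 2; }
    # `java -version` writes to stderr, so merge it into stdout before parsing.
    version=$("$java_bin" -version 2>&1 | jre_version_from_output)
    [ -n "$version" ] || { echo "could not parse java -version output" >&2; return 3; }
    fix=$(ibm_fix_for_version "$version") || {
        echo "JRE $version is not covered by this note" >&2; return 1; }
    echo "$FIX_BASE_URL/$fix"
}

# Constructed sample of `java -version` output (not captured from a real host).
SAMPLE_OUTPUT='java version "1.6.0"
Java(TM) SE Runtime Environment (build constructed-sample)
IBM J9 VM (build constructed-sample)'

# Offline demonstration on the constructed sample.
ibm_fix_for_version "$(printf '%s\n' "$SAMPLE_OUTPUT" | jre_version_from_output)"
```

On an AIX host, call `select_fix` with no argument to query the JRE under /opt/VRTSvcs/gui; a non-zero return means the JRE was missing, unparseable, or not one of the three versions listed.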
Veritas Cluster Server Java Console (VCS Java GUI) : VRTScscm 5.1