vom-Patch-9.1.2

Patch

Abstract

InfoScale Operations Manager Patch 9.1.2

Description

InfoScale Operations Manager Patch 9.1.2
README VERSION               : 1.1
README CREATION DATE         : 2026-03-31
PATCH-ID                     : vom-HF0912 
PATCH NAME                   : InfoScale Operations Manager Patch 9.1.2
BASE PACKAGE NAME            : VRTSfmh
BASE PACKAGE VERSION         : 9.1.0
SUPERSEDED PATCHES           : vom-HF0911
REQUIRED PATCHES             : NONE
INCOMPATIBLE PATCHES         : NONE
SUPPORTED PADV               : rhel9_x86_64,rhel10_x86_64,sles15_x86_64,w2k19X64,w2k22X64,w2k25X64 
(P-PLATFORM , A-ARCHITECTURE , D-DISTRIBUTION , V-VERSION)
PATCH CATEGORY               :  MH
PATCH CRITICALITY            : OPTIONAL
HAS KERNEL COMPONENT         : NO
ID                           : NONE
REBOOT REQUIRED              : NO
REQUIRE APPLICATION DOWNTIME : NO

PATCH INSTALLATION INSTRUCTIONS:
--------------------------------
IMPORTANT NOTE : Please take a backup of the database using the instructions given in the Admin guide before installing this patch.
 
This patch is applicable to both the InfoScale Operations Manager 9.1 Management Server and Managed Hosts.
 
1. Download the file vom-9.1.2.sfa
2. Launch a browser and log in to the InfoScale Operations Manager management server.
3. Navigate to Settings -> Deployment Icon.
4. Upload the patch to the InfoScale Operations Manager CMS using the Upload Solutions button.
The patch vom-9.1.1 should be visible in the Hot Fixes tree node.
5. Install this patch on the Management Server using the following instructions:
- Go to Settings -> Deployment -> Hot Fixes -> Veritas Infoscale Operations Manager Managed Host.
- Click on Hot Fixes Tab. Click on Applicable Hosts Tab.
- Right-click on the Management Server name and click on Install.
6. After the patch is installed successfully on the Management Server, you can follow the same steps to install the patch on applicable Managed Hosts.

PATCH UNINSTALLATION INSTRUCTIONS:
----------------------------------
NONE

SPECIAL INSTRUCTIONS:
-----------------------------
NONE

SUMMARY OF FIXED ISSUES:
-----------------------------------------


 PATCH ID:vom-HF0912

4195240 (4195238)  Security Vulnerabilities fixes 
4195355 (4195353)  Pen Test Issue fixes 
4195358 (4195356)  Enhanced security for IOM Web API commands. 
4195605 (4195604)  Deprecation of the Licensing management tab within the InfoScale Operations Manager console. 

 PATCH ID:vom-HF0911

4194288 (4194287)  Security Vulnerabilities fixes 
4194355 (4194354)  Security patch to upgrade legacy SSL/TLS cipher suites to modern ECDHE-based standards for IOM Web Server. 

SUMMARY OF KNOWN ISSUES:
-----------------------------------------
NONE 



KNOWN ISSUES : 
--------------
NONE

FIXED INCIDENTS: 
----------------


 PATCH ID:vom-HF0912

 * INCIDENT NO:4195240	 TRACKING ID:4195238

SYMPTOM: Third party component vulnerability reported. 

DESCRIPTION: The following third-party components have been upgraded:

--------------------------------------------------------------------------------------------------------------------------------------------------
Component Name            Upgraded Version (9.1.2)        COMMENTS
--------------------------------------------------------------------------------------------------------------------------------------------------
tomcat                    9.0.115                         APPLICABLE FOR VIOM MANAGEMENT SERVER ONLY.
log4j                     2.25.3                          APPLICABLE FOR VIOM MANAGEMENT SERVER ONLY.
--------------------------------------------------------------------------------------------------------------------------------------------------

RESOLUTION: Fixed the affected endpoint. 

 * INCIDENT NO:4195355	 TRACKING ID:4195353

SYMPTOM: Pen test issues reported. 

DESCRIPTION: The following pen test issues have been fixed:

1: Cross-site Scripting (Reflected) - CWE-79

2: Cross-site Scripting (Stored) - CWE-79

3: Cross-site Scripting (Stored) - CWE-79

4: Cross-Site Request Forgery (CSRF) - CWE-352

5: Open Redirect (Reflected) - CWE-601

6: Cross-site Scripting (Reflected) - CWE-79

7: Incorrect Permission Assignment for Critical Resource - CWE-732

8: Blind SQL Injection 

RESOLUTION: Fixed the affected endpoint. 

 * INCIDENT NO:4195358	 TRACKING ID:4195356

SYMPTOM: CSRF issues reported in the IOM Web API.

DESCRIPTION: InfoScale Operations Manager 9.1.2 provides enhanced security by preventing Cross-Site Request Forgery in the Web API. Please refer to the tech note below for more information.

https://www.veritas.com/content/support/en_US/doc/iom_patch_9.1.2 

RESOLUTION: Fixed the affected endpoint. 

 * INCIDENT NO:4195605	 TRACKING ID:4195604

SYMPTOM: Users will no longer find the "Licensing" tab or associated license management options within the InfoScale Operations Manager (IOM) user interface. 

DESCRIPTION: Direct management of InfoScale licenses through the InfoScale Operations Manager console has been discontinued. To ensure continued compliance and license oversight, administrators must transition to the alternative methods outlined in the technical documentation.

For full details and transition steps, please refer to the official tech note:

https://www.veritas.com/content/support/en_US/doc/iom_patch_9.1.2 

RESOLUTION: Administrators must transition to using the License Management Server (LMS) to manage all InfoScale entitlements. To maintain compliance and visibility, ensure that your InfoScale environment is correctly configured to report to the LMS. 

 PATCH ID:vom-HF0911

 * INCIDENT NO:4194288	 TRACKING ID:4194287

SYMPTOM: Third party component vulnerability reported. 

DESCRIPTION: The following third-party components have been upgraded:
--------------------------------------------------------------------------------------------------------------------------------------------------
Component Name            Upgraded Version (9.1.1)        COMMENTS
--------------------------------------------------------------------------------------------------------------------------------------------------
Tomcat                    9.0.113                         APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
PostgreSQL                14.20                           APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
Jakarta Mail              1.6.8                           APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
Jakarta XML Binding API   4.0.4                           APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
Apache Commons Logging    1.3.5                           APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
JSON (org.json)           20250517                        APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
Java                      11.0.30.7.1                     APPLICABLE FOR Arctera InfoScale Operations Manager MANAGEMENT SERVER ONLY.
--------------------------------------------------------------------------------------------------------------------------------------------------

RESOLUTION: Fixed the affected endpoint. 

 * INCIDENT NO:4194355	 TRACKING ID:4194354

SYMPTOM: Connections to the IOM Web Server are currently using deprecated, "static" RSA key exchange ciphers. This results in poor security ratings, lack of Perfect Forward Secrecy (PFS), and potential compatibility issues with modern, secure web browsers that flag older ciphers as "Insecure." 

DESCRIPTION: The IOM Web Server has been upgraded to support Elliptic Curve Diffie-Hellman Ephemeral (ECDHE). In the previous configuration, if the server's private key was ever compromised, an attacker could decrypt all historical traffic recorded from that server.

By moving to ECDHE, the server and client negotiate a unique, temporary session key that is never sent over the wire and is discarded immediately after the session ends. This ensures that even a future compromise of the server's master key cannot be used to decrypt past communications. 

RESOLUTION: Customers must apply the provided patch to update the server.xml configuration file for the latest ECDHE ciphers.
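
The following is an added example, not part of the vendor README or the product's code: one way to confirm after patching that a Tomcat server.xml no longer offers static RSA key exchange. The sample XML is constructed, the function names are hypothetical, and only comma-separated JSSE/IANA suite names are classified (an OpenSSL-syntax cipher string is reported as "unknown" for manual review).

```python
import xml.etree.ElementTree as ET

# Constructed sample for illustration; not the server.xml shipped with the product.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig protocols="TLSv1.2+TLSv1.3"
        ciphers="TLS_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
                 TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384"/>
  </Connector>
</Service></Server>"""

# TLS 1.3 suite names carry no key exchange; full handshakes use (EC)DHE.
TLS13_SUITES = frozenset({
    "TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
    "TLS_AES_128_CCM_8_SHA256",
})

def key_exchange(suite):
    """Classify a JSSE/IANA cipher suite name by its key exchange."""
    name = suite.strip().upper()
    if name in TLS13_SUITES or name.startswith(("TLS_ECDHE_", "TLS_DHE_")):
        return "ephemeral"      # forward secrecy
    if name.startswith("TLS_RSA_WITH_"):
        return "static-rsa"     # session key is encrypted to the server key
    if name.startswith(("TLS_ECDH_", "TLS_DH_")):
        return "static-dh"      # fixed DH key, no forward secrecy
    return "unknown"            # e.g. OpenSSL syntax; review by hand

def audit_server_xml(xml_text):
    """Return (port, suite, kex) for every configured suite that is not ephemeral."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        port = conn.get("port", "?")
        # 'ciphers' may sit on the Connector (legacy style) or on SSLHostConfig.
        for holder in [conn, *conn.iter("SSLHostConfig")]:
            for suite in holder.get("ciphers", "").split(","):
                suite = suite.strip()
                if suite and key_exchange(suite) != "ephemeral":
                    findings.append((port, suite, key_exchange(suite)))
    return findings

if __name__ == "__main__":
    for port, suite, kex in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"connector {port}: {suite} -> {kex}")
```

An empty result means every listed suite negotiates an ephemeral key; a connector with no ciphers attribute falls back to the runtime defaults and is not covered by this check.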

INCIDENTS FROM OLD PATCHES:
---------------------------
NONE
