[BESAdmin-Announcements] more information on critical vulnerability patch for IBM Endpoint Manager released on May 20

Announcements for BES Administrators besadmin-announcements at bigmail.bigfix.com
Wed May 21 18:22:13 PDT 2014



Several patches for IBM Endpoint Manager were released on May 20 to fix a
serious security vulnerability that would allow attackers to access files
on affected systems. We will release the technical details of this
vulnerability at a future date, once all of our customers have had
sufficient time to upgrade their systems.

The warning messages in the Console were not as detailed as they should
have been. We have updated those messages and provided more details in the
fixlet messages that the warnings link to. In addition, we will add
functionality to allow administrators to limit which operators see those
messages.

Here are the versions of the Endpoint Manager Platform that are vulnerable
and the components involved:

9.1 -- all versions up to the patch (9.1.1088.0) -- Root Server, Web
Reports, and Server API
9.0 -- all versions up to the patch (9.0.853.0)  -- Root Server, Web
Reports, and Server API
8.2 -- all versions up to the patch (8.2.1445.0) -- Web Reports and Server
API
8.1 -- all versions up to the patch (8.1.1653.0) -- Web Reports and Server
API

Due to challenges in easily upgrading earlier versions of 8.1 and 8.2, the
patches only work on the latest patch versions of 8.1 and 8.2:

* Upgrading server components to 8.2.1445.0 is only applicable from
8.2.1409.0
** If you have an earlier version of Web Reports or the Platform API for
8.2, first upgrade to version 8.2.1409.0 and then upgrade to version
8.2.1445.0.
* Upgrading server components to 8.1.1653.0 is only applicable from
8.1.1634.0
** If you have an earlier version of Web Reports or the Platform API for
8.1, first upgrade to version 8.1.1634.0 and then upgrade to version
8.1.1653.0.

These extra steps are needed for patching the earlier 8.x versions because
these patches are simply upgrades of the binaries. Earlier releases have
different database versions and upgrading from them directly could lead to
database compatibility problems.

There is no installation folder update for this release. If upgrading via
Fixlet on 9.1/9.0, the Installation Generator setups will be automatically
updated. When upgrading manually you can obtain the setups from
http://support.bigfix.com/bes/install/downloadbes.html and replace the
corresponding setup.exe with the component installer.
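
The version table and the two-step rule for 8.1/8.2 above can be turned into a
small triage helper. This is an added example, not code from IBM or from the
original announcement; the function names and the sample inventory are
assumptions, and component names follow the version list ("Server API").

```python
# Added example: triage helper built from the version table in the announcement.
# Branch -> (patched build, build the patch must be applied from or None,
#            components the announcement lists as affected).
ADVISORY = {
    "9.1": ("9.1.1088.0", None, {"Root Server", "Web Reports", "Server API"}),
    "9.0": ("9.0.853.0", None, {"Root Server", "Web Reports", "Server API"}),
    "8.2": ("8.2.1445.0", "8.2.1409.0", {"Web Reports", "Server API"}),
    "8.1": ("8.1.1653.0", "8.1.1634.0", {"Web Reports", "Server API"}),
}


def parse(version):
    """Turn 'a.b.c.d' into a tuple of ints so builds compare numerically."""
    parts = tuple(int(p) for p in version.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"expected four-part version, got {version!r}")
    return parts


def upgrade_path(component, version):
    """Return the builds to install, in order; [] means no action is listed."""
    v = parse(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in ADVISORY:
        raise ValueError(f"branch {branch} is not covered by the announcement")
    patched, gateway, affected = ADVISORY[branch]
    if component not in affected or v >= parse(patched):
        return []
    if gateway is None or v == parse(gateway):
        return [patched]
    if v < parse(gateway):
        # 8.x only: reach the last prior patch level first (database versions).
        return [gateway, patched]
    # Assumption: a build between gateway and patch is not named on the page.
    raise ValueError(f"{version} is not a build the announcement describes")


if __name__ == "__main__":
    # Constructed inventory (component, installed build); not real data.
    inventory = [
        ("Root Server", "9.0.99.0"),
        ("Web Reports", "8.2.1372.0"),
        ("Server API", "8.1.1634.0"),
        ("Root Server", "8.2.1372.0"),
        ("Web Reports", "9.1.1088.0"),
    ]
    for component, build in inventory:
        steps = upgrade_path(component, build)
        print(f"{component:12} {build:12} ->", " then ".join(steps) or "no action listed")
```

Builds are compared as integer tuples because a string comparison would rank
"9.0.99.0" above "9.0.853.0" and report a vulnerable server as patched.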