Badlock Security Alert

What is Badlock?
Badlock (CVE-2016-2118 in Samba; CVE-2016-0128 for the corresponding Windows components) is a protocol-level weakness in the SAMR and LSAD remote procedure calls. An attacker positioned between a client and the server can downgrade the authentication level of those calls and impersonate the authenticated user against them. Please see this article from Red Hat for an overview of the vulnerability.

How can I test my system to see if I’m vulnerable?
Run this script as root. It is fetched over plain HTTP and piped straight into a shell, so if your change-control policy requires it, download the file first, read it, and then execute it:

curl -s http://kb.eclipseinc.com/files/badlock-test.sh | sh

It will generate a report similar to the following if your system is vulnerable:

WARNING: The installed version of samba server (4.2.3-12.el7_2) is vulnerable to BADLOCK and should be upgraded! It is also enabled and/or running. Please update the package and restart the service.
See https://access.redhat.com/articles/2243351 and https://access.redhat.com/security/vulnerabilities/badlock for more information.

How do I patch my system?
Install Red Hat updates. If you don’t want to install all of the updates, you can optionally install only the samba updates (quote the pattern so the shell does not expand it against files in the current directory; yum pulls in the matching samba library packages as dependencies):

yum update 'samba*'
service smb restart

Also restart nmb and winbind if they are running (on RHEL 7 the service command forwards to systemctl). Re-run the test script afterwards; it should no longer report the samba package as vulnerable.

Bash Security Alert September 2014

Summary

A security vulnerability in the bash shell (“Shellshock”, CVE-2014-6271 and the related follow-up CVEs), the command-line shell used by Linux and most other Unix-like systems, lets an attacker who can control the contents of an environment variable passed to bash execute arbitrary commands. Services that hand client-supplied data to bash this way (CGI web scripts, some DHCP clients, SSH forced-command setups) are the usual remote paths to the flaw.

Epicor’s Response

We have reviewed the Eclipse software and verified that none of our products are directly affected by this vulnerability.

Customer Action

While the Eclipse software is not directly affected by this vulnerability, we highly recommend that our customers take the following actions to safeguard their servers:

  1. Install the updated bash package as soon as possible, using the command
    yum update bash
  2. Do not make the Linux server directly accessible on the Internet. Use a VPN to remotely access the server.
  3. Continue to install Red Hat software updates on a regular basis.

For more information, please read the following articles on Red Hat’s website:

FAQ

Q. Are web services that indirectly access the Linux database server affected?

A. No. Eclipse doesn’t run the Apache web server on Linux, whose CGI handling is the usual remote path to this bash flaw. Web services that use fastcgi (e.g. WOE, Web Integration) run on the Windows IGATE server and access the UniVerse SOCKET server, which isn’t affected. Web services that access JBoss on the database server (e.g. POD, JM) aren’t affected.

Q. The yum update tool is not working. Can I manually install the updated bash software?

A. Yes, you may use one of the alternative mirrors below. These are third-party mirrors reached over plain HTTP, so verify the package’s GPG signature against the Red Hat release key before installing it; rpm -Uvh only warns (NOKEY) and still installs when the signing key is not in its keyring.

For servers running RHEL 5:

rpm -Uvh http://f.cl.ly/items/0v0V430R0b3a3j3M4344/bash-3.2-33.el5_11.4.x86_64.rpm

For servers running RHEL 6:

rpm -Uvh http://f.cl.ly/items/3p083T2f1j3b191x423d/bash-4.1.2-15.el6_5.2.x86_64.rpm
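Before installing a package from a mirror that is not Red Hat’s, check that it really carries a Red Hat signature. The shell snippet below is an added example and not part of the original article: it classifies `rpm -K` output (the sample lines and the key ID in them are constructed) and only hands a downloaded file to rpm -Uvh when the signature verified against a key already in the rpm keyring. The function names are this example’s own. The trap it guards against is that `rpm -K` prints OK for an unsigned package as long as the digests match, and that `rpm -Uvh` merely warns and proceeds when it does not know the signing key.

```shell
#!/bin/sh
# Added example, not from the Eclipse KB article: verify an RPM's signature
# before installing it from a third-party mirror. Function names and the
# sample rpm -K lines below are constructed for this example.

# Classify one line of `rpm -K <file>` output.
# rpm prints "OK" for an UNSIGNED package too (only the digests are checked)
# and "NOT OK (MISSING KEYS: ...)" when the signing key is not imported, so a
# usable verdict needs "OK" plus a signature token (pgp/gpg/rsa/dsa).
# Prints: verified | unsigned | missing-key | bad-signature
rpm_k_verdict() {
    line=$1
    tokens=${line#*: }                      # drop the "<file>: " prefix
    case "$tokens" in
        *"MISSING KEYS"*) echo missing-key;   return 0 ;;
        *"NOT OK"*)       echo bad-signature; return 0 ;;
        *OK)              ;;                 # digests matched; now look for a signature
        *)                echo bad-signature; return 0 ;;
    esac
    lower=$(printf '%s' "$tokens" | tr 'A-Z' 'a-z')
    case "$lower" in
        *pgp*|*gpg*|*rsa*|*dsa*) echo verified ;;
        *)                       echo unsigned ;;
    esac
}

# Download <url> to a temp dir, run rpm -K on it and install only on "verified".
# Needs curl and rpm on the host; returns non-zero (and installs nothing) otherwise.
verify_and_install_rpm() {
    url=$1
    dir=$(mktemp -d) || return 1
    pkg="$dir/${url##*/}"
    if ! curl -fsSL -o "$pkg" "$url"; then
        echo "download of $url failed" >&2; rm -rf "$dir"; return 1
    fi
    verdict=$(rpm_k_verdict "$(rpm -K "$pkg" 2>&1)")
    if [ "$verdict" = verified ]; then
        rpm -Uvh "$pkg"; rc=$?
    else
        echo "refusing to install ${pkg##*/}: signature check = $verdict" >&2; rc=1
    fi
    rm -rf "$dir"
    return $rc
}

# Constructed sample rpm -K lines. The first is what a properly signed package
# looks like; the key ID is the sample's own, compare yours against the key in
# /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release on your server.
for sample in \
  'bash-4.1.2-15.el6_5.2.x86_64.rpm: rsa sha1 (md5) pgp md5 OK' \
  'bash-4.1.2-15.el6_5.2.x86_64.rpm: sha1 md5 OK' \
  'bash-4.1.2-15.el6_5.2.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#fd431d51)' \
  'bash-4.1.2-15.el6_5.2.x86_64.rpm: rsa sha1 (md5) pgp md5 NOT OK'
do
    printf '%-14s <- %s\n' "$(rpm_k_verdict "$sample")" "$sample"
done
```

`verify_and_install_rpm http://.../bash-4.1.2-15.el6_5.2.x86_64.rpm` runs the whole sequence. If the result is missing-key, import the Red Hat release key (rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release) and retry rather than bypassing the check; an unsigned result means the mirror served something Red Hat did not build.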

Q. How do I test to see if my server is vulnerable?

A. Run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word “vulnerable” echoed back, your system needs to be updated. If you only see “this is a test”, the fix for CVE-2014-6271 is in place. This one-liner does not exercise the follow-up flaws found in the first patch (CVE-2014-7169 and related), so also confirm with rpm -q bash that the installed package is at least the version listed above for your release (bash-3.2-33.el5_11.4 on RHEL 5, bash-4.1.2-15.el6_5.2 on RHEL 6).
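A fuller probe than the one-liner above, added here as an example and not part of the original Eclipse article: it runs the same CVE-2014-6271 test against a chosen bash binary and additionally checks whether that bash stores exported functions under the BASH_FUNC_ prefix, the namespace hardening shipped with the follow-up fixes (a bash carrying only the first patch still uses the bare-name form). The function names and the BASH_UNDER_TEST variable are this example’s own.

```shell
#!/bin/sh
# Added example, not from the Eclipse KB article: probe a bash binary for the
# Shellshock flaw the article's one-liner tests (CVE-2014-6271) and for the
# hardened exported-function format introduced by the follow-up fixes.
# Function names and BASH_UNDER_TEST are this example's own.

# Which bash to test; override with BASH_UNDER_TEST=/path/to/bash
BASH_UNDER_TEST="${BASH_UNDER_TEST:-bash}"

have_bash() {
    command -v "$BASH_UNDER_TEST" >/dev/null 2>&1
}

# CVE-2014-6271: a vulnerable bash parses ANY environment variable whose value
# starts with "() {" as a function definition and executes whatever follows
# the closing brace. Prints: vulnerable | patched | bash-not-found
shellshock_cve_2014_6271() {
    have_bash || { echo bash-not-found; return 0; }
    out=$(env x='() { :;}; echo vulnerable' "$BASH_UNDER_TEST" -c 'echo this is a test' 2>&1)
    case "$out" in
        *vulnerable*) echo vulnerable ;;
        *)            echo patched ;;
    esac
}

# Fixed bash exports functions under names with a BASH_FUNC_ prefix (for
# example BASH_FUNC_probe_fn%%) and only imports functions from such names,
# so an attacker-controlled ordinary variable can no longer be taken for one.
# Prints: hardened | legacy | unknown | bash-not-found
shellshock_export_format() {
    have_bash || { echo bash-not-found; return 0; }
    names=$("$BASH_UNDER_TEST" -c 'probe_fn() { :; }; export -f probe_fn; env' 2>/dev/null)
    case "$names" in
        *BASH_FUNC_probe_fn*) echo hardened ;;
        *probe_fn=*)          echo legacy ;;
        *)                    echo unknown ;;
    esac
}

# Human-readable summary. The article's rule still applies: "vulnerable" means
# update bash now, and a "patched" result should still be confirmed against the
# fixed package versions listed on this page.
shellshock_report() {
    if have_bash; then
        ver=$("$BASH_UNDER_TEST" --version 2>/dev/null | head -n 1)
    else
        ver="(not found)"
    fi
    printf 'bash under test : %s\n' "$ver"
    printf 'CVE-2014-6271   : %s\n' "$(shellshock_cve_2014_6271)"
    printf 'function export : %s\n' "$(shellshock_export_format)"
}

shellshock_report
```

Point BASH_UNDER_TEST at an alternate binary (for example a copy kept under /opt) to check shells that yum does not manage; a result of patched together with legacy means the first fix is installed but the hardened export format is not, so the package is older than the versions listed above.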

Fax on Demand

Eclipse recommends Esker’s Fax on Demand service for outbound faxing from Eclipse. (Incoming faxes to Eclipse are not supported. Please use the manual procedure for uploading logos and append documents.)

What is Fax on Demand?

Fax on Demand is an Internet-based faxing service that doesn’t require any modem hardware or fax lines. Your faxes are sent via the Internet to Esker’s data centers, where they are transmitted to the recipient.

What are the benefits to using Fax on Demand?

The primary benefits are:

  • No hardware requirements, which is perfect for virtual machines and DR scenarios
  • No maintenance required, because there is no hardware to fail or fax lines to troubleshoot
  • Higher quality and reliability, because Esker uses enterprise-grade fax technology, not analog modems
  • Better scalability, so batches of faxes don’t back up the queue for hours or days

How do I receive a quote for Fax on Demand?

To receive pricing, you will first need to email a report of your fax history to Chris Graves at Esker, so that they can estimate your fax volume and provide an appropriate quote. Here are instructions for generating and sending a report to yourself that you can then forward to Esker.

Generating a fax report on AIX

Run the following commands on your AIX server, replacing the example email address with yours:

vfxolog -F csv -h on -U vsifax > /esupport/olog-output.csv
uuencode /esupport/olog-output.csv olog-output.csv | mailx -s "`hostname` Fax Report" email@company.com

Generating a fax report on Linux

Run the following commands on your Linux server, replacing the example email address with yours:

vfxolog -F csv -h on -U vsifax > /esupport/olog-output.csv
echo "" | mutt -a /esupport/olog-output.csv -s "`hostname` Fax Report" -- email@company.com

How do I enable Fax on Demand?

Please follow these instructions for enabling your new Fax on Demand account.

Java security message when launching Solar

When running Solar on an Eclipse release prior to 8.7.7.05 with Java 7 Update 40, users will be presented with a security warning similar to the following:

Security Warning

To continue launching Solar, the user should select the option, I accept the risk and want to run this app. This must be done every time Solar is launched.

Here’s an explanation of the change from the Java website:

Why don’t I see the option to select “Do not show this again for this app” in the security dialog for an unsigned application?
Starting with Java 7 Update 40, the option to select “Do not show this again for this app” is no longer available. Unlike previous versions a user cannot suppress the security dialog for an unsigned application and will have to select the option, “I accept the risk and want to run this app”, each time to run the unsigned application.

The Eclipse development team will be making changes to the way future versions of Solar are signed to prevent this security dialog from appearing.

For more information, please see the Java website: http://www.java.com/en/download/help/appsecuritydialogs.xml

Change Solar Icon Account Name

During the installation of Solar on a workstation, an icon is placed on the desktop. By default, the icon will be named “Solar Eclipse – eclipse”, referencing a default account name of “eclipse”.

If you install an additional copy of Solar from another account using the same default name, the icon will be over-written.

If you would like to change this account name to something more descriptive (e.g. “train”), please follow these steps:

Log onto the Eclipse server as root.

Change to the Eclipse account’s home directory (e.g. /u2/eclipse), and then into the modules-conf subdirectory. For example:

cd /u2/eclipse/modules-conf

Edit the solar-account.properties file in that directory, changing the default account name of “eclipse” in the property keys to the new name (e.g. “train”). For example:

vi solar-account.properties

After making the changes, the example configuration would look similar to:

account.train.hostname=localhost
account.train.hostport=22222

Save and close the file. You will need to restart the JBoss application server to apply the changes (please see these instructions for Linux and AIX).