Badlock Security Alert

What is Badlock?
Badlock (CVE-2016-2118) is a protocol flaw in Samba’s SAMR and LSA DCE/RPC services: an attacker positioned between a client and the server can intercept the DCE/RPC traffic, downgrade its authentication and impersonate the authenticated user with that user’s privileges. Any Samba server exposing these services is affected. Please see Red Hat’s overview at https://access.redhat.com/security/vulnerabilities/badlock for details.

How can I test my system to see if I’m vulnerable?
Download the test script, look it over (it is served over plain HTTP, so don’t pipe it straight into a shell), then run it:

curl -s -o badlock-test.sh http://kb.eclipseinc.com/files/badlock-test.sh
sh badlock-test.sh

It will generate a report similar to the following if your system is vulnerable:

WARNING: The installed version of samba server (4.2.3-12.el7_2) is vulnerable to BADLOCK and should be upgraded! It is also enabled and/or running. Please update the package and restart the service.
See https://access.redhat.com/articles/2243351 and https://access.redhat.com/security/vulnerabilities/badlock for more information.
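What a check like the one above actually does is compare the installed samba version-release against the version in which Red Hat fixed the bug. The script below is an added example (not the kb.eclipseinc.com test script) that shows that comparison in portable shell; the version strings in the comments and test are constructed placeholders, and the real fixed version must be taken from the Red Hat advisory.

```sh
#!/bin/sh
# Added example: version comparison behind a Badlock-style package check.
# Version strings used here are constructed placeholders, not Red Hat's.

# Compare two RPM "VERSION-RELEASE" strings and print older, same or newer.
# sort -V is used as an approximation of rpmvercmp; it is accurate for Red
# Hat's N.N.N-N.elX_Y strings but ignores the (rarely used) Epoch field.
rpm_vr_cmp() {   # rpm_vr_cmp <installed V-R> <fixed V-R>
    [ "$1" = "$2" ] && { echo same; return 0; }
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    if [ "$lowest" = "$1" ]; then echo older; else echo newer; fi
}

# Exit 0 when the installed package is at or above the fixed version,
# 1 when it is older (i.e. still vulnerable).
samba_is_fixed() {   # samba_is_fixed <installed V-R> <fixed V-R>
    case "$(rpm_vr_cmp "$1" "$2")" in
        older) return 1 ;;
        *)     return 0 ;;
    esac
}

# Build a report line in the same shape as the test script's output.
# The third argument says whether the service is running (yes/no); on a
# real host that would come from e.g. "service smb status" or pgrep smbd.
badlock_report() {   # badlock_report <installed V-R> <fixed V-R> <running yes|no>
    if samba_is_fixed "$1" "$2"; then
        echo "samba $1 is at or above the fixed version $2"
    else
        msg="WARNING: The installed version of samba server ($1) is vulnerable to BADLOCK and should be upgraded!"
        [ "$3" = yes ] && msg="$msg It is also enabled and/or running. Please update the package and restart the service."
        echo "$msg"
    fi
}

# On a real host the installed version comes from rpm, for example:
#   installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' samba)
#   badlock_report "$installed" "<fixed V-R from the advisory>" yes
```

The comparison is the part worth getting right: a plain string compare would rank release 9 above release 12, which is exactly the kind of mistake that makes a vulnerability check report "fixed" on an unpatched host.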

How do I patch my system?
Install Red Hat updates. If you don’t want to install all of the updates, you can optionally install only the samba updates (quote the pattern so the shell doesn’t expand it against files in the current directory) and then restart the Samba service. If winbind is also running on the server, restart it as well:

yum update 'samba*'
service smb restart

Bash Security Alert September 2014

Summary

A security vulnerability in the bash shell (CVE-2014-6271, widely known as “Shellshock”), the command-line shell used by Linux and other Unix-like operating systems, allows an attacker who can control an environment variable that bash reads at startup (for example through a CGI script on a web server, or an SSH forced command) to run arbitrary commands on the server.

Epicor’s Response

We have reviewed the Eclipse software and verified that none of our products are directly affected by this vulnerability.

Customer Action

While the Eclipse software is not directly affected by this vulnerability, we highly recommend that our customers take the following actions to safeguard their servers:

  1. Install the updated bash package as soon as possible, using the command
    yum update bash
  2. Do not make the Linux server directly accessible on the Internet. Use a VPN to remotely access the server.
  3. Continue to install Red Hat software updates on a regular basis.

For more information, please read the following articles on Red Hat’s website:

FAQ

Q: Are web services that indirectly access the Linux database server affected?

A. No. The main remote attack vector for this bug is a web server passing request data to bash through CGI scripts, and Eclipse doesn’t run the Apache web server on Linux. Web services that use FastCGI (e.g. WOE, Web Integration) run on the Windows IGATE server and access the UniVerse SOCKET server, which isn’t affected. Web services that access JBoss on the database server (e.g. POD, JM) aren’t affected.

Q. The yum update tool is not working. Can I manually install the updated bash software?

A. Yes, you may use one of the alternative mirrors below. These are not Red Hat’s servers and the downloads are over plain HTTP, so save the package locally and check its Red Hat GPG signature with rpm -K (it should report gpg OK) before installing it:

For servers running RHEL 5:

rpm -Uvh http://f.cl.ly/items/0v0V430R0b3a3j3M4344/bash-3.2-33.el5_11.4.x86_64.rpm

For servers running RHEL 6:

rpm -Uvh http://f.cl.ly/items/3p083T2f1j3b191x423d/bash-4.1.2-15.el6_5.2.x86_64.rpm

Q. How do I test to see if my server is vulnerable?

A. Run this command:

env x='() { :;}; echo vulnerable' bash -c 'echo this is a test'

If you see the word “vulnerable” echoed back, then your system needs to be updated. If you only see “this is a test,” then your system has been patched.
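The one-liner above wrapped as a function that returns an exit status, so the same check can be run from a script or a monitoring job, together with the follow-up test Red Hat published for the incomplete first fix (CVE-2014-7169, which the bash packages listed above also cover). This is an added example, not from the original page; it assumes bash is on the PATH or is given as the first argument.

```sh
#!/bin/sh
# Added example: Shellshock checks as functions with exit statuses.
#   0 = patched, 1 = vulnerable, 2 = no bash binary found to test.

# CVE-2014-6271: a vulnerable bash imports a function from any environment
# variable whose value starts with "() {" and keeps executing whatever follows
# the closing brace, so the trailing "echo vulnerable" runs at startup.
shellshock_check() {   # shellshock_check [path-to-bash]
    bash_bin=${1:-$(command -v bash || :)}
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    out=$(env x='() { :;}; echo vulnerable' "$bash_bin" -c 'echo this is a test' 2>/dev/null)
    case "$out" in
        *vulnerable*) return 1 ;;
        *)            return 0 ;;
    esac
}

# CVE-2014-7169: the first patch still mis-parsed a definition ending in an
# unbalanced backslash; on an unpatched bash the "echo date" command turns into
# a redirection that creates a file named "echo" in the working directory.
# Run it in a throwaway directory so nothing is left behind.
shellshock_check_7169() {   # shellshock_check_7169 [path-to-bash]
    bash_bin=${1:-$(command -v bash || :)}
    [ -n "$bash_bin" ] && [ -x "$bash_bin" ] || return 2
    tmp=$(mktemp -d) || return 2
    ( cd "$tmp" && env X='() { (a)=>\' "$bash_bin" -c "echo date" ) >/dev/null 2>&1 || :
    if [ -e "$tmp/echo" ]; then
        rm -rf "$tmp"
        return 1
    fi
    rm -rf "$tmp"
    return 0
}

# Human-readable summary combining both checks: a host is only "patched"
# when neither test fires.
shellshock_status() {   # shellshock_status [path-to-bash]
    rc=0; shellshock_check "$@" || rc=$?
    [ "$rc" -eq 0 ] && { shellshock_check_7169 "$@" || rc=$?; }
    case "$rc" in
        0) echo patched ;;
        1) echo vulnerable ;;
        *) echo no-bash ;;
    esac
}
```

Usage: `shellshock_status` prints patched, vulnerable or no-bash; a non-zero exit from shellshock_check or shellshock_check_7169 is what a cron job or monitoring check should alert on. Note that the page’s one-liner only covers the original bug, which is why the second function exists.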

New Relic Monitoring

There are many monitoring solutions available, and many of them work well with Eclipse servers, but we recommend the New Relic monitoring solution for customers interested in setting up monitoring quickly and easily.

We’ve prepared the following guide to help customers implement New Relic monitoring on their Eclipse servers, but Eclipse does not provide technical support for New Relic. If you have any questions, please contact New Relic support directly.

Sign up for a New Relic account

Before you can install the New Relic software, you’ll need to sign up for an account. They have a free option for customers that need basic monitoring and 24 hours of historical data, or you can upgrade to one of the more advanced tiers.

To sign up for an account, go to the New Relic website and follow the instructions.

Install the server monitoring agents

The server monitoring agents will track things like processor utilization and disk usage.

Linux

Enable the New Relic repository:

rpm -Uvh http://download.newrelic.com/pub/newrelic/el5/i386/newrelic-repo-5-3.noarch.rpm

Install New Relic’s server monitoring daemon:

yum install newrelic-sysmond

Configure the daemon with your license key (which you can obtain from the Account Settings page; the value below is a placeholder, and a real key should be treated as a secret and never pasted into shared documentation):

nrsysmond-config --set license_key=YOUR_LICENSE_KEY

Start the daemon:

/etc/init.d/newrelic-sysmond start

Windows

Download the installer appropriate for your system:

Double click the installer file and follow the prompts to start the installation — generally you can click “Next” and the installer will try to pick smart defaults for you.

Enter your New Relic license key (which you can obtain from the Account Settings page) when prompted, and click “OK”.

Install the application server agent

Note: installing the application server agent requires restarting JBoss, which will be disruptive to Solar and Job Management users.

Go to the Applications page and click Add more.

Choose the “Java” language

Click “Reveal your license key”

Click “Download New Relic Java agent”

Transfer the .zip file to the application server’s JBoss directory (e.g. /u2/eclipse/modules/jboss) via the method of your choice (e.g. FTP, SCP)

Log into the server as root, then extract and install the agent:

cd /u2/eclipse/modules/jboss
unzip newrelic*.zip

Set permissions:

chown -R jboss:jboss newrelic

Backup the current JBoss configuration:

cp /u2/eclipse/modules-conf/jboss.conf /u2/eclipse/modules-conf/jboss.conf.`date +%Y%m%d.%H%M%S`

Edit newrelic/newrelic.yml and change the app_name setting (the name that will be displayed on the New Relic web interface) from “My Application” to something more descriptive (e.g. companyname-Solar). This file also contains your license key, so keep it readable only by the jboss account.

Add a line for New Relic to the end of the JBoss configuration file:

vim /u2/eclipse/modules-conf/jboss.conf
JAVA_OPTS="$JAVA_OPTS -javaagent:/u2/eclipse/modules/jboss/newrelic/newrelic.jar"

Restart JBoss

service eclipse-jboss halt
service eclipse-jboss start

Uninstalling New Relic

To uninstall the application server agent:

vim /u2/eclipse/modules-conf/jboss.conf

Remove the following line:

JAVA_OPTS="$JAVA_OPTS -javaagent:/u2/eclipse/modules/jboss/newrelic/newrelic.jar"

Restart JBoss to undeploy the agent.

Remove the New Relic agent files:

rm -rf /u2/eclipse/modules/jboss/newrelic

To remove the Linux server monitoring agent:

yum remove newrelic-sysmond
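The jboss.conf and newrelic.yml edits from the install steps and the uninstall steps above, as one small shell script whose functions can be run more than once without adding a second -javaagent line. This is an added example, not Eclipse’s or New Relic’s tooling; the agent path defaults to the one used in this guide, the functions take the file paths as arguments so they can be tried on copies first, and the app_name edit assumes the agent’s standard newrelic.yml layout (an indented `app_name:` line under `common:`).

```sh
#!/bin/sh
# Added example: idempotent enable/disable of the New Relic Java agent in
# jboss.conf, plus the app_name change in newrelic.yml, with timestamped backups.
AGENT_JAR_DEFAULT=/u2/eclipse/modules/jboss/newrelic/newrelic.jar

backup_file() {   # backup_file <path>  (same naming as the guide's cp command)
    cp "$1" "$1.$(date +%Y%m%d.%H%M%S)"
}

# Append the -javaagent line once; exit 0 if the file ends up containing it.
nr_enable_agent() {   # nr_enable_agent <jboss.conf> [agent.jar]
    conf=$1; jar=${2:-$AGENT_JAR_DEFAULT}
    line="JAVA_OPTS=\"\$JAVA_OPTS -javaagent:$jar\""
    backup_file "$conf" || return 1
    # -F: the path is a fixed string, not a regex; --: it starts with a dash
    if ! grep -qF -- "-javaagent:$jar" "$conf"; then
        printf '%s\n' "$line" >> "$conf"
    fi
    grep -qF -- "-javaagent:$jar" "$conf"
}

# Drop every line referencing this agent jar; exit 0 once none remain.
nr_disable_agent() {   # nr_disable_agent <jboss.conf> [agent.jar]
    conf=$1; jar=${2:-$AGENT_JAR_DEFAULT}
    backup_file "$conf" || return 1
    # grep -v exits 1 when nothing is left to print, which is not an error here
    grep -vF -- "-javaagent:$jar" "$conf" > "$conf.tmp" || :
    mv "$conf.tmp" "$conf"
    ! grep -qF -- "-javaagent:$jar" "$conf"
}

# Replace the default "My Application" on app_name lines (including the
# per-environment "My Application (Development)" variants). The name must
# not contain "/" or "&", which are special in the sed replacement.
nr_set_app_name() {   # nr_set_app_name <newrelic.yml> <name>
    yml=$1; name=$2
    backup_file "$yml" || return 1
    sed -i.bak "s/^\([[:space:]]*app_name:[[:space:]]*\)My Application/\1$name/" "$yml"
    rm -f "$yml.bak"
    grep -q "^[[:space:]]*app_name:[[:space:]]*$name" "$yml"
}
```

Usage on a server: `nr_set_app_name /u2/eclipse/modules/jboss/newrelic/newrelic.yml companyname-Solar`, then `nr_enable_agent /u2/eclipse/modules-conf/jboss.conf` and restart JBoss as described above; `nr_disable_agent` followed by a restart reverses it. Because the -javaagent jar runs inside the JBoss JVM and newrelic.yml holds the license key, restrict both after the chown step (chmod 640 newrelic/newrelic.yml at minimum) so other local accounts cannot read the key or tamper with the agent.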

Fax on Demand

Eclipse recommends Esker’s Fax on Demand service for outbound faxing from Eclipse. (Incoming faxes to Eclipse are not supported. Please use the manual procedure for uploading logos and append documents.)

What is Fax on Demand?

Fax on Demand is an Internet-based faxing service that doesn’t require any modem hardware or fax lines. Your faxes are sent via the Internet to Esker’s data centers, where they are transmitted to the recipient.

What are the benefits to using Fax on Demand?

The primary benefits are:

  • No hardware requirements, which is perfect for virtual machines and DR scenarios
  • No maintenance required, because there is no hardware to fail or fax lines to troubleshoot
  • Higher quality and reliability, because Esker uses enterprise-grade fax technology, not analog modems
  • Better scalability, so batches of faxes don’t back up the queue for hours or days

How do I receive a quote for Fax on Demand?

To receive pricing, you will first need to email a report of your fax history to Chris Graves at Esker, so that they can estimate your fax volume and provide an appropriate quote. Here are instructions for generating and sending a report to yourself that you can then forward to Esker.

Generating a fax report on AIX

Run the following commands on your AIX server, replacing the example email address with yours:

vfxolog -F csv -h on -U vsifax > /esupport/olog-output.csv
uuencode /esupport/olog-output.csv olog-output.csv | mailx -s "`hostname` Fax Report" email@company.com

Generating a fax report on Linux

Run the following commands on your Linux server, replacing the example email address with yours:

vfxolog -F csv -h on -U vsifax > /esupport/olog-output.csv
echo "" | mutt -a /esupport/olog-output.csv -s "`hostname` Fax Report" -- email@company.com

How do I enable Fax on Demand?

Please follow these instructions for enabling your new Fax on Demand account.

Java security message when launching Solar

When running Solar on an Eclipse release prior to 8.7.7.05 with Java 7 Update 40, users will be presented with a security warning similar to the following:

Security Warning

To continue launching Solar, the user should select the option, I accept the risk and want to run this app. This must be done every time Solar is launched.

Here’s an explanation of the change from the Java website:

Why don’t I see the option to select “Do not show this again for this app” in the security dialog for an unsigned application?
Starting with Java 7 Update 40, the option to select “Do not show this again for this app” is no longer available. Unlike previous versions a user cannot suppress the security dialog for an unsigned application and will have to select the option, “I accept the risk and want to run this app”, each time to run the unsigned application.

The Eclipse development team will be making changes to the way future versions of Solar are signed to prevent this security dialog from appearing.

For more information, please see the Java website: http://www.java.com/en/download/help/appsecuritydialogs.xml