Note
Before using this information and the product it supports, read the information in Notices.
This edition applies to Fix Pack 6 security for version 9, release 5, modification level 0 of HCL Dynamic Workload Console.
HCL Dynamic Workload Console version 9.5.0 Readme File for Fix Pack 6 Security
- Date
- Dec 16, 2022
- Fix Pack Name
- 9.5.0 fix pack 6 security -HCL-DWC-FP0006
- Product
- HCL Dynamic Workload Console version 9.5.0 fix pack 6 security
- General Description
- HCL Dynamic Workload Console Fix Pack 6 security for version 9.5.0
- Security pack
- HCL V9.5 Fix Pack 6 Security is a security update of V9.5 Fix Pack 6, released in June 2022. If you already installed V9.5 Fix Pack 6 and apply the security update, the version is the same as the previous one (9.5.0.06), but the build date is changed.
This readme file provides important information about Fix Pack 6 security for HCL Dynamic Workload Console version 9.5.0. Fix Pack 6 security
This readme file is the most current information for the fix pack and takes precedence over all other documentation for Dynamic Workload Console version 9.5.0 Fix Pack 6 security.
The most up-to-date version of this readme can be accessed at the following URL: Fix Pack readmes.
HCL Dynamic Workload Console version 9.5.0 Fix Pack 6 Security supports all product versions indicated in the Dynamic Workload Console Version 9.5 Release Notes.
For the most up-to-date information about supported operating systems, software and hardware requirements, see Dynamic Workload Console Detailed System Requirements.
Review the following sections thoroughly before installing or using this fix pack.
About this Fix Pack
This section contains information specific for this Fix Pack including what has been modified or introduced, what has been fixed, product versions or components to which the Fix Pack applies, and compatibility issues, if any.
This section includes the following subsections:
Features introduced with Fix Pack 6 Security
- Version 9.5 Fix Pack 6 Security delivers the following enhancements:
- Changed features and feature capabilities
- CVE-2022-31160
- CVE-2022-27664
- CVE-2022-32149
- CVE-2022-36033
- CVE-2022-42003
APARs and defects fixed in HCL Dynamic Workload Console Fix Pack 6 Security for version 9.5.0
This section lists APARs and internal defects resolved by Fix Pack 6.Security
| APAR | ABSTRACT |
|---|---|
| IJ43867 |
DWC PENETRATION CONDUCTED AND REMEDIATION REQUIRED |
| IJ44020 |
AUTHENTICATED XXE VULNERABILITY IN IBM TIVOLI WORKLOAD SCHEDULER |
| IJ36579 |
IT IS OBSERVED THAT APPLICATION IS VULNERABLE TO HOST HEADER INJECTION |
| IJ43726 |
CREDENTIALS AUTO UPDATE WITH LOGIN USER ID |
| IJ44019 |
IBM SDK, JAVA TECHNOLOGY EDITION QUARTERLY CPU - APR 2022 - INCLUDES ORACLE APRIL 2022 |
| IJ43699 |
XSS EXPLOITATION IS OCCURRING ON THE LOGIN PAGE |
| DEFECT | ABSTRACT |
|---|---|
| WA-110627 |
[APPSCAN-IAST] : 9.5FP6 SECURITY : CRYPTOGRAPHY.POORENTROPY |
| WA-110251 |
[APPSCAN-IAST] : 9.5FP6 SECURITY : PATHTRAVERSAL |
| WA-110243 |
[APPSCAN-IAST] : 9.5FP6 SECURITY : CRYPTOGRAPHY.INSECUREALGORITHM |
| WA-110242 |
[APPSCAN-IAST] : 9.5FP6 SECURITY : CRYPTOGRAPHY.INSECUREALGORITHM |
| WA-110185 |
[APPSCAN STANDARD] COOKIE WITH INSECURE OR IMPROPER OR MISSING SAME SITE ATTRIBUTE |
| WA-104021 |
[APPSCAN STANDARD] MISSING OR INSECURE "X-XSS-PROTECTION" HEADER WITH PARTICULAR URL |
| WA-103880 |
[APPSCAN STANDARD] MISSING OR INSECURE "SCRIPT-SRC" POLICY IN "CONTENT-SECURITY-POLICY" HEADER |
| WA-103203 |
[APPSCAN STANDARD] MISSING OR INSECURE HTTP STRICT-TRANSPORT-SECURITY HEADER |
| WA-103201 |
[APPSCAN STANDARD] MISSING OR INSECURE "X-CONTENT-TYPE-OPTIONS" HEADER |
| WA-103200 |
[APPSCAN STANDARD] MISSING "CONTENT-SECURITY-POLICY" HEADER |
| WA-110085 |
XSS IN JOB DEFINITION DESCRIPTION FIELD - LIST WORKLOAD DEFINITION |
| WA-107825 |
9.5 FP6 - DWCINST , --SKIPCHECKPREREQ IN PROPERTY FILE MUST BE SPECIFIED IN UPPERCASE |
| WA-111328 |
ADD AIX 7.3 ON CHECK PREREQ |
| WA-111295 |
PREDEFINED REPORT : DELETE POPUP IS NOT CLOSING AFTER CLICK ON OKAY |
| WA-111253 |
IN MONITOR WORKLOAD, WHEN WE FILTER WITH JOB SECOND TIME. IT IS NOT SHOWING ENGINE, DEFAULT. WHICH WE SELECTED FIRST TIME |
| WA-111265 |
WHEN WE OPEN DEFINITION THROUGH VIEW PRODUCTION PLAN THEN IT IS SHOWING BLANK |
| WA-110979 |
RERUN, PRIORITY, PROPERTIES BUTTONS ARE NOT WORKING IN MONITOR WORKLOAD |
| WA-110977 |
ENGINE CONNECTION SUCCESSFUL BUT WHEN OPEN WORKLOAD DEFINITION PAGE, IT'S SHOWING ERROR |
| WA-110831 |
PERSONALIZED REPORTS PAGE IS SHOWING BLANK |
| WA-111244 |
WORKSTATION WORKLOAD SUMMARY REPORT IS NOT SAVING WHEN WE R TRYING TO GIVE THIS AS DESCRIPTION " #$@(*&)3245879SDFGHJ:;AKFLHALFKAFALKFAFHASLFSAFHSALKFHALFAHFALKFHALKFHSAFOITQYTQOIYTQOIYQOWIYROQI ", EVEN IT IS NOT THROWING ANY ERROR/WARNING MESSAGE ALSO |
| WA-111297 |
PREDEFINED REPORT: IF USER PROVIDE ANY JOB NAME WHILE CREATING JOB RUN HISTORY THEN WHILE EDITING GETTING ERROR FOR NOT VALID CHARACTER FOR FRENCH LANGUAGE |
Known limitations and workarounds
The following are software limitations and workarounds that affect Dynamic Workload Console version 9.5.0 Fix Pack 6 Security. For a list of known problems and limitations documented for the V9.5 General Availability release, refer to the Release Notes.
9.5 Fix Pack 6 Security
- WebSphere Liberty minimum required version
- the minimum required WebSphere Liberty version to successfully install the fixpack is 22.0.0.3
Fix Pack structure
This section describes the structure of the images contained in this Fix Pack.
Fix Pack files available for HCL Workload Automation by using HCL License Portal
Following is the structure of the Fix Pack on Flexnet:
| Name | Description |
|---|---|
| DWC_9506_Security2022_Readme | Readme file with download instructions |
| HWA_9506_Security2022_WEBSPHERE_LIBERTY | WebSphere Liberty application server |
| Name | Description |
|---|---|
| HWA_9506_Security2022_AIX_AGENT | HCL Workload Automation Agent V9.5.0.6, Remote CLI and Workload Automation for Applications for AIX |
| Name | Description |
|---|---|
| HWA_9506_Security2022_IBM_I_AGENT | HCL Workload Automation Agent V9.5.0.6 for IBM i |
| Name | Description |
|---|---|
| HCL Workload Automation 9.5 LINUX | LINUX distribution |
| HWA_9506_Security2022_DWC_LINUX_X86_64 | Workload Automation Dynamic Workload Console V9.5.0.6 for LINUX |
| HWA_9506_Security2022_LNX_PPC64LE_AGENT | HCL Workload Automation Agent V9.5.0.6, Remote CLI and Workload Automation for Applications for Linux on POWER (little endian) |
| HWA_9506_Security2022_LNX_S390_AGENT | HCL Workload Automation Agent V9.5.0.6, Remote CLI and Workload Automation for Applications for Linux on System z9 and System z |
| HWA_9506_Security2022_LNX_X86_64_AGENT | Workload Automation Agent V9.5.0.6, Remote CLI and Workload Automation for Applications for Linux on x86-64 |
| Name | Description |
|---|---|
| HCL Workload Automation 9.5 LINUX | LINUX distribution |
| HWA_9506_Security2022_Console_Container | Dynamic Workload Console V9.5.0.6 for LINUX on Docker |
| HWA_9506_Security2022_Console_Container_LINUX390 | Dynamic Workload Console V9.5.0.6 for LINUX on Docker |
| HWA_9506_Security2022_Agent_Dynamic_Container | Workload Automation Agent V9.5.0.6, Remote CLI and Workload Automation for Applications for Linux on x86-64 on Docker |
| HWA_9506_Security2022_Agent_Dynamic_Container_LINUX390 | Workload Automation Agent 9.5.0.6, Remote CLI and Workload Automation for Applications for Linux on System z9 and System z on Docker |
| Name | Description |
|---|---|
| HCL Workload Automation 9.5 WINDOWS | WINDOWS distribution |
| HWA_9506_Security2022_DWC_WINDOWS_X86_64 | Dynamic Workload Console V9.5.0.6 for WINDOWS |
| HWA_9506_Security2022_WIN_X86_64_AGENT | HCL Workload Automation Agent V9.5.0.6, Remote CLI and Workload Automation for Applications for Windows x64 |
| Name | Description |
|---|---|
| HCL Workload Automation V9.5 z/OS | z/OS distribution |
| HWA_9506_Security2022_DWC_ZSYSTEM | HWA z/OS Dynamic Workload Console |
| Name | Description |
|---|---|
| HCL Workload Automation V9.5 | z/OS distribution |
| HWA_9506_OpenShift_Server_UI_Agent.zip | HWA Dynamic Workload Console, Agent and Server |
Installing the Fix Pack
This section describes how to apply Fix Pack 6 Security to Dynamic Workload Console.
- The Dynamic Workload Console is active.
- No user is connected to the Dynamic Workload Console to prevent the data related to their working session from being lost.
Installation notes
Read this section thoroughly before installing this Fix Pack.
- Before installing the Fix Pack, ensure you have installed the required prerequisite software. To obtain the latest information about software requirements for HCL Workload Automation, see https://help.hcltechsw.com/workloadautomation/v95/distrDDguides.html.
-
- Supported WebSphere Application Server Liberty Base versions
- The minimum required WebSphere Liberty version to successfully install the fixpack is 22.0.0.3 or later.
- On UNIX systems only: Before installing either the Dynamic Workload Console version 9.5 or this Fix Pack, make sure that
umask is set to 022. To verify that umask is set to the correct value, from a
command prompt, run the umask command. If the value is different from 022, modify it
by running the command:
umask 022 - If you plan to connect the Dynamic Workload Console version 9.5
Fix Pack 1 to a z/OS engine, ensure the following APAR for the z/OS platform is installed if you
plan to use the two new columns in the DB2 reports (SUBSYSTEM NAME and WORKSTATON TYPE):
- PH12689
- Support for multiple controller for DB2 reporting and new keywords added to JOBREC statement.
Interoperability notes
Dynamic Workload Console version 9.5.0 Fix Pack 6 Security supports all product versions indicated in the Dynamic Workload Console version 9.5 Release Notes which can be accessed at the following link: Dynamic Workload Console Version 9.5 Release Notes.
Installation methods
- You can install directly the Dynamic Workload Console General Availability version 9.5 together with the latest fix pack level, as described in Installing from the CLI in Planning and Installation Guide.
- You can update the Dynamic Workload Console from General Availability version 9.5 to the latest fix pack level, as described in Updating the Dynamic Workload Console to the latest Fix Pack level in Planning and Installation Guide.
- You can upgrade the Dynamic Workload Console from version 9.3 or later to General Availability version 9.5 and then update to the latest fix pack level, as described in the following topics in Planning and Installation Guide:
-
You can install the Dynamic Workload Console version 9.5 Fix Pack 6 Security as fresh install for more information. For further information, see .
If necessary, you can also return to a previous product version level, as described in Returning the Dynamic Workload Console to a previous product version level in Planning and Installation Guide.
Configuring your master domain manager in SSL mode
- Install the master domain manager or upgrade your current master domain manager to version 9.5.0.6 Security pack
- Replace the values of the following parameters in the
localopts file with the following values:
- nm SSL full port = 31113
- SSL key =TWA_home/TWS/ssl/OpenSSL/TWSClient.key
- SSL certificate = TWA_home/TWS/ssl/OpenSSL/TWSClient.cer
- SSL key pwd = TWA_home/TWS/ssl/OpenSSL/password.sth
- SSL CA certificate = TWA_home/TWS/ssl/OpenSSL/TWSTrustCertificates.cer
- SSL random seed =TWA_home/TWS/ssl/OpenSSL/TWS.rnd
- SSL Encryption Cipher = TLSv1.2
- Modify the master domain manager
and broker using the composer mod command, as
follows:
CCPUNAME your_master_domain_manager_workstation DESCRIPTION "MANAGER CPU" OS UNIX NODE localhost TCPADDR 31111 SECUREADDR 31113 DOMAIN MASTERDM FOR MAESTRO TYPE MANAGER AUTOLINK ON BEHINDFIREWALL OFF SECURITYLEVEL FORCE_ENABLED FULLSTATUS ON ENDCPUNAME your_broker_workstation DESCRIPTION "This workstation was automatically created." OS OTHER NODE localhost TCPADDR 41114 SECUREADDR 41114 DOMAIN MASTERDM FOR MAESTRO TYPE BROKER AUTOLINK ON BEHINDFIREWALL OFF SECURITYLEVEL FORCE_ENABLED FULLSTATUS OFF END - Modify the Broker.Workstation.PortSSL parameter in the
BrokerWorkstation.properties file from
false to true.
The Broker.Workstation.PortSSL parameter specifies the port used by the broker server to listen to the incoming traffic (equivalent to the Netman port) in SSL mode. It is first assigned at installation time. This port number must always be the same for all the broker servers that you define in your HCL Workload Automation network (one with the master domain manager and one with every backup master domain manager you install) to ensure consistency when you switch masters.
- Stop and start WebSphere Application Server Liberty Base, as described in Application server - starting and stopping.
- Stop and start all HCL Workload Automation processes.
- Run
Jnextplan -for 0000
Disk space requirements
Before starting the Fix Pack installation, ensure that you have the following space available in the file system. The values indicated in the table show the disk space required by the Dynamic Workload Console alone. For the disk space required by other components, see the relevant documentation.
For the most up-to-date information about disk space and memory requirements, see the hardware requirements at the following URL: see https://help.hcltechsw.com/workloadautomation/v95/Release_Notes_for_HCL_Workload_Scheduler_Dynamic_Workload_Console.htm.
| Operating System | Installation directory | Temporary directory |
|---|---|---|
| AIX® | 2 GB | 800 MB |
| Linux s390x | 2 GB | 800 MB |
| Linux x86-64 | 2 GB | 800 MB |
| Windows 64 | 2,5 GB | 1 GB |
/usr file system.If the installation fails because of lack of free disk space, you must stop the installation, free space on your disk, and start the installation again.
Documentation updates for HCL Dynamic Workload Console Fix Pack 6 Security, version 9.5.0
Any additions or changes to the documentation as a result of this Fix Pack have been integrated into the online product documentation available in HCL Workload Automation documentation.
Contacting HCL Software Support
Refer to the HCL Workload Automation Support page: https://www.hcltech.com/products-and-platforms#support
Notices
This information was developed for products and services offered in the US. This material might be available from HCL in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.
HCL may not offer the products, services, or features discussed in this document in other countries. Consult your local HCL representative for information on the products and services currently available in your area. Any reference to an HCL product, program, or service is not intended to state or imply that only that HCL product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any HCL intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-HCL product, program, or service.
HCL may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:
HCL
330 Potrero Ave.
Sunnyvale, CA 94085
USA
Attention: Office of the General Counsel
For license inquiries regarding double-byte character set (DBCS) information, contact the HCL Intellectual Property Department in your country or send inquiries, in writing, to:
HCL
330 Potrero Ave.
Sunnyvale, CA 94085
USA
Attention: Office of the General Counsel
HCL TECHNOLOGIES LTD. PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.
This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. HCL may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.
Any references in this information to non-HCL websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this HCL product and use of those websites is at your own risk.
HCL may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.
Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:
HCL
330 Potrero Ave.
Sunnyvale, CA 94085
USA
Attention: Office of the General Counsel
Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.
The licensed program described in this document and all licensed material available for it are provided by HCL under terms of the HCL Customer Agreement, HCL International Program License Agreement or any equivalent agreement between us.
The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary.
Information concerning non-HCL products was obtained from the suppliers of those products, their published announcements or other publicly available sources. HCL has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-HCL products. Questions on the capabilities of non-HCL products should be addressed to the suppliers of those products.
This information is for planning purposes only. The information herein is subject to change before the products described become available.
This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.
COPYRIGHT LICENSE:
This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms. You may copy, modify, and distribute these sample programs in any form without payment to HCL, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. HCL, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. HCL shall not be liable for any damages arising out of your use of the sample programs.
© (HCL) (2022).
Portions of this code are derived from HCL Sample Programs.
© Copyright HCL Ltd. _2022_.
Trademarks
HCL, and other HCL graphics, logos, and service names including "hcltech.com" are trademarks of HCL. Except as specifically permitted herein, these Trademarks may not be used without the prior written permission from HCL. All other trademarks not owned by HCL that appear on this website are the property of their respective owners, who may or may not be affiliated with, connected to, or sponsored by HCL.
Adobe™, the Adobe logo, PostScript™, and the PostScript logo are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States, and/or other countries.
IT Infrastructure Library™ is a Registered Trade Mark of AXELOS Limited.
Linear Tape-Open™, LTO™, the LTO Logo, Ultrium™, and the Ultrium logo are trademarks of HP, IBM® Corp. and Quantum in the U.S. and other countries.
Intel™, Intel logo, Intel Inside™, Intel Inside logo, Intel Centrino™, Intel Centrino logo, Celeron™, Intel Xeon™, Intel SpeedStep™, Itanium™, and Pentium™ are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
Linux™ is a registered trademark of Linus Torvalds in the United States, other countries, or both.
Microsoft™, Windows, Windows NT™, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.
 |
Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates. |
Cell Broadband Engine™ is a trademark of Sony Computer Entertainment, Inc. in the United States, other countries, or both and is used under license therefrom.
ITIL™ is a Registered Trade Mark of AXELOS Limited.
UNIX™ is a registered trademark of The Open Group in the United States and other countries.
Terms and conditions for product documentation
Permissions for the use of these publications are granted subject to the following terms and conditions.
Applicability
These terms and conditions are in addition to any terms of use for the HCL website.
Personal use
You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of HCL.
Commercial use
You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved. You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of HCL.
Rights
Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.
HCL reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by HCL, the above instructions are not being properly followed.
You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.
HCL MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.