Readme file for IBM(R) TRIRIGA(R) Application Platform 3.4.2.4 fix pack.

Date: May 30, 2016

IBM Corporation
Copyright(C) International Business Machines Corporation 2016. All rights reserved.
US Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.

===============================================================================================
Table of Contents
===============================================================================================

1. Introduction
2. Information resources
3. Installation instructions
4. Resolved issues
5. Notices

===============================================================================================
1. Introduction
===============================================================================================

This fix pack updates the TRIRIGA Application Platform product.

-----------------------------------------------------------------------------------------------
Prerequisites and supported products
-----------------------------------------------------------------------------------------------

To install this fix pack, you must already have IBM TRIRIGA Application Platform 3.4.2 installed.

===============================================================================================
2. Information resources
===============================================================================================

Knowledge center
URL: http://www-01.ibm.com/support/knowledgecenter/SSHEB3_3.4.2/com.ibm.tap.doc_3.4.2/product_landing.html
Description: Access the Knowledge Center to view the product documentation. Topics include product overviews; installation and configuration tasks; instructions for using, administering, and troubleshooting the product; and security information.

Real Estate and Facilities Management community on Service Management Connect
URL: https://www.ibm.com/developerworks/servicemanagement/rfm/
Description: Use Service Management Connect to access blogs, wikis, forums, and communities. In Service Management Connect you can review information such as best practices, performance and tuning, and product integrations. You can also collaborate with IBM experts and the broader user community.

IBM TRIRIGA Application Platform support resources portal
URL: http://www.ibm.com/support/entry/portal/overview/software/tivoli/ibm_tririga_application_platform
Description: The IBM support resources portal provides access to tools and resources to keep your systems, software, and applications running smoothly. From the support resources portal you can find fixes, service requests, useful links and an enhanced search to help you find information quickly.

===============================================================================================
3. Installation instructions
===============================================================================================

The fix pack file can be extracted into any directory. Before extracting and running the fix pack, back up the existing TRIRIGA files and make a backup copy of the database.

NOTE: In the patch folder for the 3.4.2.4 fix pack, when the fix pack installer backs up the ibm-tririga.war file, the back-up .war file appears as the ibs-tririga.war.bak file.

Follow these steps to apply this fix pack:

1 Ensure that no database configuration changes are pending.
2 Shut down all of your application and process servers.
3 Take a backup of the database and of the TRIRIGA install directory.
4 For IBM WebSphere Application Server, after the backup has been completed, restart WebSphere.
5 For Oracle WebLogic installations, the Oracle WebLogic Application Server must be started and running while the fix pack is applied.
6 Download the 3.4.2-TIV-TAP-FP004 file.
7 Unzip the file and run the patch executable file (fixpack_tririga_v3.4.2.4.exe or fixpack_tririga_v3.4.2.4.bin).
8 In the Introduction panel, click Next.
9 In the license agreement panel, accept the terms and click Next. (If you do not accept the terms, the patch will exit.)
10 Choose the directory where TRIRIGA is installed.
   For example:
   c:\ibm\tririga\
   Or
   /opt/ibm/tririga/
11 Review the information, and click Next.
12 The fix pack process will patch the WAR file, run any platform database fix pack scripts, and redeploy the WAR file in Liberty.
13 For Oracle WebLogic Application Server, delete all the cache, tmp, and .wlnotdelete directories that may contain files left over from the previous application/ear installation.
   For example:
   C:\oracle\weblogic10\user_projects\domains\tririga10domain\servers\tririgaServer\cache
   C:\oracle\weblogic10\user_projects\domains\tririga10domain\servers\tririgaServer\tmp
   Or
   /opt/oracle/weblogic10/user_projects/domains/tririga10domain/servers/tririgaServer/cache
   /opt/oracle/weblogic10/user_projects/domains/tririga10domain/servers/tririgaServer/tmp
14 For Oracle WebLogic Application Server, the fix pack process will attempt to redeploy the WAR file into the managed server. However, because of conditions in the server environment outside of IBM TRIRIGA's control, it may be necessary to manually redeploy the WAR file. Restart the application server when the fix pack has completed, and check the build number in the IBM TRIRIGA Administrator Console. If the old .war file is still shown, redeploy the .war file following Oracle's instructions for deploying a .war application into the managed server. The WAR file is located in the root TRIRIGA install directory.
   For example:
   c:\ibm\tririga\tririga-ibs.war
   /opt/ibm/tririga/tririga-ibs.war
15 For IBM WebSphere Application Server Liberty Core profile, the WAR file should be deployed and the cache directories will be automatically removed. All that is required is to restart Liberty.
16 For WebSphere Application Server, the WAR file will be redeployed and started automatically. If it fails to deploy, you can try to deploy it manually. The WAR file is located in the root TRIRIGA install directory.
   For example:
   c:\ibm\tririga\ibm-tririga.war
   /opt/ibm/tririga/ibm-tririga.war
17 For Oracle WebLogic Application Server, the fix pack process attempts to restart the managed server. You might need to manually restart the application server.

==========================================================================================================
4. Resolved issues
==========================================================================================================

----------------------------------------------------------------------------------------------------------
The following issues were resolved in this fix pack.
----------------------------------------------------------------------------------------------------------

----------------
Security Issues:
----------------

IBM does not intend to provide vulnerability details that could enable someone to craft an exploit.

IBM uses the Common Vulnerability Scoring System (CVSS) as a standard for communicating the impact of security vulnerabilities in IBM products and solutions. CVSS is an industry open standard for assessing the severity or impact of computer system security vulnerabilities. This standard attempts to establish a numeric measure that represents how much concern or attention the vulnerability warrants. The resulting CVSS score is based on an assessment of a series of metrics. The CVSS Base Score represents the intrinsic and fundamental characteristics of the vulnerability that are typically constant over time and across user environments.

For more information, see http://www-03.ibm.com/security/secure-engineering/bulletins.html

----------------------------------------------------------------------------------------------------------
The following security issues were resolved in the TRIRIGA Application Platform 3.4.2.4 fix pack
----------------------------------------------------------------------------------------------------------

---
CVEID: CVE-2016-0374
TITLE: Privilege escalation vulnerability
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112236 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
---
CVEID: CVE-2016-0362
TITLE: Unintended Proxy or Intermediary
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111932 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
---
CVEID: CVE-2016-0387
TITLE: Cross-site Scripting Vulnerability
DESCRIPTION:
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112505 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
---
CVEID: CVE-2016-0386
TITLE: Cross Site Request Forgery Vulnerability
CVSS Base Score: 8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
---
CVEID: CVE-2016-2883
TITLE: Cross-site Scripting Vulnerability
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112862 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

----------------------------------------------------------------------------------------------------------
General Issues:
----------------------------------------------------------------------------------------------------------

Update the upload file exclusion properties in TRIRIGAWEB.properties so that .html, .htm, and .js files cannot be uploaded. The default value is .exe. Edit your TRIRIGAWEB.properties file and add .html, .htm, and .js to the exclusion lists to prevent HTML content from being uploaded onto the server.
For example:
COMPANY_FILE_UPLOAD_EXCLUDE_EXTENSIONS=.exe, .html, .htm, .js
IMPORT_CONTENT_EXCLUDE_EXTENSIONS=.exe, .html, .htm, .js

---
APAR #: IV83539
Defect: 219841
Description: An existing list or a list that is imported with object migration now displays the correct value in the Language field when you open the list for edit. A list that is imported is in the target environment's base language regardless of the language of the list in the source.
---
APAR #:
Defect: 221541
Description: Users that have full security access to the scorecard manager can now create and edit scorecards.
---
APAR #:
Defect: 221749
Description: If the WF_NOTIFICATION_EMAIL_ID_FROM_DISPLAY_LABEL property is not present in TRIRIGAWEB.properties, email notifications will now send.
---
APAR #: IV83117
Defect: 223064
Description: You can add a property that is called the TINYMCE_HTML_EDITOR_ENABLED property to the TRIRIGAWEB.properties file. The TINYMCE_HTML_EDITOR_ENABLED property determines whether the HTML Editor button displays in the notes field of a form. The value of the property is set to true by default and displays the button in the notes field.
---
APAR #: IV83460
Defect: 224855
Description: File types that cannot be previewed in the Print Preview tab of a document record are no longer downloaded automatically.
---
APAR #: IV79168
Defect: 223205
Description: Queries now obey the filters that you define on all pages.
---
APAR #: IV83782
Defect: 223434
Description: The My Bookmarks window closes after a Bookmark Item has been selected.
---
APAR #: IV83317
Defect: 223626
Description: For non-US English-language TRIRIGA CAD Integrator/Publisher users, clicking the Show More Results action now shows additional data.
---
APAR #: IV84613
Defect: 223767
Description: The System module appears in the Select Modules drop-down lists within the Data Map tab of Integration Objects when the staging tables exist.
---
APAR #: IV84158
Defect: 223770
Description: In the Reservation Outlook Addin, Room Availability and Room Calendars display when you view or create a TRIRIGA appointment.
---
APAR #: IV84157
Defect: 223908
Description: Incoming Mail Agent now uses the System user to process all incoming mails.
---
APAR #:
Defect: 224179
Description: The security token generation logic was enhanced to help protect against CSRF attacks.
---
APAR #: IV84064
Defect: 224417
Description: An issue was resolved where a populated notes field was cleared after opening, selecting, or saving a modal page, and then saving the parent record. Now, the notes field saves all content.
---
APAR #: IV83660
Defect: 220397
Description: Excel exports from reports with sums now display the total row.
---
APAR #: IV84538
Defect: 225053
Description: Dependent lists will now allow a value selection when the parent list is read only within an editable query.
---
APAR #: IV84867
Defect: 225099
Description: Resolved an Offlining populate issue involving single record smart section fields referenced by a selector tag. Incorrect values were being populated in what were expected to be blank cells on the Excel spreadsheet, if the single record smart section on at least one of the records returned by the selector contained no values.
---
APAR #: IV84367
Defect: 225369
Description: A portal section that displays a report with group by now renders correctly.
---
APAR #: IV84808
Defect: 225370
Description: Increased the storage of the workflow ID number to handle large numbers when adding synchronous workflows to the queue.
---
APAR #: IV85103
Defect: 226138
Description: Cross-site scripting attacks can no longer be run through image uploads.
---

====================================================================================================
5. Notices
====================================================================================================

This information was developed for products and services offered in the US. This material might be available from IBM in other languages. However, you may be required to own a copy of the product or product version in that language in order to access it.

IBM may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
19-21, Nihonbashi-Hakozakicho, Chuo-ku
Tokyo 103-8510, Japan

INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some jurisdictions do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM websites are provided for convenience only and do not in any manner serve as an endorsement of those websites. The materials at those websites are not part of the materials for this IBM product and use of those websites is at your own risk.

IBM may use or distribute any of the information you provide in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Director of Licensing
IBM Corporation
North Castle Drive, MD-NC119
Armonk, NY 10504-1785
US

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this document and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement or any equivalent agreement between us.

The performance data discussed herein is presented as derived under specific operating conditions. Actual results may vary.

The client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

The performance data and client examples cited are presented for illustrative purposes only. Actual performance results may vary depending on specific configurations and operating conditions.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

Statements regarding IBM's future direction or intent are subject to change or withdrawal without notice, and represent goals and objectives only.

All IBM prices shown are IBM's suggested retail prices, are current and are subject to change without notice. Dealer prices may vary.

This information is for planning purposes only. The information herein is subject to change before the products described become available.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to actual people or business enterprises is entirely coincidental.

COPYRIGHT LICENSE:

This information contains sample application programs in source language, which illustrate programming techniques on various operating platforms.
You may copy, modify, and distribute these sample programs in any form without payment to IBM, for the purposes of developing, using, marketing or distributing application programs conforming to the application programming interface for the operating platform for which the sample programs are written. These examples have not been thoroughly tested under all conditions. IBM, therefore, cannot guarantee or imply reliability, serviceability, or function of these programs. The sample programs are provided "AS IS", without warranty of any kind. IBM shall not be liable for any damages arising out of your use of the sample programs.

Each copy or any portion of these sample programs or any derivative work must include a (c) (your company name) (year). Portions of this code are derived from IBM Corp. Sample Programs. (c) Copyright IBM Corp. _enter the year or years_.

Trademarks

IBM, the IBM logo, and ibm.com are trademarks or registered trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Terms and Conditions For Product Documentation

Permissions for the use of these publications are granted subject to the following terms and conditions.

Applicability

These terms and conditions are in addition to any terms of use for the IBM website.

Personal Use

You may reproduce these publications for your personal, noncommercial use provided that all proprietary notices are preserved. You may not distribute, display or make derivative work of these publications, or any portion thereof, without the express consent of IBM.

Commercial Use

You may reproduce, distribute and display these publications solely within your enterprise provided that all proprietary notices are preserved.
You may not make derivative works of these publications, or reproduce, distribute or display these publications or any portion thereof outside your enterprise, without the express consent of IBM.

Rights

Except as expressly granted in this permission, no other permissions, licenses or rights are granted, either express or implied, to the publications or any information, data, software or other intellectual property contained therein.

IBM reserves the right to withdraw the permissions granted herein whenever, in its discretion, the use of the publications is detrimental to its interest or, as determined by IBM, the above instructions are not being properly followed.

You may not download, export or re-export this information except in full compliance with all applicable laws and regulations, including all United States export laws and regulations.

IBM MAKES NO GUARANTEE ABOUT THE CONTENT OF THESE PUBLICATIONS. THE PUBLICATIONS ARE PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT, AND FITNESS FOR A PARTICULAR PURPOSE.

Privacy Policy Considerations

IBM Software products, including software as service solutions, ("Software Offerings") may use cookies or other technologies to collect product usage information, to help improve the end user experience, to tailor interactions with the end user or for other purposes. In many cases no personally identifiable information is collected by the Software Offerings. Some of our Software Offerings can help enable you to collect personally identifiable information. If this Software Offering uses cookies to collect personally identifiable information, specific information about this offering's use of cookies is set forth below.

This Software Offering does not use cookies or other technologies to collect personally identifiable information.

If the configurations deployed for this Software Offering provide you as customer the ability to collect personally identifiable information from end users via cookies and other technologies, you should seek your own legal advice about any laws applicable to such data collection, including any requirements for notice and consent.

For more information about the use of various technologies, including cookies, for these purposes, see IBM's Privacy Policy at www.ibm.com/privacy and IBM's Online Privacy Statement at www.ibm.com/privacy/details in the section entitled "Cookies, Web Beacons and Other Technologies" and the "IBM Software Products and Software-as-a-Service Privacy Statement" at www.ibm.com/software/info/product-privacy/.