tc Server Plug-in Known Vulnerabilities and Issues
Components of tc Server Plug-in
SpringSource tc Server Plug-in (for SpringSource AMS / Hyperic HQ) is built with the following components. See each component's security advisories for details of the vulnerabilities and issues that may affect that component.
| Component | Security advisories |
|---|---|
| Dojo | Dojo security advisories |
| Spring Framework | Spring Framework security advisories |
tc Server Plug-in is built using the following versions of these components:
| tc Server Plug-in version | Dojo version | Spring Framework version |
|---|---|---|
| 1.0.0.RELEASE | 1.3.2 | 2.5.6.A & 3.0.0.RC1 |
| 1.1.0.RELEASE | 1.3.2 | 2.5.6.A & 3.0.0.RC1 |
| 1.1.0.SR01 | 1.3.2 | 2.5.6.A & 3.0.3.RELEASE |
| 2.0.0.RELEASE | 1.3.2 | 2.5.6.A & 3.0.0.RELEASE |
| 2.0.1.RELEASE | 1.3.3 | 2.5.6.A & 3.0.0.RELEASE |
| 2.0.2.RELEASE | 1.3.3 | 2.5.6.A & 3.0.0.RELEASE |
| 2.0.2.SR02 | 1.3.3 | 2.5.6.A & 3.0.3.RELEASE |
| 2.0.3.RELEASE | 1.3.3 | 2.5.6.A & 3.0.3.RELEASE |
| 2.0.4.RELEASE | 1.3.3 | 2.5.6.A & 3.0.3.RELEASE |
| 2.0.5.RELEASE | 1.3.3 | 2.5.6.A & 3.0.3.RELEASE |
| 2.0.5.SR01 | 1.3.3 | 2.5.6.A & 3.0.3.RELEASE |
| 2.0.6.RELEASE | 1.3.3 | 2.5.6.A & 3.0.3.RELEASE |
The Dojo vulnerabilities in the tc Server plug-in versions 1.0.0 and 1.1.0 may be mitigated by deleting the following file from the AMS Server installation:
$AMS_INSTALL_DIR/hq-engine/server/default/deploy/tomcatserverconfig.war/dojo/resources/iframe_history.html
This file has been removed in tc Server Plug-in 2.0.0 onwards.
To upgrade the tc Server plug-in in an existing AMS Server:
1. Stop the AMS Server.
2. Delete the directories from the old version of the plug-in:
$AMS_INSTALL_DIR/hq-engine/server/default/deploy/hq.ear/hq.war/hqu/tcserverclient
$AMS_INSTALL_DIR/hq-engine/server/default/deploy/hq.ear/hq.war/hqu/tomcatappmgmt
$AMS_INSTALL_DIR/hq-engine/server/default/deploy/hq.ear/hq.war/hqu/tomcatserverconfig
$AMS_INSTALL_DIR/hq-engine/server/default/deploy/tomcatserverconfig.war
where $AMS_INSTALL_DIR refers to the main AMS Server installation directory, such as /home/ams/server-2.0.0.SR04.
For example:
prompt$ cd /home/ams/server-2.0.0.SR04
prompt$ rm -r hq-engine/server/default/deploy/hq.ear/hq.war/hqu/tcserverclient
prompt$ rm -r hq-engine/server/default/deploy/hq.ear/hq.war/hqu/tomcatappmgmt
prompt$ rm -r hq-engine/server/default/deploy/hq.ear/hq.war/hqu/tomcatserverconfig
prompt$ rm -r hq-engine/server/default/deploy/tomcatserverconfig.war
3. Unzip the contents of the ZIP file into the following directory:
$AMS_INSTALL_DIR/hq-engine/server/default/deploy
where $AMS_INSTALL_DIR refers to the main AMS Server installation directory, such as /home/ams/server-2.0.0.SR04.
For example, if you downloaded the tc Server plug-in file into the /home/Downloads directory:
prompt$ cd /home/ams/server-2.0.0.SR04/hq-engine/server/default/deploy
prompt$ unzip /home/Downloads/springsource-tc-server-hq-plugin-server-1.1.0.SR01.zip
4. Start the AMS Server.
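A read-only check of an installation against the paths named in the Dojo mitigation and in step 2, as an added example that is not part of the original page. The function names and exit codes are this example's own; only the directory and file paths come from the page.

```shell
#!/bin/sh
# Added example, not part of the original page: read-only audit of an AMS
# Server installation using only the paths this page lists.

DEPLOY_REL="hq-engine/server/default/deploy"
DOJO_REL="tomcatserverconfig.war/dojo/resources/iframe_history.html"

# Succeeds (0) when the Dojo file named in the mitigation is absent.
dojo_file_absent() {
    [ ! -e "$1/$DEPLOY_REL/$DOJO_REL" ]
}

# Prints each step-2 plug-in directory that exists, one per line.
list_plugin_dirs() {
    for d in hq.ear/hq.war/hqu/tcserverclient \
             hq.ear/hq.war/hqu/tomcatappmgmt \
             hq.ear/hq.war/hqu/tomcatserverconfig \
             tomcatserverconfig.war; do
        if [ -d "$1/$DEPLOY_REL/$d" ]; then
            echo "$1/$DEPLOY_REL/$d"
        fi
    done
}

# Full report. Exit status: 0 clean, 1 Dojo file present, 2 bad install dir.
audit_ams() {
    if [ ! -d "$1/$DEPLOY_REL" ]; then
        echo "ERROR: $1/$DEPLOY_REL not found" >&2
        return 2
    fi
    found=$(list_plugin_dirs "$1")
    if [ -n "$found" ]; then
        echo "Plug-in directories present:"
        echo "$found" | sed 's/^/  /'
    else
        echo "No plug-in directories present (state expected after step 2)."
    fi
    if dojo_file_absent "$1"; then
        echo "OK: iframe_history.html is absent."
    else
        echo "WARN: $1/$DEPLOY_REL/$DOJO_REL is present (see the mitigation above)."
        return 1
    fi
}

# Stand-alone use: sh audit_ams.sh /home/ams/server-2.0.0.SR04
if [ -n "${1:-}" ]; then
    audit_ams "$1"
fi
```

Run it after step 2 to confirm that no old plug-in directory is left behind, and again after step 3 to confirm that the unpacked plug-in does not contain iframe_history.html.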
Known Vulnerabilities in tc Server Plug-in
There are no known vulnerabilities in the tc Server Plug-in over and above those known to exist in the components of the tc Server Plug-in.

