SCA Release Notes

Updated 6/8/16, 11:18 PM by cglimson

This page contains the SCA release notes.

 

IBM BigFix Compliance version 1.8.33 (Patch 1)  - Released on 9 June 2016

This patch release covers the following fixes and updates:

  • Fixed APARs:
    • APAR IV71727 All of the vulnerabilities within the Analytics console differ from the BigFix console.
    • APAR IV83438 Security APAR, Multiple Ruby on Rails vulnerabilities in IBM BigFix Compliance
    • APAR IV84159 BigFix 9.2.6 Incorrect view of checks in the Groups view in SCA
    • APAR IV84868 New vulnerability to Windows system checks are not available in SCA
    • APAR IV85040 SCA Import failed due to null values
  • Resolved advisories
    • IBM JRE 8.0.3.0
      • Advisory ID: 5254: IBM SDK, Java Technology Edition Quarterly CPU - Apr 2016 - Includes Oracle Apr 2016 CPU + 3 IBM CVEs
      • Advisory ID: 5154: CODE BLUE [SE-2012-01] Broken security fix in IBM Java
    • InstallAnywhere Hotfix IOJ-1756928
      • Advisory ID: 4782: InstallShield and InstallAnywhere generate installation executables which are vulnerable to a DLL-planting vulnerability

 

Published site version:

SCM Reporting site, version 99.

 

Actions to take:

If you are using IBM BigFix Compliance 1.7.55 or earlier versions:

1. Gather the SCM Reporting site, version 99.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

3. Under the IBM BigFix Compliance Install/Upgrade menu tree item, select the IBM BigFix Compliance 1.8 Upgrade Fixlet, which automatically installs and upgrades to the new patch. Follow the Fixlet instructions and take the associated action to upgrade your IBM BigFix Compliance deployment.

4. Update the data schema. To do this, log in to the IBM BigFix Compliance web interface from the host server and proceed with configuration. Upgrading the data schema is expected and it will take some time to complete.

Note: BigFix Compliance version 1.5.78 is the minimum version required to upgrade to BigFix Compliance 1.8.

 

If you have not yet installed IBM BigFix Compliance or SCA, refer to these steps for first time installations.

1. In the License Dashboard in the IBM BigFix console, enable the SCM Reporting site.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

3. Select the Fixlet named IBM BigFix Compliance 1.8 First-time Install Fixlet under the IBM BigFix Compliance Install/Upgrade menu tree node.

4. Follow the Fixlet instructions and take the associated action to install your BigFix Compliance deployment.

 

IBM BigFix Compliance version 1.8.16  - Released on 31 March 2016

This release covers the following features, fixes, and updates: 

  • Support for BigFix Platform 9.5
  • Update to IBM Java 8.0.2.11
  • Update to IBM WebSphere Application Server 8.5.5.9 Liberty Profile
  • Update to Ruby on Rails 3.2.22.2
  • Fixes:
    •  APAR IV80537 - SCA 1.7.38 has poor web console performance, with response times up to 5 minutes
    • APAR IV79706 - Unable to use current active directory usernames when migrating to LDAP authentication and upgrading SCA to version 1.6



Published site version:

SCM Reporting site, version 98.



Actions to take:

If you are using IBM BigFix Compliance 1.7.55 or earlier versions:

1. Gather the SCM Reporting site, version 98.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

3. Under the IBM BigFix Compliance Install/Upgrade menu tree item, select the IBM BigFix Compliance 1.8 Upgrade Fixlet, which automatically installs and upgrades to the new patch. Follow the Fixlet instructions and take the associated action to upgrade your IBM BigFix Compliance deployment.

4. Update the data schema. To do this, log in to the IBM BigFix Compliance web interface from the host server and proceed with configuration. Upgrading the data schema is expected and it will take some time to complete.

Note: BigFix Compliance version 1.5.78 is the minimum version required to upgrade to BigFix Compliance 1.8.



If you have not yet installed IBM BigFix Compliance or SCA, refer to these steps for first time installations.

1. In the License Dashboard in the IBM BigFix console, enable the SCM Reporting site.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

3. Select the Fixlet named IBM BigFix Compliance 1.8 First-time Install Fixlet under the IBM BigFix Compliance Install/Upgrade menu tree node.

4. Follow the Fixlet instructions and take the associated action to install your BigFix Compliance deployment.

 

IBM BigFix Compliance version 1.7.55 (Patch 1) - Released on 19 November 2015

This patch release covers an APAR fix and addresses the security vulnerability CVE-2015-2017.

  • Fixed APAR IV75080 - Application files are viewable in the browser via "WEB-INF./"
  • Addressed susceptibility to the following security vulnerability: CVE-2015-2017 - HTTP response splitting attack in WebSphere Application Server

Published site version:

SCM Reporting site, version 97.

 

Actions to take:

If you are using IBM BigFix Compliance 1.7.38 or earlier:

1. Gather the SCM Reporting site, version 97.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

3. Under the IBM BigFix Compliance Install/Upgrade menu tree item, select the IBM BigFix Compliance 1.7 Upgrade Fixlet, which automatically installs and upgrades to the new patch. Follow the Fixlet instructions and take the associated action to upgrade your IBM BigFix Compliance deployment.

4. Update the data schema. To do this, log in to the IBM BigFix Compliance web interface from the host server and proceed with configuration. Upgrading the data schema is expected and it will take some time to complete.

Note: BigFix Compliance version 1.5.78 is the minimum version required to upgrade to BigFix Compliance 1.7.

 

If you have not yet installed IBM BigFix Compliance or SCA, refer to these steps for first time installations.

1. In the License Dashboard in the IBM BigFix console, enable the SCM Reporting site.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

3. Select the Fixlet named IBM BigFix Compliance 1.7 First-time Install Fixlet under the IBM BigFix Compliance Install/Upgrade menu tree node.

4. Follow the Fixlet instructions and take the associated action to install your BigFix Compliance deployment.

 

 

IBM BigFix Compliance 1.7.30 - Released on 2 October 2015

Additional References: User Guide | Setup Guide

These are the release notes for IBM BigFix Compliance version 1.7.30, formerly called IBM Endpoint Manager for Security and Compliance Analytics (SCA).

This release covers the following features, fixes, and updates: 

  • Single Sign-On user authentication using SAML 2.0
  • Single Sign-On user authentication using LTPA Token
  • Added REST API Token revocation
  • Update to IBM Java 8.0.1.10
  • Update to IBM WebSphere Application Server 8.5.5.7 Liberty Profile
  • Fixes and enhancements:
    • IV77343 - LDAP user can't log in to SCA
    • IV77429 - The context is around clickjacking

Published site version:

SCM Reporting site, version 91.

Actions to take:

If you are using IBM BigFix Compliance 1.6.139 or earlier versions:

  1. Gather the SCM Reporting site, version 91.
  2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.
  3. Under the IBM BigFix Compliance Install/Upgrade menu tree item, select the IBM BigFix Compliance 1.7 Upgrade Fixlet, which automatically installs and upgrades to the new patch. Follow the Fixlet instructions and take the associated action to upgrade your IBM BigFix Compliance deployment.
  4. Update the data schema. To do this, log in to the IBM BigFix Compliance web interface from the host server and proceed with configuration. Upgrading the data schema is expected and it will take some time to complete.

Note: BigFix Compliance version 1.5.78 is the minimum version required to upgrade to BigFix Compliance 1.7.30.

If you have not yet installed IBM BigFix Compliance or SCA, refer to these steps for first time installations.

  1. In the License Dashboard in the IBM BigFix console, enable the SCM Reporting site.
  2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.
  3. Select the Fixlet named IBM BigFix Compliance 1.7 First-time Install Fixlet under the IBM BigFix Compliance Install/Upgrade menu tree node.
  4. Follow the Fixlet instructions and take the associated action to install your BigFix Compliance deployment.

 

SCA 1.6.139 - Released on 22 July 2015

Additional References: Setup Guide | User Guide

This patch release covers the following fixes and updates:

  • Fixed the following:
    • Bug 67793: The dropdown to edit user groups now has a scrollbar if the list is too long and goes beyond the screen limit.
    • Bug 56776: OpenLDAP settings now use posixAccount and posixGroup as the default name/values for the user and group filters.
    • Bug 67012: Sibling computer groups with the same name are not allowed.
    • Bug 43621: Checks with multiple parameters that are without default values should all show <none> in the DSS desired value column.
    • Bug 59404: Boolean int, string values for metadata attribute 'hidden' are now allowed.
    • RTC 28715: Users are now prevented from extracting datasource passwords via JSON.
  • Moved to Rails 3.2.22.
  • Reverted to using single monolithic transaction for ETL.
  • Updated to IBM Java 7.1.3.1.

Action to take:

If you are using SCA 1.6.133:

  1. Gather the SCM Reporting site, version 88.
  2. Under the SCA Install/Upgrade menu tree item, select the TEM SCA 1.6 Upgrade Fixlet, which automatically installs and upgrades to the new patch. Follow the Fixlet instructions and take the associated action to upgrade your SCA deployment.
  3. Update the data schema. To do this, log in to the TEMA web interface from the host server and proceed with configuration. Upgrading the data schema is expected and it will take some time to complete.

If you have not yet installed SCA 1.6.133, refer to the Installation Instructions section for first time installations.

 

Published site version:

SCM Reporting site, version 88.

 

Installation Instructions:

To download IBM Endpoint Manager Analytics, perform the following steps:

1. In the IBM Endpoint Manager console, add the SCM Reporting masthead.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.

 

For first time installations:

1. Select the TEM SCA 1.6 First-time Install Fixlet under the SCA Install/Upgrade menu tree.

2. Take the associated action and follow the installation steps in the description of the Fixlet.

 

To upgrade existing installations:

You must update the data schema if you are upgrading your version of Security and Compliance Analytics. From the server hosting Security and Compliance Analytics, access the web interface and click Upgrade Schema.

Note: Version 1.4 is the minimum version that is required to upgrade to Security and Compliance Analytics 1.6.

1.    Select the TEM SCA 1.6 Upgrade Fixlet under the SCA Install/Upgrade menu tree item.

2.    Follow the Fixlet instructions and take the associated action to upgrade your TEM SCA deployment.

Note: If you are upgrading from SCA 1.6.133, no additional installation and configuration steps are required. Otherwise, log in to the TEMA web interface from the host server and proceed with configuration. Upgrading the data schema is expected and it will take some time to complete.

 

 

SCA 1.6.133 - Released on 18 May 2015

Additional References: Setup Guide | User Guide

This release covers the following enhancements and fixes:

  • Enhanced flexibility of computer groups associations. Using this feature, you can now make changes and assign users to complex computer groups without affecting the integrity of the compliance data that are reported.
  • Migration from Jetty to IBM WebSphere
  • Support for Transport Layer Security (TLS) 1.2 for HTTPS connections that are configured for TLS 1.2
  • Updated Security and Compliance Analytics installer
  • Expanded support for Windows 2012 R2 and Microsoft SQL 2014
  • End of support for versions of IBM Endpoint Manager earlier than 9.0
  • Support of operating systems with 64-bit versions only
  • Performance improvements when importing
  • Updated interface
  • Provided fixes and addressed the following:
    • 66946: (SCA) The PDF export failed and has an SSLHandshakeErrorTracker error
    • 62840: (TEMA) Unable to log in to AD with the following style: [DOMAIN]\[USER]
    • 66817: (TEMA) The User Provisioning search returns an error with Secure Global Catalog Services
    • 64844: (TEMA) Missing translation keys for TEMA SCA 1.5 features
    • 56424: (TEMA) Delete and add datasource should trigger a pending Import icon
    • 66892: (SCA) Unable to accept RSA private key with password (HTTPS configuration)
    • 67503: (TEMA) Import schedule does not accept 'PM' in Japanese or Korean locale
    • 58523: (TEMA) Mail Settings: The Save button shows 'Saving...' when sending test email
    • 66548: (SCA) SCM reporting wizard fails and has errors when synchronizing (PMR 7800442000, APAR IV71450)
    • 66004: (SCA) The filter on SCA 'Check Result' doesn't work if enabled in 'State' column in 'Configure View' (PMR 53999999760, APAR IV69022)
    • 63425: (SCA) SCA Import failing with Java::JavaLang::OutofMemoryError: Java heap space error (PMR 54880,442,000; 06877,67C,760)
    • 61417: (SCA) Initial ETL failed at SCM::Sentinel with SQL error in insert duplication key error (PMR 72384,442,000; 82539,442,000; 76771,499,000; 05086,100,838; 28453,070,724)
    • 66165: (SCA) Security and Compliance Analytics dashboard does not support Win server 2012 R2 (PMR 78306,499,000; 79361,420,631; 49633,004,000; 91067,661,706, APAR IV69341)
    • 65339, 66166, 66622: (SCA) Flexera software installer is not compatible with Win 2012 R2 (PMR 78309499000)
    • 62517: (SCA) Error: 500 5.5.1 Command unrecognized: ">" when attempting to send SCA report via email. (PMR[C]85540,057,649)

Installation Instructions:

To download IBM Endpoint Manager Analytics, perform the following steps:

1. In the IBM Endpoint Manager console, add the SCM Reporting masthead.

2. In the Security Configuration domain in the console, open the Configuration Management navigation tree.



For first time installations:

1. Select the TEM SCA 1.6 First-time Install Fixlet under the SCA Install/Upgrade menu tree.

2. Take the associated action and follow the installation steps in the description of the Fixlet.



To upgrade existing installations:

You must update the data schema if you are upgrading your version of Security and Compliance Analytics. From the server hosting Security and Compliance Analytics, access the web interface and click Upgrade Schema.

Note: Version 1.4 is the minimum version required to upgrade to Security and Compliance Analytics 1.6.

1.    Select the TEM SCA 1.6 Upgrade Fixlet under the SCA Install/Upgrade menu tree item.

2.    Follow the Fixlet instructions and take the associated action to upgrade your IEM SCA deployment.



 

SCA 1.5.92 - Released 9 April 2015

Additional References: Setup Guide | User Guide

This patch release provides fixes that address the following vulnerabilities:

This patch also provides fixes for 66004: The filters on Check Result are no longer ignored when the state column is selected and the top level criteria is set to 'ANY'.



Limitations:

Following the application of this patch, you must reset jetty.xml if you upgraded SCA from HTTPS protocol. This resolves an issue in generating PDFs introduced by the disabling of SSLv3.



To reset jetty.xml, perform the following steps upon completion of the patch upgrade:





1. Log in to the SCA web console.

2. Go to Management > Server Settings.

3. Click Save to ensure that jetty.xml gets updated.

4. Click Restart Service to apply the change.



Note:

If jetty.xml is reset before the upgrade, the changes made on jetty.xml will not apply any fixes.



Published site

SCM Reporting site, version 81.

(Site versions included for air-gap customers)



Download and Installation instructions:

To download IBM Endpoint Manager Analytics, perform the following steps:

1.    In the IBM Endpoint Manager console, add the SCM Reporting masthead.

2.    In the Security Configuration domain in the console, open the Configuration Management navigation tree.



For first time installations:

3.    Click the Security and Compliance Analytics dashboard.

4.   From the list of supported endpoints, select the target server and click Deploy Installer. An action opens that downloads the SCA software into a Tivoli Endpoint Manager Analytics folder inside the client folder on that server (for example, c:\Program Files\BigFix Enterprise\BES Installers\TEMA).



Note: If you are using the x86 version of a Windows operating system, the path to the install location will be c:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA.

For upgrading an existing installation:

3.   Under the Upgrade menu tree node, select the Fixlet named TEM SCA Upgrade (<latest available version of SCA>).

4.   Follow the Fixlet instructions and take the associated action to upgrade your TEM SCA deployment.

 

SCA 1.5.78 - Released 8 October 2014

Additional References: Setup Guide | User Guide

This release covers the following fixes and vulnerability updates:

  • Feature to configure report definitions across TEMA instances through REST API
  • Enhancements to report viewing:
    • Automatic exclusion of non-relevant template checklists from a user's SCA reports
    • Exclusion of Action sites as a checklist
    • Exclusion of checklists that have no SCM content
    • Inclusion of only the checklists that are subscribed to a user's viewable computers in the reports
    • Set up default views for report resources
    • Set up a default home page
  • Credentials obfuscation for database users
  • Exclusion of Action sites as a checklist (Fix for Bug# 59667)
  • Support for LDAP Active Directory global catalog
  • Support for the following:
    • Microsoft SQL versions 2012
    • Microsoft SQL versions 2014
    • Windows SQL Server 2012
  • Provided fixes and addressed the following:
    • 53648:  SCA Reporting does not report the UNIX Vulnerability History (PMR 59603,499,000)
    • 57316:  Import of SCM in TEMA 1.3.33 fails because of OOM (PMR 10560,999,744, 05996,019,866)
    • 59667:  A site without an SCM check is shown in TEMA SCA (39094,842,758)
    • 60868:  Ability to select which checks to import. In TEMA SCA 1.5, no checklist is shown in the TEMA Analytics UI if there is 0 computer subscribed to the site (91187,019,866).
    • 61631:  Upgrading to SCA 1.4 fails with a 'duplicate key' error. The site name contains special characters that TEMA SCA treated as the same character ([C]09006,379,000).
    • 62328:   Error when trying to delete old data source out of TEMA SCA datasources view (27703,442,000).
    • 62489: Error indicating that there's not enough memory when the user attempts to add DB2 database as a datasource in TEMA SCA configuration. SCA 1.5 fixed the memory limitation error. (53320,442,000, [C]05875,49R,000).
    • 62875, 64870: When exporting SCA to .CSV file, the line feed as a field separator is not recognized. (47136,694,760).
    • 63285: Error when attempting to connect TEMA SCA to datasource (81167,122,000).
    • 63962: ETL Failed over DB2 TEM DB 9.1.x (03058,442,000)
    • 30316: Computers that are marked as deleted with BESComputerRemover still appear in TEMA
    • 46477: Slow Report Page load performance over a large check result set
    • 55527: TEMA does not handle IEM that is being used by SCA and SUA with different BES schema extension requirements
    • 57769: DB2: ETL fails against DB2 with Windows external site in a localized deployment
    • 61372: TEMA fails to initialize after install due to an error caused by JRuby upgrade.
    • 61415: The About menu does not work.
    • 61669: SCA fresh installation fails with exception on production due to an error caused by JRuby upgrade.
    • 61730: Scheduled report emails fail to send after upgrade to 1.4.35.
    • 62387: Computer Property Values fail to populate if computers are updated mid-ETL
    • 62391: Datasource sequence is calculated at ETL start
    • 62725: Hard deleted computer fix should only target the most recent computer SCD rows
    • 63059: The TEMA installer does not open the HTTPS URL when upgraded
    • 63181: SCA 1.5 service name & description needs update in the installer.
    • 63291: SCA does not accept RSA keys (HTTPS configuration).
    • 63369: Check on saved report returns the following error: undefined method `locale=' for #<ReportSubscription @values={}>.
    • 63493: The TEMA SCA upgrade failed when DB auth for IEM/TEMA has the correct SQL Auth with sysadmin but not the DBOwner.
    • 63495: TEMA SCA UI doesn't display well on IE after the upgrade
    • 63522: SCA 1.4.46: An error returns when Check or Check result reports is selected.
    • 63565: Wrong ssl port (LDAP) for active directory
    • 63627: TEMA is prompted to reconfigure database connection but fails to reconnect after a new database is provided
    • 63634: TEMA fresh install fails and has a page error when the Operator provides an incorrect database credential
    • 63744: Failed TEMA service restart after port changes were made
    • 63871: The scheduled report with PDF is not sent
    • 64059: Memory leak over continuous ETL (with JRuby)

 

SCA 1.4.46 - Released February 27, 2014

This patch release covers the following fixes and vulnerability updates:

  • Fixed the following upgrade issues:
    • 60536: User provisioning returns an exception error that indicates that the time limit has been exceeded
    • 61631: Upgrade to SCA 1.4 fails with 'duplicate key' error
    • 60662: Upgrade to TEMA SCA 1.4.35 brought the following error: HTTP ERROR: 503 SERVICE_UNAVAILABLE
    • 61730: Upgrade to TEMA SCA 1.4.35 made scheduled report emails fail
  • Addressed TEMA susceptibility to various Java vulnerabilities (CVE-2013-4491, 61368 and 61363). For detailed vulnerability updates, see http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_November_2013

 

SCA 1.4.35 - Released November 21, 2013

This patch release covers the following enhancements and fixes:

  • Added a feature to allow multiple scheduled imports on a daily interval.
  • Added a feature in the check report page to show the check description value.
  • Fixed the issue where the measured value column in the CSV export file shows blank data when opened in Excel. The issue was caused by the data wrap in the second line. (PMR: [C]82040,122,000)
  • Fixed the issue where the SCA fails to export PDF files when the user is viewing multiple records (PMR: [C]11852,999,744)
  • Fixed the upgrade issue that occurs during a database schema update when an NT service user name is not being validated due to a case mismatch. SCA attempts to match the DB owner user name with that of the SCA user name accessing the database. (PMR: [C]65387,L6Q,000; [C]55310,499,000)
  • Fixed the following LDAP issues:
    • 60536: User provisioning returns an exception error that indicates that the time limit has been exceeded
    • 60507: User provisioning takes long time and returns an exception error that indicates that the size limit has been exceeded
    • 60505: LDAP test connection takes a long time over large TDS LDAP repositories and test results indicate that the size limit has been exceeded
    • 59825: LDAP authentication does not work for Tivoli Directory Server (TDS)

 

SCA 1.4.29 - Released October 11, 2013

This maintenance patch release supports the upgrade path from TEMA SCA 1.3.33 to 1.4.29. Users who already have TEMA 1.4.28 do not require upgrades.

 

SCA Patch 1.4.28 - Released October 2, 2013

  • Fixed the issue of SCA not exporting the data correctly to CSV. The CSV export generation time was optimized. (PMR: [C]20178,442,000)
  • Fixed the TEMA SCA 1.4 issue of failed upgrades during the update of the database schema. The fix resolved the upgrade error for the historically deleted Vulnerability checklist. (PMR: 65387,L6Q,000; 55310,499,000)



Actions to take 

To download IBM Endpoint Manager Analytics, perform the following steps:

1.    In the IBM Endpoint Manager console, add the SCM Reporting masthead.

2.    In the Security Configuration domain in the console, open the Configuration Management navigation tree.



For first time installations:

3.    Click the Security and Compliance Analytics dashboard.

4.   From the list of supported endpoints, select the target server and click Deploy Installer. An action opens that downloads the SCA software into a Tivoli Endpoint Manager Analytics folder inside the Tivoli Endpoint Manager client folder on that server (for example, c:\Program Files\BigFix Enterprise\BES Installers\TEMA).



Note: If you are using the x86 version of a Windows operating system, the path to the install location will be c:\Program Files (x86)\BigFix Enterprise\BES Installers\TEMA.



For upgrading an existing installation:

3.   Under the Upgrade menu tree node, select the Fixlet named TEM SCA Upgrade (<version>), where <version> is the latest available version of SCA and is listed above.

4.   Follow the Fixlet instructions and take the associated action to upgrade your TEM SCA deployment.