Question & Answer
Question
I received a security notification regarding a vulnerability on a port. How do I identify the process that owns the port in order to address the vulnerability?
Answer
TARGET AUDIENCE:
Users seeking to identify LWI (Light Weight Web) Java processes and remove or disable them
OBJECTIVE:
The following steps will demonstrate how to identify the owning process, and, if the processes are either PCONSOLE or CAS, provide the appropriate references for disabling or removing the product.
OVERVIEW:
Administrators may receive port scanning notifications regarding a Java vulnerability on a port, and seek guidance to identify the process and address the vulnerability.
There can be many Java processes configured to run on AIX. Two that are often configured to start by default are:
- PCONSOLE for System Director (sysmgt.pconsole)
- Common Agent for System Director (cas.agent)
Note: This document addresses CAS and PCONSOLE as examples. Support for any other process should be provided by the respective owning product support team.
PROCEDURES:
I. IDENTIFICATION OF PROCESSES
1) Determine the socket control block address
    # netstat -Aan | grep 32916
    f1000e0000674bb8 tcp 0 0 *.32916 *.* LISTEN
    # netstat -Aan | grep 5336
    f1000e00007703b8 tcp 0 0 *.5336 *.* LISTEN
2) Use the rmsock command (which will not remove the socket, since it has a file descriptor, but will report the PID of the owning process)
    # rmsock f1000e0000674bb8 tcpcb
    The socket 0xf1000e0000674808 is being held by proccess 11993244 (java).
    # rmsock f1000e00007703b8 tcpcb
    The socket 0xf1000e0000770008 is being held by proccess 20381698 (java).
3) Identify the process
    # ps -ef | grep 11993244
    root 11993244 12189828 0 Apr 19 - 6:30 /var/opt/tivoli/ep/_jvm/jre/bin/java -Xmx384m -Xminf0.01 -Xmaxf0.4 -Dcom.ibm.jsse2.sp800-131=off -Dcom.ibm.jsse2.overrideDefaultProtocol=SSL_TLSv2 -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000 -Xbootclasspath/a:/var/opt/tivoli/ep/runtime/core/eclipse/plugins/com.ibm.rcp.base_6.2.3.20110824-0615/rcpbootcp.jar:/var/opt/tivoli/ep/lib/com.ibm.logging.icl_1.1.1.jar:/var/opt/tivoli/ep/lib/jaas2zos.jar:/var/opt/tivoli/ep/lib/jaasmodule.jar:/var/opt/tivoli/ep/lib/lwidiag.jar:/var/opt/tivoli/ep/lib/lwinative.jar:/var/opt/tivoli/ep/lib/lwinl.jar:/var/opt/tivoli/ep/lib/lwirolemap.jar:/var/opt/tivoli/ep/lib/lwisecurity.jar:/var/opt/tivoli/ep/lib/lwitools.jar:/var/opt/tivoli/ep/lib/passutils.jar:../../runtime/agent/lib/cas-bootcp.jar -Xverify:none -cp eclipse/launch.jar:eclipse/startup.jar:/var/opt/tivoli/ep/runtime/core/eclipse/plugins/com.ibm.rcp.base_6.2.3.20110824-0615/launcher.jar com.ibm.lwi.LaunchLWI

*** This process is the CAS agent process

    # ps -ef | grep 20381698
    root 6881504 10223692 0 13:33:07 pts/0 0:00 grep 20381698
    pconsole 20381698 17760310 0 13:26:54 - 0:16 /usr/java7_64/bin/java -Xmx512m -Xms20m -Xscmx10m -Xshareclasses -Xbootclasspath/p:/usr/java7_64/jre/lib/ibmjsseprovider2.jar -Dfile.encoding=UTF-8 -Xbootclasspath/a:/pconsole/lwi/runtime/core/eclipse/plugins/com.ibm.rcp.base_6.2.3.20110824-0615/rcpbootcp.jar:/pconsole/lwi/lib/ISCJaasModule.jar:/pconsole/lwi/lib/com.ibm.logging.icl_1.1.1.jar:/pconsole/lwi/lib/jaas2zos.jar:/pconsole/lwi/lib/jaasmodule.jar:/pconsole/lwi/lib/lwidiag.jar:/pconsole/lwi/lib/lwinative.jar:/pconsole/lwi/lib/lwinl.jar:/pconsole/lwi/lib/lwirolemap.jar:/pconsole/lwi/lib/lwisecurity.jar:/pconsole/lwi/lib/lwitools.jar:/pconsole/lwi/lib/passutils.jar -Xverify:none -cp eclipse/launch.jar:eclipse/startup.jar:/pconsole/lwi/runtime/core/eclipse/plugins/com.ibm.rcp.base_6.2.3.20110824-0615/launcher.jar com.ibm.lwi.LaunchLWI

*** This process is the AIX PCONSOLE for System Director
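Steps 1 to 3 combined into one script, as an added example (not IBM's code). The function names and `SAMPLE_NETSTAT` are chosen for this example, and the classification assumes the install paths seen in the sample output above (`/var/opt/tivoli/ep/` for CAS, `/pconsole/lwi/` for PCONSOLE) identify the product.

```shell
#!/bin/sh
# Added example (not IBM's code): steps 1-3 as parsers plus an AIX driver.

# Step 1: read `netstat -Aan` on stdin, print the PCB address of the socket
# LISTENing on exactly port $1 (plain `grep 5336` would also hit port 53360).
pcb_for_port() {
    awk -v port="$1" '$NF == "LISTEN" {
        p = $(NF-2); sub(/.*\./, "", p)      # local address "*.5336" -> "5336"
        if (p == port) print $1
    }'
}

# Step 2: read rmsock output on stdin, print the owning PID.
# rmsock spells it "proccess"; the pattern accepts either spelling.
pid_from_rmsock() {
    sed -n 's/.*held by proc[a-z]* \([0-9][0-9]*\) .*/\1/p'
}

# Step 3: read `ps -f` output on stdin and name the product. Assumption: the
# install paths in this page's sample output identify CAS and PCONSOLE.
classify_lwi() {
    awk '/com\.ibm\.lwi\.LaunchLWI/ && !r {
            if (index($0, "/pconsole/lwi/")) r = "PCONSOLE"
            else if (index($0, "/var/opt/tivoli/ep/")) r = "CAS"
            else r = "OTHER-LWI"
         }
         END { print (r ? r : "NOT-LWI") }'
}

# Driver for a live AIX host (the page's examples run at a root prompt).
identify_port() {
    netstat -Aan | pcb_for_port "$1" | while read -r pcb; do
        pid=$(rmsock "$pcb" tcpcb | pid_from_rmsock)
        if [ -z "$pid" ]; then echo "port $1 pcb $pcb: no PID reported"; continue; fi
        # ps -fp selects by PID, so the grep process itself never shows up
        echo "port $1 pcb $pcb pid $pid: $(ps -fp "$pid" | classify_lwi)"
    done
}

# Constructed sample: the page's two netstat lines plus a decoy on port 53360.
SAMPLE_NETSTAT='f1000e0000674bb8 tcp 0 0 *.32916 *.* LISTEN
f1000e00007703b8 tcp 0 0 *.5336 *.* LISTEN
f1000e0000771bb8 tcp 0 0 *.53360 *.* LISTEN'

if [ "$#" -ge 1 ]; then identify_port "$1"; fi
```

Run it with the port number from the scan report as the only argument; a result of OTHER-LWI or NOT-LWI means the process belongs to a different product.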
II. DISABLING OR REMOVING THE PROCESSES
A) CAS Agent:
The IBM Systems Director Product has been Withdrawn From Marketing. AIX 7.1 TL4 and later is not supported with ISD Server or Agent.
- See the announcement: http://www-01.ibm.com/support/docview.wss?uid=nas7452a24e9851ad53f86257f8f004bce0b
- See the following for IBM Systems Director Common Agent on AIX Options for Removing, Disabling, or Upgrading/Installing:
http://www-01.ibm.com/support/docview.wss?uid=nas750ca43279670cb1e86257bcd006a3621
**AIX 7.1 TL3 SP7 and below is supported for both ISD server and agent through your entitled Director support.
B) PCONSOLE
If you don't use System Director pconsole, it is safe (and recommended) to uninstall this fileset and any sysmgt.pconsole dependencies.
- See the following to Disable or Remove pconsole and/or WebSM filesets:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1024531
If you do use PCONSOLE, ensure you have the latest pconsole which uses a supported version of Java.
- See The Java on AIX End of Service: AIX Fileset Reference:
http://www-01.ibm.com/support/docview.wss?uid=isg3T1025869
**PCONSOLE is supported through your entitled AIX support
REFERENCES:
- System Director Withdrawn from Market: http://www-01.ibm.com/support/docview.wss?uid=nas7452a24e9851ad53f86257f8f004bce0b
- Removing or Disabling System Director Common Agent: http://www-01.ibm.com/support/docview.wss?uid=nas750ca43279670cb1e86257bcd006a3621
- Removing or Disabling PCONSOLE: http://www-01.ibm.com/support/docview.wss?uid=isg3T1024531
- Java on AIX End of Service: AIX Fileset Reference: http://www-01.ibm.com/support/docview.wss?uid=isg3T1025869
SUPPORT:
If additional assistance is required after completing all of the instructions provided in this document, please follow the step-by-step instructions below to contact IBM to open a service request (PMR) for software under warranty or with an active and valid support contract. The technical support specialist assigned to your support call will confirm that you have completed these steps.
a. Document and/or take screen shots of all symptoms, errors, and/or messages that might have occurred
b. Capture any logs or data relevant to the situation
c. Contact IBM to open a support call (PMR):
- For electronic support, please visit the web page: https://www-947.ibm.com/support/servicerequest/newServiceRequest.action
- For telephone support, please visit the web page: http://www.ibm.com/planetwide
- Please visit the IBM Support Portal web page for additional resources: https://www-947.ibm.com/support/entry/myportal/support
d. Provide a good description of your issue and reference this technote
e. Upload all of the details and data to your support call (PMR):
Please visit this web page for instructions: https://www.secure.ecurep.ibm.com/app/upload
FEEDBACK:
Quality documentation is important to IBM and its customers. If you have feedback specific to this article, please send a detailed message to the email address:
- aix_feedback@wwpdl.vnet.ibm.com
- This email address is monitored for feedback purposes only.
- No support for any IBM products or services will be provided through this email.
- To receive support, please follow the step-by-step instructions in the above "SUPPORT" section.
Document Information
Modified date: 15 September 2021
UID: isg3T1027835