How To
Summary
Customers planning to apply the iFix ibm-apiconnect-v10.0.8.x-ifix-13195 to remediate the security vulnerability described in Security Bulletin https://www.ibm.com/support/pages/node/7255149 can follow the steps outlined below.
Objective
Steps:
- Download the fix from Fix Central as per https://www.ibm.com/support/pages/node/7255149
- Extract the files. The download contains two files: Readme.md and ibm-apiconnect-<version>-ifix.13195.tar.gz
- Apply the fix based on your form factor and your API Connect version.
    apim: 36f6071b08c4a23cd8fb8e0db6c7f39c21b28669e3878cf5d839b3e68884750d
    juhu: 1c497febcf53b7917f29fdb212493b02f4f68ef6a57e9a5d81b548fc15e9ea76
10.0.8.2-ifix1
    apim: 449d75a988bbd3040043f6605dd5c3042543795a0dbc6b80169be017f7206103
    juhu: 626090f00cfea4312fdca69114ad899873c9de564b45783f35943ec546b9099b
10.0.8.2-ifix2
    apim: b35196d6f0e81c1a8d165b259691cef668418307754c7a441b987eff59381e61
    juhu: 75fa77fe0b61e85d3c809c9d36106ffee2ff558b7da6e60cccc9768af18c2830
10.0.8.3
    apim: 48dd7cb9a787a303d485af2f4c0f3c18fc9cce36e6f845c0f4b15650312d6838
    juhu: 83935499ec379a9d27d10089827e43c0c665475c36072620bed975261bf37a7a
10.0.8.4
    apim: 9fc54fbda7bcf42386d12e380856d6dbc35a113462c47bf318f3bc13822d6f6c
    juhu: cd11a2a126278dd9c5eb51305970195a2c97f8417c90671a04fcd9efbf228bc0
10.0.8.5
    apim: 664e1df3226d681b562da3d480cccd7b5931503d7e8970a4cc9aae67bf9cce37
    juhu: c412b82f5cbb066f35f6073ab4f89069f0a17eb202b9222a11dd3aaab5de32a2
10.0.11.0
    apim: 7d33c65b2e3f78165920b51e68620f5ddb551940f972c7d81cbbe97fed28c8c7
    juhu: 9ea00abd372f2837764ff40074b1f7c7570021daca40efb6957cf341e0d3c786
Steps to apply the fix
VMware/Appliance Install:
Image archive upload and extraction
For each node of the Management subsystem that needs to be patched:
1. Upload the `ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz` file using
scp ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz apicadm@<hostname>:~
where `<hostname>` should be replaced with the host name or IP of the node
2. ssh into the node and become root with
sudo -i
3. Unpack the images on each of the management nodes
cd /var/lib/apiconnect-subsystem/registry/
tar xf /home/apicadm/ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz
4. This should result in creation of the following paths for version 10.0.8.5. The paths will change based on the version:
/var/lib/apiconnect-subsystem/registry/laifix-images/apim/10.0.8.5-ifix.13195-13
/var/lib/apiconnect-subsystem/registry/laifix-images/juhu/10.0.8.5-ifix.13195-13
5. Then restart the appliance-manager on each node with
systemctl restart appliance-manager
Image override
1. Create or update an `extra-values-file.yml` for the management subsystem that needs to be patched, with content
spec:
  template:
  - name: apim
    containers:
    - name: apim
      image: 127.0.0.1:8675/laifix-images/apim@sha256:664e1df3226d681b562da3d480cccd7b5931503d7e8970a4cc9aae67bf9cce37
  - name: juhu
    containers:
    - name: juhu
      image: 127.0.0.1:8675/laifix-images/juhu@sha256:c412b82f5cbb066f35f6073ab4f89069f0a17eb202b9222a11dd3aaab5de32a2
2. If the file was not already configured for the subsystem, run the command:
apicup subsys set [MANAGEMENT-SUBSYS-NAME] extra-values-file [extra-values-file]
3. Proceed to propagate the project update to all the nodes in the management subsystem cluster:
apicup subsys install [MANAGEMENT-SUBSYS-NAME]
4. Verify the health-check comes back clean
apicup subsys health-check [MANAGEMENT-SUBSYS-NAME]
Verification:
On the cluster, look at the pods and compare their image digests to those shown above.
> **Important Note**: When upgrading to the next release or fix pack, you must remove these image overrides.
OCP / CP4I Installation:
Prerequisite
- `skopeo` should be available (v1.2.2 or more recent), see Installing skopeo
- the OCP registry should be exposed using DefaultRoute with:
oc patch configs.imageregistry.operator.openshift.io/cluster --patch '{"spec":{"defaultRoute":true}}' --type=merge
(see Exposing the registry; it is not necessary to perform the "podman login" step)
- the REGISTRY_HOST environment variable should be set to the OCP registry:
REGISTRY_HOST=$(oc get route default-route -n openshift-image-registry --template='{{ .spec.host }}')
- the APIC_PROJECT environment variable should be set to the project/namespace where the API Connect product to be patched is installed
Image archive extraction and skopeo copy to user registry
1. Extract the images from `ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz` with the command:
tar xf ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz
2. For each image perform a `skopeo copy ...` of the image to your registry with commands such as:
skopeo copy --dest-tls-verify=false --dest-registry-token=$(oc whoami -t) dir:./laifix-images/apim/10.0.8.5-ifix.13195-13 docker://$REGISTRY_HOST/$APIC_PROJECT/apim:10.0.8.5-ifix.13195-13
skopeo copy --dest-tls-verify=false --dest-registry-token=$(oc whoami -t) dir:./laifix-images/juhu/10.0.8.5-ifix.13195-13 docker://$REGISTRY_HOST/$APIC_PROJECT/juhu:10.0.8.5-ifix.13195-13
Image override
1. For CP4I edit your "API Connect Cluster" CR to add the following template override (replace $APIC_PROJECT with your value):
spec:
  template:
  - name: mgmt-apim
    containers:
    - name: apim
      image: image-registry.openshift-image-registry.svc:5000/$APIC_PROJECT/apim@sha256:664e1df3226d681b562da3d480cccd7b5931503d7e8970a4cc9aae67bf9cce37
  - name: mgmt-juhu
    containers:
    - name: juhu
      image: image-registry.openshift-image-registry.svc:5000/$APIC_PROJECT/juhu@sha256:c412b82f5cbb066f35f6073ab4f89069f0a17eb202b9222a11dd3aaab5de32a2
2. If you are not using an "API Connect Cluster" CR in OCP, then edit your Management Cluster CR to add the following template override (replace $APIC_PROJECT with your value):
spec:
  template:
  - name: apim
    containers:
    - name: apim
      image: image-registry.openshift-image-registry.svc:5000/$APIC_PROJECT/apim@sha256:664e1df3226d681b562da3d480cccd7b5931503d7e8970a4cc9aae67bf9cce37
  - name: juhu
    containers:
    - name: juhu
      image: image-registry.openshift-image-registry.svc:5000/$APIC_PROJECT/juhu@sha256:c412b82f5cbb066f35f6073ab4f89069f0a17eb202b9222a11dd3aaab5de32a2
Verification
On the cluster, look at the pods and compare their image digests to those shown above.
> **Important Note**: When upgrading to the next release or fix pack, you must remove these image overrides.
Kubernetes:
Prerequisite
`skopeo` should be available (v1.2.2 or more recent), see Installing skopeo
Image archive extraction and skopeo copy to user registry
1. Extract the images from `ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz` with the command:
tar xf ibm-apiconnect-v10.0.8.5-ifix.13195-images.tar.gz
2. For each image perform a `skopeo copy ...` of the image to your registry with commands such as:
skopeo copy dir:./laifix-images/apim/10.0.8.5-ifix.13195-13 docker://<registry>/laifix-images/apim:10.0.8.5-ifix.13195-13
skopeo copy dir:./laifix-images/juhu/10.0.8.5-ifix.13195-13 docker://<registry>/laifix-images/juhu:10.0.8.5-ifix.13195-13
Please refer to the skopeo documentation to configure credentials as needed for your destination registry.
Image override
1. Edit your Management subsystem CR
spec:
  template:
  - name: apim
    containers:
    - name: apim
      image: <registry>/laifix-images/apim@sha256:664e1df3226d681b562da3d480cccd7b5931503d7e8970a4cc9aae67bf9cce37
  - name: juhu
    containers:
    - name: juhu
      image: <registry>/laifix-images/juhu@sha256:c412b82f5cbb066f35f6073ab4f89069f0a17eb202b9222a11dd3aaab5de32a2
Verification
On the cluster, look at the pods and compare their image digests to those shown above.
> **Important Note**: When upgrading to the next release or fix pack, you must remove these image overrides.
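The verification step that closes each section above can be scripted. The following is an added example, not part of IBM's instructions: it assumes `kubectl` (or `oc`, which accepts the same arguments) has access to the namespace, it uses the 10.0.8.5 digests from this page, and the names `list_images` and `check_digests` are made up for illustration.

```shell
#!/bin/sh
# Added example, not IBM's tooling. Expected digests are the 10.0.8.5 values
# from this page; replace them with the pair for your version.
WANT_APIM=sha256:664e1df3226d681b562da3d480cccd7b5931503d7e8970a4cc9aae67bf9cce37
WANT_JUHU=sha256:c412b82f5cbb066f35f6073ab4f89069f0a17eb202b9222a11dd3aaab5de32a2

# Prints one line per pod: "<pod><TAB><container>=<imageID> ..." (needs cluster access).
list_images() {
  kubectl get pods -n "$1" -o jsonpath='{range .items[*]}{.metadata.name}{"\t"}{range .status.containerStatuses[*]}{.name}{"="}{.imageID}{" "}{end}{"\n"}{end}'
}

# Reads list_images output on stdin and reports each apim/juhu container.
# Succeeds only if every one runs the expected digest AND at least one of
# each was seen, so an override that never rolled out is also caught.
check_digests() (
  bad=0 apim=0 juhu=0
  while read -r pod pairs; do
    for pair in $pairs; do
      name=${pair%%=*}
      id=${pair#*=}
      case $name in
        apim) want=$WANT_APIM; apim=$((apim + 1)) ;;
        juhu) want=$WANT_JUHU; juhu=$((juhu + 1)) ;;
        *) continue ;;   # sidecars and other containers are not checked
      esac
      # imageID looks like "<registry>/<repo>@sha256:<hex>", sometimes with a
      # runtime prefix; only the trailing digest matters.
      case $id in
        *@"$want") echo "OK $pod/$name" ;;
        *) echo "MISMATCH $pod/$name $id"; bad=$((bad + 1)) ;;
      esac
    done
  done
  [ "$bad" -eq 0 ] && [ "$apim" -gt 0 ] && [ "$juhu" -gt 0 ]
)

# Usage: list_images "$APIC_PROJECT" | check_digests
```

A non-zero exit status means either a container is still running a different digest or no `apim`/`juhu` container was found in the namespace.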
Document Location
Worldwide
Document Information
Modified date:
24 December 2025
UID
ibm17255318