
Alliance Access, Alliance Entry, Alliance Web Platform Server-Embedded

Security Update 2017-08

This document contains information for Security Update 2017-08, to be applied to Alliance Access, Alliance Entry and
Alliance Web Platform Server-Embedded.

08 September 2017

Table of Contents

Practical Information

1 Security Update Overview
1.1 Important Information about This Security Update
1.2 Package Content

2 Installation and Configuration
2.1 Prerequisites
2.2 Alliance Access
2.3 Alliance Entry
2.4 Alliance Web Platform
2.5 Fallback Activities

3 Support

Legal Notices

Practical Information

Installation is:
- Based on customer's deployment policy
- When no policy is available, SWIFT recommends: CVSS 9.0+ applied within 1 month of release

Must be installed on:
- Alliance Access 7.1.23 or higher
- Alliance Entry 7.1.23 or higher
- Alliance Web Platform Server-Embedded 7.0.71 (February 2017 Security Update) or higher

Note: This security update must not be installed on top of Alliance Access 7.2.00,
Alliance Entry 7.2.00, or Alliance Web Platform Server-Embedded 7.2.00.
Release 7.2.00 includes this security update.

Product dependencies: None

1 Security Update Overview


General purpose
As part of the SWIFT Customer Security Programme, we are committed to further strengthening
SWIFT interfaces, tools and software in the light of evolving cyber threats. In this regard, SWIFT
provides security updates for SWIFTNet and Alliance products on a quarterly basis.

Installation deadline
In line with the SWIFT Customer Security Control Framework, SWIFT mandates the following:
- A risk assessment process is in place to determine the most appropriate treatment of vendor
  security updates. Risk assessment considerations may include: the vendor-reported criticality of
  the update, user exposure and vulnerability, mitigating controls, and operational impact.
- User-defined deployment timelines are established for applying updates based on criticality,
  system type, and required update testing.
- In the absence of established internal processes and timelines, SWIFT recommends the use of
  Common Vulnerability Scoring System (CVSS) Version 3 as a guideline for criticality, with the
  following update deployment targets:
  - For vulnerabilities with a CVSS ranking of 9 and above, customers must install the security
    update within 1 month of general availability.
  - For vulnerabilities with a CVSS ranking of 7 to 9, customers must install the security update
    within 2 months of general availability.
  - For vulnerabilities with a CVSS ranking of less than 7, installation of the security update is
    customer-defined.
SWIFT reserves the right to inform non-compliant users' supervisors of their failure to install the
latest mandatory SWIFT releases or updates in a timely manner and, in the case of non-supervised
users, their messaging counterparties. Non-compliance may also require SWIFT to suspend or
terminate customers' use of the related SWIFT services and products.
Please note that support for past software releases and updates automatically terminates after the
installation deadline (except for the limited support needed to help customers upgrade to the latest
mandatory releases).

1.1 Important Information about This Security Update


This security update is limited to the embedded third-party components used by Alliance Access,
Alliance Entry, Alliance Web Platform Server-Embedded. The security updates are expected to be
transparent to the applications' functionalities. SWIFT's regression testing did not show any impact.
The need for further regression testing at the customer side is, as such, driven by the customer's
internal testing policy.
This security update is cumulative and resolves vulnerabilities related to the following releases:
- Alliance Access 7.1.23 and higher
  This security update can be installed before or after Alliance Access 7.1.30 or 7.1.40.
  If installed before 7.1.30, Security Update 2017-08 must be installed again on 7.1.30 (this does
  not apply to 7.1.40).
- Alliance Entry 7.1.23 and higher
  This security update can be installed before or after Alliance Entry 7.1.30 or 7.1.40.
  If installed before 7.1.30, Security Update 2017-08 must be installed again on 7.1.30 (this does
  not apply to 7.1.40).
- Alliance Web Platform Server-Embedded 7.0.71 and higher

Note: This security update must not be installed on top of Alliance Access 7.2.00, Alliance
Entry 7.2.00, or Alliance Web Platform Server-Embedded 7.2.00. Release 7.2.00
includes this security update.

1.2 Package Content


This security update resolves the vulnerabilities listed below. For information about the Common
Vulnerability Scoring System (CVSS), see Knowledge Base tip 5021460.

Description                                   CVE
CVSS: 9.0  Java SE                            -
This update resolves several critical vulnerabilities in the embedded Java SE
(Oracle Critical Patch Update - July 2017), with the highest one having a Common
Vulnerability Scoring System (CVSSv3) score of 9.0 out of 10.

2 Installation and Configuration


2.1 Prerequisites
Alliance Access and Alliance Entry
Before installing the update:
1. It is recommended to take a system backup, with the database stopped.
2. Make sure that the temporary folder has at least 1 GB of free space (folder is TMP or TEMP on
Windows, TMPDIR (if defined), or /var/tmp on AIX, Red Hat Enterprise Linux, and Oracle
Solaris, or the folder specified in the -tempdir option).
3. Make sure the installation directory of Alliance Access or Alliance Entry has at least 10 GB of
free space.
   Note: The required disk space in the installation directory of Alliance Access or Alliance
   Entry varies, depending on the configuration. To cover all situations SWIFT
   decided to set the disk space requirement to 10 GB.
   If you cannot accommodate 10 GB of free disk space, contact SWIFT Support for
   further assistance.
4. Ensure that Alliance Access/Entry is shut down.
5. If Alliance Access is running on Red Hat Enterprise Linux, then the following packages must
   have been installed as root:
   - glibc.i686
   - libstdc++.i686
   - zlib.i686
   - libidn.i686
   - krb5-libs.i686
   To check the packages, enter the following command:
       yum info <package_name>
   If any packages are not installed, enter the following command (for each package missing):
       yum install <package_name>

Alliance Web Platform Server-Embedded


Before installing the security update on Alliance Web Platform Server-Embedded, make sure that
the following prerequisites are met.
1. It is recommended to take a database backup (swp_backup command).
2. Make sure that the temporary folder has at least 1 GB of free space (folder is TMP or TEMP on
Windows, TMPDIR (if defined), or /var/tmp on AIX, Red Hat Enterprise Linux, and Oracle
Solaris, or the folder specified in the -tempdir option).
3. Make sure the installation directory of Alliance Web Platform Server-Embedded has at least 10
   GB of free space.
   Note: The required disk space in the installation directory varies, depending on the
   configuration. To cover all situations SWIFT decided to set the disk space
   requirement to 10 GB.
   If you cannot accommodate 10 GB of free disk space, contact SWIFT Support for
   further assistance.
4. If Alliance Web Platform Server-Embedded is running on Red Hat Enterprise Linux, then the
   following packages must have been installed as root:
   - glibc.i686
   - libstdc++.i686
   - zlib.i686
   - libidn.i686
   - krb5-libs.i686
   To check the packages, enter the following command:
       yum info <package_name>
   If any packages are not installed, enter the following command (for each package missing):
       yum install <package_name>
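
A pre-flight check for the prerequisites in this section, added here as an example; it is not SWIFT tooling and not part of the original document. The function names are this example's own, rpm -q is used in place of yum info, and the order in which a -tempdir value, TMPDIR and /var/tmp are tried is an assumption.

```shell
#!/bin/sh
# Added example (not SWIFT tooling): pre-flight check for the section 2.1
# prerequisites on AIX, Red Hat Enterprise Linux and Oracle Solaris.

# 32-bit packages the document requires on Red Hat Enterprise Linux.
REQUIRED_PKGS="glibc.i686 libstdc++.i686 zlib.i686 libidn.i686 krb5-libs.i686"

# resolve_tmp [TEMPDIR_OPTION] -> temporary folder the installer will use.
# Assumption: a -tempdir value wins over TMPDIR, which wins over /var/tmp.
resolve_tmp() {
    if [ -n "$1" ]; then
        printf '%s\n' "$1"
    elif [ -n "$TMPDIR" ]; then
        printf '%s\n' "$TMPDIR"
    else
        printf '%s\n' /var/tmp
    fi
}

# free_kb DIR -> free space, in KiB, on the filesystem that holds DIR.
# Prints nothing when DIR does not exist.
free_kb() {
    df -Pk "$1" 2>/dev/null | awk 'NR == 2 { print $4 }'
}

# has_space DIR MIN_GB -> 0 when DIR has at least MIN_GB GiB free.
has_space() {
    avail=$(free_kb "$1")
    [ -n "$avail" ] && [ "$avail" -ge $(( $2 * 1024 * 1024 )) ]
}

# missing_packages [QUERY_CMD...] -> prints each required package that the
# query command reports as absent. Defaults to "rpm -q", whose exit status
# says whether the package is installed.
missing_packages() {
    [ $# -gt 0 ] || set -- rpm -q
    for pkg in $REQUIRED_PKGS; do
        "$@" "$pkg" >/dev/null 2>&1 || printf '%s\n' "$pkg"
    done
}

# preflight INSTALL_DIR [TEMPDIR_OPTION] -> 0 when every check passes.
preflight() {
    rc=0
    tmp=$(resolve_tmp "$2")
    has_space "$tmp" 1 || { echo "FAIL: $tmp has less than 1 GB free"; rc=1; }
    has_space "$1" 10 || { echo "FAIL: $1 has less than 10 GB free"; rc=1; }
    if [ -f /etc/redhat-release ]; then
        miss=$(missing_packages | tr '\n' ' ')
        [ -z "$miss" ] || { echo "FAIL: missing packages: $miss"; rc=1; }
    fi
    return $rc
}

# Run only when an installation directory is given, for example:
#   sh preflight.sh /Alliance/Access
[ $# -eq 0 ] || preflight "$@"
```

The script only reports; the backup and the shutdown of Alliance Access/Entry in steps 1 and 4 still have to be confirmed by the operator.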

2.2 Alliance Access

2.2.1 Installation on AIX and Solaris


Before you begin
1. The installer must be launched by the Alliance Access owner account.
2. Alliance Access must be stopped.

Procedure
1. Download the security update to a temporary folder (for example, /tmp)
2. Log in as Alliance System Administrator.
3. If you are working remotely, then export the display to your local machine by typing:
export DISPLAY=<IPaddressComputer>:0.0
where <IPaddressComputer> must be replaced by the IP address for the computer where
the upgrade windows will be displayed.
4. In an Xterm of the Alliance System Administration window, navigate to the temporary folder
where you copied the Security Update 2017-08 software: cd /tmp
5. Run the executable:
./secupd-2017-08-install
If the instance to be updated cannot be located, then add the -location argument to point to
the root path of that instance.
6. If you run the installation in silent mode, execute the command as follows:
./secupd-2017-08-install -silent <path to file silent.properties>
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (/tmp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace /Alliance/Access with the path of the Alliance Access software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=/Alliance/Access

2.2.2 Installation on Linux


Before you begin
1. The installer must be launched by the Alliance Access owner account.
2. Alliance Access must be stopped.

Procedure
1. Download the security update to a temporary folder (for example, /tmp)
2. Log in as Alliance System Administrator.
3. If you are working remotely, then export the display to your local machine by typing:
export DISPLAY=<IPaddressComputer>:0.0
where <IPaddressComputer> must be replaced by the IP address for the computer where
the upgrade windows will be displayed.
4. In an Xterm of the Alliance System Administration window, navigate to the temporary folder
where you copied the Alliance Security Update 2017-08 software: cd /tmp
5. Run the executable:
./secupd-2017-08-install
If the instance to be updated cannot be located, then add the -location argument to point to
the root path of that instance.
6. If you run the installation in silent mode, execute the command as follows:
./secupd-2017-08-install -silent <path to file silent.properties>
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (/tmp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace /Alliance/Access with the path of the Alliance Access software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=/Alliance/Access

2.2.3 Installation on Windows


Before you begin
1. The installer must be launched by the Alliance Access owner account.
2. Alliance Access must be stopped.

Procedure
1. Download the security update to a temporary folder (for example, C:\Temp)
2. Log in as Alliance System Administrator.
3. In a Command Prompt of the Alliance System Administration application, navigate to the
temporary folder: cd C:\Temp
4. Run the executable:
secupd-2017-08-install.exe
If the instance to be updated cannot be located, then add the -location argument to point to
the root path of that instance.
5. If you run the installation in silent mode, execute the command as follows:
secupd-2017-08-install.exe -silent <path to file silent.properties>
where <root> is the path of the Alliance Access software.
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (C:\Temp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace C\:\\Alliance\\Access with the path of the Alliance Access software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=C\:\\Alliance\\Access

2.3 Alliance Entry


Before you begin
1. The installer must be launched by the Alliance Entry owner account.
2. Alliance Entry must be stopped.

Procedure
1. Download the security update to a temporary folder (for example, C:\Temp)
2. Log in as Alliance System Administrator.
3. In a Command Prompt of the Alliance System Administration application, navigate to the
temporary folder: cd C:\Temp
4. Run the executable:
secupd-2017-08-install.exe
If the instance to be updated cannot be located, then add the -location argument to point to
the root path of that instance.
5. If you run the installation in silent mode, execute the command as follows:
secupd-2017-08-install.exe -silent <path to file silent.properties>
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (C:\Temp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace C\:\\Alliance\\Entry with the path of the Alliance Entry software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=C\:\\Alliance\\Entry

2.4 Alliance Web Platform

2.4.1 Installation on AIX and Solaris


Before you begin
1. The installer must be launched by the Alliance Web Platform Server-Embedded owner account.
2. The installer requires a free port within the range 9135 to 9234.

Procedure
1. Download the security update to a temporary folder (for example, /tmp)
2. If you are working remotely, then export the display to your local machine by typing:
export DISPLAY=<IPaddressComputer>:0.0
where <IPaddressComputer> must be replaced by the IP address for the computer where
the upgrade windows will be displayed.
3. Run the following executable from the /tmp folder with the following arguments:
./secupd-2017-08-install
4. If you run the installation in silent mode, execute the command as follows:
./secupd-2017-08-install -silent <path to file silent.properties>
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (/tmp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace /Alliance/WebPlatform with the path of the Alliance Web Platform software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=/Alliance/WebPlatform

2.4.2 Installation on Linux


Before you begin
1. The installer must be launched by the Alliance Web Platform Server-Embedded owner account.
2. The installer requires a free port within the range 9135 to 9234.

Procedure
1. Download the security update to a temporary folder (for example, /tmp)
2. If you are working remotely, then export the display to your local machine by typing:
export DISPLAY=<IPaddressComputer>:0.0
where <IPaddressComputer> must be replaced by the IP address for the computer where
the upgrade windows will be displayed.
3. Run the following executable from the /tmp folder with the following arguments:
./secupd-2017-08-install
4. If you run the installation in silent mode, execute the command as follows:
./secupd-2017-08-install -silent <path to file silent.properties>
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (/tmp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace /Alliance/WebPlatform with the path of the Alliance Web Platform software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=/Alliance/WebPlatform
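
A check to run on the edited silent.properties before a silent installation, covering the notes in sections 2.2.1, 2.2.2, 2.4.1 and 2.4.2. This is an added example, not SWIFT tooling or part of the original document; the function names and the sample file written by write_sample are constructed, and the escaped Windows paths of sections 2.2.3, 2.3 and 2.4.3 are out of scope.

```shell
#!/bin/sh
# Added example (not SWIFT tooling): check an edited silent.properties before
# passing it to ./secupd-2017-08-install -silent on AIX, Solaris or Linux.

# prop_value FILE KEY -> prints the value of the last active KEY=value line.
# Lines starting with # or ! are comments in a .properties file and are
# skipped. Returns 1 when the key is absent or only present in a comment.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            k = substr(line, 1, eq - 1)
            sub(/[ \t]+$/, "", k)
            if (k != key) next
            v = substr(line, eq + 1)
            sub(/^[ \t]+/, "", v)
            sub(/[ \t\r]+$/, "", v)
            found = 1
        }
        END { if (!found) exit 1; print v }
    ' "$1"
}

# check_silent_properties FILE -> 0 when both edits from the note are in place:
# the licensing line is active and set to Agree, and the installation root
# names a directory that exists on this host.
check_silent_properties() {
    file=$1
    [ -r "$file" ] || { echo "cannot read $file"; return 2; }
    rc=0
    lic=$(prop_value "$file" Mandatory.Accept.LicensingTerms) || lic=
    if [ "$lic" != "Agree" ]; then
        echo "Mandatory.Accept.LicensingTerms is not active or not set to Agree"
        rc=1
    fi
    loc=$(prop_value "$file" application.installLocation) || loc=
    if [ -z "$loc" ]; then
        echo "application.installLocation is missing"
        rc=1
    elif [ ! -d "$loc" ]; then
        echo "application.installLocation=$loc is not an existing directory"
        rc=1
    fi
    return $rc
}

# write_sample FILE INSTALL_DIR PREFIX -> constructed sample file for trying
# the check; PREFIX "#" leaves the licensing line commented out.
write_sample() {
    cat > "$1" <<EOF
## Uncomment to specify your agreement with licensing terms
${3}Mandatory.Accept.LicensingTerms=Agree
## Installation root directory (mandatory)
## Modify the value if not using the default value
application.installLocation=$2
EOF
}

# Run only when a file is given, for example:
#   sh check_silent.sh /tmp/silent.properties
[ $# -eq 0 ] || check_silent_properties "$1"
```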

2.4.3 Installation on Windows


Before you begin
1. The installer must be launched by the Alliance Web Platform Server-Embedded owner account.
2. The installer requires a free port within the range 9135 to 9234.

Procedure
1. Download the security update to a temporary folder (for example, C:\Temp)
2. Run the following executable from the C:\Temp folder with the following argument:
secupd-2017-08-install.exe
3. If you run the installation in silent mode, execute the command as follows:
secupd-2017-08-install.exe -silent <path to file silent.properties>
Note: The <path to file silent.properties> can be found under the
installation software on the temporary folder, where it was copied (/tmp). The
following lines in the file must be edited before launching the installation:
    ## Uncomment to specify your agreement with licensing terms
    Mandatory.Accept.LicensingTerms=Agree
Replace C\:\\Alliance\\WebPlatform with the path of the Alliance Web Platform software:
    ## Installation root directory (mandatory)
    ## Modify the value if not using the default value
    application.installLocation=C\:\\Alliance\\WebPlatform

2.5 Fallback Activities


Alliance Access and Alliance Entry
The security update cannot be removed.
If you experience problems while upgrading, then restore the system backup that was taken before
the upgrade was attempted.

Alliance Web Platform Server-Embedded


If you experience problems while installing this security update, then you must:
1. Re-install the previous release (for example, 7.0.70).
2. Re-install any updates made to the previous release (for example, 7.0.71), including security
updates.
3. Restore the database from the backup taken before the installation of Security Update 2017-08
was attempted (swp_restore command).

3 Support
Support for SWIFT customers
By default, SWIFT Support is the single point of contact to report all problems and queries that
relate to SWIFT services and products. Support is available to all SWIFT customers.
Individuals within a customer organisation must register to use the Support service.
For more information about the different services that SWIFT offers as part of the support
packages and the procedure to order support, see Comparison of support packages on swift.com.

Related information

For more information about Support services, see the service description related to the applicable
support package:
Support documentation

Legal Notices
Copyright
SWIFT 2017. All rights reserved.

Restricted Distribution
Do not distribute this publication outside your organisation unless your subscription or order
expressly grants you that right, in which case ensure you comply with any other applicable
conditions.

Disclaimer
The information in this publication may change from time to time. You must always refer to the
latest available version.

Translations
The English version of SWIFT documentation is the only official and binding version.

Trademarks
SWIFT is the trade name of S.W.I.F.T. SCRL. The following are registered trademarks of SWIFT:
the SWIFT logo, SWIFT, SWIFTNet, Accord, Sibos, 3SKey, Innotribe, the Standards Forum logo,
MyStandards, and SWIFT Institute. Other product, service, or company names in this publication
are trade names, trademarks, or registered trademarks of their respective owners.
