JVM security patches for IBM Lotus Domino 8.x servers

Refer to technote #1616652 for detailed information on the related JVM security vulnerability.

Fix availability & download information

Domino 8.5.3 thru 8.5.3 Fix Pack 2 Interim Fix 1; 8.5.2.x; 8.5.1.x

IMPORTANT NOTE: The fix is included in Domino 8.5.3 Fix Pack 3. Do not attempt to apply the interim patches linked below to 8.5.3 Fix Pack 3.

Platform	Fix Central download link & file name
AIX	85x_Server_AIX32_JVM_Security_Patch_11212012.tar
AIX64	85x_Server_AIX64_JVM_Security_Patch_11212012.tar
Linux	85x_Server_Linux_JVM_Security_Patch_11212012.tar
Solaris	85x_Server_Sol_JVM_Security_Patch_11212012.tar
W32	85x_Server_W32_JVM_Security_Patch_11212012.exe
W64	85x_Server_W64_JVM_Security_Patch_11212012.exe
zLinux	85x_Server_zLinux_JVM_Security_Patch_11212012.tar

Note the following:

• The patches linked above, which work with 8.5.1.x through 8.5.3 Fix Pack 2 Interim Fix 1, were posted to Fix Central on 21 November 2012.
  • If a Fix Pack was installed, the prior JVM update would not uninstall on W32 or W64. This new version corrects that. If you installed the previously available JVM patch, there is no need to take any action. Future Fix Packs and Maintenance Releases will install correctly.

• The patch will work with 8.5.0.x, but has had minimal testing. IBM recommends customers on 8.5.0.x move to a more current release.

Domino 8.0.2.x & 8.0.1.x
Limited availability via Interim Fix. To inquire about availability, open a service request with IBM Support and reference SPR KLYH8ZVQ37.

Additional information

• You can run the executable from any directory. By default, you will not receive a prompt that install was successful. To force a prompt to appear upon install script completion, set the environment variable JVMPATCHER_UIMODE=1

Note the following caveat: If you run the installer in silent mode from Command Prompt (with the -s switch), the prompt will appear if the environment variable is set even though it is running in silent mode.

• The patch will not interfere with existing Interim Fixes (hotfixes), Fix Packs, or Maintenance Releases, and it will not revise the Domino version string.
• The server patch can be run a second time to uninstall.

Options to confirm fix is installed

OPTION 1: Issue "java -version" command
-- In Command Prompt, navigate to \<Domino Program Directory>\jvm\bin
-- Issue the command java -version (On Linux, use ./java -version)
-- The output should appear as follows:

java version "1.6.0" Java(TM) SE Runtime Environment (build pwi3260sr12ifix-20121108_01(SR12+IV31417)) IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr12-20121 024_126067 (JIT enabled, AOT enabled) J9VM - 20121024_126067 JIT  - r9_20120914_26057 GC   - 20120928_AA) JCL  - 20121108_01

Note: If you do not issue "java -version" from within the \<Domino Program Directory>\jvm\bin directory, the system JVM version will be returned instead of the Domino JVM version.


OPTION 2: Issue "Show JVM" command
-- At the Domino server console, issue the command Show JVM
-- The output should appear as follows:

> show jvm [0B6C:0002-1B5C] 11/13/2012 02:04:14 PM  JVM: Java Virtual Machine initialized. [0B6C:0002-1B5C] 11/13/2012 02:04:14 PM  JVM version: JRE 1.6.0 IBM J9 2.4 Windows XP x86-32 jvmwi3260sr12-20121024_126067 (JIT enabled, AOT enabled) J9VM - 20121024_126067 JIT  - r9_20120914_26057 GC   - 20120928_AA