
Security Bulletin: Rational Insight - Apache Struts used by WebSphere Application Server 6.1 and 7 (CVE-2014-0114)

2018-06-17 04:54:29
www.ibm.com

7.5 High (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

There is a classloader manipulation vulnerability in Apache Struts as used by IBM WebSphere Application Server 6.1 and 7.0.

Vulnerability Details


The Apache Struts version 1.x used by the Administrative Console in WebSphere Application Server (WAS) versions 6.1.0.0-6.1.0.47 and 7.0.0.0-7.0.0.29 may be vulnerable to class loader manipulation. If you are running the Rational Insight report server or the Rational Insight Data Services on these versions of WAS, it is strongly recommended that you apply the WAS interim fix described below.

Note: Rational Insight does not use Apache Struts and is not directly affected by this vulnerability. This vulnerability also does not affect IBM WebSphere Application Server version 8.0.x.x or 8.5.x.x.

CVE ID: CVE-2014-0114

**Description:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes.

**CVSS Base Score:** 7.5
**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/92889> for the current score
**CVSS Environmental Score:** Undefined
**CVSS Vector:** (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

Rational Insight 1.0, 1.0.0.1, 1.0.0.2, 1.0.1, 1.0.1 iFix1, 1.0.1.1, 1.1, 1.1.1, 1.1.1.1, 1.1.1.2 and 1.1.1.3

Remediation/Fixes

Follow the steps detailed in Security Bulletin 1672316: Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114.

Workarounds and Mitigations

None
