
Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114

2018-06-15 07:00:11
www.ibm.com

7.5 High

CVSS2

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

There is a classloader manipulation vulnerability in Apache Struts 1, which is used by IBM WebSphere Application Server, IBM WebSphere Application Server Hypervisor Edition and IBM WebSphere Extended Deployment Compute Grid.

Vulnerability Details

CVEID: CVE-2014-0114
Description: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. Struts 1 is used by IBM WebSphere Application Server and IBM WebSphere Extended Deployment Compute Grid.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

This problem affects the following versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:

· Version 7
· Version 6.1

This is not an issue with Version 8.0 or 8.5 of IBM WebSphere Application Server or IBM WebSphere Application Server Hypervisor Edition.

This problem affects the Modern Batch Feature Pack on WebSphere Application Server Version 7.

This problem also affects the following versions of WebSphere Extended Deployment Compute Grid:

· Version 8 on WebSphere Application Server Version 7 or Version 8
· Version 6.1 on WebSphere Application Server Version 6.1 or Version 7

Remediation/Fixes

The Apache Struts used by the Administrative Console in WebSphere Application Server and by batch processing in IBM Compute Grid may be vulnerable to class loader manipulation. IBM recommends installing the fixes outlined below.

If your Java Web Application uses the Apache Struts version 1.x that is available in WebSphere Application Server's optional libraries, you may also be vulnerable. You will need to verify whether your application is affected. WebSphere Application Server Version 7.0 deprecated the inclusion of version 1.x of Struts in 2008. We recommend that you upgrade your Struts 1 from Apache to a version of Struts in which this is fixed. Your application should be thoroughly tested to verify that it does not have any issues. Please refer to the Apache Struts Web site (struts.apache.org) for information and downloads. For more information on migrating from Struts 1 to Struts 2, please refer to the Apache Struts Migration Guide at
<http://struts.apache.org/docs/migration-guide.html>

If this mitigation will not work for you, please contact IBM Support.
Please note: IBM does not plan on shipping any fix for Struts 1.x as the fix is only available at the current levels of Apache Struts which can only be obtained from the Apache Struts website.

Important! IBM is planning on removing and no longer shipping all 4 versions of Struts Version 1.x from the optional Libraries starting in WebSphere Application Server 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.1. If you have copied the optional Struts packages to your shared library for your applications to use, you will need to take the following actions prior to moving to 7.0.0.43, 8.0.0.13, 8.5.5.11 or 9.0.0.1.

- Upgrade your applications to use a current level of Struts
- Include a copy of the Struts 1.x package from Apache that contains the fix as part of your ear file development.
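The bulletin tells application owners to verify whether their own EAR files bundle Struts 1.x, either under WEB-INF/lib of a WAR or as a copy of the optional library placed in a shared lib/ directory. The following script is an added example (not IBM's tooling and not part of the bulletin) that walks an EAR and every WAR nested inside it and reports each Struts 1.x jar with the version read from its manifest, falling back to the version in the filename. The jar-naming pattern, the Implementation-Version manifest key and the sample EAR it builds in memory are assumptions constructed for the example; run it against a real EAR by passing the file's bytes to find_struts1_jars.

```python
import io
import re
import zipfile
from typing import Dict, List, Optional

# Filename pattern for Apache Struts 1.x jars (struts.jar, struts-core-1.3.10.jar,
# struts-taglib-1.3.10.jar, ...). Struts 2 jars (struts2-core-*.jar) deliberately do
# not match. This naming convention is an assumption, not something the bulletin states.
STRUTS1_JAR_RE = re.compile(
    r"(^|/)struts(-core|-taglib|-extras|-el|-tiles|-scripting)?(-1\.[\d.]+)?\.jar$"
)
VERSION_IN_NAME_RE = re.compile(r"-(1\.\d+(?:\.\d+)*)\.jar$")
NESTED_ARCHIVE_SUFFIXES = (".war", ".ear", ".rar")


def manifest_implementation_version(jar_bytes: bytes) -> Optional[str]:
    """Return Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    for line in manifest.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == "implementation-version":
            return value.strip()
    return None


def find_struts1_jars(archive_bytes: bytes, prefix: str = "") -> List[Dict[str, str]]:
    """Walk an EAR (and every WAR/EAR/RAR nested in it) and list the Struts 1.x jars it bundles.

    Each finding records where the jar sits ("outer.war!/WEB-INF/lib/x.jar") and its
    version, taken from the manifest or, failing that, from the filename.
    """
    findings: List[Dict[str, str]] = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as archive:
        for name in archive.namelist():
            lowered = name.lower()
            if lowered.endswith(NESTED_ARCHIVE_SUFFIXES):
                # Recurse into nested modules; "!/" separates archive levels as in JAR URLs.
                try:
                    findings.extend(find_struts1_jars(archive.read(name), prefix + name + "!/"))
                except zipfile.BadZipFile:
                    continue  # not a real archive; nothing to inspect inside it
            elif STRUTS1_JAR_RE.search(lowered):
                data = archive.read(name)
                version = manifest_implementation_version(data)
                if version is None:
                    match = VERSION_IN_NAME_RE.search(lowered)
                    version = match.group(1) if match else "unknown"
                findings.append({"path": prefix + name, "version": version})
    return findings


def _jar_with_manifest(impl_version: Optional[str]) -> bytes:
    """Build a minimal jar whose only entry is a manifest (constructed fixture)."""
    manifest = "Manifest-Version: 1.0\n"
    if impl_version is not None:
        manifest += f"Implementation-Version: {impl_version}\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", manifest)
    return buf.getvalue()


def _archive(entries: Dict[str, bytes]) -> bytes:
    """Zip the given name -> bytes entries into an in-memory archive (constructed fixture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed EAR: a legacy WAR on Struts 1.3.10, a WAR on Struts 2 only, and a
    versionless struts.jar copied into the EAR's shared lib/ directory."""
    legacy_war = _archive({
        "WEB-INF/lib/struts-core-1.3.10.jar": _jar_with_manifest("1.3.10"),
        "WEB-INF/lib/commons-beanutils-1.8.0.jar": _jar_with_manifest("1.8.0"),
    })
    modern_war = _archive({
        "WEB-INF/lib/struts2-core-2.3.16.3.jar": _jar_with_manifest("2.3.16.3"),
    })
    return _archive({
        "legacy.war": legacy_war,
        "modern.war": modern_war,
        "lib/struts.jar": _jar_with_manifest(None),
    })


if __name__ == "__main__":
    for finding in find_struts1_jars(build_sample_ear()):
        print(f"Struts 1.x jar: {finding['path']} (version {finding['version']})")
```

On the constructed EAR the scan reports two jars: the Struts 1.3.10 core jar inside legacy.war and the versionless struts.jar in the shared lib/ directory, while the Struts 2 WAR produces no finding. A jar reported as "unknown" is the case the bulletin warns about (a copy of the optional library with no version metadata) and needs to be traced back to where it was copied from before you decide whether it already contains the Apache fix.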

**FIXES** for WebSphere Application Server and batch processing in IBM Compute Grid:
The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. There are 2 separate interim fixes that may need to be applied; links to Fix Central are provided below:

APARs
PI17190 for the Administrative Console
PI17420 for administering batch jobs in Compute Grid

**Fix:** Apply a Fix Pack or PTF containing the above APARs, as noted below:

For affected IBM WebSphere Application Server:

**For V7.0.0.0 through 7.0.0.31:**

  • Apply Interim Fix PI17190
    --OR--
  • Apply Fix Pack 7.0.0.33 or later.

**For V6.1.0.0 through 6.1.0.47:**

  • Apply Interim Fix PI17190

For affected Modern Batch Feature Pack on WebSphere Application Server Version 7:

**For V1.0.0.0 through 1.0.0.5:**

  • Contact IBM Support for the Interim Fix

For affected IBM WebSphere Application Server Extended Deployment Compute Grid:

**For Compute Grid V8.0.0.0 through 8.0.0.3 on WebSphere Application Server Version 8 or WebSphere Application Server Version 7:**

  • Apply Interim Fix PI17420
    --OR--
  • Apply Compute Grid Fix Pack 8.0.0.4 or later.

**For Compute Grid V6.1 on WebSphere Application Server Version 6.1 or 7.0:**

  • Contact IBM Support for the Interim Fix
