Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)

Summary

Multiple security vulnerabilities have been reported for Apache Struts that is used by IBM Business Process Manager and WebSphere Lombardi Edition.

Vulnerability Details

CVEID: CVE-2016-1181**
DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-1182**
DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages.
CVSS Base Score: 4.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2015-0899**
DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

• • WebSphere Lombardi Edition V7.2.0.0 - V7.2.0.5
• IBM Business Process Manager all editions V7.5.0.0 - V7.5.1.2
• IBM Business Process Manager all editions V8.0.0.0 - V8.0.1.3
• IBM Business Process Manager all editions V8.5.0.0 - V8.5.7.0 prior to cumulative fix 2016.09

Remediation/Fixes

Install IBM Business Process Manager interim fix JR56285 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version.

• IBM Business Process Manager Advanced
• IBM Business Process Manager Standard
• IBM Business Process Manager Express

As WebSphere Lombardi Edition and IBM Business Process Manager V7.5 are out of general support, customers with a support extension contract can contact IBM support to request the fix for download.

IBM Business Process Manager and WebSphere Lombardi Edition build upon IBM WebSphere Application Server that also uses Apache Struts. Refer to the Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182) for details on fixes for WebSphere Application Server.
IBM Business Process Manager V8.5.7.0 cumulative fix 2016.09 includes IBM WebSphere Application Server V8.5.5.10, thus does not require additional fixes for this vulnerability.

Workarounds and Mitigations

None