
Security Bulletin: Multiple vulnerabilities in IBM JRE affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC (CVE-2016-4003)

2018-06-18 01:32:23
www.ibm.com

CVSS3: 8.1 High
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6 and 7, which are used by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus CVE-2016-0636 and three additional vulnerabilities.

Vulnerability Details

CVE-ID: CVE-2016-4003
Description: Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.100
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111514 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1
Platform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1
Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Remediation/Fixes

See workaround

Workarounds and Mitigations

IBM® Runtime Environment Java™ Technology Edition, Versions 6 and 7, should be replaced.

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x

1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the standby management node as well.

3. If high availability is enabled, shut down the standby management node so that a high availability switch is not triggered.

4. On the management node, stop the GUI and PERF services:

pcmadmin service stop --group ALL

5. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders with the new ones (the old folders are kept as *-old):

# tar -zxvf ibm-java-jre-7.0-9.40-linux-x86_64.tgz
# mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old
# mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old
# mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old
# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/
# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/
# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/
# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old
# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

6. On the management node, start the GUI and PERF services:

pcmadmin service start --group ALL

7. If high availability is enabled, start the standby management node and replace the bin, lib and plugin folders under /opt/pcm/web-portal/jre/linux-x86_64 on the standby management node in the same way.

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)

2. Copy the tar package to the management node. If high availability is enabled, copy the JRE tar package to the standby management node as well.

3. If high availability is enabled, shut down the standby management node so that a high availability switch is not triggered.

4. On the management node, stop the GUI and PERF services.

5. HA disabled:

# pmcadmin stop
# perfadmin stop all

HA enabled:

# egosh user logon -u Admin -x Admin
# egosh service stop all

6. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders with the new ones (the old folders are kept as *-old):

# tar -zxvf ibm-java-jre-6.0-16.26-linux-x86_64.tgz
# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old
# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old
# cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/
# cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

7. On the management node, start the GUI and PERF services.

HA disabled:

# pmcadmin start
# perfadmin start all

HA enabled:

# egosh user logon -u Admin -x Admin
# egosh service start all
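Both procedures above (4.2.x and 4.1.x) perform the same manual swap: extract the downloaded JRE tar package, move the installed bin, lib and plugin folders aside as *-old, and copy the new ones in. The following POSIX shell functions are an added example, not IBM's script and not part of the bulletin, that automate that swap with the checks an operator would want before touching a production management node: the extracted JRE must actually contain all three folders, an existing *-old backup is never overwritten (so a half-finished earlier run is not silently clobbered), and the live folders are compared against the new JRE afterwards. All paths are assumptions; demo_swap builds a constructed fixture in a temporary directory so the sequence can be exercised without a real JRE or PCM install.

```shell
#!/bin/sh
# Added example (not IBM's script): automate the "mv ... -old / cp -r" JRE swap
# from the bulletin with safety checks. NEW_JRE is the jre/ directory extracted
# from the IBM tarball; TARGET is the installed JRE root, e.g. /opt/pcm/jre or
# /opt/pcm/web-portal/jre/linux-x86_64 (both are assumptions, not fixed paths).

JRE_DIRS="bin lib plugin"

# extract_jre TARBALL DESTDIR: unpack the tarball into DESTDIR and print the
# path of the jre/ directory inside it (IBM tarball layout: ibm-java-*/jre).
extract_jre() {
    tarball="$1"; dest="$2"
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    mkdir -p "$dest" || return 1
    tar -zxf "$tarball" -C "$dest" || return 1
    jre=""
    for cand in "$dest"/*/jre; do
        [ -d "$cand" ] && { jre="$cand"; break; }
    done
    [ -n "$jre" ] || { echo "no jre/ directory inside $tarball" >&2; return 1; }
    printf '%s\n' "$jre"
}

# replace_jre_dirs NEW_JRE TARGET: keep the old folders as *-old and copy the
# new ones in. Refuses to run if any check fails, before anything is moved.
replace_jre_dirs() {
    new="$1"; target="$2"
    for d in $JRE_DIRS; do
        [ -d "$new/$d" ] || { echo "missing $new/$d in new JRE" >&2; return 1; }
        [ -d "$target/$d" ] || { echo "missing $target/$d in install" >&2; return 1; }
        if [ -e "$target/$d-old" ]; then
            echo "$target/$d-old exists: previous replacement not cleaned up" >&2
            return 1
        fi
    done
    for d in $JRE_DIRS; do
        mv "$target/$d" "$target/$d-old" || return 1
        cp -r "$new/$d" "$target/" || return 1
    done
}

# verify_replaced NEW_JRE TARGET: succeed only if every live folder now
# matches the extracted JRE byte for byte.
verify_replaced() {
    new="$1"; target="$2"
    for d in $JRE_DIRS; do
        diff -r "$new/$d" "$target/$d" >/dev/null || return 1
    done
}

# demo_swap: constructed fixture (old install + new tarball) in a temp dir.
# Returns 0 if extract -> replace -> verify works and a second run is refused.
demo_swap() {
    work=$(mktemp -d) || return 1
    for d in $JRE_DIRS; do
        mkdir -p "$work/opt/jre/$d" "$work/ibm-java-x86_64-70/jre/$d" || return 1
        echo old > "$work/opt/jre/$d/marker"
        echo new > "$work/ibm-java-x86_64-70/jre/$d/marker"
    done
    ( cd "$work" && tar -czf jre.tgz ibm-java-x86_64-70 ) || return 1
    rm -r "$work/ibm-java-x86_64-70" || return 1
    newjre=$(extract_jre "$work/jre.tgz" "$work/extract") || return 1
    replace_jre_dirs "$newjre" "$work/opt/jre" || return 1
    verify_replaced "$newjre" "$work/opt/jre" || return 1
    [ "$(cat "$work/opt/jre/bin-old/marker")" = old ] || return 1
    # the *-old backups are still present, so a rerun must be refused
    if replace_jre_dirs "$newjre" "$work/opt/jre" 2>/dev/null; then return 1; fi
    rm -r "$work"
}
```

On a real node the functions would be called with the services already stopped (pcmadmin service stop --group ALL, or the pmcadmin/perfadmin/egosh commands for 4.1.x) and once per installed JRE root; the refusal on an existing *-old folder is deliberate, so that an operator removes or renames a stale backup consciously rather than losing the only copy of the previous runtime.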
