9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
A security vulnerability relating to remote code execution CVE-2016-1000031 has been reported against Apache Commons FileUpload DiskFileItem File Manipulation, which IBM Platform Symphony uses as a framework for its WEBGUI service. The Commons FileUpload version that is vulnerable to these issues is included in several past versions of IBM Platform Symphony. Commons FileUpload 1.3.3 addresses this vulnerability and can be applied through the manual steps detailed in the Remediation section.
CVEID: CVE-2016-1000031
DESCRIPTION: A vulnerability in IBM Spectrum Symphony and IBM Platform Symphony could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of FileUpload library. A attacker could exploit this vulnerability to execute arbitrary code under the context of the current process.
**CVSS V3 Base Score:**7.5 HIGH
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (legend)
CVSS V3 Impact Score: 5.9
CVSS V3 Exploitability Score: 3.9
IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, and** 7.1.1**,andIBM Spectrum Symphony** 7.1.2** and7.2. All OS editions, including Linux and Windows, are affected. The remediation steps for Linux are provided in this document.****For Windows, use the Linux steps as a reference and find the correct path for patching.
None
Ā· For IBM Platform Symphony 6.1.1, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI plc purger
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/1.2.8/lib/commons-fileupload-.jar /tmp/guibackup
> mv $EGO_TOP/perf/1.2.8/lib/commons-fileupload-.jar /tmp/perfbackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/1.2.8/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/1.2.8/lib/
1.5 On each management host, clean up the GUI work directory:
> rm -rf $EGO_TOP/gui/work/*
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI plc purger
Ā· For IBM Platform Symphony 7.1 Fix Pack 1, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI plc purger
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.1/lib/commons-fileupload-.jar /tmp/guibackup
> rm $EGO_TOP/gui/soam/7.1/symgui/WEB-INF/lib/commons-fileupload-.jar
> mv $EGO_TOP/perf/3.1/lib/commons-fileupload-*.jar /tmp/perfbackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.1/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.1/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/soam/7.1/symgui/WEB-INF/lib/
1.5 On each management host, clean up the GUI work directory:
> rm -rf $EGO_TOP/gui/work/*
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI plc purger
Ā· For IBM Platform Symphony 7.1.1, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI ascd REST plc purger
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.3/lib/commons-fileupload-.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-fileupload-.jar
> rm $EGO_TOP/wlp/usr/servers/rest/apps/soam/7.1.1/deploymentrest/WEB-INF/lib/commons-fileupload-.jar
> rm $EGO_TOP/asc/1.1.1/lib/commons-fileupload-.jar
> mv $EGO_TOP/perf/3.3/lib/commons-fileupload-*.jar /tmp/perfbackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.3/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.3/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/soam/7.1.1/deploymentrest/WEB-INF/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/asc/1.1.1/lib/
1.5 On each management host, clean up the GUI work directories:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
NOTE: If you configured theWLP_OUTPUT_DIRparameter andAPPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI REST ascd plc purger
Ā· For IBM Spectrum Symphony 7.1.2, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI REST plc purger
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.4/lib/commons-fileupload-.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.4/deploymentrest/WEB-INF/lib/commons-fileupload-.jar
> mv $EGO_TOP/perf/3.4/lib/commons-fileupload-*.jar /tmp/perfbackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.4/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.4/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.4/deploymentrest/WEB-INF/lib/
1.5 On each management host, clean up the GUI work directories:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
NOTE: If you configured theWLP_OUTPUT_DIRparameter andAPPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI REST plc purger
Ā· For IBM Spectrum Symphony 7.1.2 multi cluster, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mv $EGO_TOP/wlp/usr/servers/gui/apps/2.0/lib/commons-fileupload-*.jar /tmp/guibackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/gui/apps/2.0/lib/
1.5 On each management host, clean up the GUI work directories:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
NOTE: If you configured theWLP_OUTPUT_DIRparameter andAPPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI
Ā· For IBM Spectrum Symphony 7.1.2 and IBM Spectrum Conductor with Spark 2.2 multi-head cluster, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI REST plc purger
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.5/lib/commons-fileupload-*.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar
> mv $EGO_TOP/perf/3.5/lib/commons-fileupload-*.jar /tmp/perfbackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.5/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.5/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/
1.5 On each management host, clean up the GUI work directories:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
NOTE: If you configured theWLP_OUTPUT_DIRparameter andAPPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI REST plc purger
Ā· For IBM Spectrum Symphony 7.2, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:
1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:
<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>
1.2 Stop the following services:
> egosh service stop WEBGUI REST plc purger
1.3 For backup purposes, move the following files, which will be replaced by new files:
> mkdir -p /tmp/guibackup/
> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.6/lib/commons-fileupload-.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.6/deploymentrest/WEB-INF/lib/commons-fileupload-.jar
> mv $EGO_TOP/perf/3.6/lib/commons-fileupload-*.jar /tmp/perfbackup/
1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:
> tar zxf commons-fileupload-1.3.3-bin.tar.gz
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.6/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.6/lib/
> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.6/deploymentrest/WEB-INF/lib/
1.5 On each management host, clean up the GUI work directories:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
NOTE: If you configured theWLP_OUTPUT_DIRparameter andAPPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.
1.6 Launch a web browser and clear your browser cache.
1.7 Start the following services:
> egosh service start WEBGUI REST plc purger
CPE | Name | Operator | Version |
---|---|---|---|
platform symphony | eq | 6.1.1 | |
platform symphony | eq | 7.1.0 | |
platform symphony | eq | 7.1.1 |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P