
Security Bulletin: Vulnerability in Apache Commons FileUpload DiskFileItem File Manipulation affects IBM Platform Symphony, IBM Spectrum Symphony (CVE-2016-1000031)

2018-06-18 01:38:58
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

A remote code execution vulnerability, CVE-2016-1000031, has been reported in Apache Commons FileUpload (DiskFileItem file manipulation), which IBM Platform Symphony uses as a framework for its WEBGUI service. The vulnerable Commons FileUpload version is included in several past versions of IBM Platform Symphony. Commons FileUpload 1.3.3 addresses this vulnerability and can be applied through the manual steps detailed below.

Vulnerability Details

CVEID: CVE-2016-1000031

DESCRIPTION: A vulnerability in IBM Spectrum Symphony and IBM Platform Symphony could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in the DiskFileItem class of the FileUpload library. An attacker could exploit this vulnerability to execute arbitrary code in the context of the current process.

CVSS V3 Base Score: 7.5 HIGH

CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS V3 Impact Score: 5.9

CVSS V3 Exploitability Score: 3.9

Affected Products and Versions

IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, and 7.1.1, and IBM Spectrum Symphony 7.1.2 and 7.2. All OS editions, including Linux and Windows, are affected. The remediation steps for Linux are provided in this document. For Windows, use the Linux steps as a reference and find the correct path for patching.

Remediation/Fixes

None

Workarounds and Mitigations

· For IBM Platform Symphony 6.1.1, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/1.2.8/lib/commons-fileupload-*.jar /tmp/guibackup
> mv $EGO_TOP/perf/1.2.8/lib/commons-fileupload-*.jar /tmp/perfbackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/1.2.8/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/1.2.8/lib/

1.5 On each management host, clean up the GUI work directory:

> rm -rf $EGO_TOP/gui/work/*

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI plc purger

· For IBM Platform Symphony 7.1 Fix Pack 1, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.1/lib/commons-fileupload-*.jar /tmp/guibackup
> rm $EGO_TOP/gui/soam/7.1/symgui/WEB-INF/lib/commons-fileupload-*.jar
> mv $EGO_TOP/perf/3.1/lib/commons-fileupload-*.jar /tmp/perfbackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.1/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.1/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/soam/7.1/symgui/WEB-INF/lib/

1.5 On each management host, clean up the GUI work directory:

> rm -rf $EGO_TOP/gui/work/*

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI plc purger

· For IBM Platform Symphony 7.1.1, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI ascd REST plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.3/lib/commons-fileupload-*.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/commons-fileupload-*.jar
> rm $EGO_TOP/wlp/usr/servers/rest/apps/soam/7.1.1/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar
> rm $EGO_TOP/asc/1.1.1/lib/commons-fileupload-*.jar
> mv $EGO_TOP/perf/3.3/lib/commons-fileupload-*.jar /tmp/perfbackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.3/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.3/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/WEB-INF/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/soam/7.1.1/deploymentrest/WEB-INF/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/asc/1.1.1/lib/

1.5 On each management host, clean up the GUI work directories:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI REST ascd plc purger

· For IBM Spectrum Symphony 7.1.2, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI REST plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.4/lib/commons-fileupload-*.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.4/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar
> mv $EGO_TOP/perf/3.4/lib/commons-fileupload-*.jar /tmp/perfbackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.4/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.4/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.4/deploymentrest/WEB-INF/lib/

1.5 On each management host, clean up the GUI work directories:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI REST plc purger

· For IBM Spectrum Symphony 7.1.2 multi cluster, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/2.0/lib/commons-fileupload-*.jar /tmp/guibackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/gui/apps/2.0/lib/

1.5 On each management host, clean up the GUI work directories:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI

· For IBM Spectrum Symphony 7.1.2 and IBM Spectrum Conductor with Spark 2.2 multi-head cluster, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI REST plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mkdir -p /tmp/perfbackup/

> mv $EGO_TOP/gui/3.5/lib/commons-fileupload-*.jar /tmp/guibackup

> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar

> mv $EGO_TOP/perf/3.5/lib/commons-fileupload-*.jar /tmp/perfbackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.5/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.5/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/

1.5 On each management host, clean up the GUI work directories:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI REST plc purger

· For IBM Spectrum Symphony 7.2, follow these steps to upgrade to Commons FileUpload v1.3.3 on Linux hosts:

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

<http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz>

1.2 Stop the following services:

> egosh service stop WEBGUI REST plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/guibackup/

> mkdir -p /tmp/perfbackup/
> mv $EGO_TOP/gui/3.6/lib/commons-fileupload-*.jar /tmp/guibackup
> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.6/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar
> mv $EGO_TOP/perf/3.6/lib/commons-fileupload-*.jar /tmp/perfbackup/

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.6/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.6/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.6/deploymentrest/WEB-INF/lib/

1.5 On each management host, clean up the GUI work directories:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI REST plc purger
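A post-upgrade audit, added here as an example and not part of the IBM bulletin: it walks an $EGO_TOP tree for every commons-fileupload-*.jar and reports any whose filename version is older than the fixed 1.3.3, which catches a lib directory (gui, perf, wlp, asc) missed in the steps above. It assumes the commons-fileupload-<version>.jar naming shown in the bulletin (the version is read from the filename, not the manifest); the demo() tree is constructed, not a real cluster.

```shell
# Added example, not from the IBM bulletin: audit an EGO_TOP tree for
# commons-fileupload jars older than the fixed 1.3.3. Assumes the
# commons-fileupload-<version>.jar naming used in the bulletin's steps.
FIXED_VERSION="1.3.3"

# version_lt A B: succeed when dotted numeric version A is older than B
# (1.3 < 1.3.3, 1.10 > 1.3.3); a non-numeric suffix such as -SNAPSHOT is ignored.
version_lt() {
    a="$1" b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="${a%%.*}"; bi="${b%%.*}"
        [ "$a" = "$ai" ] && a="" || a="${a#*.}"
        [ "$b" = "$bi" ] && b="" || b="${b#*.}"
        ai="${ai%%[!0-9]*}"; bi="${bi%%[!0-9]*}"
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 1
    done
    return 1
}

# jar_version PATH: extract <version> from .../commons-fileupload-<version>.jar
jar_version() {
    f="${1##*/}"; f="${f#commons-fileupload-}"; printf '%s\n' "${f%.jar}"
}

# find_vulnerable ROOT: print "<path> <version>" for every jar below ROOT older
# than FIXED_VERSION, so gui/, perf/, wlp/ and asc/ lib dirs are covered at once.
find_vulnerable() {
    find "$1" -type f -name 'commons-fileupload-*.jar' | while IFS= read -r jar; do
        v=$(jar_version "$jar")
        if version_lt "$v" "$FIXED_VERSION"; then printf '%s\t%s\n' "$jar" "$v"; fi
    done
}

# demo: constructed sample tree (not a real cluster) holding one patched jar and
# two stale ones; prints the number of stale jars the audit reports.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/gui/3.6/lib" "$root/perf/3.6/lib" "$root/wlp/apps/3.6/WEB-INF/lib"
    : > "$root/gui/3.6/lib/commons-fileupload-1.3.3.jar"
    : > "$root/perf/3.6/lib/commons-fileupload-1.2.1.jar"
    : > "$root/wlp/apps/3.6/WEB-INF/lib/commons-fileupload-1.3.jar"
    n=$(find_vulnerable "$root" | wc -l); rm -rf "$root"; echo $((n + 0))
}

# Run against the live cluster when EGO_TOP is set, otherwise the constructed demo.
if [ -n "${EGO_TOP:-}" ]; then find_vulnerable "$EGO_TOP"; else demo; fi
```

Run it on each management host after step 1.7; an empty report means no pre-1.3.3 jar remains under $EGO_TOP.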
