
Security Bulletin: Vulnerability in Apache Commons in IBM WebSphere Application Server affects Intelligent Operations Center and related products (CVE-2015-7450)

2022-08-19 21:04:31
www.ibm.com

CVSS3: 9.8 High
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(Attack Vector: Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)

CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C
(Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)

EPSS: 0.975 High (Percentile: 100.0%)

Summary

Remote execution vulnerability in Apache Commons Collections affects Intelligent Operations Center components WebSphere Application Server (WAS) or WAS Hypervisor Edition.

Vulnerability Details

CVE ID: CVE-2015-7450

Description: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data through the Java InvokerTransformer class. By sending specially crafted serialized data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the editions of WebSphere Application Server bundled with, and all versions and releases of IBM WebSphere Application Server shipped in, the following products:

Versions 1.5 and 1.6, all sub-versions, of:

  • IBM Intelligent Operations Center
  • IBM Intelligent Operations for Water
  • IBM Intelligent Operations for Transportation
  • IBM Intelligent City Planning and Operations

Version 5.1 and all sub-versions of:

  • IBM Intelligent Operations Center

Remediation/Fixes

If you have version 5.1 or later, see "For Intelligent Operations Center 5.1.x" below.

For Intelligent Operations Center (IOC), Intelligent Transportation, and Intelligent Water Versions 1.6 Standard or High Availability:

You must update WebSphere Application Server on all Analytics servers and all Applications servers.

For High Availability, the same steps apply. Stop both Analytics servers and both Applications servers, perform the upgrade with IBM Installation Manager on the primary Analytics server and the primary Applications server, and then perform it on the second Analytics server and the second Applications server.

Installation prerequisites for Analytics and Applications servers:

  1. You must have a Passport Advantage ID and password.

  2. Log in as root on each server.

  3. All servers should have access to the internet for the following instructions.

     If the servers do not have access to the internet, download the fix or interim fix on another system and transfer it to the file system of each server that must be updated. Download the files that contain the fixes from Fix Central, and use local updating. For the steps below that use IBM Installation Manager to install the WebSphere update, follow:
     https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en

     The fix that you must download for WebSphere is located here:
     http://www-01.ibm.com/support/docview.wss?uid=swg21970575

  4. Either perform the update by using a graphical user interface (GUI):

     Log in to a GUI desktop on Linux. The desktop can be either Gnome or KDE. If a desktop is not installed, you can install one as follows:
     a) Enter the command: **yum -y groupinstall "X Window System" Desktop**
     b) Modify the file **/etc/inittab** to contain the line: **id:5:initdefault:**
     c) Reboot the operating system.

     Or perform the update by using a command prompt:

     If you have not installed a desktop, and you do not wish to install one for the IBM Installation Manager, you can install interim fixes from a command prompt by following the syntax and commands described here:
     https://www.ibm.com/support/knowledgecenter/SSEQTP_8.0.0/com.ibm.websphere.installation.base.doc/info/aes/ae/tins_install_fixes_dist_cl.html?lang=en
     Follow the advice in this link wherever the IBM Installation Manager is mentioned in the rest of these procedures.

  5. Either use IOCControl with the IOC Topology password to stop WebSphere on the Analytics servers and on the Applications servers, or stop WebSphere by using another method such as the IBM Integrated Console.

Upgrading WebSphere Application Server on the Analytics servers

To perform the upgrade, follow these steps:

  1. Log on to each Analytics server through a terminal session. Log on as user **ibmadmin** if possible. If **ibmadmin** is unavailable, log on as user **root** and enter the command: **su - ibmadmin**

  2. Enter the command: **IOCControl -a stop -c ana -p "ioc topology password"**
     When the IOCControl command finishes, you should see output such as this:
     IBM COGNOS Enterprise node agent (anacognosnode) - [ off ]
     IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ off ]
     IBM COGNOS Enterprise gateway (anacognosgw) - [ off ]
     IBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ off ]
     IBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ off ]
     IBM SPSS Modeler server (anaspss) - [ on ]

  3. Log on to the Analytics server as user **root** by using the Gnome desktop or the KDE desktop.

  4. Configure the Installation Manager:
     a) Start the Installation Manager through the GUI: Applications -> IBM Applications Installation Manager
     b) In File -> Preferences -> Passport Advantage, select **"Connect to Passport Advantage"**. Click Apply and then click OK.
     c) In File -> Preferences -> Repository, clear the selection for every repository that begins with the string **"/tmp/ioc"** or **"/installMedia/*"**. These repositories are no longer relevant, and can be deleted.
     d) Select **"Search service repositories during installation and updates"**. Click Apply and then click OK.
     e) In File -> Preferences -> Updates, select **"Search for Installation Manager updates .."**. Click Apply and then click OK. The Installation Manager then looks for updates for the IBM Installation Manager program itself.
     f) Stop and restart the IBM Installation Manager.

  5. Update the components on the Analytics server:
     a) Start the Installation Manager through the GUI: Applications -> IBM Applications Installation Manager
     b) Select **'Update'**.
     c) Select **'Next'** repeatedly until you are prompted for an IBM ID and password. On the next screen, where you are prompted for a Master Password, click **'Cancel'**.
     d) If you are prompted to perform an update to a new version of Installation Manager, click **'Yes'** to perform the upgrade, and then click **'OK'** to restart the Installation Manager when prompted.
     e) If you upgraded the Installation Manager, select **"Update"** again.
     f) If you are prompted to attach to the IBM WebSphere Application Server Repository, select **'Yes'**.
     g) Enter your IBM ID and password.
     h) On the "Update Packages" screen, in the Package Group Name column, select "IBM WebSphere Application Server Network Deployment V8.0", and click **'Next'**. Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
     i) Select all available fixes for "WebSphere Application Server Network Deployment". You must apply the Apache Commons fix **8.0.0.0-WS-WAS-IFPI52103**. Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix. If necessary, re-run IBM Installation Manager, select **"Update Packages for IBM WebSphere Application Server Network Deployment V8.0"**, and then select **"All available fixes for WebSphere Application Server Network Deployment"**. Apply all outstanding WebSphere Application Server updates.

  6. Log in at a terminal prompt as user **ibmadmin**.

  7. Start the Analytics server by entering the command: **IOCControl -a start -c ana -p "ioc topology password"**
     Wait for these lines to appear in the output:
     IBM COGNOS Enterprise node agent (anacognosnode) - [ on ]
     IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ on ]
     IBM COGNOS Enterprise gateway (anacognosgw) - [ on ]
     IBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ on ]
     IBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ on ]
     IBM SPSS Modeler server (anaspss) - [ on ]

  8. To verify that the fix packs and interim fixes are installed on WebSphere Application Server, perform the following steps:
     a) Log on to a terminal session as user **root**.
     b) Enter the commands:
     **cd /opt/IBM/WebSphere/AppServer/bin**
     **./versionInfo.sh -fixpacks**
     **./versionInfo.sh -ifixdetail**
     For more information on the **versionInfo.sh** command, see: http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/rins_versionInfo.html?lang=en
     Confirm that 8.0.0.0-WS-WAS-IFPI52103 is listed among the installed interim fixes. The upgrade to WebSphere Application Server on the Analytics server is now complete.

Upgrading WebSphere Application Server on the Applications servers

To perform the upgrade, follow these steps:

  1. Log on to each Applications server through a terminal session. Log on as user **ibmadmin** if possible. If **ibmadmin** is unavailable, log on as user **root** and enter the command: **su - ibmadmin**

  2. Enter the command: **IOCControl -a stop -c app -p "ioc topology password"**
     When the IOCControl command finishes, you should see output such as this:
     IBM WebSphere Application Server Network Deployment (appdmgr) - [ off ]
     IBM Business Monitor node agent (appbmonnode) - [ off ]
     IBM Business Monitor server (appbmonserv) - [ off ]
     IBM Lotus Sametime Proxy node agent (appstproxynode) - [ off ]
     IBM Lotus Sametime Proxy server (appstproxyserv) - [ off ]
     IBM Worklight node agent (appwrkltnode) - [ off ]
     IBM Worklight server (appwrkltserv) - [ off ]
     IBM WebSphere Portal Enable node agent (appwpenode) - [ off ]
     IBM WebSphere Portal Enable server (appwpeserv) - [ off ]
     IOP SVC tool node agent (appiopnode) - [ off ]
     IOP SVC tool server (appiopserv) - [ off ]
     IBM HTTP Server administration server - web server (webihsadm) - [ off ]
     IBM HTTP Server web server - web server (webihsserv) - [ off ]

  3. Log on to the Applications server as **root** by using the Gnome desktop or the KDE desktop.

  4. Configure the Installation Manager:
     a) Start the Installation Manager through the GUI: Applications -> IBM Applications Installation Manager
     b) In File -> Preferences -> Passport Advantage, select **"Connect to Passport Advantage"**. Click Apply and then click OK.
     c) In File -> Preferences -> Repository, clear the selection for every repository that begins with the string **"/tmp/ioc"** or **"/installMedia/*"**. These repositories are no longer relevant, and can be deleted.
     d) Select **"Search service repositories during installation and updates"**. Click Apply and then click OK.
     e) In File -> Preferences -> Updates, select **"Search for Installation Manager updates .."**. Click Apply and then click OK. The Installation Manager then looks for updates for the IBM Installation Manager program itself.
     f) Stop and restart the IBM Installation Manager.

  5. Update the components on the Applications server:
     a) Start the Installation Manager through the GUI: Applications -> IBM Applications Installation Manager
     b) Select **'Update'**.
     c) Select **'Next'** repeatedly until you are prompted for an IBM ID and password. On the next screen, which prompts for a Master Password, click **'Cancel'**.
     d) If you are prompted to perform an update to a new version of Installation Manager, click **'Yes'** to perform the upgrade, and then click **'OK'** to restart the Installation Manager when prompted.
     e) If you upgraded the Installation Manager, select **"Update"** again.
     f) If you are prompted to attach to the IBM WebSphere Application Server Repository, select **'Yes'**.
     g) Enter your IBM ID and password.
     h) On the "Update Packages" screen, in the Package Group Name column, select "IBM WebSphere Application Server Network Deployment V8.0" and click **'Next'**. **Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.**
     i) Select all available fixes for "WebSphere Application Server Network Deployment". You must apply the Apache Commons fix **8.0.0.0-WS-WAS-IFPI52103**. Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix. If necessary, re-run IBM Installation Manager, select **"Update Packages for IBM WebSphere Application Server Network Deployment V8.0"** and then select **"All available fixes for WebSphere Application Server Network Deployment"**. Apply all outstanding WebSphere Application Server updates.

  6. Log on to a terminal prompt as user **ibmadmin**.

  7. Start the Applications server by entering the command: **IOCControl -a start -c app -p "ioc topology password"**
     Wait for these lines to appear in the output:
     IBM WebSphere Application Server Network Deployment (appdmgr) - [ on ]
     IBM Business Monitor node agent (appbmonnode) - [ on ]
     IBM Business Monitor server (appbmonserv) - [ on ]
     IBM Lotus Sametime Proxy node agent (appstproxynode) - [ on ]
     IBM Lotus Sametime Proxy server (appstproxyserv) - [ on ]
     IBM Worklight node agent (appwrkltnode) - [ on ]
     IBM Worklight server (appwrkltserv) - [ on ]
     IBM WebSphere Portal Enable node agent (appwpenode) - [ on ]
     IBM WebSphere Portal Enable server (appwpeserv) - [ on ]
     IOP SVC tool node agent (appiopnode) - [ on ]
     IOP SVC tool server (appiopserv) - [ on ]
     IBM HTTP Server administration server - web server (webihsadm) - [ on ]
     IBM HTTP Server web server - web server (webihsserv) - [ on ]

  8. To verify that the fix packs and interim fixes are installed on WebSphere Application Server, perform the following steps:
     a) Log on to a terminal session as user **root**.
     b) Enter the commands:
     **cd /opt/IBM/WebSphere/AppServer/bin**
     **./versionInfo.sh -fixpacks**
     **./versionInfo.sh -ifixdetail**
     For more information on the **versionInfo.sh** command, see: http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/rins_versionInfo.html?lang=en
     Confirm that 8.0.0.0-WS-WAS-IFPI52103 is listed among the installed interim fixes. The upgrade to WebSphere Application Server on the Applications server is now complete.

For Intelligent Operations Center 5.1.x:

Installation prerequisites for Analytics and Applications servers:

  1. You must have a Passport Advantage ID and password.

  2. Log in as user **root** on each server.

  3. All servers should have access to the internet for the following instructions. If the servers do not have access to the internet, download the fix or interim fix on another system and transfer it to the file system of each server that must be updated. Download the files that contain the fixes from Fix Central, and use local updating. For the steps below that use IBM Installation Manager to install the WebSphere update, follow:
     https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en

     The fix that you must download for WebSphere is located here:
     http://www-01.ibm.com/support/docview.wss?uid=swg21970575

  4. Either perform the update by using a graphical user interface (GUI):

     Log in to a GUI desktop on Linux. The desktop can be either Gnome or KDE. If a desktop is not installed, you can install one as follows:
     a) Enter the command: **yum -y groupinstall "X Window System" Desktop**
     b) Modify the file **/etc/inittab** to contain the line: **id:5:initdefault:**
     c) Reboot the operating system.

     Or perform the update by using a command prompt:

     If you have not installed a desktop, and you do not wish to install one for the IBM Installation Manager, you can install interim fixes from a command prompt by following the syntax and commands described here:
     https://www.ibm.com/support/knowledgecenter/SSEQTP_8.0.0/com.ibm.websphere.installation.base.doc/info/aes/ae/tins_install_fixes_dist_cl.html?lang=en
     Follow the advice in this link wherever the IBM Installation Manager is mentioned in the rest of these procedures.

Detailed steps to perform the upgrade:

  1. Stop the Liberty server that runs on the Applications server.
     a) Log on to the Applications server as root.
     b) Enter the commands:
     **cd /opt/ibm/ioc51install/sample**
     **./maint.sh**
     c) Under the title **"Control an IOC single-server instance"**, select **"4b) Stop Liberty <server>"**.

  2. Log on to the Applications server as **root** by using the Gnome desktop or the KDE desktop.

  3. Either perform the update by using a GUI:

     Update the components on the Applications server, including Liberty:
     a) Start the Installation Manager through the GUI: Applications -> IBM Applications Installation Manager
     b) Select **'Update'**.
     c) Select **'Next'** repeatedly until you are prompted for an IBM ID and password.
     d) If you are prompted to perform an update to a new version of Installation Manager, click **'Yes'** to perform the upgrade and then click **'OK'** to restart the Installation Manager when prompted.
     e) If you upgraded the Installation Manager, select **"Update"** again.
     f) On the "Configuration for IBM WebSphere Application Server Liberty Network Deployment 8.5.5.7" panel, select **"Launch Asset Selection Wizard"**.
     g) Select **"Update all packages with recommended updates and recommended fixes"**.
     h) Enter your IBM ID and password.
     i) Accept the terms of the license agreement, and click **'Finish'**.
     j) On the "Update Packages" screen, in the Package Group Name column, select "IBM WebSphere Application Server Network Deployment V8.0" and click **'Next'**. Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
     k) Select all available fixes for "WebSphere Application Server Network Deployment". You must apply the Apache Commons fix **8.0.0.0-WS-WAS-IFPI52103**. Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server to see this fix. If necessary, re-run IBM Installation Manager, select **"Update Packages for IBM WebSphere Application Server Network Deployment V8.0"** and then select **"All available fixes for WebSphere Application Server Network Deployment"**. Apply all outstanding WebSphere Application Server updates.
     When you have applied all the WebSphere Application Server fixes, proceed to the next step.

     Or perform the update by using a command line:

     a) Download the **8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip** file to a local system.
     b) Upload the compressed file to the **/tmp** file system on the Applications server.
     c) Log on to a terminal session as the root user.
     d) Execute these commands to perform the installation:
     **cd /opt/IBM/InstallationManager/eclipse/tools**
     **./imcl install 8.5.5.7-WS-WLP-DistOnly-IFPI52103 -installationDirectory /opt/IBM/WebSphere/wlp -repositories /tmp/8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip**
     The path given to -repositories must match the name of the uploaded file exactly; Linux file names are case-sensitive.
     These commands install 8.5.5.7-WS-WLP-DistOnly-IFPI52103_8.5.5007.20151114_2058 to the /opt/IBM/WebSphere/wlp directory.
     e) To validate the installation, enter the command: **./imcl listInstalledPackages -long** and confirm that 8.5.5.7-WS-WLP-DistOnly-IFPI52103 appears in the list.

  4. Start the Liberty server with the commands:
     **cd /opt/ibm/ioc51install/sample**
     **./maint.sh**

  5. Under the title **"Control an IOC single-server instance"**, select **"4a) Start Liberty <server>"**.
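The verification steps in both procedures (versionInfo.sh -ifixdetail on the 1.6 Analytics and Applications servers, imcl listInstalledPackages -long on the 5.1.x Applications server) tell you to run a command but not what to look for in its output. The script below is an added example, not part of the IBM bulletin and not IBM's code: it checks the output of those two commands for the interim fix IDs named in this bulletin, and wraps the 5.1.x command-line install with the existence and post-install checks an operator would want. The fix IDs, paths and imcl options are taken from the bulletin; the function names, the "was"/"wlp" labels and the sample reports are assumptions made for this example, and the sample reports are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example; not IBM's code and not part of the bulletin. Checks, after
# the upgrade, that the interim fix for CVE-2015-7450 is really present, by
# reading the output of the two verification commands the bulletin names:
#   versionInfo.sh -ifixdetail        (traditional WAS 8.0, IOC 1.5/1.6)
#   imcl listInstalledPackages -long  (Liberty 8.5.5.7, IOC 5.1.x)
# Fix IDs and paths are the bulletin's; function names, the was/wlp labels
# and the sample reports are assumptions made for this example.

WAS_FIX='8.0.0.0-WS-WAS-IFPI52103'
WLP_FIX='8.5.5.7-WS-WLP-DistOnly-IFPI52103'
WAS_BIN='/opt/IBM/WebSphere/AppServer/bin'
IMCL_DIR='/opt/IBM/InstallationManager/eclipse/tools'
WLP_HOME='/opt/IBM/WebSphere/wlp'

# has_fix FIX_ID   (report text on stdin)
# Returns 0 when FIX_ID occurs as a whole token, 1 otherwise. The boundary
# check matters: "...IFPI52103_8.5.5007.20151114_2058" (how imcl lists the
# installed package) must match, while another fix whose ID merely begins
# with the same characters must not. Dots are escaped so they stay literal.
has_fix() {
    pat=$(printf '%s' "$1" | sed 's/[.]/\\./g')
    grep -q -E '(^|[^A-Za-z0-9])'"$pat"'([^A-Za-z0-9]|$)'
}

# verify_report FLAVOUR   (report text on stdin; FLAVOUR is "was" or "wlp")
# Prints one status line and returns 0 (patched) or 1 (not patched), so the
# exit code can drive a loop over a fleet of servers.
verify_report() {
    case "$1" in
        was) fix="$WAS_FIX" ;;
        wlp) fix="$WLP_FIX" ;;
        *)   echo "verify_report: unknown flavour '$1'" >&2; return 2 ;;
    esac
    if has_fix "$fix"; then
        echo "PATCHED: $fix is installed"
        return 0
    fi
    echo "NOT PATCHED: $fix is missing"
    return 1
}

# verify_live: run the bulletin's own commands on this server. Every product
# tree that exists is checked; returns 1 if any of them lacks its fix.
verify_live() {
    rc=0
    if [ -x "$WAS_BIN/versionInfo.sh" ]; then
        "$WAS_BIN/versionInfo.sh" -ifixdetail | verify_report was || rc=1
    fi
    if [ -x "$IMCL_DIR/imcl" ] && [ -d "$WLP_HOME" ]; then
        "$IMCL_DIR/imcl" listInstalledPackages -long | verify_report wlp || rc=1
    fi
    return "$rc"
}

# install_wlp_fix ZIP: the bulletin's command-line install for IOC 5.1.x, with
# the checks the bulletin leaves to the operator: the archive must exist under
# the exact (case-sensitive) name passed to -repositories, and the result is
# verified with imcl rather than assumed.
install_wlp_fix() {
    zip="$1"
    [ -f "$zip" ] || { echo "fix archive not found: $zip" >&2; return 1; }
    (cd "$IMCL_DIR" && ./imcl install "$WLP_FIX" \
        -installationDirectory "$WLP_HOME" -repositories "$zip") || return 1
    "$IMCL_DIR/imcl" listInstalledPackages -long | verify_report wlp
}

# Constructed sample reports (not captured from a real system), shaped like
# the two commands' output: a patched WAS 8.0 server, and a Liberty server
# before and after the fix. The package IDs in the Liberty lines are made up.
WAS_SAMPLE_PATCHED='Installed Product
--------------------------------------------------------------------------------
Name                      IBM WebSphere Application Server Network Deployment
Version                   8.0.0.11
ID                        ND

Interim Fix
--------------------------------------------------------------------------------
ID                        8.0.0.0-WS-WAS-IFPI52103
Build Date                11/14/15'

WLP_SAMPLE_UNPATCHED='/opt/IBM/WebSphere/wlp : com.ibm.websphere.liberty.ND.v85_8.5.5007.20151114_2058 : IBM WebSphere Application Server Liberty Network Deployment : 8.5.5.7'

WLP_SAMPLE_PATCHED="$WLP_SAMPLE_UNPATCHED
/opt/IBM/WebSphere/wlp : 8.5.5.7-WS-WLP-DistOnly-IFPI52103_8.5.5007.20151114_2058 : 8.5.5.7-WS-WLP-DistOnly-IFPI52103 : 8.5.5007.20151114_2058"

# Demonstration on the constructed samples. On a real server run: verify_live
printf '%s\n' "$WAS_SAMPLE_PATCHED"   | verify_report was
printf '%s\n' "$WLP_SAMPLE_UNPATCHED" | verify_report wlp || true
printf '%s\n' "$WLP_SAMPLE_PATCHED"   | verify_report wlp
```

On a patched server `verify_live` exits 0; on one where the fix never appeared in Installation Manager (the "this fix might not appear initially" case above) it prints NOT PATCHED and exits 1, which is the signal to go back and apply the earlier fixes first. The whole-token match in has_fix is what keeps a look-alike fix ID from passing as the real one.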

Workarounds and Mitigations

None
