A security vulnerability related to Remote Command Execution (RCE), caused by dynamic JSP file builds, has been identified in IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, 7.1.1 and IBM Spectrum Symphony 7.1.2, 7.2.0.2.
CVEID: CVE-2018-1595
DESCRIPTION: IBM Spectrum Symphony and Platform Symphony could allow an authenticated user to execute arbitrary commands due to improper handling of user supplied input.
CVSS Base Score: 8.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143622> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, and 7.1.1
IBM Spectrum Symphony 7.1.2 and 7.2.0.2
The following steps are for Linux; the steps for Windows are similar.
1. Log on to the master host as the cluster administrator and stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
2. Log on to each management host in your cluster as the cluster administrator.
3. Delete the following files:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
$EGO_TOP/gui/soam/<SOAM_VERSION>/symgui/generaltable/getDeviceInfo.jsp
For IBM Platform Symphony 7.1.1:
$EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/generaltable/getDeviceInfo.jsp
For IBM Spectrum Symphony 7.1.2 and 7.2.0.2:
$EGO_TOP/wlp/usr/servers/gui/apps/ego/<EGO_VERSION>/platform/generaltable/getDeviceInfo.jsp
$EGO_TOP/wlp/usr/servers/gui/apps/soam/<SOAM_VERSION>/symgui/generaltable/getDeviceInfo.jsp
4. Delete all subdirectories and files from the following directories:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
> rm -rf $EGO_TOP/gui/work/*
For IBM Platform Symphony 7.1.1, IBM Spectrum Symphony 7.1.2 and 7.2.0.2:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
> rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
5. Clear your browser cache.
6. Start the WEBGUI service:
> egosh service start WEBGUI
Note: The above contents can also be found on IBM Fix Central: sym-6.1.1-build493462, sym-7.1-build486396, sym-7.1.1-build493457, sym-7.1.2-build493458, sym-7.2.0.2-build493459
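The procedure above is manual and must be repeated on every management host. The following script is an added example, not IBM's code and not part of the bulletin: it performs steps 3 and 4 (remove every getDeviceInfo.jsp location listed above, then empty the compiled-JSP work directories so that a servlet already compiled from the page cannot keep serving it) and then verifies that nothing is left. The paths are those from the bulletin, with the `<SOAM_VERSION>`/`<EGO_VERSION>` directories matched by a glob because they differ per install. It assumes `EGO_TOP` (and, for 7.1.1 and later, `WLP_OUTPUT_DIR`) are set by the caller, for example by sourcing the cluster's profile; the script name and its `apply` / `apply-master` arguments are assumptions for this example.

```shell
#!/bin/sh
# Added example for the CVE-2018-1595 manual fix; not IBM's code.
# Usage (assumed): EGO_TOP=/path/to/ego sh fix_cve-2018-1595.sh [apply|apply-master]
#   no argument  -> dry run, list the getDeviceInfo.jsp copies found under EGO_TOP
#   apply        -> management host: remove pages and empty work directories (steps 3-4)
#   apply-master -> master host: additionally stop/start WEBGUI (steps 1 and 6)

# Print each getDeviceInfo.jsp that exists under $1 (all release layouts from the bulletin).
vulnerable_jsp_candidates() {
    ego_top=$1
    for p in \
        "$ego_top"/gui/soam/*/symgui/generaltable/getDeviceInfo.jsp \
        "$ego_top"/wlp/usr/servers/gui/apps/soam/*/symgui/generaltable/getDeviceInfo.jsp \
        "$ego_top"/wlp/usr/servers/gui/apps/ego/*/platform/generaltable/getDeviceInfo.jsp
    do
        [ -f "$p" ] && printf '%s\n' "$p"
    done
    return 0
}

# Step 3: delete the JSP pages. Step 4: empty the work directories (including any
# compiled servlet classes generated from the page). $2 is WLP_OUTPUT_DIR (may be empty
# for 6.1.1 / 7.1 FP1), $3 the host name used in the webgui_<hostname> directory.
remove_vulnerable_jsp() {
    ego_top=$1
    wlp_out=${2:-}
    host=${3:-$(hostname)}
    vulnerable_jsp_candidates "$ego_top" | while IFS= read -r jsp; do
        rm -f "$jsp"
    done
    for d in "$ego_top"/gui/work "$ego_top"/gui/workarea \
             "${wlp_out:+$wlp_out/webgui_$host/gui/workarea}"
    do
        # -mindepth 1 keeps the directory itself but removes every entry, dotfiles included
        [ -n "$d" ] && [ -d "$d" ] && find "$d" -mindepth 1 -delete
    done
    return 0
}

# Post-check: no getDeviceInfo.jsp left and the work directories are empty.
# Returns 0 when clean, 1 otherwise (details on stderr).
verify_removed() {
    ego_top=$1
    remaining=$(vulnerable_jsp_candidates "$ego_top" | wc -l | tr -d ' ')
    [ "$remaining" -eq 0 ] || { echo "getDeviceInfo.jsp still present: $remaining file(s)" >&2; return 1; }
    for d in "$ego_top"/gui/work "$ego_top"/gui/workarea; do
        [ -d "$d" ] && [ -n "$(ls -A "$d")" ] && { echo "$d is not empty" >&2; return 1; }
    done
    return 0
}

case "${1:-}" in
    apply|apply-master)
        : "${EGO_TOP:?set EGO_TOP to the Symphony installation root}"
        if [ "$1" = apply-master ]; then
            egosh user logon -u Admin -x Admin   # step 1: credentials as in the bulletin
            egosh service stop WEBGUI
        fi
        remove_vulnerable_jsp "$EGO_TOP" "${WLP_OUTPUT_DIR:-}"
        verify_removed "$EGO_TOP"
        [ "$1" = apply-master ] && egosh service start WEBGUI   # step 6
        ;;
    *)
        [ -n "${EGO_TOP:-}" ] && vulnerable_jsp_candidates "$EGO_TOP"
        ;;
esac
```

Run it with `apply-master` once on the master host and with `apply` on every other management host; step 5 (clearing the browser cache) still has to be done by hand. `verify_removed` is the check worth keeping after any future upgrade or reinstall, because a package that restores the page silently re-exposes the hosts.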
Workarounds and Mitigations: None
| CPE | Name | Operator | Version |
|---|---|---|---|
| | ibm spectrum symphony | eq | 7.1.2 |
| | ibm spectrum symphony | eq | 7.2.0.2 |