Security Bulletin: Code execution vulnerability in IBM WebSphere Application Server affects FastBack for Workstations Central Administration Console (CVE-2016-5983)

Published 2018-06-17 15:29:55 (www.ibm.com)

CVSS v3 base score: 7.5 (High)
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
  Attack Vector: NETWORK
  Attack Complexity: HIGH
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH

CVSS v2 base score: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL

Summary

There is a code execution vulnerability in IBM WebSphere Application Server that affects FastBack for Workstations Central Administration Console.

Vulnerability Details

CVEID: CVE-2016-5983
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

FastBack for Workstations Central Administration Console (CAC) 7.1 and 6.3.

Remediation/Fixes

FastBack for Workstations CAC 7.1
The fix for FastBack for Workstations CAC 7.1 will be to apply the Liberty interim fix pack PI62375.

In order to obtain the PI62375 fix, refer to the WAS security bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21990060
Click on the link for Liberty interim fix pack PI62375. Click the FC (Fix Central) link to download the 8559-wlp-archive-IFPI62375. Once downloaded, there will be a Readme.txt file and the 8559-wlp-archive-IFPI62375.jar file.

To apply the interim fix, do the following:

  1. Stop the TSM FastBack for Workstations Central Administration Console service (CAC_Service).
  2. Open an elevated command window and change to the directory containing the iFix jar.
  3. Run the command: java -jar 8559-wlp-archive-IFPI62375.jar --installLocation "C:\Program Files\Tivoli\TSM\CAC\wlp" (default install location shown)

     The following launch options are available for the jar:

     --installLocation [LibertyRootDir]: by default the jar looks for a "wlp" directory in its current location. If your Liberty profile install location is not named "wlp" and/or is not in the same directory as the jar, use this option to change where the jar patches. [LibertyRootDir] can be either relative to the location of the jar or an absolute file path.

     --suppressInfo: hides all messages other than confirmation that the patch has completed, or error messages.

  4. Start the TSM FastBack for Workstations Central Administration Console service (CAC_Service); the fix becomes active in your runtime environment.
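The four steps above can be run unattended so that the service is never restarted on an unpatched or half-patched runtime. The following PowerShell script is an added example, not IBM's code and not part of the bulletin: it stops CAC_Service, runs the iFix jar against the Liberty root, refuses to restart the service if the installer fails or if the iFix is not recorded, and only then starts the service. It assumes the jar is in the current directory, java is on PATH, the default install location and service name from the bulletin, and that the runtime's bin\productInfo.bat supports the "version --ifixes" listing (names and paths are parameters so they can be changed).

```powershell
# Added example (not IBM's code): apply Liberty interim fix PI62375 to the
# FastBack for Workstations CAC 7.1 runtime, following the bulletin's steps.
# Assumptions: the iFix jar is in the current directory, java is on PATH,
# the Liberty root is the bulletin's default C:\Program Files\Tivoli\TSM\CAC\wlp
# and the service is CAC_Service. The post-install check assumes the runtime
# ships bin\productInfo.bat with a "version --ifixes" option.
#Requires -RunAsAdministrator
[CmdletBinding()]
param(
    [string]$IFixJar     = (Join-Path $PWD '8559-wlp-archive-IFPI62375.jar'),
    [string]$LibertyRoot = 'C:\Program Files\Tivoli\TSM\CAC\wlp',
    [string]$ServiceName = 'CAC_Service'
)

$ErrorActionPreference = 'Stop'

# Fail early, before touching the service, if the inputs are not in place.
if (-not (Test-Path -LiteralPath $IFixJar))     { throw "iFix jar not found: $IFixJar" }
if (-not (Test-Path -LiteralPath $LibertyRoot)) { throw "Liberty root not found: $LibertyRoot" }
if (-not (Get-Command java -ErrorAction SilentlyContinue)) { throw 'java was not found on PATH' }

# Step 1: stop the CAC service and wait until it has actually stopped.
$svc = Get-Service -Name $ServiceName
if ($svc.Status -ne 'Stopped') {
    Stop-Service -Name $ServiceName
    $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
}

# Steps 2 and 3: run the iFix installer from an elevated session against the
# Liberty root. PowerShell passes $LibertyRoot as one argument, so the space in
# "Program Files" needs no manual quoting.
& java -jar $IFixJar --installLocation $LibertyRoot --suppressInfo
if ($LASTEXITCODE -ne 0) {
    throw "iFix installer exited with code $LASTEXITCODE; $ServiceName left stopped"
}

# Verify the runtime now records PI62375 before bringing the service back.
$productInfo = Join-Path $LibertyRoot 'bin\productInfo.bat'
$ifixList = (& $productInfo version --ifixes 2>&1) | Out-String
if ($ifixList -notmatch 'PI62375') {
    throw "PI62375 is not listed by productInfo; $ServiceName left stopped"
}

# Step 4: start the service; the fix is active once the runtime is back up.
Start-Service -Name $ServiceName
(Get-Service -Name $ServiceName).WaitForStatus('Running', [TimeSpan]::FromMinutes(2))
Write-Host "PI62375 applied to $LibertyRoot and $ServiceName is running."
```

Run it from the directory holding the downloaded jar, passing -LibertyRoot if the Liberty profile was installed somewhere other than the default. Leaving the service stopped on any failure is deliberate: restarting a runtime whose patch did not complete gives a false sense of remediation.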

FastBack for Workstations CAC 6.3
The fix for FastBack for Workstations CAC 6.3 will be to update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 and then apply the WAS interim fix pack PI70737.

Update embedded eWAS to 7.0.0.41
To update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 click on the following link:
http://www.ibm.com/support/docview.wss?uid=swg21981056
and then download 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak

To update the embedded eWAS, do the following:

  1. If not already at CAC version 6.3.1.1, upgrade to that version first.
  2. Stop the Tivoli Service: Tivoli Integrated Portal - V2.2_TIPProfile_Port_16310
  3. Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\IBM\Tivoli\Tipv2_fbws\WebSphereUpdateInstallerV7) apply the 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak file downloaded earlier

Apply WAS interim fix pack PI70737
In order to obtain the PI70737 fix, refer to the WAS security bulletin:
http://www.ibm.com/support/docview.wss?uid=swg21990060
Click on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI70737. Click the HTTP download link for 7.0.0.41-WS-WAS-IFPI70737. Once downloaded, there will be a Readme.txt file and a 7.0.0.41-ws-was-ifpi70737.pak file.

To apply the interim fix after having upgraded to WAS 7.0.0.41, do the following:

  1. Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\IBM\Tivoli\Tipv2_fbws\WebSphereUpdateInstallerV7) apply the 7.0.0.41-ws-was-ifpi70737.pak file downloaded earlier
  2. Restart the Tivoli Service or reboot the machine

Workarounds and Mitigations

None
