Security Bulletin: Vulnerability in Apache Commons BeanUtils affect IBM Spectrum LSF Suite and Spectrum LSF Application Center

Summary

There is vulnerability in Apache Commons BeanUtils used by IBM Spectrum LSF Suite and Spectrum LSF Application Center.

Vulnerability Details

CVEID: CVE-2019-10086
DESCRIPTION: Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/166353&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Spectrum LSF Suite 10.2, Spectrum LSF Application Center 10.2

Remediation/Fixes

Spectrum LSF Suite

Spectrum LSF Application Center

| 10.2 | None |

1. Download Apache Commons BeanUtils v1.9.4 from: <http://commons.apache.org/proper/commons-beanutils/download_beanutils.cgi&gt;. (The following steps use x86_64 as an example.)
2. Copy the package into the Application Center host.
3. On the Application Center host, stop pmc and plc services.
4. On the Application Center host, extract new files and replace old files with commons-beanutils-1.9.4.jar in the following directories:

$PERF_TOP/1.2/lib/commons-beanutils.jar

$GUI_TOP/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-beanutils-1.9.2.jar

5. Delete all files under $GUI_TOP/work/platform/workarea.
6. On the Application Center host, start plc and pmc services on demand.

Workarounds and Mitigations

N/A