ibm IBM93AF3A0CB685837B7C985687A86604D2436D2B5919B3C105E801C3ADABAF8404
History: Jun 17, 2018 - 3:51 p.m.

Security Bulletin: Open Source Commons FileUpload Apache Vulnerabilities (CVE-2016-1000031)

2018-06-17 15:51:39
www.ibm.com

9.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

Open Source Commons FileUpload Apache Vulnerabilities addressed by IBM Tivoli Composite Application Manager Agent for Application Diagnostics

Vulnerability Details

**CVEID:** CVE-2016-1000031
**DESCRIPTION:** Apache Commons FileUpload, as used in IBM Tivoli Composite Application Manager for Application Diagnostics Managing Server, could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in the DiskFileItem class of the FileUpload library. A remote attacker could exploit this vulnerability to execute arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Tivoli Composite Application Manager for Application Diagnostics 7.1 and above

Remediation/Fixes

The recommended solution is to apply IBM Tivoli Composite Application Manager for Application Diagnostics Managing Server 7.1 FixPack 4 IFix 2. The download link will be provided when it is available.

Workarounds and Mitigations

The following steps can be used to replace commons-fileupload-1.3.2.jar with commons-fileupload-1.3.3.jar in IBM Tivoli Composite Application Manager for Application Diagnostics Managing Server:

1. Log in to the host where IBM Tivoli Composite Application Manager for Application Diagnostics Managing Server Visualization Engine is installed (ITCAM for AD MSVE);

2. Go to WAS_HOME/profiles/<MSVE profile>/installedApps/<MSVE cell>/ITCAM_Application.ear/octigate.web-ws51.war/WEB-INF/lib, replace commons-fileupload-1.3.2.jar with commons-fileupload-1.3.3.jar provided in this security bulletin;

3. Restart MSVE’s WebSphere server instance.

Attachment: commons-fileupload-1.3.3.jar
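As an added example (not part of IBM's bulletin or the ITCAM product), the following POSIX shell script checks a WEB-INF/lib directory for commons-fileupload jars older than 1.3.3, the version the workaround installs, and then performs the jar swap from step 2. The function names, the temporary directory and the empty placeholder files standing in for real jars are assumptions made for the demonstration; the check relies only on the version embedded in the jar file name. On a real install, point it at the WAS_HOME/profiles/.../WEB-INF/lib path from step 2 and at the genuine 1.3.3 jar, then restart the WebSphere server instance as in step 3.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin: audit and replace commons-fileupload
# jars in a WEB-INF/lib directory. Version is read from the jar file name only.

FIXED_VERSION=1.3.3   # version installed by the bulletin's workaround

# Exit status 0 if dotted numeric version $1 is >= version $2.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        len = (n > m) ? n : m;
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] + 0 : 0;
            yi = (i <= m) ? y[i] + 0 : 0;
            if (xi > yi) exit 0;
            if (xi < yi) exit 1;
        }
        exit 0
    }'
}

# Print one line per commons-fileupload jar under $1: "<path> <version> OK|VULNERABLE".
# Returns 0 when every jar found is at or above FIXED_VERSION, 1 otherwise.
check_fileupload_jars() {
    libdir=$1
    status=0
    for jar in "$libdir"/commons-fileupload-*.jar; do
        [ -e "$jar" ] || continue          # glob matched nothing
        ver=${jar##*/commons-fileupload-}  # strip directory and name prefix
        ver=${ver%.jar}                    # strip extension, leaving e.g. 1.3.2
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "$jar $ver OK"
        else
            echo "$jar $ver VULNERABLE"
            status=1
        fi
    done
    return $status
}

# Step 2 of the workaround: remove every existing commons-fileupload jar from
# the lib directory $1 and copy in the fixed jar given as $2.
replace_fileupload_jar() {
    libdir=$1
    newjar=$2
    for jar in "$libdir"/commons-fileupload-*.jar; do
        [ -e "$jar" ] || continue
        rm -f "$jar"
    done
    cp "$newjar" "$libdir"/
}

# Demonstration on a constructed directory layout; the empty files are
# stand-ins for the real jars, so no WebSphere install is needed.
demo() {
    tmp=$(mktemp -d)
    lib="$tmp/WEB-INF/lib"
    mkdir -p "$lib"
    : > "$lib/commons-fileupload-1.3.2.jar"   # constructed: vulnerable jar
    : > "$tmp/commons-fileupload-1.3.3.jar"   # constructed: fixed jar from the bulletin
    check_fileupload_jars "$lib" || echo "before: vulnerable commons-fileupload jar present"
    replace_fileupload_jar "$lib" "$tmp/commons-fileupload-1.3.3.jar"
    check_fileupload_jars "$lib" && echo "after: all commons-fileupload jars at or above $FIXED_VERSION"
    rm -rf "$tmp"
}

demo
```

The version comparison is numeric per dotted component, so 1.4 and 1.3.10 both count as fixed while 1.3.2 is flagged; a jar whose name carries no version suffix is not matched by the glob and should be inspected by hand.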
