Security Bulletin: Atlas eDiscovery Process Management (6.0.1.x and 6.0.2.x versions) is affected by a vulnerable Apache Commons Beanutils in WebSphere Application Server

Published: 2020-09-28 07:57:33 (www.ibm.com)

CVSS3 score: 7.3 (High), vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L`

| Metric | Value |
| --- | --- |
| Attack Vector | NETWORK |
| Attack Complexity | LOW |
| Privileges Required | NONE |
| User Interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality Impact | LOW |
| Integrity Impact | LOW |
| Availability Impact | LOW |

CVSS2 score: 7.5 (High), vector `AV:N/AC:L/Au:N/C:P/I:P/A:P`

| Metric | Value |
| --- | --- |
| Access Vector | NETWORK |
| Access Complexity | LOW |
| Authentication | NONE |
| Confidentiality Impact | PARTIAL |
| Integrity Impact | PARTIAL |
| Availability Impact | PARTIAL |

Abstract

This Fix Readme includes instructions for upgrading the Apache Commons Beanutils jar to v1.9.4 for Atlas eDiscovery Process Management (6.0.1.x and 6.0.2.x versions).

Content

PSIRT details: PRID: PVR0203016, Advisory ADV0020809 - Apache Commons Beanutils Vulnerability
CVEID: CVE-2019-10086
CVSS Base Score: 5.3

Description: Apache Commons Beanutils may allow a remote attacker to gain unauthorized access to the system, due to a failure to suppress the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.

For more details on the security fix, refer to the link below:

<https://www.ibm.com/support/pages/node/5693133>

Fix:
This fix is applicable to IBM Policy Atlas Suite versions 6.0.1.x and 6.0.2.x.
The commons-beanutils.jar must be upgraded from v1.9.2 to v1.9.4 in both the Policy Atlas and Atlas Extensions applications. To do this, each EAR file must be expanded, the jar file replaced inside the nested WAR, and the archives compressed again and redeployed.

To apply the fix for Policy Atlas application, follow the steps mentioned below:

  1. Back up the PolicyAtlas.ear file.
  2. Extract the EAR file to a PolicyAtlas folder.
  3. Extract PolicyAtlas\web.war to a web folder.
  4. Navigate to the PolicyAtlas\web\WEB-INF\lib folder.
  5. Replace the commons-beanutils.jar file with the one provided at the end of this document.
  6. Compress the contents of the PolicyAtlas\web folder and name the archive web.war.
  7. Compress the META-INF folder and the web.war file together.
  8. Rename the resulting zip file to PolicyAtlas.ear.
  9. Deploy the EAR file.

To apply the fix for Atlas Extensions application, follow the steps mentioned below:

  1. Back up the AtlasExtensions.ear file.
  2. Extract the EAR file to an AtlasExtension folder.
  3. Extract AtlasExtensions\AtlasExtensions.war to an AtlasExtensions folder.
  4. Navigate to the AtlasExtensions\AtlasExtensions\WEB-INF\lib folder.
  5. Replace the commons-beanutils.jar file with the one provided at the end of this document.
  6. Compress the contents of the AtlasExtensions\AtlasExtensions folder and name the archive AtlasExtensions.war.
  7. Compress the META-INF folder and the AtlasExtensions.war file together.
  8. Rename the resulting zip file to AtlasExtensions.ear.
  9. Deploy the EAR file.
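The two procedures above are the same nested-archive operation with different archive names, so the following added Python example (not IBM's tooling and not code from this bulletin) performs steps 2 through 8 in memory for either EAR and then reads the version recorded in the replaced jar's manifest, which is the check a practitioner wants before and after deploying. It assumes the EAR and WAR are plain zip archives and that the jar's META-INF/MANIFEST.MF carries an Implementation-Version entry; the sample EAR it builds is a constructed fixture, not the product archive.

```python
import io
import zipfile
from typing import Dict, Optional

JAR_ENTRY = "WEB-INF/lib/commons-beanutils.jar"  # path inside the WAR (steps 4-5)


def replace_entries(archive: bytes, replacements: Dict[str, bytes]) -> bytes:
    """Return a copy of a zip archive with the named entries swapped for new content."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(archive)) as zin, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as zout:
        missing = set(replacements) - set(zin.namelist())
        if missing:  # refuse to "patch" an archive that never contained the entry
            raise KeyError(f"entries not found: {sorted(missing)}")
        for info in zin.infolist():  # reuse ZipInfo so timestamps/permissions survive
            zout.writestr(info, replacements.get(info.filename, zin.read(info)))
    return out.getvalue()

def patch_ear_bytes(ear: bytes, war_name: str, new_jar: bytes) -> bytes:
    """Steps 2-8: expand EAR -> WAR -> WEB-INF/lib, swap the jar, repack both levels."""
    with zipfile.ZipFile(io.BytesIO(ear)) as z:
        war = z.read(war_name)  # KeyError if the EAR has no such WAR
    return replace_entries(ear, {war_name: replace_entries(war, {JAR_ENTRY: new_jar})})

def jar_version(ear: bytes, war_name: str) -> Optional[str]:
    """Verification: Implementation-Version from the nested jar's manifest (assumed key name)."""
    with zipfile.ZipFile(io.BytesIO(ear)) as z, \
            zipfile.ZipFile(io.BytesIO(z.read(war_name))) as war, \
            zipfile.ZipFile(io.BytesIO(war.read(JAR_ENTRY))) as jar:
        manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    found = [v.strip() for k, _, v in (ln.partition(":") for ln in manifest.splitlines())
             if k.strip() == "Implementation-Version"]
    return found[0] if found else None

def build_zip(entries: Dict[str, bytes]) -> bytes:
    """Fixture helper (constructed, not a product archive): in-memory zip from name -> bytes."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as z:
        for name, data in entries.items():
            z.writestr(name, data)
    return out.getvalue()

def make_sample_ear(war_name: str, version: str) -> bytes:
    """Constructed fixture: EAR > WAR > WEB-INF/lib jar whose manifest carries `version`."""
    jar = build_zip({"META-INF/MANIFEST.MF": f"Implementation-Version: {version}\n".encode()})
    war = build_zip({"WEB-INF/web.xml": b"<web-app/>", JAR_ENTRY: jar})
    return build_zip({"META-INF/application.xml": b"<application/>", war_name: war})
```

On a real system, read the deployed EAR from disk into `patch_ear_bytes` after taking the backup from step 1, and run `jar_version` on the result to confirm it reports 1.9.4 before redeploying.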

**Attachment:** Use this Apache Commons Beanutils jar:

commons-beanutils.jar

