History: Jun 17, 2018 - 5:07 a.m.

Security Bulletin: Vulnerability in Apache Commons affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7450)

2018-06-17 05:07:50
www.ibm.com

CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 10 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Rational Integration Tester in Rational Test Workbench, Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server (see CVE-2015-7450).

Vulnerability Details

CVEID: CVE-2015-7450
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Rational Integration Tester component in Rational Test Workbench, Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server versions:

All versions from 8.0 up to and including 8.7.1

Remediation/Fixes

The fixes for the CVE(s) mentioned above have been incorporated into an interim fix available on Fix Central (http://www-933.ibm.com/support/fixcentral/).

Please follow the appropriate component instructions below:

Note: OS X Instructions are provided for version 8.7.1 only

**Rational Test Control Panel (RTCP)** component in Rational Test Workbench (RTW) and Rational Test Virtualization Server (RTVS)
1. Download the fix from Fix Central and unzip it to extract the library commons-collections-3.2.2.jar
2. Stop the server
3. For versions 8.0 to 8.5.0.x
o Delete the existing library ‘commons-collections-3.2.1.jar’ in RationalTestControlPanel/webapps/RTCP/WEB-INF/lib and replace it with ‘commons-collections-3.2.2.jar’
4. For versions 8.5.1.x to 8.7.1
o Delete the existing library ‘commons-collections-3.2.1.jar’ in RationalTestControlPanel/usr/servers/RTCPServer/apps/RTCP.war/WEB-INF/lib and replace it with ‘commons-collections-3.2.2.jar’
5. Start the server

Note: The default install location for RTCP is opt/IBM/RationalTestControlPanel on AIX, Linux and Solaris, /Applications/IBM/RationalTestControlPanel on OS X (8.7.1 only) and C:\Program Files\IBM\RationalTestControlPanel on Windows.

**Rational Integration Tester (RIT)** component in Rational Test Workbench (RTW)

1. Download the fix from Fix Central and unzip it to a directory.

For versions 8.7.0.x and before, use com.springsource.org.apache.commons.collections_3.2.2.jar.

For version 8.7.1, use org.apache.commons.collections_3.2.2.jar.

2. Close any running instances of Rational Integration Tester (and RIT Agent if installed on the same machine).

3. Locate the IBMIMShared directory.

4. Copy the appropriate file into the IBMIMShared\plugins directory.

5. Locate the “bundles.info” file. By default, the location of this file is:

{Installation Directory for RIT}\configuration\org.eclipse.equinox.simpleconfigurator

6. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below:

For versions 8.7.0.x and before:

com.springsource.org.apache.commons.collections,3.2.2,…/IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false

For version 8.7.1:

org.apache.commons.collections,3.2.2,…/IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false

7. In order to verify that the changes have been made successfully, re-start RIT from the command line with the following command:

GHTester.exe -clean -console

When the console window appears, verify that 3.2.2, not 3.2.1, is shown when you type:

ss apache.commons.collections

Note: The default location for the IBMIMShared Directory is /Applications/IBM/IBMIMShared on OS X, opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\Program Files\IBM\IBMIMShared on Windows.

**Rational Integration Tester Agent (RIT Agent)** component in Rational Test Virtualization Server (RTVS) and Rational Performance Test Server (RPTS)

1. Download the fix from Fix Central and unzip it to a directory.

For versions 8.7.0.x and before, use com.springsource.org.apache.commons.collections_3.2.2.jar.

For version 8.7.1, use org.apache.commons.collections_3.2.2.jar.

2. Close any running instances of RIT Agent (and Rational Integration Tester if installed on the same machine).

3. Locate the IBMIMShared directory.

4. Copy the unzipped file to the IBMIMShared\plugins directory.

5. Locate the “bundles.info” file. By default, the location of this file is:

{Installation Directory for RIT Agent}\configuration\org.eclipse.equinox.simpleconfigurator

6. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below:

For versions 8.7.0.x and before:

com.springsource.org.apache.commons.collections,3.2.2,…/IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false

For version 8.7.1:

org.apache.commons.collections,3.2.2,…/IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false

7. In order to verify that the changes have been made successfully, check that RTCP is running, and then re-start the agent using the command line with the following command:

Agent.exe -clean -console

When the console window appears, verify that 3.2.2, not 3.2.1, is shown when you type:

ss apache.commons.collections

Note: The default location for the IBMIMShared Directory is /Applications/IBM/IBMIMShared on OS X, opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\Program Files\IBM\IBMIMShared on Windows.

General Notes:

o When updating an installation to a later version of Rational Test Control Panel, Rational Integration Tester or RIT Agent, the security fix detailed above will have to be re-applied after the update.
o When removing an installation that has had the security fix applied, not all the files will be removed by IBM Installation Manager, and some files will have to be removed manually.
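As an added verification aid that is not part of the IBM bulletin, the POSIX shell functions below audit the state the steps above leave behind: the version field on the commons.collections line of bundles.info, and the Commons Collections jars under IBMIMShared/plugins (the same jar check applies to the RTCP WEB-INF/lib directory). The function names, the assumed bundles.info field layout, and the fixture data are this example's own assumptions and constructed samples, not values from the page.

```shell
#!/bin/sh
# Added audit helper, not from the IBM bulletin: reports whether the
# CVE-2015-7450 fix (Commons Collections 3.2.2) is in place in a product tree.
# Assumed, not stated on the page: bundles.info lines have the layout
# "symbolicName,version,location,startLevel,autoStart"; paths contain no spaces.

# Version recorded on the commons.collections line of a bundles.info file,
# or "missing" when the file is absent or has no such line.
cc_bundle_version() {
    v=$(grep 'commons.collections' "$1" 2>/dev/null | head -n 1 | cut -d, -f2)
    echo "${v:-missing}"
}

# 0 if every Commons Collections jar under $1 is 3.2.2, 1 if an older one
# (e.g. commons-collections-3.2.1.jar) is still present, 2 if none was found.
cc_jar_state() {
    total=$(find "$1" -name '*commons*collections*.jar' 2>/dev/null | wc -l | tr -d ' ')
    stale=$(find "$1" -name '*commons*collections*.jar' ! -name '*3.2.2.jar' \
            2>/dev/null | wc -l | tr -d ' ')
    [ "$total" -gt 0 ] || return 2
    [ "$stale" -eq 0 ]
}

# $1 = RIT or RIT Agent installation directory, $2 = IBMIMShared directory.
# Prints a verdict; returns 0 only when bundles.info and the jars both agree.
audit_install() {
    info="$1/configuration/org.eclipse.equinox.simpleconfigurator/bundles.info"
    ver=$(cc_bundle_version "$info")
    jars=0
    cc_jar_state "$2/plugins" || jars=$?
    if [ "$ver" = "3.2.2" ] && [ "$jars" -eq 0 ]; then
        echo "fixed: bundles.info=$ver, plugins OK"
        return 0
    fi
    echo "NOT fixed: bundles.info=$ver, jar check=$jars (1=old jar left, 2=no jar)"
    return 1
}

# Constructed fixture for a dry run: minimal tree under $1 recording version $2.
# The location field below is sample data, not a real bundles.info entry.
make_fixture() {
    cfg="$1/rit/configuration/org.eclipse.equinox.simpleconfigurator"
    mkdir -p "$cfg" "$1/IBMIMShared/plugins"
    : > "$1/IBMIMShared/plugins/org.apache.commons.collections_$2.jar"
    printf 'org.example.filler,1.0.0,plugins/org.example.filler_1.0.0.jar,4,false\n' \
        > "$cfg/bundles.info"
    printf 'org.apache.commons.collections,%s,../IBMIMShared/plugins/%s,4,false\n' \
        "$2" "org.apache.commons.collections_$2.jar" >> "$cfg/bundles.info"
}
```

On a real host, call `audit_install` with the product installation directory and the IBMIMShared directory from the notes above; `make_fixture` only builds a scratch tree for trying the checks offline.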

Workarounds and Mitigations

None
