IBMD25FC5FB8A8B1C59AB072CD2FAFBE0E65B654246DF1F523B2F0760F380BBA57DSecurity Bulletin: IBM Platform Application Center Standard Edition is affected by a security vulnerability (CVE-2015-7450)
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
A security vulnerability has been identified in the current levels of IBM Platform Application Center Standard Edition 9.1.4, 9.1.4.1 and 9.1.4.2 that could allow a remote attacker to execute arbitrary code on the system.
Vulnerability Details
CVEID: CVE-2015-7450
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Platform Application Center Standard Edition Version 9.1.4, 9.1.4.1, 9.1.4.2
Remediation/Fixes
Upgrade Application Center with the fix patch 380076 for 9.1.4.2
1. Download IBM Platform Application Center 9.1.4.2 fix patch 380076 from IBM fix central. Link: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Application+Center&release=9.1.4.2&platform=All&function=all
2. Upgrade IBM Platform Application Center with this patch according to the upgrade guide: http://www-01.ibm.com/support/knowledgecenter/SSGSCT_9.1.4/shared_files/upgrading.dita
Workarounds and Mitigations
Manually apply the Apache jar File for 9.1.4, 9.1.4.1 and 9.1.4.2
1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi
2. Extract the file commons-collections-3.2.2.jar file and copy the extracted files to the management node.
3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:
· /opt/pac/perf/1.2/lib/commons-collections-3.1.jar
· /opt/pac/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.1.jar
· /opt/pac/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.2.jar
If high availability is enabled, replace the above JAR file on the all Application Center Server nodes.
4. Restart services. If high availability is enabled, run the following commands on the active management nodes.
# perfadmin stop all
# pmcadmin stop
# perfadmin start all
# pmcadmin start
If high availability is not enabled, run the following commands on the all Application Center Server nodes.
# perfadmin stop all
# pmcadmin stop
# perfadmin start all
# pmcadmin start
| CPE | Name | Operator | Version |
|---|---|---|---|
| platform application center | eq | 9.1.4 | |
| ibm spectrum lsf application center | eq | any |
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C