Security Bulletin: A vulnerability in Apache Struts 2 affects IBM Spectrum Conductor with Spark (CVE-2017-9787, CVE-2017-9804, and CVE-2017-12611)

Date: 2018-06-18 01:38:10
Source: www.ibm.com

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Summary

Several security vulnerabilities, CVE-2017-9787 (S2-049), CVE-2017-9804 (S2-050) and CVE-2017-12611 (S2-053), have been reported against Apache Struts 2, which IBM Spectrum Conductor with Spark uses as the framework for its WEBGUI service. Struts 2.3.34 addresses these vulnerabilities and can be applied through the manual steps detailed in the Remediation section.

Vulnerability Details

CVEID: CVE-2017-9787
DESCRIPTION: Apache Struts is vulnerable to a denial of service, caused by an error when using a Spring AOP functionality to secure Struts actions. A remote authenticated attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/128527> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2017-9804
DESCRIPTION: Apache Struts is vulnerable to a denial of service, caused by an error when using URLValidator. By placing a specially crafted URL in a form field to trigger an error in regular expression processing, an attacker could exploit this vulnerability to overload the server process.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131401> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2017-12611
DESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the use of an unintended expression in a Freemarker tag instead of a string literal. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/131603> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

IBM Spectrum Conductor with Spark 2.2.0, which supports Linux and Linux on POWERLE.

Remediation/Fixes

Follow the steps to update to Struts version 2.3.34 on Linux hosts:

Before installation

a. Log on to each management host in the cluster and download the struts-2.3.34-lib.zip package from the following location (you only need to perform this once if the IBM Spectrum Conductor with Spark cluster is installed in a shared environment):

<http://archive.apache.org/dist/struts/2.3.34/struts-2.3.34-lib.zip>.

b. Log on to the master host as the cluster administrator and stop the cluster management console service (WEBGUI):

> egosh user logon -u Admin -x Admin

> egosh service stop WEBGUI

c. For recovery purposes, on each management host, move the files corresponding to your host operating system to a backup directory (you only need to perform this once if $EGO_TOP is a shared directory):

> mkdir -p /tmp/guibackup/egogui

> mkdir -p /tmp/guibackup/perfgui

> mkdir -p /tmp/guibackup/perfguiv5

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-digester-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-fileupload-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-io-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-lang3-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/commons-logging-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/org.apache.commons-io-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/freemarker-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/javassist-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/ognl-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-core-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-json-plugin-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/struts2-spring-plugin-*.jar /tmp/guibackup/

> mv $EGO_TOP/gui/$EGO_VERSION/lib/xwork-core-*.jar /tmp/guibackup/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/xstream-*.jar /tmp/guibackup/egogui/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/velocity-[0-9]*.jar /tmp/guibackup/egogui/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/struts2-core-*.jar /tmp/guibackup/perfgui

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfgui/

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/freemarker-*.jar /tmp/guibackup/perfguiv5

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/ognl-*.jar /tmp/guibackup/perfguiv5

> mv $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/xwork-core-*.jar /tmp/guibackup/perfguiv5

Installation

a. On each management host, unzip the struts-2.3.34-lib.zip package and copy the files for your host operating system to your cluster directory (you only need to perform this once if $EGO_TOP is a shared directory):

> unzip -u struts-2.3.34-lib.zip

> cd struts-2.3.34/lib/

> cp commons-digester-2.0.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-fileupload-1.3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-io-2.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-lang3-3.2.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp commons-logging-1.1.3.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp javassist-3.11.0.GA.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp ognl-3.0.21.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-core-2.3.34.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-json-plugin-2.3.34.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp struts2-spring-plugin-2.3.34.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp xwork-core-2.3.34.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> cp xstream-1.4.10.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/

> cp velocity-1.6.4.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp ognl-3.0.21.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp struts2-core-2.3.34.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp xwork-core-2.3.34.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> cp freemarker-2.3.22.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/

> cp ognl-3.0.21.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/

> cp xwork-core-2.3.34.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/
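An added verification step (example code, not part of the IBM bulletin): a POSIX sh check that confirms each of the four library directories above now holds the Struts 2.3.34 JAR set copied into it and no leftover pre-upgrade copy of the same library, which is the state a skipped mv in the Before installation step would leave behind. It assumes $EGO_TOP and $EGO_VERSION carry the bulletin's meaning, and it builds its own throwaway tree of empty placeholder JARs (constructed here) so it can be run on a workstation.

```shell
# Added post-upgrade check; not part of the IBM bulletin. After the
# Installation step, each lib directory the bulletin touches must hold the
# Struts 2.3.34 JAR set copied into it and no leftover copy of the same
# library that the Before-installation mv commands should have moved out.

# check_dir DIR JAR...: every JAR must exist in DIR, and no other file with the same library prefix may remain.
check_dir() {
  dir=$1; shift; status=0
  for jar in "$@"; do
    prefix=${jar%-*}-                      # struts2-core-2.3.34.jar -> struts2-core-
    [ -f "$dir/$jar" ] || { echo "MISSING $dir/$jar"; status=1; }
    for f in "$dir/$prefix"[0-9]*.jar; do  # leading digit skips e.g. velocity-tools-*.jar
      [ -e "$f" ] || continue
      [ "${f##*/}" = "$jar" ] || { echo "STALE   $f"; status=1; }
    done
  done
  return $status
}

# JAR sets per directory, taken from the bulletin's cp commands.
CORE="freemarker-2.3.22.jar ognl-3.0.21.jar xwork-core-2.3.34.jar"
GUI_JARS="$CORE struts2-core-2.3.34.jar struts2-json-plugin-2.3.34.jar struts2-spring-plugin-2.3.34.jar
  javassist-3.11.0.GA.jar commons-digester-2.0.jar commons-fileupload-1.3.2.jar commons-io-2.2.jar
  commons-lang3-3.2.jar commons-logging-1.1.3.jar"
EGO_JARS="xstream-1.4.10.jar velocity-1.6.4.jar"
PERF_JARS="$CORE struts2-core-2.3.34.jar"
PERFV5_JARS="$CORE"

# check_struts_upgrade EGO_TOP EGO_VERSION: 0 only if all four directories are clean; lists MISSING/STALE files otherwise.
check_struts_upgrade() {
  top=$1 ver=$2 rc=0 apps=$1/wlp/usr/servers/gui/apps
  check_dir "$top/gui/$ver/lib" $GUI_JARS || rc=1
  check_dir "$apps/ego/$ver/platform/WEB-INF/lib" $EGO_JARS || rc=1
  check_dir "$apps/perf/$ver/perfgui/WEB-INF/lib" $PERF_JARS || rc=1
  check_dir "$apps/perf/$ver/perfguiv5/WEB-INF/lib" $PERFV5_JARS || rc=1
  return $rc
}

# make_sample_tree: constructed fixture of empty placeholder JARs laid out as the Installation step leaves them; prints its root.
make_sample_tree() {
  root=$(mktemp -d) v=2.2.0 a=wlp/usr/servers/gui/apps
  for spec in "gui/$v/lib:$GUI_JARS" "$a/ego/$v/platform/WEB-INF/lib:$EGO_JARS" \
      "$a/perf/$v/perfgui/WEB-INF/lib:$PERF_JARS" "$a/perf/$v/perfguiv5/WEB-INF/lib:$PERFV5_JARS"; do
    d=$root/${spec%%:*}; mkdir -p "$d"
    for j in ${spec#*:}; do : > "$d/$j"; done
  done
  echo "$root"
}

tree=$(make_sample_tree); check_struts_upgrade "$tree" 2.2.0 && echo "OK: $tree has the 2.3.34 JAR set"; rm -rf "$tree"
```

On a real host, replace the constructed tree with `check_struts_upgrade "$EGO_TOP" "$EGO_VERSION"`; a non-zero exit means a JAR is missing or an old version is still on the class path.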

After installation

a. On each management host, delete all subdirectories and files in the GUI work directory (you only need to perform this once if $EGO_TOP is a shared directory):

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

b. Launch your browser and clear the browser cache.

c. Log on to the master host as the cluster administrator and start the WEBGUI service:

> egosh user logon -u Admin -x Admin

> egosh service start WEBGUI

Uninstallation

If required, follow these steps to uninstall the Struts upgrade in the IBM Spectrum Conductor with Spark cluster:

a. Log on to the master host as the cluster administrator and stop the WEBGUI service:

> egosh user logon -u Admin -x Admin

> egosh service stop WEBGUI

b. On each management host, delete all the JAR files that were introduced by this interim fix (you only need to perform this once if the IBM Spectrum Conductor with Spark cluster is installed in a shared environment).

c. On each management host, restore your backup files (you only need to perform this once if $EGO_TOP is a shared directory):

> mv /tmp/guibackup/*.jar $EGO_TOP/gui/$EGO_VERSION/lib/

> mv /tmp/guibackup/egogui/*.jar $EGO_TOP/wlp/usr/servers/gui/apps/ego/$EGO_VERSION/platform/WEB-INF/lib/

> mv /tmp/guibackup/perfgui/*.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfgui/WEB-INF/lib/

> mv /tmp/guibackup/perfguiv5/*.jar $EGO_TOP/wlp/usr/servers/gui/apps/perf/$EGO_VERSION/perfguiv5/WEB-INF/lib/

d. On each management host, delete all subdirectories and files in the GUI work directory (you only need to perform this once if $EGO_TOP is a shared directory):

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you changed the default configuration for the WLP_OUTPUT_DIR environment variable and the APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR parameter is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

e. Launch your browser and clear the browser cache.

f. Log on to the master host as the cluster administrator and start the WEBGUI service:

> egosh user logon -u Admin -x Admin

> egosh service start WEBGUI
