9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.
CVEID: CVE-2015-7450
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.CVSS Base Score: 9.8CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1
Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1
Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1
See Workarounds
Platform Cluster Manager 4.2.x & Platform HPC 4.2.x
1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi
2. Extract the file commons-collections-3.2.2.jar file and copy the extracted files to the management node.
3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:
· /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar
· /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.1.jar
· /opt/pcm/web-portal/docs/kc.war/WEB-INF/lib/commons-collections-3.2.1.jar
· /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar
· /opt/pcm/pcmd/1.0/lib/external/commons-collections-3.2.1.jar
If high availability is enabled, in addition to the above files, replace the following JAR file on the standby management node.
· /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar
4. Restart services. If high availability is enabled, run the following commands on active management node:
Otherwise, if high availability is not enabled, run the following commands on the active management node:
Platform Cluster Manager 4.1.x & Platform HPC 4.1.x
1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi
2. Extract the commons-collections-3.2.2.jar file and copy the extracted files to the management node.
3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:
· /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar
· /opt/pcm /web-portal/perf/1.2/lib/commons-collections-3.2.1.jar
· /opt/pcm /web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/commons-collections-3.2 .1.jar
4. Restart services. If high availability is enabled, run the following commands on active management node:
Otherwise, if high availability is not enabled, run the following commands on the active management node:
CPE | Name | Operator | Version |
---|---|---|---|
platform hpc for system x | eq | 4.1.1 | |
platform hpc for system x | eq | 4.2 | |
platform hpc for system x | eq | any |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C