Lucene search

K
ibmIBMEB93085B7374899EA5C0E8EA2497565106D942E650838AACC75C22BA9457AA10
HistoryJun 18, 2018 - 1:30 a.m.

Security Bulletin: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.

2018-06-1801:30:16
www.ibm.com
4

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.

Vulnerability Details

CVEID: CVE-2015-7450

DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.CVSS Base Score: 9.8CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1

Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1

Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Remediation/Fixes

See Workarounds

Workarounds and Mitigations

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x

1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi

2. Extract the file commons-collections-3.2.2.jar file and copy the extracted files to the management node.

3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:

· /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar

· /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.1.jar

· /opt/pcm/web-portal/docs/kc.war/WEB-INF/lib/commons-collections-3.2.1.jar

· /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar

· /opt/pcm/pcmd/1.0/lib/external/commons-collections-3.2.1.jar

If high availability is enabled, in addition to the above files, replace the following JAR file on the standby management node.

· /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar

4. Restart services. If high availability is enabled, run the following commands on active management node:

pcmhatool failmode -m manual

pcmadmin service stop --group all

pcmadmin service start --group all

pcmhatool failmode -m auto

Otherwise, if high availability is not enabled, run the following commands on the active management node:

pcmadmin service stop --group all

pcmadmin service start --group all

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi

2. Extract the commons-collections-3.2.2.jar file and copy the extracted files to the management node.

3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:

· /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar

· /opt/pcm /web-portal/perf/1.2/lib/commons-collections-3.2.1.jar

· /opt/pcm /web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/commons-collections-3.2 .1.jar

4. Restart services. If high availability is enabled, run the following commands on active management node:

pcmhatool failmode -m manual

pmcadmin stop

perfadmin stop all

perfadmin start all

pmcadmin start

pcmhatool failmode -m auto

Otherwise, if high availability is not enabled, run the following commands on the active management node:

pmcadmin stop

perfadmin stop all

perfadmin start all

pmcadmin start

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for EB93085B7374899EA5C0E8EA2497565106D942E650838AACC75C22BA9457AA10