History: Sep 27, 2023 - 11:07 a.m.

Security Bulletin: Vulnerability of jython-standalone-2.7.0.jar has affected APM WebSphere Application Server Agent and APM Tomcat Agent

2023-09-27 11:07:18
www.ibm.com

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

0.0004 Low

EPSS

Percentile

5.3%

Summary

APM WebSphere Application Server Agent and APM Tomcat Agent are vulnerable to CVE-2013-2027 through the bundled jython-standalone-2.7.0.jar. The workaround is to upgrade jython-standalone-2.7.0.jar to jython-standalone-2.7.3.jar.

Vulnerability Details

CVEID: CVE-2013-2027
**DESCRIPTION:** Jython could allow a local attacker to bypass security restrictions, caused by an error when creating the class cache files. An attacker could exploit this vulnerability using unknown attack vectors to execute arbitrary code on the system or obtain sensitive information.
CVSS Base score: 4.6
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102960 for the current score.
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P)

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| APM WebSphere Application Server Agent and APM Tomcat Agent | all |

Remediation/Fixes

None

Workarounds and Mitigations

For APM WebSphere Application Server Agent and APM Tomcat Agent, follow the steps below as a workaround:

The replacement jython-standalone-2.7.3.jar must be obtained from the Maven Repository (mvnrepository.com); the bundled jython-standalone-2.7.0.jar is then upgraded to it.

Procedure:

A. For APM WebSphere Application Server Agent:

Step 1: Stop the agent.

Step 2:

i. For Windows: Navigate to the folder $CANDLEHOME\dchome\<version>\bin\jython

ii. For Linux/AIX/SOL: Navigate to the directory $CANDLEHOME/yndchome/<version>/bin/jython

where <dchome>/<yndchome> is the data collector home and <version> is the data collector version for the WebSphere Application Server Agent.

Step 3: Take a backup of jython.jar. Replace the existing jython.jar with the latest jython-standalone-2.7.3.jar and rename jython-standalone-2.7.3.jar to jython.jar.

Step 4: Start the agent.

B. For APM Tomcat Agent:

Step 1: Stop the agent.

Step 2:

i. For Windows: Navigate to the folder $CANDLEHOME\<dchome>\<version>\bin\jython

ii. For Linux: Navigate to the directory $CANDLEHOME/<dchome>/<version>/bin/jython

where <dchome> is otdchome and <version> is 7.3.0.15.0 for the Tomcat Agent.

Step 3: Take a backup of jython.jar. Replace the existing jython.jar with the latest jython-standalone-2.7.3.jar and rename jython-standalone-2.7.3.jar to jython.jar.

Step 4: Start the agent.
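The procedure above for both agents, as an added example that is not IBM's code: a Python helper that reads the Jython version from inside the jar (once renamed to jython.jar, the file name no longer says which version is installed), takes the backup and swaps the jar in, refusing any replacement older than 2.7.3. It assumes, as Jython 2.7.x jars do, that the jar carries org/python/version.properties with a jython.version line; the sample jars it builds are constructed stand-ins, and against a real install the agent must be stopped first.

```python
"""Added example (not IBM's code): audit and swap the agent's jython.jar.
Assumes, as Jython 2.7.x jars do, an org/python/version.properties entry."""
import re, shutil, tempfile, time, zipfile
from pathlib import Path

VERSION_ENTRY = "org/python/version.properties"  # assumed location of version file
MIN_SAFE = (2, 7, 3)  # jython-standalone-2.7.3, the version the bulletin installs


def jython_version(jar: Path) -> tuple:
    """Return (major, minor, patch) read from inside the jar: once renamed to
    jython.jar the file name no longer tells you which Jython is installed."""
    with zipfile.ZipFile(jar) as zf:
        props = zf.read(VERSION_ENTRY).decode("utf-8")
    m = re.search(r"^jython\.version\s*=\s*(\d+)\.(\d+)\.(\d+)", props, re.M)
    if not m:
        raise ValueError(f"{jar}: no jython.version in {VERSION_ENTRY}")
    return tuple(int(g) for g in m.groups())

def is_vulnerable(jar: Path) -> bool:
    """True when the jar is older than 2.7.3 and the workaround is still needed."""
    return jython_version(jar) < MIN_SAFE

def replace_jython_jar(jython_dir: Path, new_jar: Path) -> Path:
    """Step 3 of the bulletin: back up jython.jar and install new_jar under that
    name. Refuses a replacement older than 2.7.3. Stop the agent first."""
    if is_vulnerable(new_jar):
        raise ValueError(f"{new_jar} is older than 2.7.3; refusing to install")
    target = jython_dir / "jython.jar"
    backup = jython_dir / f"jython.jar.bak-{time.strftime('%Y%m%d%H%M%S')}"
    shutil.copy2(target, backup)   # take the backup before touching anything
    shutil.copy2(new_jar, target)  # replace and rename in one step
    return backup

def make_sample_jar(path: Path, version: str) -> Path:
    """Constructed stand-in jar for offline demonstration, not a real Jython build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(VERSION_ENTRY, f"jython.version={version}\n")
    return path

def demo() -> dict:
    """Run the workaround against constructed jars in a temp dir; report state."""
    work = Path(tempfile.mkdtemp())
    installed = make_sample_jar(work / "jython.jar", "2.7.0")
    fixed = make_sample_jar(work / "jython-standalone-2.7.3.jar", "2.7.3")
    before = is_vulnerable(installed)
    backup = replace_jython_jar(work, fixed)
    return {"before": before, "after": is_vulnerable(installed),
            "backup_version": jython_version(backup)}
```

Running `jython_version()` on the installed jython.jar of each agent is also the quickest way to confirm the workaround was actually applied.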
