Lucene search

K
ibmIBMFFD41E5F30DBD4EDCF120209DC19F7C811FB744C733A2D1A203E4064577F26A0
HistoryJul 21, 2023 - 11:52 a.m.

Security Bulletin: IBM Sterling Global Mailbox is vulnerable to arbitrary command execution due to com.ibm.ws.org.apache.commons.collections (CVE-2015-7501)

2023-07-2111:52:23
www.ibm.com
26
ibm sterling global mailbox
arbitrary command execution
cve-2015-7501
red hat jboss a-mq
bpm suite
brms
data grid
data virtualization
enterprise application platform
fuse
fuse service works
operations network
portal
web server
red hat openshift
red hat subscription asset manager
remote attackers
serialized java object
security vulnerability
fix central link

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.018

Percentile

88.4%

Summary

A security vulnerability has been identified and addressed in com.ibm.ws.org.apache.commons.collections.3.2.1-1.0.9.jar shipped with IBM Sterling Global Mailbox.

Vulnerability Details

CVEID:CVE-2015-7501
**DESCRIPTION:**Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
CVSS Base score: 9.8
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Sterling Global Mailbox 6.1.2
IBM Sterilng Global Mailbox 6.0.3

Remediation/Fixes

Product

|

Version

|

Fix / Remediation

—|—|—

IBM Sterling Global Mailbox

|

6.0.3

|

Apply 6.0.3.8

IBM Sterling Global Mailbox

|

6.1.2

| Apply 6.1.2.1

6.0.3.8 is now available on Fix Central -

B2Bi IIM
Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-All&source=SAR

B2Bi Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+B2B+Integrator&fixids=6.0.3.8-OtherSoftware-B2Bi-Docker-All&source=SAR

SFG IIM

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-All&source=SAR

SFG Docker

Fix Central Link: https://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FSterling+File+Gateway&fixids=6.0.3.8-OtherSoftware-SFG-Docker-All&source=SAR

6.1.2.1 IIM & Certified Container is now available on Fix Central -

Sterling B2B Integrator

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+B2B+Integrator&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-B2Bi-All+&includeSupersedes=0

Sterling File Gateway

https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Sterling+File+Gateway&release=6.1.2.0&platform=All&function=fixId&fixids=6.1.2.1-OtherSoftware-SFG-All+&includeSupersedes=0

Certified Container

Certified Container edition images and Helm charts are now available for download from IBM Entitled Registry (ER) and IBM public chart repository, respectively.

IBM Sterling B2B Integrator V6.1.2.1

Certified Container Image

cp.icr.io/cp/ibm-b2bi/b2bi:6.1.2.1

Helm Chart

<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-b2bi-prod-2.1.1.tgz&gt;

IBM Sterling File Gateway V6.1.2.1

Certified Container Image

cp.icr.io/cp/ibm-sfg/sfg:6.1.2.1

Helm Chart
<https://github.com/IBM/charts/blob/master/repo/ibm-helm/ibm-sfg-prod-2.1.1.tgz&gt;

Workarounds and Mitigations

None

Affected configurations

Vulners
Node
ibmhigh_availability_cluster_multiprocessingMatch6.0.2

CVSS2

10

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.018

Percentile

88.4%