Fixes are available
APAR status
Closed as program error.
Error description
Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
Local fix
Problem summary
****************************************************************
USERS AFFECTED:
Users of Business Glossary, Metadata Workbench, Information Governance Catalog and FastTrack in various release streams
****************************************************************
PROBLEM DESCRIPTION:
Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
****************************************************************
RECOMMENDATION:
Refer to Security Bulletin http://www-01.ibm.com/support/docview.wss?uid=swg21971410 for the actions to perform.

CAVEAT: If you need to upgrade an 11.3.x.x system to 11.5.0.0, you must first uninstall this patch. After completing the upgrade, apply the 11.5 versions of this patch. If you cannot uninstall JR54719 because it is not the last installed patch, you can use patch_rollbackJR54719_ISF_all_11300-12 to roll it back, then perform the upgrade, and then re-install JR54719.
****************************************************************
Problem conclusion
Upgrade Apache Commons Collections to v3.2.2
Temporary fix
Comments
APAR Information
APAR number
JR54719
Reported component name
INFO SRVR PLATF
Reported component ID
5724Q3612
Reported release
B31
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt / Xsystem
Submitted date
2015-11-13
Closed date
2015-12-01
Last modified date
2016-01-22
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
INFO SRVR PLATF
Fixed component ID
5724Q3612
Applicable component levels
R850 PSY UP
R870 PSY UP
R912 PSY UP
RB31 PSY UP
RB50 PSY UP
Business Unit: IBM Software w/o TPS (BU059)
Product: InfoSphere Information Server (SSZJPZ)
Platform: Platform Independent (PF025)
Version: 11.3
Line of Business: Data and AI (LOB10)
Document Information
Modified date:
13 October 2021