IBM Support

IT46056: SPRING FRAMEWORK OPEN REDIRECT VULNERABILITY IN IBM CONTROL CENTER


APAR status

  • Closed as program error.

Error description

  • Found Spring Framework Open Redirect Vulnerability on IBM
    Control Center servers.
    Affected Versions:
    Spring Framework 6.1.0 - 6.1.3
    Spring Framework 6.0.0 - 6.0.16
    Spring Framework 5.3.0 - 5.3.31
    Older, unsupported versions of Spring Framework are also affected.

    Path:
    /appbin/ibm/ControlCenter/lib/Jasper_Lib_Jars/spring-core-5.3.27.jar
    /appbin/ibm/ControlCenter/web/ccbase/webapps/scc-ccd-web-RELEASE/WEB-INF/lib/spring-core-5.3.27.jar
    /appbin/ibm/cdws/mftws/BOOT-INF/lib/spring-core-6.0.13.jar
    /appbin/ibm/ControlCenter/lib/Jasper_Lib_Jars/spring-core-5.3.27.jar

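As an added example (not part of the APAR and not IBM's code), a Python check that extracts the spring-core version from jar paths such as those listed above and flags any that fall inside the affected ranges stated in this APAR; the 6.0.18 and 4.3.30 entries in the sample list are constructed, the rest are the paths from the error description.

```python
import re
from pathlib import PurePosixPath

# Inclusive affected ranges taken from the APAR text, keyed by major.minor line.
AFFECTED_RANGES = {
    (5, 3): ((5, 3, 0), (5, 3, 31)),
    (6, 0): ((6, 0, 0), (6, 0, 16)),
    (6, 1): ((6, 1, 0), (6, 1, 3)),
}
# The APAR says older, unsupported lines (anything before 5.3) are also affected.
OLDEST_LISTED_LINE = (5, 3)

JAR_RE = re.compile(r"^spring-core-(\d+)\.(\d+)\.(\d+)\.jar$")


def parse_spring_core_version(path):
    """Return (major, minor, patch) for a spring-core jar path, else None."""
    m = JAR_RE.match(PurePosixPath(path).name)
    return tuple(int(x) for x in m.groups()) if m else None


def is_affected(version):
    """True when the version lies in an APAR-listed range or predates 5.3."""
    line = version[:2]
    if line < OLDEST_LISTED_LINE:
        return True
    rng = AFFECTED_RANGES.get(line)
    if rng is None:
        return False  # a line the APAR does not name (e.g. 6.2.x) is not flagged
    low, high = rng
    return low <= version <= high


def scan_paths(paths):
    """Yield (path, version string, affected?) for every spring-core jar found."""
    findings = []
    for p in paths:
        v = parse_spring_core_version(p)
        if v is not None:
            findings.append((p, ".".join(map(str, v)), is_affected(v)))
    return findings


# Constructed sample: the APAR's distinct paths plus one patched and one pre-5.3 jar.
SAMPLE_PATHS = [
    "/appbin/ibm/ControlCenter/lib/Jasper_Lib_Jars/spring-core-5.3.27.jar",
    "/appbin/ibm/ControlCenter/web/ccbase/webapps/scc-ccd-web-RELEASE/WEB-INF/lib/spring-core-5.3.27.jar",
    "/appbin/ibm/cdws/mftws/BOOT-INF/lib/spring-core-6.0.13.jar",
    "/appbin/ibm/cdws/mftws/BOOT-INF/lib/spring-core-6.0.18.jar",   # constructed, fixed
    "/appbin/ibm/cdws/mftws/BOOT-INF/lib/spring-core-4.3.30.jar",   # constructed, unsupported
    "/appbin/ibm/cdws/mftws/BOOT-INF/lib/commons-io-2.16.1.jar",    # ignored, not spring-core
]

if __name__ == "__main__":
    for path, ver, bad in scan_paths(SAMPLE_PATHS):
        print(("AFFECTED " if bad else "ok       ") + ver + "  " + path)
```

Running the module prints one line per spring-core jar with an AFFECTED/ok verdict; point `scan_paths` at a real directory walk to audit an installation.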

Local fix

  • STRRTC- MFT-15562
    UK/NC
    Circumvention: None
    

Problem summary

  • IBM Control Center - Spring Framework Open Redirect
    Vulnerability
    

Problem conclusion

  • Description of fix: To address this issue, the Spring Boot
    framework has been upgraded to the latest minor version, from
    3.1.6 to 3.1.10; Spring Security from 6.1.6 to 6.1.8; Spring
    Context from 6.0.15 to 6.0.18; Bouncy Castle from 1.77 to 1.78;
    Commons IO from 2.14.0 to 2.16.1; and Joda from 2.10.1 to
    2.12.7. The versions of some further libraries have also been
    changed: Jakarta Validation APIs, Commons Validator, Guava,
    org.json, Commons Codec, Commons Lang and Commons Collections4.
    Database change required: No.
    Rolling upgrade possible: Yes.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IT46056

  • Reported component name

    STR CONTROL CEN

  • Reported component ID

    5725D0200

  • Reported release

    631

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2024-04-30

  • Closed date

    2024-06-17

  • Last modified date

    2024-06-17

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    STR CONTROL CEN

  • Fixed component ID

    5725D0200

Applicable component levels


Document Information

Modified date:
17 June 2024