IBM Support

JR50221: SECURITY APAR CVE-2014-0114 - OPEN SOURCE APACHE STRUTS V1 MANIPULATION VULNERABILITY

APAR status

  • Closed as program error.

Error description

  • Insufficient input validation in Apache Struts V1.x (up to and
    including version 1.3.10) might allow a remote attacker to
    manipulate class loader attributes.
    
    PRODUCTS AFFECTED:
    IBM Business Process Manager (BPM) Advanced
    IBM BPM Standard
    IBM BPM Express
    IBM WebSphere Lombardi Edition
    

Local fix

Problem summary

  • The ActionForm object in Apache Struts V1.x (up to and including
    version 1.3.10) allows remote attackers to manipulate the
    ClassLoader object and run arbitrary code by using that object's
    class parameter, which is passed to the getClass method. When
    Struts populates an ActionForm from request parameters, a parameter
    name such as class.classLoader.<property> is resolved as a nested
    property path that starts at getClass(), so the attacker reaches
    and modifies the web application's ClassLoader. Two web
    applications in IBM BPM and WebSphere Lombardi Edition, Process
    Portal and Performance Database Warehouse, use Apache Struts, so
    they are vulnerable to this security exposure.
    

Problem conclusion

  • A fix is available for IBM BPM V7.5.1.0, V7.5.1.1, V7.5.1.2,
    V8.0.1.2, and V8.5.0.1 and WebSphere Lombardi Edition V7.2.0.5
    that adds an HTTP filter to each of the web applications. With
    this filter, the vulnerable class loader parameter is ignored.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR50221:
    
     1. Select IBM WebSphere Lombardi Edition or IBM Business
        Process Manager (with your edition) from the product selector,
        the installed version (to the fix pack level), and your
        platform, and then click Continue.
     2. Select APAR or SPR, enter JR50221, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
    
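As an added illustration (not IBM's JR50221 fix and not Apache Struts code), the servlet filter below shows the shape of the mitigation described in the problem conclusion: it wraps the request so that any parameter whose property path would pass through getClass() (class.classLoader..., Class.classLoader..., form.class..., map['class']...) is never seen by the Struts ActionForm population. It assumes the Servlet 3.0 API (javax.servlet) on the classpath. The regular expression is this example's own, modelled on the parameter-exclusion patterns later published by the Apache Struts project; it is not the pattern IBM shipped.

```java
import java.io.IOException;
import java.util.Collections;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

/**
 * Illustrative filter (not IBM's JR50221 code): hides every request
 * parameter whose BeanUtils property path would traverse getClass(),
 * so ActionForm population can never reach the ClassLoader.
 */
public class ClassLoaderParamFilter implements Filter {

    // Assumed pattern: a path segment equal to "class" (any case) at the
    // start of the name, after '.', or as a quoted/bracketed map key,
    // followed by further traversal ('.' or '['). Plain "className" or
    // "classification" do not match and keep working.
    private static final Pattern CLASS_TRAVERSAL = Pattern.compile(
        "(?i)(^|.*\\.|.*\\[(['\"])?)class(\\.|\\[|['\"]\\]).*");

    /** True when the parameter name must not reach BeanUtils.populate(). */
    public static boolean isClassLoaderTraversal(String paramName) {
        return paramName != null && CLASS_TRAVERSAL.matcher(paramName).matches();
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            req = new SanitizedRequest((HttpServletRequest) req);
        }
        chain.doFilter(req, res);
    }

    /** Request view from which the offending parameters have been removed. */
    static final class SanitizedRequest extends HttpServletRequestWrapper {
        private final Map<String, String[]> params = new LinkedHashMap<String, String[]>();

        SanitizedRequest(HttpServletRequest req) {
            super(req);
            for (Map.Entry<String, String[]> e : req.getParameterMap().entrySet()) {
                if (!isClassLoaderTraversal(e.getKey())) {
                    params.put(e.getKey(), e.getValue());
                }
            }
        }

        @Override public String getParameter(String name) {
            String[] v = params.get(name);
            return (v == null || v.length == 0) ? null : v[0];
        }
        @Override public String[] getParameterValues(String name) { return params.get(name); }
        @Override public Map<String, String[]> getParameterMap() {
            return Collections.unmodifiableMap(params);
        }
        @Override public Enumeration<String> getParameterNames() {
            return Collections.enumeration(params.keySet());
        }
    }

    // Stand-alone self-check of the predicate on constructed parameter names.
    public static void main(String[] args) {
        String[] hostile = {
            "class.classLoader.resources.dirContext.docBase",
            "Class.classLoader.URLs[0]",
            "form.class.classLoader.defaultAssertionStatus",
            "list[0].class.classLoader.resources.context.parent.pipeline.first.directory",
            "map['class'].classLoader.x"
        };
        String[] benign = { "classification", "userClass", "subclass.name", "user.className" };
        for (String p : hostile) {
            if (!isClassLoaderTraversal(p)) throw new AssertionError("missed: " + p);
        }
        for (String p : benign) {
            if (isClassLoaderTraversal(p)) throw new AssertionError("false positive: " + p);
        }
        System.out.println("predicate OK");
    }
}
```

Map the filter in web.xml ahead of the Struts ActionServlet so it runs before form population; returning HTTP 400 instead of silently dropping the parameter is a reasonable alternative if you want the probe to be visible in access logs. One caveat for Struts 1 specifically: multipart (file upload) forms are populated from the MultipartRequestHandler's elements rather than from getParameterMap(), so the wrapper above does not cover them and the same predicate has to be applied to the multipart element names as well.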

Temporary fix

  • Not applicable
    

Comments

APAR Information

  • APAR number

    JR50221

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    751

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-05-13

  • Closed date

    2014-05-29

  • Last modified date

    2014-09-18

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R751 PSY

       UP

  • R801 PSY

       UP

  • R850 PSY

       UP

Document Information

Modified date:
18 September 2014