IBM Support

JR50538: SECURITY APAR CVE-2014-0114, CVE-2014-0050 VULNERABLE VERSION OF STRUTS 1.1 AND APACHE COMMONS FILEUPLOAD INCL. IN IBM BPM V8.5.5


APAR status

  • Closed as program error.

Error description

  • Apache Struts 1.x could allow a remote attacker to run arbitrary
    code on the system because setting ClassLoader attributes is not
    restricted. An attacker could exploit this vulnerability by
    using the class parameter of an ActionForm object to manipulate
    the ClassLoader attributes and run arbitrary code on the system.
    
    Apache Commons FileUpload and Tomcat are vulnerable to a denial
    of service because the Content-Type HTTP header is improperly
    handled for multipart requests. By sending a specially crafted
    request, an attacker could exploit this vulnerability to cause
    the application to enter into an infinite loop.
    

Local fix

  • The vulnerable application is required only for IBM Support to
    gather additional information. By default, only a single
    administrative user (deployment environment administrator) can
    access the application. You can prevent access to the
    application by removing all users and groups from the security
    role mapping in this application.
    
    In the administrative console, go to Applications > Application
    Types > WebSphere Enterprise Applications >
    IBM_BPM_DocStoreAdmin_<clusterName> > Security role to
    user/group mapping and remove all users and groups from the role
    mapping.
    

Problem summary

  • Security vulnerabilities have been reported for the Apache
    Struts 1.1 and Apache Commons FileUpload libraries shipped with
    one component of IBM BPM V8.5.5. The vulnerable libraries are
    used only in an administrative user interface that, by default,
    is available only to one administrative user.
    

Problem conclusion

  • A fix is available for IBM BPM V8.5.5.0 that updates the
    vulnerable version of Apache Commons FileUpload and introduces a
    filter to validate user input before passing it to the Apache
    Struts 1.x library.
    
    On Fix Central (http://www.ibm.com/support/fixcentral), search
    for JR50538:
    
    1. Select IBM Business Process Manager with your edition from
       the product selector, the installed version to the fix pack
       level, and your platform, and then click Continue.
    
    2. Select APAR or SPR, enter JR50538, and click Continue.
    
    When you download fix packages, ensure that you also download
    the readme file for each fix. Review each readme file for
    additional installation instructions and information about the
    fix.
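    As an added illustration, not IBM's own fix code, here is a servlet filter of the kind the conclusion describes: it refuses any request whose parameter names would let Struts 1.x BeanUtils population reach an ActionForm's class property (and through it the ClassLoader). The class name ClassParameterFilter, the pattern and isForbidden are assumptions of this example; the pattern is deliberately broad and also rejects harmless names such as myclass.name.

```java
import java.io.IOException;
import java.util.Enumeration;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (assumed name, not IBM's code) placed in front of the
 * Struts ActionServlet. Struts 1.x copies request parameters onto the
 * ActionForm by property name, so a name beginning with "class." walks into
 * getClass().getClassLoader(); this filter stops such names before Struts
 * ever sees them.
 */
public class ClassParameterFilter implements Filter {

    // Rejects "class"/"Class" when followed by ".", "']", "\"]" or "[",
    // anywhere in the name: class.classLoader.x, bean.class.y, bean['class'].
    private static final Pattern FORBIDDEN =
        Pattern.compile("(.*\\.|^|.*|\\[('|\"))(c|C)lass(\\.|('|\")]|\\[).*");

    /** True when the parameter name must not be passed on (kept static for unit tests). */
    static boolean isForbidden(String name) {
        return name != null && FORBIDDEN.matcher(name).matches();
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Enumeration<String> names = req.getParameterNames();
        while (names.hasMoreElements()) {
            if (isForbidden(names.nextElement())) {
                // Fail closed: answer 400 and never hand the request to Struts.
                ((HttpServletResponse) res).sendError(
                        HttpServletResponse.SC_BAD_REQUEST,
                        "Parameter names that address the form bean's class property are not accepted");
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter in web.xml to the same URL pattern as the ActionServlet so it runs on every request that Struts would otherwise populate a form from.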
    

Temporary fix

Comments

APAR Information

  • APAR number

    JR50538

  • Reported component name

    BPM STANDARD

  • Reported component ID

    5725C9500

  • Reported release

    855

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2014-06-18

  • Closed date

    2014-07-10

  • Last modified date

    2014-07-10

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    BPM STANDARD

  • Fixed component ID

    5725C9500

Applicable component levels

  • R855 PSY UP


Document Information

Modified date:
10 July 2014