Security Bulletin
Summary
A remote code execution vulnerability in Apache Commons Collections affects the Intelligent Operations Center components WebSphere Application Server (WAS) or WAS Hypervisor Edition.
Vulnerability Details
CVE ID: CVE-2015-7450
Description: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data using the Java InvokerTransformer class. By sending specially crafted serialized data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
This vulnerability affects editions of WebSphere Application Server and the products that bundle it, and all versions and releases of IBM WebSphere Application Server in:
Versions 1.5 and 1.6, all sub-versions, of
- IBM Intelligent Operations Center
- IBM Intelligent Operations for Water
- IBM Intelligent Operations for Transportation
- IBM Intelligent City Planning and Operations
Version 5.1 and all sub-versions of
- IBM Intelligent Operations Center
Remediation/Fixes
If you have version 5.1 or later, see "For Intelligent Operations Center 5.1.x" below.
For Intelligent Operations Center (IOC), Intelligent Transportation, and Intelligent Water Versions 1.6 Standard or High Availability:
For High Availability, the same steps apply: stop both Analytics servers and both Applications servers, perform the upgrade by using IBM Installation Manager on the primary Analytics server and the primary Applications server, and then perform the upgrade on the second Analytics server and the second Applications server.
You must update WebSphere Application Server on all Analytics servers and all Applications servers.
Installation prerequisites for Analytics and Applications servers
1) You must have a Passport Advantage ID and password.
2) Log in as root on each server.
3) All servers should have access to the internet for the following instructions.
   If the servers do not have access to the internet, you can download the fix or interim fix from the internet on another system and transfer the fix or interim fix to the file system on each server that must be updated. Follow the instructions in the link below and in the section that it refers to.
   Download the files that contain the fixes from Fix Central, and use local updating. For the following steps that use IBM Installation Manager to install the WebSphere update, use the URL:
   https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en
   The fix that you must download for WebSphere is located here:
   http://www-01.ibm.com/support/docview.wss?uid=swg21970575
4) Log in to a GUI desktop on Linux. The desktop can be either Gnome or KDE.
   If a desktop is not installed, you can use these steps to install a desktop:
   a) Enter the command:
      yum -y groupinstall "X Window System" Desktop
   b) Set the default runlevel to 5 so that the desktop starts at boot; the corresponding line in /etc/inittab is:
      id:5:initdefault:
   If you have not installed a desktop, and you do not wish to install a desktop for the IBM Installation Manager, you can install interim fixes from a command prompt by following the syntax and commands described here:
   Follow the advice in this link wherever the IBM Installation Manager is mentioned in the rest of these procedures.
5) Either use IOCControl with the IOC Topology password to stop WebSphere on the Analytics servers and on the Applications servers, or stop WebSphere by using another method such as the IBM Integrated Console.
Upgrading WebSphere Application Server on the Analytics servers
To perform the upgrade, follow these steps:
1) Log on to each Analytics server through a terminal session.
   Log on as user ibmadmin if possible. If ibmadmin is unavailable, log on as user root and enter the command:
      su - ibmadmin
2) Stop the Analytics server by entering the command:
      IOCControl -a stop -c ana -p "ioc topology password"
   When the IOCControl command finishes, you should see output such as this:
      IBM COGNOS Enterprise node agent (anacognosnode) - [ off ]
      IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ off ]
      IBM COGNOS Enterprise gateway (anacognosgw) - [ off ]
      IBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ off ]
      IBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ off ]
      IBM SPSS Modeler server (anaspss) - [ on ]
4) Configure the Installation Manager:
   a) Start the Installation Manager through the GUI:
      Applications -> IBM Applications Installation Manager
   b) Select "Connect to Passport Advantage".
   c) In File -> Preferences ... Repository, clear the selection for every repository that begins with the string "/tmp/ioc" or "/installMedia/*". These repositories are no longer relevant, and can be deleted.
   d) Click Apply and then click OK.
   e) Select "Search for Installation Manager updates ...".
   f) Stop and restart the IBM Installation Manager.
5) Update the components on the Analytics server:
   a) Start the Installation Manager through the GUI:
      Applications -> IBM Applications Installation Manager
   c) Select 'Next' repeatedly until you are prompted for an IBM ID and password.
   d) On the next screen, where you are prompted for a Master Password, click 'Cancel'.
   e) If you are prompted to perform an update to a new version of Installation Manager, click 'Yes' to perform the upgrade, and then click 'OK' to restart the Installation Manager when prompted.
   g) If you are prompted to attach to the IBM WebSphere Application Server Repository, select 'Yes'.
   i) On the "Update Packages" screen, in the Package Group Name column, select "IBM WebSphere Application Server Network Deployment V8.0", and click 'Next'.
      Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
      You must apply the Apache Commons fix 8.0.0.0-WS-WAS-IFPI52103.
      Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix. If necessary, re-run IBM Installation Manager, select "Update Packages for IBM WebSphere Application Server Network Deployment V8.0", and then select "All available fixes for WebSphere Application Server Network Deployment".
      Apply all outstanding WebSphere Application Server updates.
   Start the Analytics server by entering the command:
      IOCControl -a start -c ana -p ibmioc16
   Wait for these lines to appear in the output:
      IBM COGNOS Enterprise node agent (anacognosnode) - [ on ]
      IBM COGNOS Enterprise gateway (anacognosgw) - [ on ]
      IBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ on ]
      IBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ on ]
      IBM SPSS Modeler server (anaspss) - [ on ]
   To verify the fix packs and interim fixes that are installed on WebSphere Application Server, perform the following steps:
   a) Log on to a terminal session as user root.
   b) Enter the commands:
      cd /opt/IBM/WebSphere/AppServer/bin
      ./versionInfo.sh -fixpacks
      ./versionInfo.sh -ifixdetail
   Check that 8.0.0.0-WS-WAS-IFPI52103 appears in the interim fix list.
Upgrading WebSphere Application Server on the Applications servers
To perform the upgrade, follow these steps:
1) Log on to the Analytics server through a terminal session.
   Log on as user ibmadmin if possible. If ibmadmin is unavailable, log on as user root and enter the command:
      su - ibmadmin
2) Stop the Applications server by entering the command:
      IOCControl -a stop -c app -p "topology password"
   When the IOCControl command finishes, you should see output such as this:
      IBM Business Monitor node agent (appbmonnode) - [ off ]
      IBM Business Monitor server (appbmonserv) - [ off ]
      IBM Lotus Sametime Proxy node agent (appstproxynode) - [ off ]
      IBM Lotus Sametime Proxy server (appstproxyserv) - [ off ]
      IBM Worklight node agent (appwrkltnode) - [ off ]
      IBM Worklight server (appwrkltserv) - [ off ]
      IBM WebSphere Portal Enable node agent (appwpenode) - [ off ]
      IBM WebSphere Portal Enable server (appwpeserv) - [ off ]
      IOP SVC tool node agent (appiopnode) - [ off ]
      IOP SVC tool server (appiopserv) - [ off ]
      IBM HTTP Server administration server - web server (webihsadm) - [ off ]
      IBM HTTP Server web server - web server (webihsserv) - [ off ]
3) Log on to the Applications server as root by using the Gnome desktop or the KDE desktop.
4) Configure the Installation Manager:
   a) Start the Installation Manager through the GUI:
      Applications -> IBM Applications Installation Manager
   b) Select "Connect to Passport Advantage".
   c) In File -> Preferences ... Repository, clear the selection for every repository that begins with the string "/tmp/ioc" or "/installMedia/*". These repositories are no longer relevant, and can be deleted.
   d) Click Apply and then click OK.
   e) Select "Search for Installation Manager updates ...".
   f) Stop and restart the IBM Installation Manager.
5) Update the components on the Applications server:
   a) Start the Installation Manager through the GUI:
      Applications -> IBM Applications Installation Manager
   c) Select 'Next' repeatedly until you are prompted for an IBM ID and password.
   d) On the next screen, which prompts for a Master Password, click 'Cancel'.
   e) If you are prompted to perform an update to a new version of Installation Manager, click 'Yes' to perform the upgrade, and then click 'OK' to restart the Installation Manager when prompted.
   f) If you are prompted to attach to the IBM WebSphere Application Server Repository, select 'Yes'.
   h) On the "Update Packages" screen, in the Package Group Name column, select "IBM WebSphere Application Server Network Deployment V8.0" and click 'Next'.
      Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
      You must apply the Apache Commons fix 8.0.0.0-WS-WAS-IFPI52103.
      Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix. If necessary, re-run IBM Installation Manager, select "Update Packages for IBM WebSphere Application Server Network Deployment V8.0" and then select "All available fixes for WebSphere Application Server Network Deployment".
6) Log on to a terminal prompt as user ibmadmin.
7) Start the Applications server by entering the command:
      IOCControl -a start -c app -p "ioc topology password"
   Wait for these lines to appear in the output:
      IBM WebSphere Application Server Network Deployment (appdmgr) - [ on ]
      IBM Business Monitor node agent (appbmonnode) - [ on ]
      IBM Business Monitor server (appbmonserv) - [ on ]
      IBM Lotus Sametime Proxy node agent (appstproxynode) - [ on ]
      IBM Lotus Sametime Proxy server (appstproxyserv) - [ on ]
      IBM Worklight node agent (appwrkltnode) - [ on ]
      IBM Worklight server (appwrkltserv) - [ on ]
      IBM WebSphere Portal Enable node agent (appwpenode) - [ on ]
      IBM WebSphere Portal Enable server (appwpeserv) - [ on ]
      IOP SVC tool node agent (appiopnode) - [ on ]
      IOP SVC tool server (appiopserv) - [ on ]
      IBM HTTP Server administration server - web server (webihsadm) - [ on ]
      IBM HTTP Server web server - web server (webihsserv) - [ on ]
   To verify the fix packs and interim fixes that are installed on WebSphere Application Server, perform the following steps:
   a) Log on to a terminal session as user root.
   b) Enter the commands:
      cd /opt/IBM/WebSphere/AppServer/bin
      ./versionInfo.sh -fixpacks
      ./versionInfo.sh -ifixdetail
   Check that 8.0.0.0-WS-WAS-IFPI52103 appears in the interim fix list.
The upgrade to WebSphere Application Server on the Applications server is now complete.
For Intelligent Operations Center 5.1.x:
Installation prerequisites for Analytics and Applications servers
1) You must have a Passport Advantage ID and password.
2) Log in as user root on each server.
3) All servers should have access to the internet for the following instructions. If the servers do not have access to the internet, you can download the fix or interim fix from the internet on another system and transfer the fix or interim fix to the file system on each server that must be updated. Follow the instructions in the link below and in the section that it refers to.
   Download the files that contain the fixes from Fix Central, and use local updating. For the following steps that use IBM Installation Manager to install the WebSphere update, use the URL:
   https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en
   The fix that you must download for WebSphere is located here:
   http://www-01.ibm.com/support/docview.wss?uid=swg21970575
4) Either perform the update using a graphical user interface (GUI):
   Log in to a GUI desktop on Linux. The desktop can be either Gnome or KDE.
   If a desktop is not installed, you can use these steps to install a desktop:
   a) Enter the command:
      yum -y groupinstall "X Window System" Desktop
   b) Set the default runlevel to 5 so that the desktop starts at boot; the corresponding line in /etc/inittab is:
      id:5:initdefault:
   Or, if you have not installed a desktop and you do not wish to install a desktop for the IBM Installation Manager, install interim fixes from a command prompt by following the syntax and commands described here:
   Follow the advice in this link wherever the IBM Installation Manager is mentioned in the rest of these procedures.
Detailed steps to perform the upgrade:
1) Stop the Liberty server that runs on the Applications server.
   a) Log on to the Applications server as root.
   b) Enter the commands:
      cd /opt/ibm/ioc51install/sample
      ./maint.sh
   c) Select "4b) Stop Liberty <server>".
2) Log on to the Applications server as root by using the Gnome desktop or the KDE desktop.
3) Either perform the update using a GUI:
   Update the components on the Applications server, including Liberty:
   a) Start the Installation Manager through the GUI:
      Applications -> IBM Applications Installation Manager
   c) Select 'Next' repeatedly until you are prompted for an IBM ID and password.
   d) If you are prompted to perform an update to a new version of Installation Manager, click 'Yes' to perform the upgrade and then click 'OK' to restart the Installation Manager when prompted.
   f) On the "Configuration for IBM WebSphere Application Server Liberty Network Deployment 8.5.5.7" panel, select "Launch Asset Selection Wizard".
   g) Select "Update all packages with recommended updates and recommended fixes".
   h) Enter your IBM ID and password.
   i) Accept the terms of the license agreement, and click 'Finish'.
   j) On the "Update Packages" screen, in the Package Group Name column, select "IBM WebSphere Application Server Network Deployment V8.0" and click 'Next'.
      Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
      You must apply the Apache Commons fix 8.0.0.0-WS-WAS-IFPI52103.
      Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server to see this fix. If necessary, re-run IBM Installation Manager, select "Update Packages for IBM WebSphere Application Server Network Deployment V8.0" and then select "All available fixes for WebSphere Application Server Network Deployment".
      Apply all outstanding WebSphere Application Server updates.
   When you have applied all the WebSphere Application Server fixes, proceed to the next step.
   Or perform the update using a command line:
   a) Download the 8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip file to a local system.
   b) Upload the compressed file to the /tmp file system on the Applications server.
   c) Log on to a terminal session as the root user.
   d) Execute these two commands to perform the installation (the -repositories path must match the name of the uploaded file exactly, because Linux file names are case-sensitive):
      cd /opt/IBM/InstallationManager/eclipse/tools
      ./imcl install 8.5.5.7-WS-WLP-DistOnly-IFPI52103 -installationDirectory /opt/IBM/WebSphere/wlp -repositories /tmp/8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip
      The full package ID of the interim fix, including its version, is 8.5.5.7-WS-WLP-DistOnly-IFPI52103_8.5.5007.20151114_2058.
   e) To validate the installation, run the command:
      ./imcl listInstalledPackages -long
      and check that the 8.5.5.7-WS-WLP-DistOnly-IFPI52103 package is listed for the /opt/IBM/WebSphere/wlp installation directory.
4) Start the Liberty server with the commands:
      cd /opt/ibm/ioc51install/sample
      ./maint.sh
   Select "4a) Start Liberty <server>".
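The procedures above (the Analytics and Applications upgrades for IOC 1.6, and the Liberty upgrade for IOC 5.1.x) all end with a manual inspection: read the IOCControl status lines, then read the output of versionInfo.sh -ifixdetail (WAS ND V8.0) or imcl listInstalledPackages -long (Liberty) and look for IFPI52103. The following POSIX shell script is an added example, not part of the IBM bulletin or of the IOC product, that turns those two inspections into checks that can be run on each Analytics and Applications server or over saved output. The fix IDs, commands and paths are the ones the bulletin quotes; the function names (ioc_components_in_state, fix_listed, inventory_cmd, verify_fix) are this example's own, and the sample outputs embedded at the bottom are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example; not part of the IBM bulletin or of the IOC product.
# Two checks that the bulletin's procedures rely on:
#   1. IOCControl output shows every component in the expected state
#      ("off" before patching, "on" after the restart), and
#   2. the IFPI52103 interim fix is listed by the product's inventory command
#      (versionInfo.sh -ifixdetail for WAS ND V8.0,
#       imcl listInstalledPackages -long for Liberty 8.5.5.7).
# Fix IDs and paths are those quoted in the bulletin. The sample outputs at
# the bottom are constructed for offline use, not real captures.

WAS_FIX="8.0.0.0-WS-WAS-IFPI52103"            # WAS ND V8.0, IOC 1.5/1.6
WLP_FIX="8.5.5.7-WS-WLP-DistOnly-IFPI52103"  # Liberty 8.5.5.7, IOC 5.1.x

# ioc_components_in_state STATE   (reads IOCControl output on stdin)
# Succeeds only if at least one "name (id) - [ on|off ]" line was seen and
# every such line shows STATE; lines in any other state are printed.
ioc_components_in_state() {
    awk -v want="$1" '
        /- \[ *(on|off) *\]/ {
            seen++
            if ($0 !~ ("- \\[ *" want " *\\]")) { bad++; print "not " want ": " $0 }
        }
        END { exit ((seen == 0 || bad > 0) ? 1 : 0) }'
}

# fix_listed FIX_ID   (reads inventory output on stdin)
# Both inventory commands print the fix ID verbatim, so a fixed-string
# substring match is enough; -F keeps the dots in the ID from acting as
# regex metacharacters.
fix_listed() {
    grep -qF -- "$1"
}

# inventory_cmd PRODUCT  -> prints the bulletin's inventory command for
# "was" (WAS full profile) or "wlp" (Liberty).
inventory_cmd() {
    case "$1" in
        was) echo "/opt/IBM/WebSphere/AppServer/bin/versionInfo.sh -ifixdetail" ;;
        wlp) echo "/opt/IBM/InstallationManager/eclipse/tools/imcl listInstalledPackages -long" ;;
        *)   echo "inventory_cmd: unknown product '$1'" >&2; return 2 ;;
    esac
}

# verify_fix PRODUCT  -> runs the live inventory command on this host and
# reports whether the matching fix is installed. Not used by selfcheck,
# because it needs the product installed at the bulletin's paths.
verify_fix() {
    case "$1" in
        was) fix="$WAS_FIX" ;;
        wlp) fix="$WLP_FIX" ;;
        *)   return 2 ;;
    esac
    cmd=$(inventory_cmd "$1") || return 2
    if $cmd 2>/dev/null | fix_listed "$fix"; then
        echo "$1: $fix is installed"
    else
        echo "$1: $fix NOT found" >&2
        return 1
    fi
}

# --- constructed samples (not captured from a real server) -----------------
SAMPLE_STOPPED='IBM COGNOS Enterprise node agent (anacognosnode) - [ off ]
IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ off ]
IBM SPSS Modeler server (anaspss) - [ off ]'

SAMPLE_PARTIAL='IBM COGNOS Enterprise node agent (anacognosnode) - [ off ]
IBM SPSS Modeler server (anaspss) - [ on ]'

SAMPLE_WAS_INVENTORY='Installed Product
--------------------------------------------------------------------------------
Name                     IBM WebSphere Application Server Network Deployment
Interim Fix
--------------------------------------------------------------------------------
ID                       8.0.0.0-WS-WAS-IFPI52103'

SAMPLE_WLP_INVENTORY='/opt/IBM/WebSphere/wlp : BASE_PACKAGE_ID_PLACEHOLDER : IBM WebSphere Application Server Liberty Network Deployment : 8.5.5.7
/opt/IBM/WebSphere/wlp : 8.5.5.7-WS-WLP-DistOnly-IFPI52103_8.5.5007.20151114_2058 : Interim fix IFPI52103 : 8.5.5007.20151114_2058'

# selfcheck -> exercises the helpers against the samples, including the
# negative cases; returns 0 only if every expectation holds.
selfcheck() {
    printf '%s\n' "$SAMPLE_STOPPED" | ioc_components_in_state off || return 1
    if printf '%s\n' "$SAMPLE_PARTIAL" | ioc_components_in_state off >/dev/null; then return 1; fi
    printf '%s\n' "$SAMPLE_WAS_INVENTORY" | fix_listed "$WAS_FIX" || return 1
    printf '%s\n' "$SAMPLE_WLP_INVENTORY" | fix_listed "$WLP_FIX" || return 1
    if printf '%s\n' "$SAMPLE_WLP_INVENTORY" | fix_listed "$WAS_FIX"; then return 1; fi
    echo "selfcheck: all verification helpers behave as expected"
}

selfcheck
```

Pipe live output into the helpers, for example IOCControl -a stop -c ana -p "ioc topology password" | ioc_components_in_state off before starting Installation Manager, and run verify_fix was or verify_fix wlp after the upgrade. Note that the bulletin's own sample stop output for the Analytics server still shows the SPSS Modeler server as on, so compare against the component list the bulletin gives for your server rather than expecting every line to read off.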
Workarounds and Mitigations
None
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Internal Use Only
James Stroud:
Then for IOC 5.1 the command from WebSphere Liberty does not work that is supposed to give the list of ifixes, so we won't include this step for IOC 5.1. I wanted to though. It would have been this step:
5) To verify fix packs and interim fixes installed on WebSphere Liberty, do the following from a terminal session as the root user:
   a) cd /opt/IBM/WebSphere/wlp/bin
   b) ./productInfo --ifixes
More details on the productInfo command are here: https://www-01.ibm.com/support/knowledgecenter/#!/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/rwlp_command_productinfo.html?cp=SSEQTP_8.5.5%2F1-3-11-0-1-3-0
Document Information
Modified date:
19 August 2022
UID
swg21971203