
Security Bulletin: Vulnerability in Apache Commons in IBM WebSphere Application Server affects Intelligent Operations Center and related products (CVE-2015-7450)

Created by Mary Dwyer on

Security Bulletin


Summary

A remote code execution vulnerability in Apache Commons Collections affects the WebSphere Application Server (WAS) and WAS Hypervisor Edition components that Intelligent Operations Center and related products are built on.

Vulnerability Details

CVE ID: CVE-2015-7450

Description: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of untrusted data through the Java InvokerTransformer class. By sending specially crafted serialized data to an endpoint that deserializes it, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
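The deserialization path described above, as an added example that is not from the IBM bulletin: a POSIX shell check that flags a captured payload or request body as a Java serialization stream naming the Commons Collections functor classes that the public CVE-2015-7450 gadget chains rely on. The class list, the file-based input and the sample payloads are assumptions constructed for the example; a match is a triage indicator, not proof that an exploit succeeded.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin). Flags files that look like a
# Java serialization stream carrying Apache Commons Collections gadget
# classes (CVE-2015-7450). Assumptions: payloads are available as files,
# and the class names below are the functor classes used by the public
# gadget chains. A hit is an indicator for triage, not proof of compromise.

# Every Java serialization stream starts with the magic bytes AC ED 00 05.
is_java_serialized() {                     # usage: is_java_serialized FILE
    [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "aced0005" ]
}

# Class names appear in the clear inside TC_CLASSDESC records, so a byte
# grep is enough to spot them. collections4 is the newer package name.
GADGET_CLASSES='org\.apache\.commons\.collections4?\.functors\.(InvokerTransformer|InstantiateTransformer|ChainedTransformer|ConstantTransformer)'

has_gadget_class() {                       # usage: has_gadget_class FILE
    grep -a -q -E "$GADGET_CLASSES" "$1"
}

# Combined verdict: exit 0 = suspicious, 1 = clean. Requiring the magic
# avoids flagging plain text that merely mentions the class name.
is_suspicious_payload() {                  # usage: is_suspicious_payload FILE
    is_java_serialized "$1" && has_gadget_class "$1"
}

# Constructed samples (not real captures). bad.ser approximates the
# TC_OBJECT/TC_CLASSDESC framing around the gadget class name; ok.ser is a
# harmless TC_STRING stream; text.txt has the class name but no magic.
WORK=$(mktemp -d)
printf '\254\355\000\005sr\000%s' \
    'org.apache.commons.collections.functors.InvokerTransformer' > "$WORK/bad.ser"
printf '\254\355\000\005t\000\005hello' > "$WORK/ok.ser"
printf 'org.apache.commons.collections.functors.InvokerTransformer' > "$WORK/text.txt"

for f in "$WORK"/*; do
    if is_suspicious_payload "$f"; then
        echo "SUSPICIOUS: $f"
    else
        echo "clean: $f"
    fi
done
```

Run it against a directory of captured request bodies, or feed a single file to is_suspicious_payload from another script; the magic-byte check comes first so that ordinary text or JSON containing the class name is not reported.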

Affected Products and Versions

This vulnerability affects all editions, versions and releases of IBM WebSphere Application Server that are bundled with the following products:

Versions 1.5 and 1.6, all sub-versions, of

  • IBM Intelligent Operations Center
  • IBM Intelligent Operations for Water
  • IBM Intelligent Operations for Transportation
  • IBM Intelligent City Planning and Operations

Versions 5.1 and all sub-versions of
IBM Intelligent Operations Center

Remediation/Fixes

If you have version 5.1 or later, see "For Intelligent Operations Center 5.1.x" below.

For Intelligent Operations Center (IOC), Intelligent Transportation, and Intelligent Water Versions 1.6 Standard or High Availability:
For High Availability, the same steps apply: stop both Analytics servers and both Applications servers, perform the upgrade on the primary Analytics server and the primary Applications server first, and then perform the upgrade by using IBM Installation Manager on the second Analytics server and the second Applications server.

You must update WebSphere Application Server on all Analytics servers and all Applications servers.

Installation prerequisites for Analytics and Applications servers.

1) You must have a Passport Advantage ID and password.

2) Log in as root on each server.

3) All servers must have access to the internet for the following instructions.

4) Either perform the update using a graphical user interface (GUI):
    Log in to a GUI desktop on Linux.
    The desktop can be either Gnome or KDE.
    If a desktop is not installed, you can use these steps to install a desktop:
      a) Enter the command:
        yum -y groupinstall "X Window System" Desktop
      b) Modify the file /etc/inittab to contain the line:
        id:5:initdefault:
      c) Reboot the operating system.
Or perform the update by using a command prompt:
5) Either use IOCControl with the IOC Topology password to stop WebSphere on the Analytics servers and on the Applications servers, or stop WebSphere by using another method such as the IBM Integrated Console.


Upgrading WebSphere Application Server on the Analytics servers


To perform the upgrade, follow these steps:

1) Log on to each Analytics server through a terminal session.
    Log on as user ibmadmin if possible.
    If ibmadmin is unavailable,
    log on as user root and enter the command: su - ibmadmin
2) Enter the command:
    IOCControl -a stop -c ana -p "ioc topology password"
When the IOCControl command finishes, you should see output such as this:
    IBM COGNOS Enterprise node agent (anacognosnode) - [ off ]
    IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ off ]
    IBM COGNOS Enterprise gateway (anacognosgw) - [ off ]
    IBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ off ]
    IBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ off ]

    IBM SPSS Modeler server (anaspss) - [ on ]
3) Log on to the Analytics server as user root by using the Gnome desktop or the KDE desktop.

4) Configure the Installation Manager:  
    a) Start the Installation Manager through the GUI :
      Applications -> IBM Applications Installation Manager
    b) In File -> Preferences .... Passport Advantage,
      select "Connect to Passport Advantage"
      Click Apply and then click OK.
    c) In File -> Preferences .... Repository,
      clear the selection for every repository that begins with the string "/tmp/ioc" or "/installMedia/*". These repositories are no longer relevant, and can be deleted.
    d) Select "Search service repositories during installation and updates".
      Click Apply and then click OK.
    e) In File -> Preferences --> Updates,
      select "Search for Installation Manager updates ..".
      Click Apply and then click OK. The Installation Manager then looks for updates for the IBM Installation Manager Program itself.
     f) Stop and restart the IBM Installation Manager.

5) Update the components on the Analytics server:
    a) Start the Installation Manager through the GUI:
      Applications -> IBM Applications Installation Manager
    b) Select 'Update'.
    c) Select 'Next' repeatedly until you are prompted for an IBM ID and password.
      On the next screen, where you are prompted for a Master Password, click 'Cancel'.
    d) If you are prompted to perform an update to a new version of Installation Manager,
      click 'Yes' to perform the upgrade, and then click 'OK' to restart the Installation Manager when prompted.
    e) If you upgraded the Installation Manager, select "Update" again.
    f) If you are prompted to attach to the IBM WebSphere Application Server Repository,
      select 'Yes'.
    g) Enter your IBM ID and password.
    h) On the "Update Packages" screen, in the Package Group Name column,
      select "IBM WebSphere Application Server Network Deployment V8.0", and click 'Next'.
      Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
    i) Select all available fixes for "WebSphere Application Server Network Deployment".
      You must apply the Apache Commons fix 8.0.0.0-WS-WAS-IFPI52103.
      Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix.
      If necessary, re-run IBM Installation Manager, select "Update Packages for IBM WebSphere Application Server Network Deployment V8.0", and then select "All available fixes for WebSphere Application Server Network Deployment".
      Apply all outstanding WebSphere Application Server updates.
6) Log in at a terminal prompt as user ibmadmin.
7) Start the Analytics server by entering the command:
    IOCControl -a start -c ana -p "ioc topology password"
  Wait for these lines to appear in the output:
    IBM COGNOS Enterprise node agent (anacognosnode) - [ on ]
    IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ on ]
    IBM COGNOS Enterprise gateway (anacognosgw) - [ on ]
    IBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ on ]
    IBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ on ]
    IBM SPSS Modeler server (anaspss) - [ on ]
8) Verify that the fix packs and interim fixes are installed on WebSphere Application Server. The upgrade to WebSphere Application Server on the Analytics server is now complete.

    Upgrading WebSphere Application Server on the Applications servers

    To perform the upgrade, follow these steps:

    1) Log on to the Applications server through a terminal session.
      Log on as user ibmadmin if possible.
      If ibmadmin is unavailable,
      log on as user root and enter the command: su - ibmadmin
    2) Enter the command:
      IOCControl -a stop -c app -p "ioc topology password"
      When the IOCControl command finishes, you should see output such as this:
        IBM WebSphere Application Server Network Deployment (appdmgr) - [ off ]
        IBM Business Monitor node agent (appbmonnode) - [ off ]
        IBM Business Monitor server (appbmonserv) - [ off ]
        IBM Lotus Sametime Proxy node agent (appstproxynode) - [ off ]
        IBM Lotus Sametime Proxy server (appstproxyserv) - [ off ]
        IBM Worklight node agent (appwrkltnode) - [ off ]
        IBM Worklight server (appwrkltserv) - [ off ]
        IBM WebSphere Portal Enable node agent (appwpenode) - [ off ]
        IBM WebSphere Portal Enable server (appwpeserv) - [ off ]
        IOP SVC tool node agent (appiopnode) - [ off ]
        IOP SVC tool server (appiopserv) - [ off ]
        IBM HTTP Server administration server - web server (webihsadm) - [ off ]

        IBM HTTP Server web server - web server (webihsserv) - [ off ]

    3) Log on to the Applications server as root by using the Gnome desktop or the KDE desktop.

    4) Configure the Installation Manager:  
      a) Start the Installation Manager through the GUI:
        Applications -> IBM Applications Installation Manager
      b) In File -> Preferences ....  Passport Advantage,
        select "Connect to Passport Advantage".
        Click Apply and then click OK.
      c) In File -> Preferences .... Repository,
        clear the selection for every repository that begins with the string "/tmp/ioc" or "/installMedia/*". These repositories are no longer relevant, and can be deleted.
      d) Select "Search service repositories during installation and updates".
        Click Apply and then click OK.
      e) In File -> Preferences --> Updates,
        select "Search for Installation Manager updates ..".
        Click Apply and then click OK. The Installation Manager then looks for updates for the IBM Installation Manager Program itself.
       f) Stop and restart the IBM Installation Manager.
    5) Update the components on the Applications server:
      a) Start the Installation Manager through the GUI:
        Applications -> IBM Applications Installation Manager
      b) Select 'Update'.
      c) Select 'Next' repeatedly until you are prompted for an IBM ID and password.
        On the next screen, which prompts for a Master Password, click 'Cancel'.
      d) If you are prompted to perform an update to a new version of Installation Manager,
        click 'Yes' to perform the upgrade, and then click 'OK' to restart the Installation Manager when prompted.
      e) If you upgraded the Installation Manager, select "Update" again.
      f) If you are prompted to attach to the IBM WebSphere Application Server Repository,
        select 'Yes'.
      g) Enter your IBM ID and password.
      h) On the "Update Packages" screen, in the Package Group Name column,
        select "IBM WebSphere Application Server Network Deployment V8.0" and click 'Next'.
        Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
      i) Select all available fixes for "WebSphere Application Server Network Deployment".
        You must apply the Apache Commons fix 8.0.0.0-WS-WAS-IFPI52103.
        Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix.
        If necessary, re-run IBM Installation Manager, select "Update Packages for IBM WebSphere Application Server Network Deployment V8.0" and then select "All available fixes for WebSphere Application Server Network Deployment".
        Apply all outstanding WebSphere Application Server updates.

    6) Log on to a terminal prompt as user ibmadmin.

    7) Start the Applications server by entering the command:
      IOCControl -a start -c app -p "ioc topology password"
      Wait for these lines to appear in the output:
        IBM WebSphere Application Server Network Deployment (appdmgr) - [ on ]
        IBM Business Monitor node agent (appbmonnode) - [ on ]
        IBM Business Monitor server (appbmonserv) - [ on ]
        IBM Lotus Sametime Proxy node agent (appstproxynode) - [ on ]
        IBM Lotus Sametime Proxy server (appstproxyserv) - [ on ]
        IBM Worklight node agent (appwrkltnode) - [ on ]
        IBM Worklight server (appwrkltserv) - [ on ]
        IBM WebSphere Portal Enable node agent (appwpenode) - [ on ]
        IBM WebSphere Portal Enable server (appwpeserv) - [ on ]
        IOP SVC tool node agent (appiopnode) - [ on ]
        IOP SVC tool server (appiopserv) - [ on ]
        IBM HTTP Server administration server - web server (webihsadm) - [ on ]
        IBM HTTP Server web server - web server (webihsserv) - [ on ]
    8) Verify that the fix packs and interim fixes are installed on WebSphere Application Server.
    The upgrade to WebSphere Application Server on the Applications server is now complete.

    For Intelligent Operations Center 5.1.x:

    Installation prerequisites for Analytics and Applications servers.

    1) You must have a Passport Advantage ID and password.

    2) Log in as user root on each server.

    3) All servers must have access to the internet for the following instructions. If the servers do not have access to the internet, you can download the fix or interim fix on another system, transfer it to the file system of each server that must be updated, and then follow the instructions at the links below.

    Download the files that contain the fixes from Fix Central and use local updating. For the following steps that use IBM Installation Manager to install the WebSphere update, see:
    https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en

    The fix that you must download for WebSphere is located here:
    http://www-01.ibm.com/support/docview.wss?uid=swg21970575

    4) Either perform the update using a graphical user interface (GUI):
      Log in to a GUI desktop on Linux.
      The desktop can be either Gnome or KDE.
      If a desktop is not installed, you can use these steps to install a desktop:
        a) Enter the command:
          yum -y groupinstall "X Window System" Desktop
        b) Modify the file /etc/inittab to contain the line:
          id:5:initdefault:
        c) Reboot the operating system.
    Or perform the update by using a command prompt. Both paths are given in step 3 of the detailed steps below.
    Detailed steps to perform the upgrade:

    1) Stop the Liberty server that runs on the Applications server.
      a) Log on to the Applications server as root.
      b) Enter the commands:
        cd /opt/ibm/ioc51install/sample
        ./maint.sh
      c) Under the title "Control an IOC single-server instance",
        select "4b) Stop Liberty <server>".

    2) Log on to the Applications server as root by using the Gnome desktop or the KDE desktop.

    3) Either perform the update using a GUI:
      Update the components on the Applications server, including Liberty:
        a) Start the Installation Manager through the GUI:
          Applications -> IBM Applications Installation Manager
        b) Select 'Update'.
        c) Select 'Next' repeatedly until you are prompted for an IBM ID and password.
        d) If you are prompted to perform an update to a new version of Installation Manager,
          click 'Yes' to perform the upgrade and then click 'OK' to restart the Installation Manager when prompted.
        e) If you upgraded the Installation Manager, select "Update" again.
        f) On the "Configuration for IBM WebSphere Application Server Liberty Network Deployment 8.5.5.7" panel, select "Launch Asset Selection Wizard".
        g) Select "Update all packages with recommended updates and recommended fixes"
        h) Enter your IBM ID and password.
        i) Accept the terms of the license agreement, and click 'Finish'.
        j) On the "Update Packages" screen, in the Package Group Name column,
          select "IBM WebSphere Application Server Network Deployment V8.0" and click 'Next'.
          Do not select "IBM SPSS Collaboration and Deployment Services 7.0", and do not select "Update all packages with recommended updates and recommended fixes". IOC is incompatible with the upgrade to SPSS.
        k) Select all available fixes for "WebSphere Application Server Network Deployment".
          You must apply the Apache Commons fix 8.0.0.0-WS-WAS-IFPI52103.
          Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server to see this fix.
          If necessary, re-run IBM Installation Manager, select "Update Packages for IBM WebSphere Application Server Network Deployment V8.0" and then select "All available fixes for WebSphere Application Server Network Deployment".
          Apply all outstanding WebSphere Application Server updates.
          When you have applied all the WebSphere Application Server fixes, proceed to the next step.

    Or perform the update by using a command line:
        a) Download the 8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip file to a local system.
        b) Upload the compressed file to the /tmp file system on the Applications server.
        c) Log on to a terminal session as the root user.
        d) Run these two commands to perform the installation:
          cd /opt/IBM/InstallationManager/eclipse/tools
          ./imcl install 8.5.5.7-WS-WLP-DistOnly-IFPI52103 \
             -installationDirectory /opt/IBM/WebSphere/wlp \
             -repositories /tmp/8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip
        These commands install
          8.5.5.7-WS-WLP-DistOnly-IFPI52103_8.5.5007.20151114_2058
        into the /opt/IBM/WebSphere/wlp directory. The repository path must match the name of the file that you uploaded; Linux file names are case-sensitive.
        e) To validate the installation, run:
          ./imcl listInstalledPackages -long

    4) Start the Liberty server with the commands:
      cd /opt/ibm/ioc51install/sample
      ./maint.sh
    5) Under the title "Control an IOC single-server instance",
      select "4a) Start Liberty <server>".
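The verification that the 1.6 procedures above leave unstated, and the imcl listInstalledPackages check in the 5.1.x command-line path, as an added example that is not part of the IBM bulletin: a POSIX shell script that gathers whatever fix listings the host can produce and confirms that the Apache Commons interim fix (APAR PI52103, the number carried by both fix names on this page) is actually present. The installation paths, the versionInfo.sh -ifixes and productInfo version --ifixes commands, and the sample listing text are assumptions; the bulletin itself names only imcl listInstalledPackages -long.

```shell
#!/bin/sh
# Added example (not part of the IBM bulletin). After the update, confirm
# that the Apache Commons interim fix is installed rather than trusting that
# the Installation Manager session finished cleanly.
# Assumptions (not stated in the bulletin): traditional WAS ND lives under
# /opt/IBM/WebSphere/AppServer and bin/versionInfo.sh -ifixes lists interim
# fixes; Liberty lives under /opt/IBM/WebSphere/wlp and bin/productInfo
# version --ifixes lists them; the Installation Manager CLI is
# /opt/IBM/InstallationManager/eclipse/tools/imcl. Override with env vars.

APAR="PI52103"   # the APAR in 8.0.0.0-WS-WAS-IFPI52103 and 8.5.5.7-WS-WLP-DistOnly-IFPI52103
WAS_HOME="${WAS_HOME:-/opt/IBM/WebSphere/AppServer}"
WLP_HOME="${WLP_HOME:-/opt/IBM/WebSphere/wlp}"
IMCL="${IMCL:-/opt/IBM/InstallationManager/eclipse/tools/imcl}"

# Exit 0 if the listing in FILE names the APAR, 1 otherwise. Accepts the bare
# form (PI52103) and the package-id form (...-IFPI52103) and refuses to match
# a longer APAR number that merely starts with the same digits.
apar_listed() {                     # usage: apar_listed FILE APAR
    grep -q -E "(^|[^A-Za-z0-9])(IF)?$2([^0-9]|$)" "$1"
}

# Appends every listing this host can produce to OUT. Each source is optional
# so the same script runs on a 1.6 (WAS ND) or a 5.1 (Liberty) server.
collect_listings() {                # usage: collect_listings OUT
    : > "$1"
    if [ -x "$WAS_HOME/bin/versionInfo.sh" ]; then
        "$WAS_HOME/bin/versionInfo.sh" -ifixes >> "$1" 2>&1
    fi
    if [ -x "$WLP_HOME/bin/productInfo" ]; then
        "$WLP_HOME/bin/productInfo" version --ifixes >> "$1" 2>&1
    fi
    if [ -x "$IMCL" ]; then
        "$IMCL" listInstalledPackages -long >> "$1" 2>&1
    fi
}

# Exit 0 if the fix is found on this host, 1 if not.
verify_host() {                     # usage: verify_host
    listing=$(mktemp)
    collect_listings "$listing"
    if apar_listed "$listing" "$APAR"; then
        echo "OK: interim fix for APAR $APAR is installed"
        rm -f "$listing"
        return 0
    fi
    echo "MISSING: no interim fix for APAR $APAR in $WAS_HOME, $WLP_HOME or $IMCL output" >&2
    rm -f "$listing"
    return 1
}

# Constructed sample listings (not real command output; line shapes are only
# approximations) so the matcher can be exercised offline.
WORK=$(mktemp -d)
cat > "$WORK/patched.txt" <<'EOF'
Name                     IBM WebSphere Application Server Network Deployment
Version                  8.0.0.11
Interim Fix              8.0.0.0-WS-WAS-IFPI52103
EOF
cat > "$WORK/unpatched.txt" <<'EOF'
Name                     IBM WebSphere Application Server Network Deployment
Version                  8.0.0.11
Interim Fix              8.0.0.0-WS-WAS-IFPI521039
EOF
cat > "$WORK/liberty.txt" <<'EOF'
Product name: WebSphere Application Server
Product version: 8.5.5.7
Interim fixes: PI52103
EOF

for f in "$WORK"/*.txt; do
    if apar_listed "$f" "$APAR"; then echo "sample $f: fix present"; else echo "sample $f: fix absent"; fi
done

# Pass --host to check the real installation instead of the samples.
if [ "${1:-}" = "--host" ]; then
    verify_host
fi
```

Run it with --host on each Analytics and Applications server after the Installation Manager session, as root so that the WAS and imcl commands can read their own installation directories; a MISSING result on a server that was supposedly updated usually means the interim fix was not offered because earlier fix packs had not been applied yet, which is the situation the "This fix might not appear initially" notes above describe.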

    Workarounds and Mitigations

    None


    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

    Disclaimer

    Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

    Internal Use Only

    James Stroud:
    Then for IOC 5.1, the WebSphere Liberty command that is supposed to give the list of ifixes does not work, so we won't include this step for IOC 5.1. I wanted to, though. It would have been this step:

    5) To verify fix packs and interim fixes installed on WebSphere Liberty, do the following from a terminal session as the root user:
    a) cd /opt/IBM/WebSphere/wlp/bin
    b) ./productInfo --ifixes

    More details on the productInfo command are here: https://www-01.ibm.com/support/knowledgecenter/#!/SSEQTP_8.5.5/com.ibm.websphere.wlp.doc/ae/rwlp_command_productinfo.html?cp=SSEQTP_8.5.5%2F1-3-11-0-1-3-0


    Document Information

    Modified date:
    19 August 2022

    UID

    swg21971203