Security Bulletin
Summary
An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Rational Integration Tester in Rational Test Workbench, Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server (see CVE-2015-7450).
Vulnerability Details
CVEID: CVE-2015-7450
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
Rational Integration Tester component in Rational Test Workbench, Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server versions:
All versions from 8.0 up to and including 8.7.1
Remediation/Fixes
The fixes for the CVE(s) mentioned above have been incorporated into an interim fix available on Fix Central (http://www-933.ibm.com/support/fixcentral/).
Please follow the appropriate component instructions below:
Note: OS X instructions are provided for version 8.7.1 only.
Rational Test Control Panel (RTCP) component in Rational Test Workbench (RTW) and Rational Test Virtualization Server (RTVS)
1. Download the fix from Fix Central and unzip it to extract the library commons-collections-3.2.2.jar
2. Stop the server
3. For versions 8.0 to 8.5.0.x
o Delete the existing library 'commons-collections-3.2.1.jar' in RationalTestControlPanel/webapps/RTCP/WEB-INF/lib and replace it with 'commons-collections-3.2.2.jar'
4. For versions 8.5.1.x to 8.7.1
o Delete the existing library 'commons-collections-3.2.1.jar' in RationalTestControlPanel/usr/servers/RTCPServer/apps/RTCP.war/WEB-INF/lib and replace it with 'commons-collections-3.2.2.jar'
5. Start the server
Note: The default install location for RTCP is opt/IBM/RationalTestControlPanel on AIX, Linux and Solaris, /Applications/IBM/RationalTestControlPanel on OS X (8.7.1 only) and C:\Program Files\IBM\RationalTestControlPanel on Windows.
Rational Integration Tester (RIT) component in Rational Test Workbench (RTW)
1. Download the fix from Fix Central and unzip it to a directory.
For versions 8.7.0.x and before, use com.springsource.org.apache.commons.collections_3.2.2.jar.
For version 8.7.1, use org.apache.commons.collections_3.2.2.jar.
2. Close any running instances of Rational Integration Tester (and RIT Agent if installed on the same machine).
3. Locate the IBMIMShared directory.
4. Copy the appropriate file into the IBMIMShared\plugins directory.
5. Locate the “bundles.info” file. By default, the location of this file is:
{Installation Directory for RIT}\configuration\org.eclipse.equinox.simpleconfigurator
6. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below:
For versions 8.7.0.x and before:
com.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false
For version 8.7.1:
org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false
7. To verify that the changes have been made successfully, re-start RIT from the command line with the following command:
GHTester.exe -clean -console
When the console window appears, verify that 3.2.2, not 3.2.1, is shown when you type:
ss apache.commons.collections
Note: The default location for the IBMIMShared Directory is /Applications/IBM/IBMIMShared on OS X, opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\Program Files\IBM\IBMIMShared on Windows.
Rational Integration Tester Agent (RIT Agent) component in Rational Test Virtualization Server (RTVS) and Rational Performance Test Server (RPTS)
1. Download the fix from Fix Central and unzip it to a directory.
For versions 8.7.0.x and before, use com.springsource.org.apache.commons.collections_3.2.2.jar.
For version 8.7.1, use org.apache.commons.collections_3.2.2.jar.
2. Close any running instances of RIT Agent (and Rational Integration Tester if installed on the same machine).
3. Locate the IBMIMShared directory.
4. Copy the unzipped file to the IBMIMShared\plugins directory.
5. Locate the “bundles.info” file. By default, the location of this file is:
{Installation Directory for RIT Agent}\configuration\org.eclipse.equinox.simpleconfigurator
6. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below:
For versions 8.7.0.x and before:
com.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false
For version 8.7.1:
org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false
7. To verify that the changes have been made successfully, check that RTCP is running, and then re-start the agent from the command line with the following command:
Agent.exe -clean -console
When the console window appears, verify that 3.2.2, not 3.2.1, is shown when you type:
ss apache.commons.collections
Note: The default location for the IBMIMShared Directory is /Applications/IBM/IBMIMShared on OS X, opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\Program Files\IBM\IBMIMShared on Windows.
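As an added check for the bundles.info edit described in the RIT and RIT Agent steps above (this script is not part of IBM's bulletin or tooling), the following Python parses the Equinox simpleconfigurator entries and reports whether the Commons Collections entry has been fully moved to 3.2.2, including the case where the version field was edited but the jar name still points at 3.2.1. The unpatched sample line is an assumption about what an 8.7.0.x install carries before the fix.

```python
"""Added audit helper (not IBM's tooling) for the bundles.info edit in this bulletin.
Entry layout (Equinox simpleconfigurator): symbolic-name,version,location,start-level,auto-start
Flags any Commons Collections entry below 3.2.2, and any entry whose version field and
jar file name disagree (a half-applied edit)."""
import re

FIXED = (3, 2, 2)  # first Commons Collections 3.x release carrying the fix

def version_tuple(ver):
    """'3.2.1' -> (3, 2, 1); a trailing qualifier such as '.v2015' is ignored."""
    nums = []
    for part in ver.split(".")[:3]:
        if not part.isdigit():
            break
        nums.append(int(part))
    return tuple(nums + [0] * (3 - len(nums)))

def parse_bundles_info(text):
    """Return (name, version, location) for each well-formed entry."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(",")
        if not line.strip() or line.lstrip().startswith("#") or len(fields) != 5:
            continue  # blank, comment header line, or not a bundle entry
        entries.append((fields[0], fields[1], fields[2]))
    return entries

def audit_commons_collections(text):
    """Return a list of findings; an empty list means the edit looks complete."""
    findings, seen = [], False
    for name, ver, loc in parse_bundles_info(text):
        if not name.endswith("apache.commons.collections"):
            continue
        seen = True
        if version_tuple(ver) < FIXED:
            findings.append(f"{name}: version {ver} is below 3.2.2")
        m = re.search(r"_(\d+\.\d+\.\d+)\.jar$", loc)
        if m is None:
            findings.append(f"{name}: location {loc} is not a versioned jar")
        elif version_tuple(m.group(1)) != version_tuple(ver):
            findings.append(f"{name}: version field {ver} but jar is {m.group(1)}")
    if not seen:
        findings.append("no Commons Collections bundle entry found")
    return findings

# Constructed samples: an assumed unpatched 8.7.0.x line, then the bulletin's 8.7.1 replacement.
UNPATCHED = "com.springsource.org.apache.commons.collections,3.2.1,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.1.jar,4,false"
PATCHED = "org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false"
```

Pass the full contents of bundles.info to audit_commons_collections; an empty result means the version field and the jar name both read 3.2.2.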
General Notes:
o When updating an installation to a later version of Rational Test Control Panel, Rational Integration Tester or RIT Agent, the security fix detailed above will have to be re-applied after the update
o When removing an installation that has had the security fix applied, not all the files will be removed by IBM Installation Manager, and some files will have to be removed manually
Workarounds and Mitigations
None
References
Acknowledgement
None
Change History
30 November 2015: Original Version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
17 June 2018
UID
swg21971818