IBM Support

QRadar: Authentication Bypass Workaround for CVE-2018-1418

Troubleshooting


Problem

This technical note advises users how to apply an additional workaround for CVE-2018-1418 on QRadar systems when a scheduled maintenance window is not available to upgrade your software version.

Cause

A security bulletin and patch concerning the IBM CVE-2018-1418 Authentication Bypass Leading to Remote Command Injection vulnerability was released on April 24, 2018 for 7.3.1 Patch 3 and 7.2.8 Patch 12. On May 24, 2018 the National Vulnerability Database (NVD) retroactively increased the base score of CVE-2018-1418 to 9.8 critical. As with all patches, IBM encourages administrators on 7.2.8 and 7.3.0 versions to upgrade to the latest software version as soon as possible to address this and all known critical vulnerabilities for the best security posture available.

Diagnosing The Problem

This workaround is for administrators on QRadar 7.3.0 (any patch version) who do not have a scheduled maintenance window to apply a software update to their Console appliance. It includes a procedure to remove a deployed servlet from the QRadar web server (Tomcat) to mitigate the two attack vectors used in the vulnerability reported for CVE-2018-1418.

Before you begin
Administrators who apply this workaround will lose file/image analysis functionality in QRadar Incident Forensics on the QRadar Console with the removal of the servlet. This workaround is only intended for users who do not have QRadar Incident Forensics in their deployment and who cannot upgrade at this time, or for administrators who do not have a scheduled maintenance window upcoming and want to mitigate the issue described in the security bulletin for CVE-2018-1418.



To remove the servlet from the QRadar Console
This procedure advises administrators how to remove the servlet from the QRadar Console. Administrators should be aware that this procedure requires services to be restarted, which will log off users and stop event collection temporarily while services are restarted.

  1. Using SSH, log in to the QRadar Console as the root user.
  2. To remove the servlet from the Console, type the following command:
    rm -rf /opt/qradar/webapps/ForensicsAnalysisServlet
  3. To remove the webserver servlet from the Console, type the following command:
    rm -rf /opt/tomcat/work/Catalina/localhost/ForensicsAnalysisServlet
  4. Select one of the following options to restart services based on your QRadar version:
    • For QRadar 7.2.x, type the following commands (SysV init syntax is service <name> <action>):
      service tomcat stop
      service hostcontext stop
      service tomcat start
      service hostcontext start
    • For QRadar 7.3.x, type:
      systemctl stop tomcat hostcontext && systemctl start tomcat hostcontext
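Added example, not part of the technote: a POSIX shell script an administrator can run on the Console after step 4 to confirm the workaround took effect, that is, both ForensicsAnalysisServlet paths are gone and tomcat and hostcontext are active again. The optional path prefix argument and the service status queries are assumptions (the prefix exists only so the directory checks can be exercised against a scratch tree).

```shell
#!/bin/sh
# Added verification script (not IBM's own code) for the CVE-2018-1418
# servlet-removal workaround. Checks the two paths the technote removes.

# servlet_paths [PREFIX]: print the two servlet locations from the technote.
# PREFIX is an assumed, optional argument used to test against a scratch tree.
servlet_paths() {
    prefix="${1:-}"
    printf '%s\n' \
        "${prefix}/opt/qradar/webapps/ForensicsAnalysisServlet" \
        "${prefix}/opt/tomcat/work/Catalina/localhost/ForensicsAnalysisServlet"
}

# workaround_applied [PREFIX]: return 0 when neither path exists,
# 1 when any servlet directory is still present (each leftover is reported).
workaround_applied() {
    prefix="${1:-}"
    leftover=0
    for p in $(servlet_paths "$prefix"); do
        if [ -e "$p" ]; then
            echo "STILL PRESENT: $p" >&2
            leftover=1
        fi
    done
    return $leftover
}

# services_running: 0 when tomcat and hostcontext are both up.
# Uses systemd on 7.3.x and SysV service status on 7.2.x (assumed to answer status).
services_running() {
    if command -v systemctl >/dev/null 2>&1; then
        systemctl is-active --quiet tomcat && systemctl is-active --quiet hostcontext
    else
        service tomcat status >/dev/null 2>&1 && service hostcontext status >/dev/null 2>&1
    fi
}

# Run the full check only on a QRadar host (guard keeps it inert elsewhere).
if [ -d /opt/qradar ]; then
    if workaround_applied "" && services_running; then
        echo "OK: ForensicsAnalysisServlet removed and tomcat/hostcontext active"
    else
        echo "CHECK FAILED: see messages above" >&2
    fi
fi
```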

Results
After services restart, the servlet is removed from the QRadar Console. IBM encourages administrators on 7.2.8 and 7.3.0 versions to plan a maintenance window to upgrade to a version listed in the Remediation/Fixes area of the security bulletin for CVE-2018-1418. If you update to a QRadar version other than QRadar 7.3.1 Patch 3 or later or QRadar 7.2.8 Patch 12 or later, this workaround must be reapplied after the update to mitigate the issues described in the security bulletin for CVE-2018-1418.


Document Information

Modified date: 16 June 2018

UID: swg22016816