IBM Support

Security Bulletin: Vulnerabilities in Struts affects IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-1182, CVE-2016-1181)

Created by Shyamala Rajagopalan on
Published URL:
https://www.ibm.com/support/pages/node/599269
599269

Security Bulletin


Summary

Struts vulnerabilities affects WebSphere Application Server, Business Process Manager, and Tivoli System Automation Application Manager that have addressed the applicable CVEs.

These issues were also addressed by IBM Tivoli Montioring and Jazz™ for Service Management that are shipped with Cloud Orchestrator Enterprise.

Vulnerability Details

CVEID: CVE-2016-1182
DESCRIPTION:
Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113853 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2016-1181
DESCRIPTION:
Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113852 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

    Principal Product and Version(s)

    Affected Supporting Product and Version
    IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2
  • WebSphere Application Server V8.5.5 through V8.5.5.7
  • IBM Business Process Manager Standard V8.5.5 - V8.5.6.2
  • Tivoli System Automation Application Manager V4.1.0
    IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4
  • WebSphere Application Server V8.5.0.1 through V8.5.5.7
  • IBM Business Process Manager Standard V8.5.0.1
  • Tivoli System Automation Application Manager V4.1.0
    IBM Cloud Orchestrator V2.3, V2.3.0.1
  • IBM WebSphere Application Server V8.0, V8.0.11
  • IBM Business Process Manager Standard V8.5.0.1
    IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2
  • WebSphere Application Server V8.5.5 through V8.5.5.7
  • IBM Business Process Manager Standard V8.5.5 - V8.5.6.2
  • Tivoli System Automation Application Manager V4.1.0
  • IBM Tivoli Monitoring V6.3.0.2
  • Jazz™ for Service Management V1.1.0.1
    IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4
  • WebSphere Application Server V8.5.0.1 through V8.5.5.7
  • IBM Business Process Manager Standard V8.5.0.1
  • Tivoli System Automation Application Manager V4.1.0
  • IBM Tivoli Monitoring V6.3.0.2
  • Jazz™ for Service Management V1.1.0.1
    IBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1
  • IBM WebSphere Application Server V8.0, V8.0.11
  • IBM Business Process Manager Standard V8.5.0.1
  • IBM Tivoli Monitoring V6.3.0.1
  • Jazz™ for Service Management V1.1.0.1

Remediation/Fixes

This issue has been addressed by IBM Cloud Orchestrator and Cloud Orchestrator Enterprise through the IBM WebSphere Application Server, IBM Business Process Manager Standard, Tivoli System Automation Application Manager, IBM Tivoli Monitoring, and Jazz™ for Service Management which are shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise.

    Product
    VRMF
    Remediation/First Fix
    IBM Cloud Orchestrator
    V2.5, V2.5.0.1,V2.5.0.2
    IBM Cloud Orchestrator
    V2.4, V2.4.0.1,V2.4.0.2, V2.4.0.3
    IBM Cloud Orchestrator
    V2.4.0.4
.
Refer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server, IBM Business Process Manager, and Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator.
Principal Product and Version(s)
    Affected Supporting Product and Version
    Affected Supporting Product Security Bulletin
    IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2
    WebSphere Application Server V8.5.5 through V8.5.5.7
    IBM Business Process Manager Standard V8.5.5 through V8.5.6.2
    Tivoli System Automation Application Manager V4.1.0
    IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4
    WebSphere Application Server V8.5.0.1 through V8.5.5.7
    IBM Business Process Manager Standard V8.5.0.1 through V8.5.6
    Tivoli System Automation Application Manager V4.1.0
    IBM Cloud Orchestrator V2.3, V2.3.0.1
    IBM WebSphere Application Server V8.0, V8.0.11
    IBM Business Process Manager Standard V8.5.0.1

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, IBM Business Process Manager Standard, Tivoli System Automation Application Manager, IBM Tivoli Monitoring, and Jazz™ for Service Management, which are shipped with IBM Cloud Orchestrator Enterprise:

    Principal Product and Version(s)
    Affected Supporting Product and Version
    Affected Supporting Product Security Bulletin
    IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2 Enterprise
    WebSphere Application Server V8.5.5 through V8.5.5.7
    IBM Business Process Manager Standard V8.5.5 through V8.5.6.2
    Tivoli System Automation Application Manager V4.1.0
    IBM Tivoli Monitoring V6.3.0.2
    Jazz™ for Service Management V1.1.0.1
    IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 Enterprise
    WebSphere Application Server V8.5.0.1 through V8.5.5.7
    IBM Business Process Manager Standard V8.5.0.1 through V8.5.6
    Tivoli System Automation Application Manager V4.1.0
    IBM Tivoli Monitoring V6.3.0.2
    Jazz™ for Service Management V1.1.0.1
    IBM Cloud Orchestrator V2.3, V2.3.0.1 Enterprise
    IBM WebSphere Application Server V8.0, V8.0.11
    IBM Business Process Manager Standard V8.5.0.1
    IBM Tivoli Monitoring V6.3.0.1
    Jazz™ for Service Management V1.1.0.1

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

28 April 2017: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS4KMC","label":"IBM SmartCloud Orchestrator"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"2.3;2.3.0.1;2.4;2.4.0.1;2.4.0.2;2.4.0.3;2.4.0.4;2.5;2.5.0.1;2.5.0.2","Edition":"All Editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
17 June 2018

UID

swg2C1000269