IBM Support

Security Bulletin:Multiple vulnerabilities in IBM JRE affect IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC(CVE-2016-4003)

Created by Chang Liu on
Published URL:
https://www.ibm.com/support/pages/node/629005
629005

Security Bulletin


Summary

There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Version 6, 7 that is used by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus CVE-2016-0636 and three additional vulnerabilities.

Vulnerability Details

CVE-ID: CVE-2016-4003
Description: Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 6.100
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/111514 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1
Platform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1
Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Remediation/Fixes

See workaround

Workarounds and Mitigations

IBM® Runtime Environment Java™ Technology Edition, Version 6, 7 should be replaced.

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x

1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For POWER platform, download ppc64 version JRE tart package. The followings steps are using x86_64 as an example.)

2. Copy the tar package into the management node. If high availability is enabled, copy the JRE tar package to standby management node, as well.

3. If high availability is enabled, shutdown standby management node, in order to avoid triggering high availability.

4. On the management node, stop GUI and PERF services

# pcmadmin service stop --group ALL

5. On management node, extract new JRE files and replace some old folders with new ones.

# tar -zxvf ibm-java-jre-7.0-9.40-linux-x86_64.tgz# mv /opt/pcm/jre/bin /opt/pcm/jre/bin-old# mv /opt/pcm/jre/lib /opt/pcm/jre/lib-old# mv /opt/pcm/jre/plugin /opt/pcm/jre/plugin-old# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/jre/# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/jre/# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/jre/# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old# cp -r ibm-java-x86_64-70/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-70/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-70/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/



6. On management node, start GUI and PERF services

# pcmadmin service start --group ALL

7. If high availability is enabled, start up standby management node, and replace bin, lib, plugin folders under /opt/pcm/web-portal/jre/linux-x86_64, on standby management node.

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For POWER platform, download ppc64 version JRE tart package. The followings steps are using x86_64 as an example.)

2. Copy the tar package into the management node. If high availability is enabled, copy the JRE tar package to standby management node, as well.

3. If high availability is enabled, shutdown standby management node, in order to avoid triggering high availability.

4. On the management node, stop GUI and PERF services

5. HA disabled:# pmcadmin stop# perfadmin stop allHA enabled:# egosh user logon -u Admin -x Admin# egosh service stop all

6. On management node, extract new JRE files and replace some old folders with new ones.

# tar -zxvf ibm-java-jre-6.0-16.26-linux-x86_64.tgz# mv /opt/pcm/web-portal/jre/linux-x86_64/bin /opt/pcm/web-portal/jre/linux-x86_64/bin-old# mv /opt/pcm/web-portal/jre/linux-x86_64/lib /opt/pcm/web-portal/jre/linux-x86_64/lib-old# mv /opt/pcm/web-portal/jre/linux-x86_64/plugin /opt/pcm/web-portal/jre/linux-x86_64/plugin-old# cp -r ibm-java-x86_64-60/jre/bin /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-60/jre/lib /opt/pcm/web-portal/jre/linux-x86_64/# cp -r ibm-java-x86_64-60/jre/plugin /opt/pcm/web-portal/jre/linux-x86_64/

7. On management node, start GUI and PERF services

HA disabled:# pmcadmin start# perfadmin start allHA enabled:# egosh user logon -u Admin -x Admin# egosh service start all

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

None

Change History

<09 April 2016>: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSENRW","label":"Platform HPC for System x"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"4.1;4.1.1;4.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
17 June 2018

UID

isg3T1023824