IBM Support

Security Bulletin: Vulnerability in Apache Commons FileUpload DiskFileItem File Manipulation affects IBM Spectrum Conductor with Spark 2.2.0 (CVE-2016-1000031)

Created by Steve Haertel on
Published URL:
https://www.ibm.com/support/pages/node/664689
664689

Security Bulletin


Summary

A security vulnerability relating to remote code execution CVE-2016-1000031 has been reported against Apache Commons FileUpload DiskFileItem File Manipulation, which IBM Spectrum Conductor with Spark 2.2.0 uses as a framework for some services. Commons FileUpload 1.3.3 addresses this vulnerability and can be applied through the manual steps detailed in the Remediation section.

Vulnerability Details

CVEID: CVE-2016-1000031
DESCRIPTION: A vulnerability in IBM Spectrum Conductor with Spark 2.2.0 could allow a remote attacker to execute arbitrary code on the system, caused by deserialization of untrusted data in DiskFileItem class of FileUpload library. A attacker could exploit this vulnerability to execute arbitrary code under the context of the current process.
CVSS V3 Base Score: 7.5 HIGH
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (legend)
CVSS V3 Impact Score: 5.9
CVSS V3 Exploitability Score: 3.9

Affected Products and Versions

IBM Spectrum Conductor with Spark 2.2.0. All architectures. The remediation steps are provided in this document.

Remediation/Fixes

None

Workarounds and Mitigations

1.1 Log on to each management host in the cluster and download the commons-fileupload-1.3.3-bin.tar.gz package from the following location:

http://archive.apache.org/dist/commons/fileupload/binaries/commons-fileupload-1.3.3-bin.tar.gz

1.2 Stop the following services:

> egosh service stop WEBGUI REST ascd plc purger

1.3 For backup purposes, move the following files, which will be replaced by new files:

> mkdir -p /tmp/cf121backup/

> mkdir -p /tmp/cf131backup/

Make note of the file owner, group, and permissions for the following files:
>ls -la $EGO_TOP/gui/3.5/lib/commons-fileupload-*.jar
>ls -la $EGO_TOP/perf/3.5/lib/commons-fileupload-*.jar
>ls -la $EGO_TOP/ascd/2.2.0/lib/commons-fileupload-*.jar
>ls -la $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar

> mv $EGO_TOP/gui/3.5/lib/commons-fileupload-*.jar /tmp/cf131backup

> mv $EGO_TOP/perf/3.5/lib/commons-fileupload-*.jar /tmp/cf121backup/

> rm $EGO_TOP/ascd/2.2.0/lib/commons-fileupload-*.jar

> rm $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/commons-fileupload-*.jar

1.4 On each management host, decompress the commons-fileupload-1.3.3-bin.tar.gz package and copy the following files to your cluster directory:

> tar zxf commons-fileupload-1.3.3-bin.tar.gz

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/gui/3.5/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/perf/3.5/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/ascd/2.2.0/lib/

> cp commons-fileupload-1.3.3-bin/commons-fileupload-1.3.3.jar $EGO_TOP/wlp/usr/servers/rest/apps/3.5/deploymentrest/WEB-INF/lib/

If needed, restore the original file permissions with:
> chmod ### [file]

If needed, restore the original file owner and group with:
> chown [user]:[group] [file]

1.5 On each management host, clean up the GUI work directories:

> rm -rf $EGO_TOP/gui/work/*

> rm -rf $EGO_TOP/gui/workarea/*

NOTE: If you configured the WLP_OUTPUT_DIR parameter and APPEND_HOSTNAME_TO_WLP_OUTPUT_DIR is set to true in the $EGO_CONFDIR/wlp.conf file, you must clean up the $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/ directory.

1.6 Launch a web browser and clear your browser cache.

1.7 Start the following services:

> egosh service start WEBGUI REST ascd plc purger

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSZU2E","label":"IBM Spectrum Conductor with Spark"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"2.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
17 June 2018

UID

isg3T1027394