IBM Support

CVE-2023-50164: NOI 1.6.11 Test Fix for Apache Struts

Fix Readme


Abstract

The test fix for issue CVE-2023-50164 consists of updated images in the IBM Entitled Registry.

Content

This test fix applies to NOI 1.6.11.
Apache Struts is vulnerable because an attacker can manipulate file upload parameters to enable path traversal. Under some circumstances this can lead to the upload of a malicious file, which can then be used to perform remote code execution. This test fix resolves CVE-2023-50164. For more information, see Apache Struts vulnerable to path traversal.
Image locations:
icr.io/cp/noi/nasm-app-disco-utils:1.1.32-202401071407
icr.io/cp/noi/nasm-app-disco-controller:1.1.32-202401071407
icr.io/cp/noi/nasm-app-disco-services:1.1.32-202401071407
icr.io/cp/noi/nasm-app-disco-log-collector:1.1.32-202401071407
icr.io/cp/noi/nasm-app-disco-secondarystorage:1.1.32-202401071407
icr.io/cp/noi/nasm-app-disco-primarystorage:1.1.32-202401071407
icr.io/cp/noi/nasm-app-disco-discovery:1.1.32-202401071407
icr.io/cp/noi/webgui-asm:1.6.11.0-CVE-2023-50164

To patch an existing Netcool Operations Insight instance:

Step 1: Create a backup of the CustomResource:
• Go to the Red Hat OpenShift console (with administrator privileges) and from the sidebar menu, go to Operators > Installed Operators and look for IBM Cloud Pak for AIOps Event Manager. The Details tab displays different CustomResourceDefinitions in the Provided APIs section.
• Click the All Instances tab to display a list of instances (typically a single instance is displayed). The Name column displays the instance name and the Kind column displays the CustomResource Kind.
• Click the instance link and then the YAML tab. Copy the entire YAML content to a file as a backup.

Note: The instance name is required for Step 4.
Note: The CustomResource (created from the CustomResourceDefinition) has singular and plural names. For example, the NOIHybrid CustomResource has the singular name noihybrid, while its plural name is noihybrids.
Note: The lowercase CustomResource Kind (the singular name) is required for Step 4.

Step 2 (air-gapped installations only; otherwise proceed to Step 3): Create an images.csv file containing only the following images.

registry,image_name,tag,digest,mtype,os,arch,variant,insecure,digest_source,image_type,groups 
cp.icr.io,cp/noi/nasm-app-disco-utils,1.1.32-202401071407,sha256:c0e91f31dca31ba9e81470d5a111873f2ebe5c962319b55f05d703359c9dc145,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/nasm-app-disco-controller,1.1.32-202401071407,sha256:fa39677e3bb63237c456208cd0ce7e133fee631c5abe82b12bab4e0a1e1fba32,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/nasm-app-disco-services,1.1.32-202401071407,sha256:caac7d6c1c2267799458971738c95c3622715125d471fbee9ba6db93f85db09c,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/nasm-app-disco-log-collector,1.1.32-202401071407,sha256:5b09acea79f086e8e08368236f1d16d72d75134e9a854524464e9c3af50aa118,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/nasm-app-disco-secondarystorage,1.1.32-202401071407,sha256:b6db1e55407f2dcae84652df9182ab53214668a70ddf979cf1ed9ae60c5f9749,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/nasm-app-disco-primarystorage,1.1.32-202401071407,sha256:06450ae6487bd3d3863b1a3a0cb88563fce7ad203d077eb8caf03839f3e8b695,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/nasm-app-disco-discovery,1.1.32-202401071407,sha256:e4e95ea5789dc1938d0da7fc4e12b2b04d26c6857f0d24e6cd4ee81421bfced3,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/webgui-asm,1.6.11.0-CVE-2023-50164,sha256:e363f245897b81bb853daf7dcd50d634123fffd43b133bbdb11ca071ec3da4ae,IMAGE,linux,amd64,"",0,CASE,"",""
Follow the steps to mirror images to a final location. For more information, see Mirror images.
Step 3: Copy the following lines into a file called patch.yaml.
Note: Add the helmValuesASM parameters only if the AppDisco extension is enabled. If AppDisco is enabled, you must delete the extension deployments before you patch your deployment:
oc delete deployment -l app.kubernetes.io/managed-by=appdisco-operator --namespace $NAMESPACE
Note: If your installation is a hybrid deployment, you do not need to add the helmValuesNOI parameters.
spec:
  helmValuesNOI:
    webgui.image.name: webgui-asm
    webgui.image.digest: sha256:e363f245897b81bb853daf7dcd50d634123fffd43b133bbdb11ca071ec3da4ae
    webgui.image.tag: 1.6.11.0-CVE-2023-50164
  helmValuesASM:
    global.appDisco.version: 1.1.32
    appDisco.image.digest: sha256:fa39677e3bb63237c456208cd0ce7e133fee631c5abe82b12bab4e0a1e1fba32
    appDisco.image.tag: 1.1.32-202401071407
    appDisco.images.ds.digest: sha256:e4e95ea5789dc1938d0da7fc4e12b2b04d26c6857f0d24e6cd4ee81421bfced3
    appDisco.images.ds.tag: 1.1.32-202401071407
    appDisco.images.pss.digest: sha256:06450ae6487bd3d3863b1a3a0cb88563fce7ad203d077eb8caf03839f3e8b695
    appDisco.images.pss.tag: 1.1.32-202401071407
    appDisco.images.sss.digest: sha256:b6db1e55407f2dcae84652df9182ab53214668a70ddf979cf1ed9ae60c5f9749
    appDisco.images.sss.tag: 1.1.32-202401071407
    appDisco.images.utils.digest: sha256:c0e91f31dca31ba9e81470d5a111873f2ebe5c962319b55f05d703359c9dc145
    appDisco.images.utils.tag: 1.1.32-202401071407
    appDisco.images.logcollector.digest: sha256:5b09acea79f086e8e08368236f1d16d72d75134e9a854524464e9c3af50aa118
    appDisco.images.logcollector.tag: 1.1.32-202401071407
    appDisco.images.services.digest: sha256:caac7d6c1c2267799458971738c95c3622715125d471fbee9ba6db93f85db09c
    appDisco.images.services.tag: 1.1.32-202401071407
Step 4: Run the following command, where <NAMESPACE> and <INSTANCE NAME OF CR> are the namespace and name of the Netcool Operations Insight instance.
oc patch <SINGULAR NAME OF CR> -n <NAMESPACE> <INSTANCE NAME OF CR> --type=merge --patch-file <PATCH FILE>

where:
- <SINGULAR NAME OF CR>: The lowercase CustomResource Kind. Refer to Step 1.

- <NAMESPACE>: The namespace used by the operator or project, for example noi-on-ocp.

- <INSTANCE NAME OF CR>: The name of the Operands (instance of CustomResource). Refer to Step 1.

Example:

oc patch noihybrid -n noi-on-ocp hybrid-424 --type=merge --patch-file patch.yaml

Step 5: After 30 to 60 seconds, check that the pods were restarted and the old ones terminated.

oc get pods

To verify whether the patch is successfully applied, run the following command:

oc describe <pod name>

where <pod name> is the name of the restarted pod.

Example:

oc describe pod

The images are listed in the output of the command.
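Reading image IDs out of oc describe output by eye is error-prone for eight images, so here is an added verification script (not part of IBM's fix readme) that cross-checks the digests from images.csv against the digests actually running in the pods. It assumes CRI-O style imageID values of the form registry/repo@sha256:hex and embeds a constructed subset of the CSV and a constructed `oc get pods -o json` document; in practice you would pipe the real `oc get pods -o json` into it.

```python
"""Cross-check that running NOI pods use the digests shipped with the test fix."""
import csv
import io
import json
import re

# A digest from images.csv must be exactly sha256: followed by 64 hex characters.
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Two rows copied from the fix's images.csv (constructed subset for this example).
IMAGES_CSV = """registry,image_name,tag,digest,mtype,os,arch,variant,insecure,digest_source,image_type,groups
cp.icr.io,cp/noi/nasm-app-disco-controller,1.1.32-202401071407,sha256:fa39677e3bb63237c456208cd0ce7e133fee631c5abe82b12bab4e0a1e1fba32,IMAGE,linux,amd64,"",0,CASE,"",""
cp.icr.io,cp/noi/webgui-asm,1.6.11.0-CVE-2023-50164,sha256:e363f245897b81bb853daf7dcd50d634123fffd43b133bbdb11ca071ec3da4ae,IMAGE,linux,amd64,"",0,CASE,"",""
"""


def expected_digests(csv_text):
    """Map short image name -> digest; reject a malformed digest before it is mirrored."""
    out = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not DIGEST_RE.match(row["digest"]):
            raise ValueError(f"bad digest for {row['image_name']}: {row['digest']!r}")
        out[row["image_name"].rsplit("/", 1)[-1]] = row["digest"]
    return out


def unpatched_containers(pods_json, expected):
    """Return (pod, container, running digest) for every container whose image is
    covered by the fix but is not running the fix digest."""
    findings = []
    for pod in json.loads(pods_json)["items"]:
        for cs in pod["status"].get("containerStatuses", []):
            repo, _, digest = cs["imageID"].partition("@")  # registry/repo@sha256:hex
            name = repo.rsplit("/", 1)[-1]
            if name in expected and digest != expected[name]:
                findings.append((pod["metadata"]["name"], cs["name"], digest))
    return findings


# Constructed `oc get pods -o json` output: webgui is patched, the controller is not.
SAMPLE_PODS = json.dumps({"items": [
    {"metadata": {"name": "hybrid-424-webgui-0"}, "status": {"containerStatuses": [
        {"name": "webgui", "imageID": "cp.icr.io/cp/noi/webgui-asm@sha256:"
         "e363f245897b81bb853daf7dcd50d634123fffd43b133bbdb11ca071ec3da4ae"}]}},
    {"metadata": {"name": "hybrid-424-appdisco-controller-0"}, "status": {"containerStatuses": [
        {"name": "controller", "imageID": "cp.icr.io/cp/noi/nasm-app-disco-controller@sha256:" + "0" * 64}]}},
]})

if __name__ == "__main__":
    for pod, container, digest in unpatched_containers(SAMPLE_PODS, expected_digests(IMAGES_CSV)):
        print(f"still unpatched: pod={pod} container={container} digest={digest}")
```

An empty result means every container whose image is listed in images.csv is running the fix digest; anything printed names a pod that did not pick up the patch.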

Rollback

To roll back the test fix, edit the CR by running the command:

oc edit <SINGULAR NAME OF CR>

Example:

oc edit noihybrid

This command opens the YAML configuration of the CR.

Look for the helmValuesNOI properties under the spec section and remove the following lines from the YAML configuration:

    webgui.image.name: webgui-asm
    webgui.image.digest: sha256:e363f245897b81bb853daf7dcd50d634123fffd43b133bbdb11ca071ec3da4ae
    webgui.image.tag: 1.6.11.0-CVE-2023-50164

Look for the helmValuesASM properties under the spec section and remove the following lines from the YAML configuration:

    global.appDisco.version: 1.1.32
    appDisco.image.digest: sha256:fa39677e3bb63237c456208cd0ce7e133fee631c5abe82b12bab4e0a1e1fba32
    appDisco.image.tag: 1.1.32-202401071407
    appDisco.images.ds.digest: sha256:e4e95ea5789dc1938d0da7fc4e12b2b04d26c6857f0d24e6cd4ee81421bfced3
    appDisco.images.ds.tag: 1.1.32-202401071407
    appDisco.images.pss.digest: sha256:06450ae6487bd3d3863b1a3a0cb88563fce7ad203d077eb8caf03839f3e8b695
    appDisco.images.pss.tag: 1.1.32-202401071407
    appDisco.images.sss.digest: sha256:b6db1e55407f2dcae84652df9182ab53214668a70ddf979cf1ed9ae60c5f9749
    appDisco.images.sss.tag: 1.1.32-202401071407
    appDisco.images.utils.digest: sha256:c0e91f31dca31ba9e81470d5a111873f2ebe5c962319b55f05d703359c9dc145
    appDisco.images.utils.tag: 1.1.32-202401071407
    appDisco.images.logcollector.digest: sha256:5b09acea79f086e8e08368236f1d16d72d75134e9a854524464e9c3af50aa118
    appDisco.images.logcollector.tag: 1.1.32-202401071407
    appDisco.images.services.digest: sha256:caac7d6c1c2267799458971738c95c3622715125d471fbee9ba6db93f85db09c
    appDisco.images.services.tag: 1.1.32-202401071407

Save the YAML configuration; the pods then restart.

Use the oc get pods command to check for pod restarts.

Including the patch in a new Netcool Operations Insight instance:

Include the following properties in the spec.helmValuesNOI property of a new Netcool Operations Insight instance.

    webgui.image.name: webgui-asm
    webgui.image.digest: sha256:e363f245897b81bb853daf7dcd50d634123fffd43b133bbdb11ca071ec3da4ae
    webgui.image.tag: 1.6.11.0-CVE-2023-50164

Include the following properties in the spec.helmValuesASM property of a new Netcool Operations Insight instance, if the AppDisco extension is enabled.

    global.appDisco.version: 1.1.32
    appDisco.image.digest: sha256:fa39677e3bb63237c456208cd0ce7e133fee631c5abe82b12bab4e0a1e1fba32
    appDisco.image.tag: 1.1.32-202401071407
    appDisco.images.ds.digest: sha256:e4e95ea5789dc1938d0da7fc4e12b2b04d26c6857f0d24e6cd4ee81421bfced3
    appDisco.images.ds.tag: 1.1.32-202401071407
    appDisco.images.pss.digest: sha256:06450ae6487bd3d3863b1a3a0cb88563fce7ad203d077eb8caf03839f3e8b695
    appDisco.images.pss.tag: 1.1.32-202401071407
    appDisco.images.sss.digest: sha256:b6db1e55407f2dcae84652df9182ab53214668a70ddf979cf1ed9ae60c5f9749
    appDisco.images.sss.tag: 1.1.32-202401071407
    appDisco.images.utils.digest: sha256:c0e91f31dca31ba9e81470d5a111873f2ebe5c962319b55f05d703359c9dc145
    appDisco.images.utils.tag: 1.1.32-202401071407
    appDisco.images.logcollector.digest: sha256:5b09acea79f086e8e08368236f1d16d72d75134e9a854524464e9c3af50aa118
    appDisco.images.logcollector.tag: 1.1.32-202401071407
    appDisco.images.services.digest: sha256:caac7d6c1c2267799458971738c95c3622715125d471fbee9ba6db93f85db09c
    appDisco.images.services.tag: 1.1.32-202401071407


Document Information

Modified date:
16 January 2024

UID

ibm17107013