IBM Support

Security Bulletin: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.

Security Bulletin


Summary

An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.

Vulnerability Details

CVEID: CVE-2015-7450

DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.CVSS Base Score: 9.8CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current scoreCVSS Environmental Score*: UndefinedCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1

Platform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1

Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Remediation/Fixes

See Workarounds

Workarounds and Mitigations

Platform Cluster Manager 4.2.x & Platform HPC 4.2.x

1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi

2. Extract the file commons-collections-3.2.2.jar file and copy the extracted files to the management node.

3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:


    · /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar

    · /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.1.jar

    · /opt/pcm/web-portal/docs/kc.war/WEB-INF/lib/commons-collections-3.2.1.jar

    · /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar

    · /opt/pcm/pcmd/1.0/lib/external/commons-collections-3.2.1.jar

    If high availability is enabled, in addition to the above files, replace the following JAR file on the standby management node.

    · /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar


4. Restart services. If high availability is enabled, run the following commands on active management node:

    # pcmhatool failmode -m manual

    # pcmadmin service stop --group all

    # pcmadmin service start --group all

    # pcmhatool failmode -m auto

    Otherwise, if high availability is not enabled, run the following commands on the active management node:

    # pcmadmin service stop --group all

    # pcmadmin service start --group all


Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download Apache Commons Collections 3.2.2 from http://commons.apache.org/proper/commons-collections/download_collections.cgi

2. Extract the commons-collections-3.2.2.jar file and copy the extracted files to the management node.

3. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced, include:


    · /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar

    · /opt/pcm /web-portal/perf/1.2/lib/commons-collections-3.2.1.jar

    · /opt/pcm /web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/commons-collections-3.2 .1.jar


4. Restart services. If high availability is enabled, run the following commands on active management node:

    # pcmhatool failmode -m manual

    # pmcadmin stop

    # perfadmin stop all

    # perfadmin start all

    # pmcadmin start

    # pcmhatool failmode -m auto

    Otherwise, if high availability is not enabled, run the following commands on the active management node:

    # pmcadmin stop

    # perfadmin stop all

    # perfadmin start all

    # pmcadmin start

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SSENRW","label":"Platform HPC for System x"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"4.1.1;4.2","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSENRW","label":"Platform HPC for System x"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

More support for:
Platform HPC for System x

Software version:
4.1.1, 4.2

Operating system(s):
Linux

Document number:
681933

Modified date:
17 June 2018

UID

isg3T1023162