There is a classloader manipulation vulnerability in the Apache Struts 1 that is used by IBM WebSphere Application Server, IBM WebSphere Application Server Hypervisor Edition and IBM WebSphere Extended Deployment Compute Grid.
Description: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. Struts 1 is used by IBM WebSphere Application Server and IBM WebSphere Extended Deployment Compute grid.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected Products and Versions
This problem affects the following versions of the WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:
· Version 7
· Version 6.1
This is not an issue with Version 8.0 or 8.5 of IBM WebSphere Application Server or IBM WebSphere Application Server Hypervisor Edition:
This problem affects the Modern Batch Feature Pack on WebSphere Application Server Version 7.
This problem also affects the following versions of WebSphere Extended Deployment Compute Grid:
· Version 8 on WebSphere Application Server Version 7 or Version 8
· Version 6.1 on WebSphere Application Server Version 6.1 or Version 7
The Apache Struts used by the Administrative Console in WebSphere Application Server and batch processing in IBM Compute Grid may be vulnerable to a class loader manipulation. IBM recommends installing recommended fixes as outlined below.
If your Java Web Application is using Apache Struts version 1.x that is available in WebSphere Application Server's optional libraries, you also may be vulnerable. You will need to verify if your application is affected. WebSphere Application Server Version 7.0 deprecated the inclusion of version 1.x of Struts in 2008. We recommend that you upgrade your Struts 1 from Apache to include a version of Struts that has this fixed. Your application should be thoroughly tested to verify that it does not have any issues. Please refer to the Apache site for information and download: Apache Struts Web site. (struts.apache.org) For more information on migrating from Struts 1 to Struts 2, please refer to the Apache Struts Migration Guide at
If this mitigation will not work for you, please contact IBM Support.
Please note: IBM does not plan on shipping any fix for Struts 1.x as the fix is only available at the current levels of Apache Struts which can only be obtained from the Apache Struts website.
Important! IBM is planning on removing and no longer shipping all 4 versions of Struts Version 1.x from the optional Libraries starting in WebSphere Application Server 18.104.22.168, 22.214.171.124, 126.96.36.199 and 188.8.131.52. If you have copied the optional Struts packages to your shared library for your applications to use, you will need to take the following actions prior to moving to 184.108.40.206, 220.127.116.11, 18.104.22.168 or 22.214.171.124.
- Upgrade your applications to use a current level of Struts
- Include a copy of the Struts 1.x package from Apache that contains the fix as part of your ear file development.
FIXES for WebSphere Application Server and batch processing in IBM Compute Grid:
The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. There are 2 separate interim fixes that may need to be applied, links to Fix Central are provided below:
PI17190 for the Administrative Console
PI17420 for Administering batch jobs in Compute Grid
Fix:Apply a Fix Pack or PTF containing the above APARs, as noted below:
For affected IBM WebSphere Application Server:
For V126.96.36.199 through 188.8.131.52:
- Apply Interim Fix PI17190
- Apply Fix Pack 184.108.40.206 or later.
For V220.127.116.11 through 18.104.22.168:
- Apply Interim Fix PI17190
For affected Modern Batch Feature Pack on WebSphere Application Server Version 7:
For V22.214.171.124 through 126.96.36.199:
For affected IBM WebSphere Application Server Extended Deployment Compute Grid:
For Compute Grid V188.8.131.52 through 184.108.40.206 on WebSphere Application Server Version 8 or WebSphere Application Server Version 7
- Apply Interim Fixes PI17420
- Apply Compute Grid Fix Pack 220.127.116.11 or later.
For Compute Grid V6.1 on WebSphere Application Server Version 6.1 or 7.0:
- Contact IBM Support for the Interim Fix
Get Notified about Future Security Bulletins
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
15 May 2014: Original document published
16 May 2014: Added Modern Batch and Migration Information
28 May 2014: Updated bullet on Apache Struts
18 December 2014: updated broken Apache Struts link
30 June 2016: updated optional library fixpacks
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
15 June 2018