Security Bulletin: RCE vulnerability (CVE-2018-1595) affects IBM Platform Symphony, IBM Spectrum Symphony

Summary

A security vulnerability related to Remote Command Execution (RCE), caused by dynamic JSP file builds, has been identified in IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, 7.1.1 and IBM Spectrum Symphony 7.1.2, 7.2.0.2.

Vulnerability Details

CVEID: CVE-2018-1595
DESCRIPTION: IBM Spectrum Symphony and Platform Symphony could allow an authenticated user to execute arbitrary commands due to improper handling of user supplied input.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143622 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, and 7.1.1

IBM Spectrum Symphony 7.1.2 and 7.2.0.2

Remediation/Fixes

These are the steps for Linux; the steps for Windows are similar.
1. Log on to the master host as the cluster administrator and stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
2. Log on to each management host in your cluster as the cluster administrator.
3. Delete the following files:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
$EGO_TOP/gui/soam/<SOAM_VERSION>/symgui/generaltable/getDeviceInfo.jsp
For IBM Platform Symphony 7.1.1:
$EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/generaltable/getDeviceInfo.jsp
For IBM Spectrum Symphony 7.1.2 and 7.2.0.2:
$EGO_TOP/wlp/usr/servers/gui/apps/ego/<EGO_VERSION>/platform/generaltable/getDeviceInfo.jsp
$EGO_TOP/wlp/usr/servers/gui/apps/soam/<SOAM_VERSION>/symgui/generaltable/getDeviceInfo.jsp
4. Delete all subdirectories and files from the following directories:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
> rm -rf $EGO_TOP/gui/work/*
For IBM Platform Symphony 7.1.1, IBM Spectrum Symphony 7.1.2 and 7.2.0.2:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
> rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
5. Clear your browser cache.
6. Start the WEBGUI service:
> egosh service start WEBGUI
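As an added verification aid (not part of IBM's bulletin), the following POSIX shell function checks a management host for residue from steps 3 and 4: any remaining getDeviceInfo.jsp in the paths listed above for all affected versions, and any content left in the GUI work directories. It assumes EGO_TOP and WLP_OUTPUT_DIR are set as in the bulletin; the <SOAM_VERSION>, <EGO_VERSION> and webgui_hostname path components are matched with globs.

```shell
#!/bin/sh
# Added example: verify the CVE-2018-1595 remediation on one management host.
# Reports each leftover file or non-empty directory and returns 1 if anything
# remains, 0 if the host is clean. Version directories are globbed because the
# bulletin writes them as <SOAM_VERSION>, <EGO_VERSION> and webgui_hostname.

check_symphony_remediation() {
    ego_top=$1
    wlp_out=$2
    residue=0

    # Step 3: the JSP files that must be gone (all affected product versions)
    for f in \
        "$ego_top"/gui/soam/*/symgui/generaltable/getDeviceInfo.jsp \
        "$ego_top"/wlp/usr/servers/gui/apps/soam/*/symgui/generaltable/getDeviceInfo.jsp \
        "$ego_top"/wlp/usr/servers/gui/apps/ego/*/platform/generaltable/getDeviceInfo.jsp
    do
        # An unmatched glob stays literal and fails the -e test, which is what we want
        if [ -e "$f" ]; then
            echo "STILL PRESENT: $f"
            residue=1
        fi
    done

    # Step 4: the work directories that must have been emptied
    for d in "$ego_top"/gui/work "$ego_top"/gui/workarea "$wlp_out"/webgui_*/gui/workarea
    do
        if [ -d "$d" ] && [ -n "$(ls -A "$d" 2>/dev/null)" ]; then
            echo "NOT EMPTY: $d"
            residue=1
        fi
    done

    if [ "$residue" -eq 0 ]; then
        echo "OK: no remediation residue found"
    fi
    return "$residue"
}

# Run against the live cluster only when invoked as: sh check.sh --run
if [ "$1" = "--run" ] && [ -n "$EGO_TOP" ] && [ -n "$WLP_OUTPUT_DIR" ]; then
    check_symphony_remediation "$EGO_TOP" "$WLP_OUTPUT_DIR"
fi
```

Run it on every management host after step 4 and again after the WEBGUI service is restarted; a non-zero exit means the procedure is incomplete on that host.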

Note: The above contents can also be found on IBM Fix Central under the following fix names:
sym-6.1.1-build493462
sym-7.1-build486396
sym-7.1.1-build493457
sym-7.1.2-build493458
sym-7.2.0.2-build493459

Workarounds and Mitigations

None

References

Acknowledgement

Andrea Scaduto

Change History

<June 07, 2018>: Original version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date: 23 July 2018

UID: isg3T1027819