
Security Bulletin: RCE vulnerability (CVE-2018-1595) affects IBM Platform Symphony, IBM Spectrum Symphony

Security Bulletin


A security vulnerability allowing remote command execution (RCE), caused by dynamically built JSP files, has been identified in IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, 7.1.1 and IBM Spectrum Symphony 7.1.2,

Vulnerability Details

CVEID: CVE-2018-1595
DESCRIPTION: IBM Spectrum Symphony and Platform Symphony could allow an authenticated user to execute arbitrary commands due to improper handling of user supplied input.
CVSS Base Score: 8.8
CVSS Temporal Score: See the Reference section for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, and 7.1.1

IBM Spectrum Symphony 7.1.2 and


These are the steps for Linux; the steps for Windows are similar.
1.     Log on to the master host as the cluster administrator and stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
2.     Log on to each management host in your cluster as the cluster administrator.
3.     Delete the following files:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
For IBM Platform Symphony 7.1.1: $EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/generaltable/getDeviceInfo.jsp
For IBM Spectrum Symphony 7.1.2 and
4.     Delete all subdirectories and files from the following directories:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
> rm -rf $EGO_TOP/gui/work/*
For IBM Platform Symphony 7.1.1, IBM Spectrum Symphony 7.1.2 and
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
> rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
5.     Clear your browser cache.
6.     Start the WEBGUI service:
> egosh service start WEBGUI

Note: The above contents can also be found on IBM Fix Central under the following builds:
sym-6.1.1-build493462
sym-7.1-build486396
sym-7.1.1-build493457
sym-7.1.2-build493458
sym-
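The six manual steps above, scripted for a Linux management host as an added example. This is not IBM's fix script and does not come from Fix Central; it covers IBM Platform Symphony 7.1.1 only, because that is the one release whose JSP path the bulletin prints in full, and it refuses to guess the elided paths for the other releases. The function names, the version argument, the post-remediation check, and the assumption that egosh is on PATH only on the master host are mine; EGO_TOP, WLP_OUTPUT_DIR, the WEBGUI service name and the webgui_hostname layout are taken from the bulletin.

```sh
#!/bin/sh
# Added example, not IBM's own fix script: automates steps 1-6 of the bulletin
# on a Linux host for IBM Platform Symphony 7.1.1. Assumptions: EGO_TOP and
# WLP_OUTPUT_DIR are the cluster's real values, egosh is on PATH on the master
# host, and the WEBGUI service and webgui_<hostname> layout are as shown above.
set -u

# Step 3: path of the vulnerable JSP relative to EGO_TOP. The bulletin elides
# the paths for the other releases, so this deliberately refuses to guess them.
vuln_jsp_path() {
  case "$1" in
    7.1.1) printf '%s\n' "wlp/usr/servers/gui/apps/soam/7.1.1/symgui/generaltable/getDeviceInfo.jsp" ;;
    *)     return 1 ;;
  esac
}

# Step 3: delete the JSP. Returns 1 for an unknown version and 2 if the file
# is not present (already removed, or a layout different from the assumed one).
remove_vuln_jsp() {
  rel=$(vuln_jsp_path "$1") || return 1
  target="$2/$rel"
  [ -f "$target" ] || return 2
  rm -f "$target"
}

# Step 4: empty the work directories (compiled-JSP output). Directories that do
# not exist on this host are skipped rather than treated as an error.
clear_work_dirs() {
  ego_top=$1; wlp_out=$2; host=$3
  for d in "$ego_top/gui/work" "$ego_top/gui/workarea" \
           "$wlp_out/webgui_$host/gui/workarea"; do
    if [ -d "$d" ]; then
      find "$d" -mindepth 1 -delete
    fi
  done
  return 0
}

# Post-check: succeeds only if the JSP is gone and every work directory is empty.
verify_remediated() {
  rel=$(vuln_jsp_path "$1") || return 1
  [ ! -e "$2/$rel" ] || return 1
  for d in "$2/gui/work" "$2/gui/workarea" "$3/webgui_$4/gui/workarea"; do
    if [ -d "$d" ] && [ -n "$(ls -A "$d")" ]; then
      return 1
    fi
  done
  return 0
}

# Steps 1 and 6: the bulletin's egosh commands. Admin/Admin is the default
# credential shown on the page; substitute the cluster's real one.
webgui_service() {
  egosh user logon -u Admin -x Admin && egosh service "$1" WEBGUI
}

# Orchestration. Arguments: version, EGO_TOP, WLP_OUTPUT_DIR, hostname.
# Service stop/start run only where egosh is available (the master host).
remediate_host() {
  ver=$1; ego_top=$2; wlp_out=$3; host=$4
  if command -v egosh >/dev/null 2>&1; then webgui_service stop || return 1; fi
  if remove_vuln_jsp "$ver" "$ego_top"; then :; else
    printf 'warning: vulnerable JSP not removed (rc=%s)\n' "$?" >&2
  fi
  clear_work_dirs "$ego_top" "$wlp_out" "$host"
  verify_remediated "$ver" "$ego_top" "$wlp_out" "$host" || {
    echo 'verification failed: JSP still present or work directories not empty' >&2
    return 1
  }
  if command -v egosh >/dev/null 2>&1; then webgui_service start || return 1; fi
  return 0
}

# Stand-alone use on each management host (step 5, the browser cache, is manual):
#   sh remediate.sh 7.1.1 "$EGO_TOP" "$WLP_OUTPUT_DIR" "$(hostname)"
if [ "$#" -eq 4 ]; then
  remediate_host "$@"
fi
```

The post-check matters more than the deletions: a host where getDeviceInfo.jsp is still present, or where the work directories still hold a previously compiled copy, has not been remediated, and the script reports that rather than reporting success because rm ran.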

Workarounds and Mitigations






Andrea Scaduto

Change History

<June 07, 2018>: Original version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.


According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date:
23 July 2018