IBM Support

Security Bulletin: Vulnerability in Apache Commons BeanUtils affect IBM Spectrum LSF Suite and Spectrum LSF Application Center

Security Bulletin


Summary

There is vulnerability in Apache Commons BeanUtils used by IBM Spectrum LSF Suite and Spectrum LSF Application Center.

Vulnerability Details

CVEID: CVE-2019-10086
DESCRIPTION: Apache Commons Beanutils could allow a remote attacker to gain unauthorized access to the system, caused by the failure to suppresses the class property in bean introspection by default. An attacker could exploit this vulnerability to gain unauthorized access to the classloader.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/166353 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)

Affected Products and Versions

Spectrum LSF Suite 10.2, Spectrum LSF Application Center 10.2

Remediation/Fixes

Product VRMF APAR Remediation/First Fix
Spectrum LSF Suite

Spectrum LSF Application Center
 10.2 None
1. Download Apache Commons BeanUtils v1.9.4 from: http://commons.apache.org/proper/commons-beanutils/download_beanutils.cgi. (The following steps use x86_64 as an example.)
2. Copy the package into the Application Center host.
3. On the Application Center host, stop pmc and plc services.
4. On the Application Center host, extract new files and replace old files with commons-beanutils-1.9.4.jar in the following directories:
    $PERF_TOP/1.2/lib/commons-beanutils.jar
    $GUI_TOP/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-beanutils-1.9.2.jar
5. Delete all files under $GUI_TOP/work/platform/workarea.
6. On the Application Center host, start plc and pmc services on demand.

Workarounds and Mitigations

N/A

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

Sep 10, 2019: Original version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide


[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSZRJV","label":"IBM Spectrum LSF Application Center"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZUDP","label":"IBM Spectrum LSF Suite for HPC"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSZU9Q","label":"IBM Spectrum LSF Suite for Workgroups"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"All Versions","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

More support for:
IBM Spectrum LSF Application Center

Software version:
All Versions

Document number:
1073222

Modified date:
27 September 2019

UID

ibm11073222

Manage My Notification Subscriptions

Page Feedback