There is a security issue in the version of Apache Struts that is used by the Verity dashboard that runs in Apache Tomcat. No update is available that fixes this security issue. This techdoc explains how to mitigate the issue by restricting access to the Verity dashboard.
The Verity dashboard is a web-based administration console for the IBM Content Search Engine 4.5.1 and IBM Legacy Content Search Engine 5.0 that runs in an Apache 5.0 web host process.
See IBM Security Bulletin 1674128.
Apache Struts might allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of ClassLoader attributes. An attacker might exploit this vulnerability by using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.
Apply at least one of the following recommended methods to restrict access to the Apache process that is installed with the Verity dashboard:
- Configure Apache to restrict access to the Verity dashboard site based on the host name or host address of visitors. See the Apache 5.0 documentation to configure access restrictions on the Apache server.
- Set up a firewall on the Verity dashboard host system to restrict access to the Verity dashboard site based on the host name or host address of visitors.
- Shut down the Verity dashboard after initial configuration is complete. The Verity dashboard is required only for initial configuration of Legacy Content Search Engine. When configuration is complete, you can shut down the Apache process that hosts the dashboard. For support cases, IBM might request that you obtain information or make configuration changes by using the Verity dashboard. You need to start the Apache process for these requests. You can shut down the Apache process again after obtaining information or making the requested configuration changes.
- Install the Verity dashboard on a server that is separate from all other IBM Content Engine or Content Platform Engine components, and from all other Content Search Engine components. Shut down this server when the Verity dashboard is not required, or restrict access to it as necessary.
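As an added illustration of the first method (it is not part of the IBM technote and not IBM-supplied configuration), the following Tomcat 5.x server.xml fragment restricts the dashboard web application to an administrative network using the request filter valves that Tomcat 5.x ships with. The context path /verity_dashboard, the admin subnet 10.10.5.0/24 and the host-name pattern are placeholders chosen for this example; substitute the values from your own deployment.

```xml
<!-- Added example: restrict the Verity dashboard context to an admin network.
     Place inside the <Host> element of Tomcat's conf/server.xml.
     Path, addresses and host names below are constructed placeholders. -->
<Context path="/verity_dashboard" docBase="verity_dashboard">

  <!-- Filter by client IP address. In Tomcat 5.x, 'allow' and 'deny' are
       comma-separated lists of regular expressions matched against the
       full client address string; a request that matches no 'allow'
       entry is rejected with HTTP 403 before the Struts code runs. -->
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1,10\.10\.5\.\d{1,3}" />

  <!-- Optional: filter by client host name instead of, or in addition to,
       the address. This only works when the Connector that receives the
       request has enableLookups="true", otherwise the host name is just
       the IP address text and the pattern never matches. -->
  <Valve className="org.apache.catalina.valves.RemoteHostValve"
         allow="admin-.*\.example\.internal" />

</Context>
```

If the dashboard sits behind a reverse proxy or load balancer, these valves see the proxy's address, not the visitor's, so the restriction must be applied at the proxy or firewall instead. Verify the change by requesting the dashboard URL from a host outside the allowed range and confirming that Tomcat returns 403.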
17 June 2018