IC85189: Security APAR CVE-2012-5937. Sterling B2B Integrator CLA2 allows user to execute arbitrary OS commands.

Direct link to fix

patch_SI_5020500

APAR status

Closed as program error.

Error description

A security vulnerability exists in the Sterling B2B Integrator
CLA2 server which permits an unauthenticated user to execute
arbitrary OS commands.  An attacker with simple programming
skills can exploit this vulnerability to execute any Unix or
Windows command or script.

Local fix

```
RTC 335421
MA / MA
Circumvention: None
```

Problem summary

Users Affected:
CommandLine2 Adater users.
Problem Description:
A security vulnerability exists in the Sterling B2B
Integrator CLA2 server which permits an unauthenticated user to
execute arbitrary OS commands.  An attacker with simple
programming skills can exploit this vulnerability to execute a
Unix or Windows command or script.
Platforms Affected:
All platforms

Problem conclusion

Resolution Summary:
CLA2 adapter has been enhanced to support authentication and
SSL. Please refer to documentation for more information.
Documentation Links:
5020401_2:
http://pic.dhe.ibm.com/infocenter/sb2bi/v5r2/topic/com.ic.custom
ization.doc/SI_52_PDF/SI5241_2_Upgrade_Impacts_CLA2.pdf
5104:
http://public.dhe.ibm.com/software/commerce/doc/sb2bi/si51/SI510
4_Upgrade_Impacts_CLA2.pdf
5009_1:
http://public.dhe.ibm.com/software/commerce/doc/sb2bi/si50/SI500
9_1_Upgrade_Impacts_CLA2.pdf
4325_1:
http://public.dhe.ibm.com/software/commerce/doc/sb2bi/gis43/GIS4
325_1_Upgrade_Impacts_CLA2.pdf
Delivered In:
iFix 4325_1
iFix 5009_1
Fix Pack 5104
iFix 5020401_2
security vulnerability addressed CVE-2012-5937
5010
Fix Pack 5020402
Fix Pack 5020500

Temporary fix

WORKAROUND(S):
Disable all instances of the CLA2 server. Please review Critical
Patch Notifications for instructions on how to disable CLA2
server. The critical patch notifications are available on IWM
(for GIS 4.3, SI 5.0, SFG 1.1 and SFG 2.0 versions) or
FixCentral (for B2Bi 5.2 and SFG 2.2 versions)
MITIGATION(S):
Isolate CLA2 server network connectivity to limit access.

Comments

APAR Information

APAR number
IC85189
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
523
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-07-09
Closed date
2013-04-10
Last modified date
2014-12-11

APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600

Applicable component levels

R510 PSY
UP

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","ARM Category":[],"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"5.2.3","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
11 December 2014

Tips

IC85189: Security APAR CVE-2012-5937. Sterling B2B Integrator CLA2 allows user to execute arbitrary OS commands.

Direct link to fix

Subscribe

APAR status

Closed as program error.

Error description

Local fix

Problem summary

Problem conclusion

Temporary fix

Comments

APAR Information

APAR number

Reported component name

Reported component ID

Reported release

Status

PE

HIPER

Special Attention

Submitted date

Closed date

Last modified date

APAR is sysrouted FROM one or more of the following:

APAR is sysrouted TO one or more of the following:

Fix information

Fixed component name

Fixed component ID

Applicable component levels

R510 PSY

Document Information

Share your feedback

Need support?