IC85189: Security APAR CVE-2012-5937. Sterling B2B Integrator CLA2 allows user to execute arbitrary OS commands.
Closed as program error.
A security vulnerability exists in the Sterling B2B Integrator CLA2 server which permits an unauthenticated user to execute arbitrary OS commands. An attacker with simple programming skills can exploit this vulnerability to execute any Unix or Windows command or script.
RTC 335421 MA / MA
Circumvention: None
Users Affected: CommandLine2 Adapter users.
Problem Description: A security vulnerability exists in the Sterling B2B Integrator CLA2 server which permits an unauthenticated user to execute arbitrary OS commands. An attacker with simple programming skills can exploit this vulnerability to execute a Unix or Windows command or script.
Platforms Affected: All platforms
Resolution Summary: The CLA2 adapter has been enhanced to support authentication and SSL. Please refer to the documentation for more information.
Documentation Links:
5020401_2: http://pic.dhe.ibm.com/infocenter/sb2bi/v5r2/topic/com.ic.customization.doc/SI_52_PDF/SI5241_2_Upgrade_Impacts_CLA2.pdf
5104: http://public.dhe.ibm.com/software/commerce/doc/sb2bi/si51/SI5104_Upgrade_Impacts_CLA2.pdf
5009_1: http://public.dhe.ibm.com/software/commerce/doc/sb2bi/si50/SI5009_1_Upgrade_Impacts_CLA2.pdf
4325_1: http://public.dhe.ibm.com/software/commerce/doc/sb2bi/gis43/GIS4325_1_Upgrade_Impacts_CLA2.pdf
Delivered In: iFix 4325_1, iFix 5009_1, Fix Pack 5104, iFix 5020401_2, 5010, Fix Pack 5020402, Fix Pack 5020500
Security vulnerability addressed: CVE-2012-5937
WORKAROUND(S): Disable all instances of the CLA2 server. Please review the Critical Patch Notifications for instructions on how to disable the CLA2 server. The Critical Patch Notifications are available on IWM (for GIS 4.3, SI 5.0, SFG 1.1 and SFG 2.0 versions) or FixCentral (for B2Bi 5.2 and SFG 2.2 versions).
MITIGATION(S): Isolate CLA2 server network connectivity to limit access.
Reported component name
STR B2B INTEGRA
Reported component ID
Last modified date
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fixed component name
STR B2B INTEGRA
Fixed component ID
Applicable component levels