APAR status
Closed as program error.
Error description
A security vulnerability exists in the Sterling B2B Integrator CLA2 server which permits an unauthenticated user to execute arbitrary OS commands. An attacker with simple programming skills can exploit this vulnerability to execute any Unix or Windows command or script.
Local fix
RTC 335421 MA / MA Circumvention: None
Problem summary
Users Affected: CommandLine2 Adapter users.
Problem Description: A security vulnerability exists in the Sterling B2B Integrator CLA2 server which permits an unauthenticated user to execute arbitrary OS commands. An attacker with simple programming skills can exploit this vulnerability to execute a Unix or Windows command or script.
Platforms Affected: All platforms
Problem conclusion
Resolution Summary: The CLA2 adapter has been enhanced to support authentication and SSL. Please refer to the documentation for more information.
Documentation Links:
5020401_2: http://pic.dhe.ibm.com/infocenter/sb2bi/v5r2/topic/com.ic.customization.doc/SI_52_PDF/SI5241_2_Upgrade_Impacts_CLA2.pdf
5104: http://public.dhe.ibm.com/software/commerce/doc/sb2bi/si51/SI5104_Upgrade_Impacts_CLA2.pdf
5009_1: http://public.dhe.ibm.com/software/commerce/doc/sb2bi/si50/SI5009_1_Upgrade_Impacts_CLA2.pdf
4325_1: http://public.dhe.ibm.com/software/commerce/doc/sb2bi/gis43/GIS4325_1_Upgrade_Impacts_CLA2.pdf
Delivered In:
iFix 4325_1
iFix 5009_1
Fix Pack 5104
iFix 5020401_2
Security vulnerability addressed: CVE-2012-5937
5010
Fix Pack 5020402
Fix Pack 5020500
Temporary fix
WORKAROUND(S): Disable all instances of the CLA2 server. Please review the Critical Patch Notifications for instructions on how to disable the CLA2 server. The Critical Patch Notifications are available on IWM (for GIS 4.3, SI 5.0, SFG 1.1 and SFG 2.0 versions) or FixCentral (for B2Bi 5.2 and SFG 2.2 versions).
MITIGATION(S): Isolate CLA2 server network connectivity to limit access.
APAR Information
APAR number
IC85189
Reported component name
STR B2B INTEGRA
Reported component ID
5725D0600
Reported release
523
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2012-07-09
Closed date
2013-04-10
Last modified date
2014-12-11
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
STR B2B INTEGRA
Fixed component ID
5725D0600
Applicable component levels
R510 PSY
UP
Document Information
Modified date:
11 December 2014