JR50538: SECURITY APAR CVE-2014-0114, CVE-2014-0050 VULNERABLE VERSION OF STRUTS 1.1 AND APACHE COMMONS FILEUPLOAD INCL. IN IBM BPM V8.5.5

Version 8.5 Refresh Pack 6 for the IBM Business Process Manager products

APAR status

• Closed as program error.

Error description

• Apache Struts 1.x could allow a remote attacker to run arbitrary
  code on the system because setting ClassLoader attributes is not
  restricted. An attacker could exploit this vulnerability by
  using the class parameter of an ActionForm object to manipulate
  the ClassLoader attributes and run arbitrary code on the system.
  
  Apache Commons FileUpload and Tomcat are vulnerable to a denial
  of service because the Content-Type HTTP header is improperly
  handled for multipart requests. By sending a specially crafted
  request, an attacker could exploit this vulnerability to cause
  the application to enter into an infinite loop.
  

Local fix

• The vulnerable application is required only for IBM Support to
  gather additional information. By default, only a single
  administrative user (deployment environment administrator) can
  access the application. You can prevent access to the
  application by removing all users and groups from the security
  role mapping in this application.
  
  In the administrative console, go to Applications > Application
  Types > WebSphere Enterprise Applications >
  IBM_BPM_DocStoreAdmin_<clusterName> > Security role to
  user/group mapping and remove all users and groups from the role
  mapping.
  

Problem summary

• Security vulnerabilities have been reported for the Apache
  Struts 1.1 and Apache Commons FileUpload libraries shipped with
  one component of IBM BPM V8.5.5. The vulnerable libraries are
  used only in an administrative user interface that, by default,
  is available only to one administrative user.
  

Problem conclusion

• A fix is available for IBM BPM V8.5.5.0 that updates the
  vulnerable version of Apache Commons FileUpload and introduces a
  filter to validate user input before passing it to the Apache
  Struts 1.x library.
  
  On Fix Central (http://www.ibm.com/support/fixcentral), search
  for JR50538:
  
  1. Select IBM Business Process Manager with your edition from
   the product selector, the installed version to the fix pack
   level, and your platform, and then click Continue.
  
  2. Select APAR or SPR, enter JR50538, and click Continue.
  
  When you download fix packages, ensure that you also download
  the readme file for each fix. Review each readme file for
  additional installation instructions and information about the
  fix.
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  BPM STANDARD

• Fixed component ID

  5725C9500

Applicable component levels

• R855 PSY

     UP