
Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114

Security Bulletin


Summary

There is a classloader manipulation vulnerability in Apache Struts 1, which is used by IBM WebSphere Application Server, IBM WebSphere Application Server Hypervisor Edition and IBM WebSphere Extended Deployment Compute Grid.

Vulnerability Details

CVEID: CVE-2014-0114
Description: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. Struts 1 is used by IBM WebSphere Application Server and IBM WebSphere Extended Deployment Compute Grid.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92889 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)
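The description above locates the flaw in the failure to restrict which properties a request parameter name may set: a property path can walk from any form bean into its Class object and from there into the class loader. The following Python is an added example, not code from IBM or from the Apache Struts project. It applies a parameter-name exclusion of the kind the Struts fixes use (a regular expression that refuses any path starting at, or stepping through, "class"; the pattern here is constructed for this example and is not the project's exact one) and runs the same rule over a few constructed access-log lines, so it doubles as a detection check for a WebSphere or Struts deployment that cannot be patched immediately.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed pattern (not the Struts project's own): a property path is
# refused when "class" is the first segment, follows a dot, or is an indexed
# key such as ['class'] or ["class"]. Names like "classification" or
# "userClass.name" do not match because "class" is neither a whole segment
# nor preceded by a separator there.
CLASS_PATH_RE = re.compile(r"""(^|\.|\[['"])[cC]lass(\.|\[|['"]\]|$)""")


def is_classloader_manipulation(param_name: str) -> bool:
    """True if a request parameter name traverses into the bean's Class object."""
    return CLASS_PATH_RE.search(param_name) is not None


# Constructed sample lines in common log format; not from a real WebSphere log.
SAMPLE_ACCESS_LOG = [
    '10.0.0.5 - - [15/May/2014:10:01:02 +0000] "GET /admin/login.do?userId=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/May/2014:10:01:07 +0000] "GET /admin/login.do?class.classLoader.x=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [15/May/2014:10:01:09 +0000] "POST /admin/login.do?user[%27class%27].y=1 HTTP/1.1" 200 512',
    '10.0.0.7 - - [15/May/2014:10:01:12 +0000] "GET /admin/login.do?classification=a HTTP/1.1" 200 512',
]

# client, ident, user, [timestamp], "METHOD target protocol"
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+"'
)


def scan_access_log(lines):
    """Return (client, method, parameter) for each request whose query string
    carries a parameter name that the exclusion above would refuse."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes names, so %27class%27 becomes 'class'
        for name, _value in parse_qsl(query, keep_blank_values=True):
            if is_classloader_manipulation(name):
                hits.append((m.group("ip"), m.group("method"), name))
                break  # one report per request is enough
    return hits


if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_ACCESS_LOG):
        print("suspicious parameter name:", hit)
```

Access logs only expose query-string parameters; form-encoded POST bodies never reach the log, so the same `is_classloader_manipulation` check belongs at the request-processing layer (a servlet filter in front of the action servlet) where every parameter name is visible before form population runs.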

Affected Products and Versions

This problem affects the following versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:

· Version 7
· Version 6.1
This is not an issue with Version 8.0 or 8.5 of IBM WebSphere Application Server or IBM WebSphere Application Server Hypervisor Edition.

This problem affects the Modern Batch Feature Pack on WebSphere Application Server Version 7.

This problem also affects the following versions of WebSphere Extended Deployment Compute Grid:
· Version 8 on WebSphere Application Server Version 7 or Version 8
· Version 6.1 on WebSphere Application Server Version 6.1 or Version 7

Remediation/Fixes

The Apache Struts used by the Administrative Console in WebSphere Application Server and by batch processing in IBM Compute Grid may be vulnerable to class loader manipulation. IBM recommends installing the fixes outlined below.

If your Java web application uses the Apache Struts 1.x that is available in WebSphere Application Server's optional libraries, it may also be vulnerable; you will need to verify whether your application is affected. WebSphere Application Server Version 7.0 deprecated the inclusion of Struts 1.x in 2008. We recommend that you upgrade your Struts 1 from Apache to a version that has this fixed, and test your application thoroughly to verify that it does not have any issues. For information and downloads, refer to the Apache Struts web site (struts.apache.org). For more information on migrating from Struts 1 to Struts 2, refer to the Apache Struts Migration Guide at
http://struts.apache.org/docs/migration-guide.html

If this mitigation will not work for you, please contact IBM Support.
Please note: IBM does not plan to ship any fix for Struts 1.x, as the fix is only available at the current levels of Apache Struts, which can only be obtained from the Apache Struts website.

Important! IBM is planning to remove, and no longer ship, all 4 versions of Struts 1.x from the optional libraries starting in WebSphere Application Server 7.0.0.43, 8.0.0.13, 8.5.5.11 and 9.0.0.1. If you have copied the optional Struts packages to your shared library for your applications to use, you will need to take the following actions prior to moving to 7.0.0.43, 8.0.0.13, 8.5.5.11 or 9.0.0.1.

- Upgrade your applications to use a current level of Struts.
- Include a copy of the Struts 1.x package from Apache that contains the fix as part of your EAR file development.
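The two passages above both turn on one question a practitioner has to answer before the optional libraries disappear: does any deployed application still carry a Struts 1.x jar, whether from the optional libraries, a shared library or its own EAR? The following Python is an added example, not tooling from IBM or from the Apache Struts project. It opens an EAR, descends into the WARs and jars packaged inside it, and lists every Struts 1 jar with the version its manifest declares; which version counts as fixed is left to the Apache advisory, so the script reports what it finds rather than passing judgement. The sample EAR is constructed in memory so the example runs offline.

```python
import io
import re
import zipfile

# Struts 1 jar names: struts.jar (1.2.x), struts-1.2.9.jar, struts-core-1.3.8.jar,
# struts-taglib-1.3.8.jar ...  "struts2-core-*.jar" (Struts 2) deliberately does
# not match. Constructed pattern for this example.
STRUTS_JAR_RE = re.compile(r"(^|/)struts(-[a-z]+)*(-\d[\w.]*)?\.jar$", re.IGNORECASE)


def manifest_version(jar_bytes: bytes):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    try:
        with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
            text = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except (KeyError, zipfile.BadZipFile):
        return None
    for line in text.splitlines():
        if line.startswith("Implementation-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_struts_jars(archive_bytes: bytes, prefix: str = ""):
    """Return [(path, version)] for every Struts 1 jar in the archive,
    descending into nested .ear/.war/.jar members (EAR -> WAR -> WEB-INF/lib).
    Paths use "outer!/inner" to show where a jar sits."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(archive_bytes))
    except zipfile.BadZipFile:
        return found  # a member with a .jar suffix that is not a zip; nothing to inspect
    with zf:
        for info in zf.infolist():
            name = info.filename
            full = prefix + name
            if STRUTS_JAR_RE.search(name):
                found.append((full, manifest_version(zf.read(name))))
            elif name.lower().endswith((".war", ".jar", ".ear")):
                found.extend(find_struts_jars(zf.read(name), prefix=full + "!/"))
    return found


def build_jar(version=None) -> bytes:
    """Constructed minimal jar: a manifest only, optionally with a version."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        if version is not None:
            jar.writestr("META-INF/MANIFEST.MF",
                         f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        else:
            jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_sample_ear() -> bytes:
    """Constructed EAR: one WAR bundling struts-core-1.3.8.jar beside an
    unrelated jar, plus a legacy struts.jar copied into the EAR's lib/."""
    war_buf = io.BytesIO()
    with zipfile.ZipFile(war_buf, "w") as war:
        war.writestr("WEB-INF/web.xml", "<web-app/>")
        war.writestr("WEB-INF/lib/struts-core-1.3.8.jar", build_jar("1.3.8"))
        war.writestr("WEB-INF/lib/commons-io-2.4.jar", build_jar("2.4"))
    ear_buf = io.BytesIO()
    with zipfile.ZipFile(ear_buf, "w") as ear:
        ear.writestr("META-INF/application.xml", "<application/>")
        ear.writestr("orders.war", war_buf.getvalue())
        ear.writestr("lib/struts.jar", build_jar())  # old-style name, no version declared
    return ear_buf.getvalue()


if __name__ == "__main__":
    for path, version in find_struts_jars(build_sample_ear()):
        print(f"{path}: Implementation-Version={version or 'not declared'}")
```

To run it against a real deployment, read the EAR file's bytes (or each application's `installedApps` directory packed as a zip) and pass them to `find_struts_jars`; a result with `None` for the version means the jar declares no `Implementation-Version`, which is itself worth a closer look.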


FIXES for WebSphere Application Server and batch processing in IBM Compute Grid:

The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. There are 2 separate interim fixes that may need to be applied; links to Fix Central are provided below:

APARs
PI17190 for the Administrative Console
PI17420 for Administering batch jobs in Compute Grid

Fix: Apply a Fix Pack or PTF containing the above APARs, as noted below:

For affected IBM WebSphere Application Server:

For V7.0.0.0 through 7.0.0.31:
  • Apply Interim Fix PI17190 (available from Fix Central)
--OR--
  • Apply Fix Pack 7.0.0.33 or later.

For V6.1.0.0 through 6.1.0.47:

For affected Modern Batch Feature Pack on WebSphere Application Server Version 7:

For V1.0.0.0 through 1.0.0.5:
  • Contact IBM Support for the Interim Fix

For affected IBM WebSphere Application Server Extended Deployment Compute Grid:

For Compute Grid V8.0.0.0 through 8.0.0.3 on WebSphere Application Server Version 8 or WebSphere Application Server Version 7:
  • Apply Interim Fix PI17420 (available from Fix Central)
--OR--
  • Apply Compute Grid Fix Pack 8.0.0.4 or later.

For Compute Grid V6.1 on WebSphere Application Server Version 6.1 or 7.0:
  • Contact IBM Support for the Interim Fix

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 May 2014: Original document published
16 May 2014: Added Modern Batch and Migration Information
28 May 2014: Updated bullet on Apache Struts
18 December 2014: Updated broken Apache Struts link
30 June 2016: Updated optional library fix packs

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information

Segment              Product                                          Component  Platform  Version  Edition
Application Servers  WebSphere Extended Deployment Compute Grid       General
Application Servers  WebSphere Application Server Hypervisor Edition

Document information

More support for: WebSphere Application Server
General

Software version: 6.1, 7.0

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition: Base, Developer, Enterprise, Network Deployment

Reference #: 1672316

Modified date: 15 September 2014