
Security Bulletin: Vulnerability in Apache Commons affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7450)

Security Bulletin


Summary

A vulnerability in Apache Commons Collections, in its handling of Java object deserialization, has been addressed in Rational Integration Tester in Rational Test Workbench, Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server (see CVE-2015-7450).

Vulnerability Details

CVEID: CVE-2015-7450
DESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107918 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Rational Integration Tester component in Rational Test Workbench, Rational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server versions:
All versions from 8.0 up to and including 8.7.1

Remediation/Fixes

The fixes for the CVE(s) mentioned above have been incorporated into an interim fix available on Fix Central (http://www-933.ibm.com/support/fixcentral/).

Please follow the appropriate component instructions below:

Note: OS X Instructions are provided for version 8.7.1 only

Rational Test Control Panel (RTCP) component in Rational Test Workbench (RTW) and Rational Test Virtualization Server (RTVS)
1. Download the fix from Fix Central and unzip it to extract the library commons-collections-3.2.2.jar
2. Stop the server
3. For versions 8.0 to 8.5.0.x
o Delete the existing library 'commons-collections-3.2.1.jar' in RationalTestControlPanel/webapps/RTCP/WEB-INF/lib and replace it with 'commons-collections-3.2.2.jar'
4. For versions 8.5.1.x to 8.7.1
o Delete the existing library 'commons-collections-3.2.1.jar' in RationalTestControlPanel/usr/servers/RTCPServer/apps/RTCP.war/WEB-INF/lib and replace it with 'commons-collections-3.2.2.jar'
5. Start the server

Note: The default install location for RTCP is opt/IBM/RationalTestControlPanel on AIX, Linux and Solaris, /Applications/IBM/RationalTestControlPanel on OS X (8.7.1 only) and C:\Program Files\IBM\RationalTestControlPanel on Windows.


Rational Integration Tester (RIT) component in Rational Test Workbench (RTW)

1. Download the fix from Fix Central and unzip it to a directory.

For versions 8.7.0.x and before, use com.springsource.org.apache.commons.collections_3.2.2.jar.

For version 8.7.1, use org.apache.commons.collections_3.2.2.jar.

2. Close any running instances of Rational Integration Tester (and RIT Agent if installed on the same machine).

3. Locate the IBMIMShared directory.

4. Copy the appropriate file into the IBMIMShared\plugins directory.

5. Locate the “bundles.info” file. By default, the location of this file is:

{Installation Directory for RIT}\configuration\org.eclipse.equinox.simpleconfigurator

6. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below:

For versions 8.7.0.x and before:

com.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false

For version 8.7.1:

org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false

7. In order to verify that the changes have been made successfully, re-start RIT from the command line with the following command:

GHTester.exe -clean -console

When the console window appears, verify that version 3.2.2 (not 3.2.1) is shown when you type:

ss apache.commons.collections

Note: The default location for the IBMIMShared Directory is /Applications/IBM/IBMIMShared on OS X, opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\Program Files\IBM\IBMIMShared on Windows.

Rational Integration Tester Agent (RIT Agent) component in Rational Test Virtualization Server (RTVS) and Rational Performance Test Server (RPTS)

1. Download the fix from Fix Central and unzip it to a directory.

For versions 8.7.0.x and before, use com.springsource.org.apache.commons.collections_3.2.2.jar.

For version 8.7.1, use org.apache.commons.collections_3.2.2.jar.

2. Close any running instances of RIT Agent (and Rational Integration Tester if installed on the same machine).

3. Locate the IBMIMShared directory.

4. Copy the unzipped file to the IBMIMShared\plugins directory.

5. Locate the “bundles.info” file. By default, the location of this file is:

{Installation Directory for RIT Agent}\configuration\org.eclipse.equinox.simpleconfigurator

6. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below:

For versions 8.7.0.x and before:

com.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false

For version 8.7.1:

org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false

7. In order to verify that the changes have been made successfully, check that RTCP is running, and then re-start the agent using the command line with the following command:

Agent.exe -clean -console

When the console window appears, verify that version 3.2.2 (not 3.2.1) is shown when you type:

ss apache.commons.collections

Note: The default location for the IBMIMShared Directory is /Applications/IBM/IBMIMShared on OS X, opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\Program Files\IBM\IBMIMShared on Windows.
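As an added example (not IBM's tooling and not part of the bulletin), the following Python helper performs the bundles.info step of the RIT and RIT Agent procedures above: it reads a bundles.info file, reports which Commons Collections version is registered, and rewrites that line with the exact replacement the bulletin gives. The sample file content, the helper names and the cutoff rule (8.7.1 and later use the org.apache naming, earlier releases the com.springsource one) are assumptions.

```python
"""Audit/patch an Equinox bundles.info for the CVE-2015-7450 Commons Collections fix (added example)."""
FIXED_VERSION = "3.2.2"
# Replacement lines exactly as the bulletin gives them for the RIT / RIT Agent bundles.info step.
FIXED_LINES = {
    "8.7.1": "org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false",
    "pre-8.7.1": "com.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false",
}

def parse_bundles_info(text):
    """Rows of (symbolic_name, version, location, start_level, started); comments and junk skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 5 and not parts[0].startswith("#"):
            rows.append(tuple(parts))
    return rows

def commons_collections_version(text):
    """Version of the registered Commons Collections bundle, or None if no such line exists."""
    for name, version, _loc, _level, _started in parse_bundles_info(text):
        if "commons.collections" in name:
            return version
    return None

def is_patched(text):
    return commons_collections_version(text) == FIXED_VERSION

def patch_bundles_info(text, product_version):
    """Rewrite the Commons Collections line with the bulletin's replacement for this product version.
    Assumption: 8.7.1 and later use the org.apache naming, earlier releases the com.springsource one."""
    parsed = tuple(int(p) for p in product_version.split("."))
    key = "8.7.1" if parsed >= (8, 7, 1) else "pre-8.7.1"
    out, replaced = [], False
    for line in text.splitlines():
        if "commons.collections" in line and not line.lstrip().startswith("#"):
            out.append(FIXED_LINES[key])
            replaced = True
        else:
            out.append(line)
    if not replaced:
        raise ValueError("no Commons Collections bundle line found; nothing to patch")
    return "\n".join(out) + "\n"

# Constructed sample (not from a real install): pre-8.7.1 RIT still registering the vulnerable 3.2.1 jar.
SAMPLE = (
    "#encoding=UTF-8\n#version=1\n"
    "com.springsource.org.apache.commons.collections,3.2.1,"
    "../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.1.jar,4,false\n"
    "org.eclipse.osgi,3.8.0,plugins/org.eclipse.osgi_3.8.0.jar,-1,true\n"
)
```

Editing bundles.info only changes what Equinox is told to load, so the replacement jar must already be in IBMIMShared\plugins and the product must be restarted with -clean before the ss check in the console reflects the change.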

General Notes:
o When updating an installation to a later version of Rational Test Control Panel, Rational Integration Tester or RIT Agent, the security fix detailed above will have to be re-applied after the update
o When removing an installation that has had the security fix applied, not all the files will be removed by IBM Installation Manager, and some files will have to be removed manually

Workarounds and Mitigations

None

Acknowledgement

None

Change History

30 November 2015: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information

Segment: Software Development
Product: Rational Test Virtualization Server
Component: Rational Test Control Panel
Platform: AIX, Linux, Solaris, Windows
Version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.1.3, 8.5.1.4, 8.5.1.5, 8.6, 8.6.0.1, 8.6.0.2, 8.6.0.3, 8.6.0.4, 8.7, 8.7.0.1, 8.7.0.2, 8.7.0.3, 8.7.1
Edition: All Editions

Segment: Software Development
Product: Rational Performance Test Server
Component: RIT Load Agent
Platform: AIX, Linux, Solaris, Windows
Version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.1.3, 8.5.1.4, 8.5.1.5, 8.6, 8.6.0.1, 8.6.0.2, 8.6.0.3, 8.6.0.4, 8.7, 8.7.0.1, 8.7.0.2, 8.7.0.3, 8.7.1
Edition: All Editions

Segment: Software Development
Product: Rational Test Virtualization Server
Component: RIT Load/Stub Agent
Platform: AIX, Linux, Solaris, Windows
Version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.1.3, 8.5.1.4, 8.5.1.5, 8.6, 8.6.0.1, 8.6.0.2, 8.6.0.3, 8.6.0.4, 8.7, 8.7.0.1, 8.7.0.2, 8.7.0.3, 8.7.1
Edition: All Editions

Segment: Software Development
Product: Rational Test Workbench
Component: Rational Test Control Panel
Platform: AIX, Linux, OS X, Solaris, Windows
Version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.1.3, 8.5.1.4, 8.5.1.5, 8.6, 8.6.0.1, 8.6.0.2, 8.6.0.3, 8.6.0.4, 8.7, 8.7.0.1, 8.7.0.2, 8.7.0.3, 8.7.1
Edition: All Editions

Document information

More support for: Rational Test Workbench, Rational Integration Tester

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5, 8.0.1, 8.0.1.1, 8.0.1.2, 8.0.1.3, 8.0.1.4, 8.0.1.5, 8.0.1.6, 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.1, 8.5.1.1, 8.5.1.2, 8.5.1.3, 8.5.1.4, 8.5.1.5, 8.6, 8.6.0.1, 8.6.0.2, 8.6.0.3, 8.6.0.4, 8.7, 8.7.0.1, 8.7.0.2, 8.7.0.3, 8.7.1

Operating system(s): AIX, Linux, OS X, Solaris, Windows

Reference #: 1971818

Modified date: 30 November 2015