IBM Support

A security issue exists in the Verity dashboard that is installed with IBM FileNet Content Search Engine 4.5.1 and IBM Legacy Content Search Engine 5.0.0

Product documentation


Abstract

There is a security issue in the version of Apache Struts that is used by the Verity dashboard that runs in Apache Tomcat. There is no update to fix this security issue. This techdoc explains how to mitigate the issue by restricting access to the Verity dashboard.

Content

The Verity dashboard is a web-based administration console for the IBM Content Search Engine 4.5.1 and IBM Legacy Content Search Engine 5.0 that runs in an Apache 5.0 web host process.

Vulnerability details:
See IBM Security Bulletin # 1674128.

CVEID: CVE-2014-0114

CVE-2014-0114
Description:
Apache Struts might allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of ClassLoader attributes. An attacker might exploit this vulnerability by using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system.

Recommendations:
Apply at least one of the following recommended methods to restrict access to the Apache process that is installed with the Verity dashboard:

  • Configure Apache to restrict access to the Verity dashboard site based on the host name or host address of visitors. See the Apache 5.0 documentation to configure access restrictions on the Apache server.
  • Set up a firewall on the Verity dashboard host system to restrict access to the Verity dashboard site based on the host name or host address of visitors.
  • Shut down the Verity dashboard after initial configuration is complete. The Verity dashboard is required only for initial configuration of Legacy Content Search Engine. When configuration is complete, you can shut down the Apache process that hosts the dashboard. For support cases, IBM might request that you obtain information or make configuration changes by using the Verity dashboard. You need to start the Apache process for these requests. You can shut down the Apache process again after obtaining information or making the requested configuration changes.
  • Install the Verity dashboard on a server that is separate from all other IBM Content Engine or Content Platform Engine components. Shut down this server when the Verity dashboard is not required or restrict access as necessary. You can install the Verity dashboard on a system that is separate from all other Content Search Engine components.

Related information

Security Bulletin #1674128

Document information

More support for: FileNet P8 Platform
Content Search Engine

Software version: 4.5.1, 5.0, 5.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 7042296

Modified date: 20 June 2014


Translate this page: