IBM Support

Security Bulletin: RCE vulnerability (CVE-2018-1595) affects IBM Platform Symphony, IBM Spectrum Symphony

Security Bulletin


Summary

A Remote Command Execution (RCE) vulnerability, caused by the dynamic compilation of a user-reachable JSP file (getDeviceInfo.jsp) in the web GUI, has been identified in IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1 and 7.1.1, and in IBM Spectrum Symphony 7.1.2 and 7.2.0.2.

Vulnerability Details

CVEID: CVE-2018-1595
DESCRIPTION: IBM Spectrum Symphony and Platform Symphony could allow an authenticated user to execute arbitrary commands due to improper handling of user supplied input.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/143622 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Platform Symphony 6.1.1, 7.1 Fix Pack 1, and 7.1.1

IBM Spectrum Symphony 7.1.2 and 7.2.0.2

Remediation/Fixes

These are the steps for Linux; the steps for Windows are similar.
1.     Log on to the master host as the cluster administrator and stop the WEBGUI service:
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI
2.     Log on to each management host in your cluster as the cluster administrator.
3.     Delete the following files:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
$EGO_TOP/gui/soam/<SOAM_VERSION>/symgui/generaltable/getDeviceInfo.jsp
For IBM Platform Symphony 7.1.1:
$EGO_TOP/wlp/usr/servers/gui/apps/soam/7.1.1/symgui/generaltable/getDeviceInfo.jsp
For IBM Spectrum Symphony 7.1.2 and 7.2.0.2:
$EGO_TOP/wlp/usr/servers/gui/apps/ego/<EGO_VERSION>/platform/generaltable/getDeviceInfo.jsp
$EGO_TOP/wlp/usr/servers/gui/apps/soam/<SOAM_VERSION>/symgui/generaltable/getDeviceInfo.jsp
4.     Delete all subdirectories and files from the following directories. These work directories hold the servlet classes that the web server compiled from the JSP, so deleting the .jsp source alone would leave a compiled copy that can still be served:
For IBM Platform Symphony 6.1.1 and 7.1 Fix Pack 1:
> rm -rf $EGO_TOP/gui/work/*
For IBM Platform Symphony 7.1.1, IBM Spectrum Symphony 7.1.2 and 7.2.0.2:
> rm -rf $EGO_TOP/gui/work/*
> rm -rf $EGO_TOP/gui/workarea/*
> rm -rf $WLP_OUTPUT_DIR/webgui_hostname/gui/workarea/*
5.     Clear your browser cache.
6.     Start the WEBGUI service on the master host:
> egosh service start WEBGUI
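The following script is an added example, not part of the IBM bulletin or of the Symphony product, that applies steps 3 and 4 above on one management host and then checks that no copy of getDeviceInfo.jsp remains under $EGO_TOP. It assumes that the <SOAM_VERSION> and <EGO_VERSION> path components can be matched with a glob (so every installed version directory is covered), that "webgui_hostname" under $WLP_OUTPUT_DIR is a per-host directory name (so webgui_* is cleared), and that the egosh stop/start of WEBGUI (steps 1 and 6) is done by hand on the master host. The installation paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not IBM's code): apply steps 3 and 4 of the CVE-2018-1595
# remediation on one management host and verify the result.
#
# Assumptions not stated in the bulletin:
#   * <SOAM_VERSION>/<EGO_VERSION> directories are matched with a glob;
#   * "webgui_hostname" under $WLP_OUTPUT_DIR means one directory per host,
#     so every webgui_*/gui/workarea is cleared;
#   * "egosh service stop/start WEBGUI" is run separately on the master host.

# Print every getDeviceInfo.jsp at the locations named in the bulletin, for
# all affected versions (6.1.1/7.1 FP1 under gui/soam, 7.1.1+ under wlp/).
find_vulnerable_jsp() {
    _top=$1
    [ -n "$_top" ] && [ -d "$_top" ] || return 2
    for _d in "$_top/gui/soam" \
              "$_top/wlp/usr/servers/gui/apps/soam" \
              "$_top/wlp/usr/servers/gui/apps/ego"; do
        [ -d "$_d" ] || continue
        find "$_d" -type f \( -path '*/symgui/generaltable/getDeviceInfo.jsp' \
                            -o -path '*/platform/generaltable/getDeviceInfo.jsp' \)
    done
}

# Step 3: delete only the vulnerable JSP source; other pages in
# generaltable/ are left in place.
remove_vulnerable_jsp() {
    find_vulnerable_jsp "$1" | while IFS= read -r _f; do
        rm -f -- "$_f"
    done
}

# Step 4: empty the work/workarea directories. They hold the servlet classes
# compiled from the JSPs, so a compiled getDeviceInfo.jsp would otherwise
# still be servable after the source file is gone.
clear_work_dirs() {
    _top=$1
    _out=${2:-}
    [ -n "$_top" ] && [ -d "$_top" ] || return 2
    for _d in "$_top/gui/work" "$_top/gui/workarea"; do
        [ -d "$_d" ] && rm -rf -- "$_d"/*
    done
    if [ -n "$_out" ] && [ -d "$_out" ]; then
        for _d in "$_out"/webgui_*/gui/workarea; do   # assumption: per-host dirs
            [ -d "$_d" ] && rm -rf -- "$_d"/*
        done
    fi
    return 0
}

# Post-check: succeed only when no getDeviceInfo.jsp is left under $EGO_TOP.
verify_clean() {
    [ -n "$1" ] && [ -d "$1" ] || return 2
    [ -z "$(find_vulnerable_jsp "$1")" ]
}

# Only act on a real host when explicitly asked, e.g. (placeholder paths):
#   RUN_REMEDIATION=1 EGO_TOP=/opt/ibm/symphony WLP_OUTPUT_DIR=/opt/ibm/symphony/wlp/usr/servers sh remediate.sh
if [ "${RUN_REMEDIATION:-0}" = 1 ]; then
    : "${EGO_TOP:?EGO_TOP must be set to the Symphony installation root}"
    _n=$(find_vulnerable_jsp "$EGO_TOP" | wc -l | tr -d ' ')
    remove_vulnerable_jsp "$EGO_TOP"
    clear_work_dirs "$EGO_TOP" "${WLP_OUTPUT_DIR:-}"
    if verify_clean "$EGO_TOP"; then
        echo "removed $_n copy/copies of getDeviceInfo.jsp; none remain under $EGO_TOP"
    else
        echo "getDeviceInfo.jsp still present under $EGO_TOP" >&2
        exit 1
    fi
fi
```

Run it on each management host after WEBGUI has been stopped on the master, then start the service again. The verify_clean check is the part worth keeping even if the deletions are done by hand: it is cheap to run, and a non-zero exit on any host means the removal step was missed for one of the version directories.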

Note: The fix described above can also be obtained from IBM Fix Central as the following builds: sym-6.1.1-build493462, sym-7.1-build486396, sym-7.1.1-build493457, sym-7.1.2-build493458, sym-7.2.0.2-build493459

Workarounds and Mitigations

None


Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Andrea Scaduto

Change History

June 07, 2018: Original version

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Spectrum Symphony

Component: --

Software version: 7.1.2, 7.2.0.2

Operating system(s): Platform Independent

Reference #: T1027819

Modified date: 23 July 2018