
Security Bulletin: OPEN Source Apache Struts Vulnerabilities IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC (CVE-2016-4003)

2018-06-18 01:32:26
www.ibm.com

EPSS

0.019

Percentile

88.6%

Summary

Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

Affected Products and Versions

Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1
Platform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1
Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1

Remediation/Fixes

See workarounds

Workarounds and Mitigations

Platform Cluster Manager 4.2.1 & Platform HPC 4.2.1

1. Download the struts-2.3.28-lib.zip package from the following location: http://archive.apache.org/dist/struts/2.3.28/

2. Copy the struts-2.3.28-lib.zip package to the management node.

3. Extract the struts-2.3.28-lib.zip package on the management node.

# unzip struts-2.3.28-lib.zip
# cd struts-2.3.28/lib
# cp xwork-core-2.3.28.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# cp struts2-core-2.3.28.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# cp struts2-jasperreports-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# cp struts2-json-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# cp struts2-spring-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# cp ognl-3.0.13.jar /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib
# mkdir -p /root/backup
# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-core-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-json-plugin-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/struts2-spring-plugin-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/xwork-core-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/freemarker-2.3.18.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/ognl-3.0.6.jar /root/backup

4. Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node:

# pcmhatool failmode -m manual
# pcmadmin service stop --service WEBGUI
# pcmadmin service start --service WEBGUI
# pcmhatool failmode -m auto

Otherwise, if high availability is not enabled, run the following commands on the management node:

# pcmadmin service stop --service WEBGUI
# pcmadmin service start --service WEBGUI

Platform Cluster Manager 4.2.0 and 4.2.0.x & Platform HPC 4.2.0 and 4.2.0.x

1. Download the struts-2.3.28-lib.zip package from the following location: http://archive.apache.org/dist/struts/2.3.28/

2. Copy the struts-2.3.28-lib.zip package to the management node.

3. Extract the struts-2.3.28-lib.zip package on the management node.

# unzip struts-2.3.28-lib.zip
# cd struts-2.3.28/lib
# cp xwork-core-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-jasperreports-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-core-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-json-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-spring-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp ognl-3.0.13.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# mkdir -p /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-2.3.16.3.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-2.3.18.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/ognl-3.0.6.jar /root/backup

4. Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node:

# pcmhatool failmode -m manual
# pcmadmin service stop --service WEBGUI
# pcmadmin service start --service WEBGUI
# pcmhatool failmode -m auto

Otherwise, if high availability is not enabled, run the following commands on the management node:

# pcmadmin service stop --service WEBGUI
# pcmadmin service start --service WEBGUI

Platform Cluster Manager 4.1.x & Platform HPC 4.1.x

1. Download the struts-2.3.28-lib.zip package from the following location: http://archive.apache.org/dist/struts/2.3.28/

2. Copy the struts-2.3.28-lib.zip package to the management node.

3. Extract the struts-2.3.28-lib.zip package on the management node.

# unzip struts-2.3.28-lib.zip
# cd struts-2.3.28/lib/
# cp xwork-core-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-core-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-json-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-spring-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp freemarker-2.3.22.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp struts2-jasperreports-plugin-2.3.28.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# cp ognl-3.0.13.jar /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
# mkdir -p /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-core-2.3.15.2.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-json-plugin-2.3.15.2.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/struts2-spring-plugin-2.3.15.2.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/xwork-core-2.3.15.2.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/freemarker-2.3.18.jar /root/backup
# mv /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/ognl-3.0.6.jar /root/backup

4. Restart Platform HPC services. If high availability is enabled, run the following commands on the active management node:

# pcmhatool failmode -m manual
# pmcadmin stop
# pmcadmin start
# pcmhatool failmode -m auto

Otherwise, if high availability is not enabled, run the following commands on the management node:

# pmcadmin stop
# pmcadmin start
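Because the workaround is a manual jar swap, a practical follow-up is to confirm that each WEB-INF/lib directory now carries exactly the library versions listed in step 3 and that none of the superseded jars moved to /root/backup are still on the classpath (an old struts2-core left beside the new one keeps the vulnerable code loadable). The script below is an added check, not part of the IBM bulletin; the version list comes from the cp/mv commands above, and the lib directory is passed as an argument.

```shell
#!/bin/sh
# Added post-workaround check (not from the IBM bulletin). Verifies that a
# WEB-INF/lib directory holds the library versions the workaround copies in
# and that no other version of those libraries remains. The expected
# name=version pairs are taken from the cp commands in step 3.
EXPECTED="struts2-core=2.3.28 xwork-core=2.3.28 struts2-json-plugin=2.3.28 \
struts2-spring-plugin=2.3.28 struts2-jasperreports-plugin=2.3.28 \
freemarker=2.3.22 ognl=3.0.13"

# check_struts_lib <lib_dir>
# Returns 0 when every expected jar is present and no stale version of that
# library is found; returns 1 otherwise and prints each finding to stdout.
check_struts_lib() {
    lib_dir="$1"
    status=0
    for pair in $EXPECTED; do
        base=${pair%=*}
        want=${pair#*=}
        found=0
        for jar in "$lib_dir"/"$base"-*.jar; do
            [ -e "$jar" ] || continue          # unmatched glob: nothing to check
            ver=$(basename "$jar" .jar)
            ver=${ver#"$base"-}                # strip "<base>-" to leave the version
            if [ "$ver" = "$want" ]; then
                found=1
            else
                echo "STALE:   $jar (expected $base-$want.jar)"
                status=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            echo "MISSING: $lib_dir/$base-$want.jar"
            status=1
        fi
    done
    [ "$status" -eq 0 ] && echo "OK: $lib_dir matches the workaround versions"
    return "$status"
}

# Usage: sh check_struts_lib.sh /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib
if [ -n "$1" ]; then
    check_struts_lib "$1"
fi
```

Run it once per WEB-INF/lib directory touched by the workaround (the wlp path for 4.2.1, the tomcat path for 4.2.0.x and 4.1.x) before restarting the WEBGUI service.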
