There are multiple vulnerabilities in IBM® Runtime Environment Java™ Technology Edition, Versions 6 and 7, which is used by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC. These issues were disclosed in the Oracle April 2016 Critical Patch Update, plus CVE-2016-0636 and three additional vulnerabilities.
CVE-ID: CVE-2016-4003
Description: Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the URLDecoder implementation. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 6.100
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111514 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Affected Products and Versions:
Platform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1
Platform Cluster Manager Advanced Edition Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1
Platform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1
Remediation/Fixes: See the workaround below.
Workarounds and Mitigations: IBM® Runtime Environment Java™ Technology Edition, Versions 6 and 7, should be replaced with the updated JRE package from IBM Fix Central, following the procedure for your product version.
Platform Cluster Manager 4.2.x & Platform HPC 4.2.x
1. Download IBM JRE 7.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)
2. Copy the tar package to the management node. If high availability is enabled, also copy the JRE tar package to the standby management node.
3. If high availability is enabled, shut down the standby management node to avoid triggering a failover while the services are stopped.
4. On the management node, stop the GUI and PERF services.
5. On the management node, extract the new JRE files and replace the old bin, lib and plugin folders under /opt/pcm/web-portal/jre/linux-x86_64 with the new ones.
6. On the management node, start the GUI and PERF services.
7. If high availability is enabled, start the standby management node and replace the bin, lib and plugin folders under /opt/pcm/web-portal/jre/linux-x86_64 on the standby management node as well.
Platform Cluster Manager 4.1.x & Platform HPC 4.1.x
1. Download IBM JRE 6.0 x86_64 from the following location: http://www.ibm.com/support/fixcentral. (For the POWER platform, download the ppc64 version of the JRE tar package. The following steps use x86_64 as an example.)
2. Copy the tar package to the management node. If high availability is enabled, also copy the JRE tar package to the standby management node.
3. If high availability is enabled, shut down the standby management node to avoid triggering a failover while the services are stopped.
4. On the management node, stop the GUI and PERF services.
   HA disabled:
   # pmcadmin stop
   # perfadmin stop all
   HA enabled:
   # egosh user logon -u Admin -x Admin
   # egosh service stop all
5. On the management node, extract the new JRE files and replace the old JRE folders with the new ones.
6. On the management node, start the GUI and PERF services.
   HA disabled:
   # pmcadmin start
   # perfadmin start all
   HA enabled:
   # egosh user logon -u Admin -x Admin
   # egosh service start all
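The "extract the new JRE files and replace the old folders" step is the one both procedures above leave to the operator. The following shell script is an added example written for this page; it is not part of IBM's bulletin or of the product's own tooling. It assumes the downloaded tar package extracts to a directory tree containing a directory that holds bin/, lib/ and plugin/ (the script locates it rather than hard-coding the archive layout), and it takes the target web-portal JRE directory as a parameter (the bulletin names /opt/pcm/web-portal/jre/linux-x86_64 for the 4.2.x x86_64 case). The old folders are moved to a timestamped backup directory so the step can be reverted if the GUI or PERF services fail to start afterwards.

```shell
#!/bin/sh
# Added example for the IBM JRE replacement step (not IBM's own script).
# Assumptions: the tar package contains a directory with bin/, lib/ and
# plugin/ somewhere in its tree; the target directory is the web-portal
# JRE root such as /opt/pcm/web-portal/jre/linux-x86_64 (4.2.x, x86_64).
set -eu

# Extract the tar package into a staging directory and print the path of
# the first extracted directory that contains bin/, lib/ and plugin/.
# Fails (exit 1) when no such directory exists, so a wrong download is
# caught before anything under the target is touched.
stage_jre_tar() {
    tarball="$1"
    staging="$2"
    mkdir -p "$staging"
    tar -xf "$tarball" -C "$staging"
    for d in $(find "$staging" -type d -name bin | sed 's#/bin$##'); do
        if [ -d "$d/lib" ] && [ -d "$d/plugin" ]; then
            echo "$d"
            return 0
        fi
    done
    echo "no directory with bin/, lib/ and plugin/ found under $staging" >&2
    return 1
}

# Replace bin, lib and plugin under TARGET with the copies from NEW_ROOT.
# The existing folders are moved into a backup directory next to TARGET
# before the copy; the backup path is printed so it can be recorded.
replace_jre_dirs() {
    new_root="$1"
    target="$2"
    backup="${target}.bak.$(date +%Y%m%d%H%M%S)"
    for d in bin lib plugin; do
        [ -d "$new_root/$d" ] || { echo "missing $new_root/$d" >&2; return 1; }
    done
    mkdir -p "$backup"
    for d in bin lib plugin; do
        if [ -d "$target/$d" ]; then
            mv "$target/$d" "$backup/$d"
        fi
        cp -Rp "$new_root/$d" "$target/$d"
    done
    echo "$backup"
}

# Print the first line of "java -version" for the JRE now under TARGET so
# the operator can confirm the replacement before restarting the services.
# Returns 1 if the launcher is missing or not executable.
installed_java_version() {
    target="$1"
    [ -x "$target/bin/java" ] || return 1
    "$target/bin/java" -version 2>&1 | head -n 1
}

# Typical use on the management node (and again on the standby node when
# high availability is enabled), after the GUI and PERF services are stopped:
#   root=$(stage_jre_tar /tmp/ibm-java-jre.tar /tmp/jre-staging)
#   replace_jre_dirs "$root" /opt/pcm/web-portal/jre/linux-x86_64
#   installed_java_version /opt/pcm/web-portal/jre/linux-x86_64
```

Run the services-stop commands for your version first, then the three calls shown in the trailing comment; repeat them on the standby management node where the procedure says to. If the services do not come back up, moving the folders from the printed backup directory back into place restores the previous JRE.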