History: Jun 18, 2018 - 1:42 a.m.

Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Platform Application Center.

2018-06-18 01:42:38
www.ibm.com
EPSS: 0.015 (Low), percentile 86.9%

Summary

A publicly disclosed vulnerability in Apache Struts affects IBM Platform Application Center.

Vulnerability Details

CVEID: CVE-2018-1327

DESCRIPTION: Apache Struts is vulnerable to a denial of service. By sending a specially crafted XML request using the XStream handler with the Struts REST plugin, a remote attacker could exploit this vulnerability to cause a denial of service.

CVSS Base Score: 7.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140766 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Mitigation

The only solution is to replace the Apache Struts 2 files in the LSF Application Center environment with the fixed versions.

Affected Products and Versions

Version Independent

Remediation/Fixes

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
Platform Application Center | 9.1.5 | None | See workaround
Platform Application Center | 9.1.4.2 | None | See workaround
Platform Application Center | 9.1.4.1 | None | See workaround
Platform Application Center | 9.1.4 | None | See workaround
Platform Application Center | 9.1.3 | None | See workaround
Platform Application Center | 9.1.2 | None | See workaround
Platform Application Center | 9.1.1 | None | See workaround
Platform Application Center | 9.1 | None | See workaround

Workarounds and Mitigations

Platform Application Center 9.1.5, 9.1.4.2, 9.1.4.1, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1

1. Download Apache Struts 2.5.16 from the following link: https://cwiki.apache.org/confluence/display/WW/S2-056

2. Replace the corresponding files in the Application Center installation with the downloaded files (struts2-core-2.5.16.jar, struts2-json-plugin-2.5.16.jar and struts2-spring-plugin-2.5.16.jar).

3. To find the location of the files to replace:

· Navigate to the PAC installation directory.

· Run the command 'find . -name "struts.jar"'
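
The lookup in step 3 can be extended into a version check that confirms the replacement took effect. The script below is an added example, not part of the IBM bulletin: it assumes the installed jars keep the name-version.jar file naming shown in step 2 and that sort(1) supports -V, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: list the three Struts 2 jars named in the bulletin under an
# install directory and flag any whose file-name version predates the fix.
FIXED_VERSION="2.5.16"   # fixed release named in the bulletin

# version_lt A B: succeeds when version A sorts strictly before version B.
# Assumption: sort(1) supports -V (GNU coreutils, busybox).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# audit_struts DIR: print "STATUS VERSION PATH" for each matching jar.
# Returns 1 if any jar is OUTDATED, 0 otherwise.
# Assumption: paths contain no embedded newlines.
audit_struts() {
    dir=$1
    rc=0
    list=$(find "$dir" -type f \( -name 'struts2-core-*.jar' \
        -o -name 'struts2-json-plugin-*.jar' \
        -o -name 'struts2-spring-plugin-*.jar' \) | sort)
    while IFS= read -r jar; do
        [ -n "$jar" ] || continue
        base=${jar##*/}      # file name without directory
        ver=${base%.jar}     # drop the extension
        ver=${ver##*-}       # keep the text after the last hyphen
        if version_lt "$ver" "$FIXED_VERSION"; then
            echo "OUTDATED $ver $jar"
            rc=1
        else
            echo "OK $ver $jar"
        fi
    done <<EOF
$list
EOF
    return $rc
}

# Usage (path is a placeholder for the PAC installed directory):
#   audit_struts /path/to/pac
```

A non-zero return means at least one of the three jars still carries a version older than 2.5.16 in its file name and step 2 needs to be repeated for that location.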

CPE Name | Operator | Version
---|---|---
platform application center | eq | any
