Public disclosed vulnerability from Apache Struts affects IBM Platform Application Center.
CVEID: CVE-2018-1327
DESCRIPTION: Apache Struts is vulnerable to a denial of service. By sending a specially crafted XML request using the XStream handler with the Struts REST plugin, a remote attacker could exploit this vulnerability to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/140766 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Mitigation
The only fix is to replace the Apache Struts 2 files in the LSF Application Center environment with the fixed versions.
Version Independent

Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
Platform Application Center | 9.1.5 | None | See workaround
Platform Application Center | 9.1.4.2 | None | See workaround
Platform Application Center | 9.1.4.1 | None | See workaround
Platform Application Center | 9.1.4 | None | See workaround
Platform Application Center | 9.1.3 | None | See workaround
Platform Application Center | 9.1.2 | None | See workaround
Platform Application Center | 9.1.1 | None | See workaround
Platform Application Center | 9.1 | None | See workaround
Workaround for Platform Application Center 9.1.5, 9.1.4.2, 9.1.4.1, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1
1. Download Apache Struts 2.5.16 from the following link: https://cwiki.apache.org/confluence/display/WW/S2-056
2. Replace the downloaded files (struts2-core-2.5.16.jar, struts2-json-plugin-2.5.16.jar and struts2-spring-plugin-2.5.16.jar) in the Application Center installation.
3. To find the location of the files to replace:
- Navigate to the PAC installation directory
- Run the command "find . -name "struts.jar""
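As an added verification step (an example script, not part of the IBM bulletin), this POSIX shell script walks an installation directory supplied by the caller, finds Struts 2 jars by file name and flags any whose version in the file name is older than the fixed 2.5.16 release; it assumes the jars follow the standard struts2-<module>-<version>.jar naming used in the bulletin.

```shell
#!/bin/sh
# Added example, not part of the IBM bulletin: report Struts 2 jars under an
# install tree that are older than the fixed release named in the bulletin.
FIXED_VERSION="2.5.16"

# Extract the version from a jar name, e.g. struts2-core-2.3.34.jar -> 2.3.34.
# Prints nothing for jars that do not follow the struts2-<module>-<version> pattern.
struts_jar_version() {
    basename "$1" .jar | sed -n 's/^struts2-.*-\([0-9][0-9.]*\)$/\1/p'
}

# Return 0 when dotted version $1 is greater than or equal to $2, else 1.
# Compared field by field so that 2.5.16 sorts after 2.5.9 (awk is POSIX).
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai != bi) { if (ai > bi) exit 0; else exit 1 }
        }
        exit 0
    }'
}

# Print one line per Struts 2 jar found under $1, prefixed OK or OUTDATED.
check_struts_jars() {
    find "$1" -type f -name 'struts2-*.jar' 2>/dev/null | while IFS= read -r jar; do
        ver=$(struts_jar_version "$jar")
        [ -n "$ver" ] || continue
        if version_ge "$ver" "$FIXED_VERSION"; then
            echo "OK       $jar ($ver)"
        else
            echo "OUTDATED $jar ($ver, fixed in $FIXED_VERSION)"
        fi
    done
}

# Number of outdated jars under $1; a non-zero count means the workaround is incomplete.
count_outdated_struts_jars() {
    check_struts_jars "$1" | grep -c '^OUTDATED' || true
}
```

Run it as `check_struts_jars /path/to/pac` after applying the workaround; an empty result means no struts2-*.jar was found at all, which usually points at the wrong directory rather than a clean install.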
CPE

Name | Operator | Version
---|---|---
platform application center | eq | any