A fix is available
APAR status
Closed as program error.
Error description
Apache Struts 1.x could allow a remote attacker to run arbitrary code on the system because setting ClassLoader attributes is not restricted. An attacker could exploit this vulnerability by using the class parameter of an ActionForm object to manipulate the ClassLoader attributes and run arbitrary code on the system. Apache Commons FileUpload and Tomcat are vulnerable to a denial of service because the Content-Type HTTP header is improperly handled for multipart requests. By sending a specially crafted request, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop.
Local fix
The vulnerable application is required only for IBM Support to gather additional information. By default, only a single administrative user (deployment environment administrator) can access the application. You can prevent access to the application by removing all users and groups from the security role mapping in this application. In the administrative console, go to Applications > Application Types > WebSphere Enterprise Applications > IBM_BPM_DocStoreAdmin_<clusterName> > Security role to user/group mapping and remove all users and groups from the role mapping.
Problem summary
Security vulnerabilities have been reported for the Apache Struts 1.1 and Apache Commons FileUpload libraries shipped with one component of IBM BPM V8.5.5. The vulnerable libraries are used only in an administrative user interface that, by default, is available only to one administrative user.
Problem conclusion
A fix is available for IBM BPM V8.5.5.0 that updates the vulnerable version of Apache Commons FileUpload and introduces a filter to validate user input before passing it to the Apache Struts 1.x library. On Fix Central (http://www.ibm.com/support/fixcentral), search for JR50538: 1. Select IBM Business Process Manager with your edition from the product selector, the installed version to the fix pack level, and your platform, and then click Continue. 2. Select APAR or SPR, enter JR50538, and click Continue. When you download fix packages, ensure that you also download the readme file for each fix. Review each readme file for additional installation instructions and information about the fix.
Temporary fix
Comments
APAR Information
APAR number
JR50538
Reported component name
BPM STANDARD
Reported component ID
5725C9500
Reported release
855
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2014-06-18
Closed date
2014-07-10
Last modified date
2014-07-10
APAR is sysrouted FROM one or more of the following:
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
BPM STANDARD
Fixed component ID
5725C9500
Applicable component levels
R855 PSY
UP
[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFTDH","label":"IBM Business Process Manager Standard"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"855","Line of Business":{"code":"LOB45","label":"Automation"}}]
Document Information
Modified date:
16 October 2021