IBM Platform Symphony 5.2 Interim Fix 234633 Readme File
Abstract
IBM Platform Cluster Manager Standard Edition includes the Apache Struts 2 framework. This fix addresses the Struts 2 security issues S2-020, S2-021 and S2-022 in that framework.
Description
· S2-020: The default upload mechanism in Apache Struts 2 is based on Commons FileUpload version 1.3, which is vulnerable and allows denial-of-service (DoS) attacks. In addition, ParametersInterceptor allows access to the 'class' parameter, which is mapped directly to the getClass() method and allows ClassLoader manipulation.
· S2-021: The excluded parameter pattern introduced in version 2.3.16.1 to block access to the getClass() method is not sufficient; it can be bypassed with specially crafted requests. CookieInterceptor is vulnerable to the same kind of attack when it is configured to accept all cookies (when "*" is used to configure the cookiesName parameter).
· S2-022: The excluded parameter pattern introduced in version 2.3.16.2 to block access to the getClass() method does not cover other methods, so crafted requests can still cause changes to session state, the request, and other objects reachable through them. As with S2-021, CookieInterceptor is affected when "*" is used to configure the cookiesName parameter.
This fix addresses the following issue:
· The Struts 2 security issues (S2-020, S2-021, S2-022). To address them, the fix upgrades Commons FileUpload to version 1.3.1 and upgrades Struts 2 from 2.3.15.2 to 2.3.16.3.
This fix patch applies only to the following platform:
· Linux 64-bit/Windows 64-bit
Readme file for: IBM® Platform Symphony
Product/Component Release: 5.2
Update Name: Fix 234633
Fix ID: sym-5.2-build234633
Publication date: 30 May 2014
Last modified date: 30 May 2014
Contents:
1. List of fixes
2. Download location
3. Products or components affected
4. Installation and configuration
5. List of files
6. Copyright and trademark information
1. List of fixes
SUP_BY_SYM#234341: [New PSIRT Advisory] Struts 2 Security Issue (S2-020, S2-021, S2-022).
2. Download Location
Download Fix 234633 from the following location: http://www.ibm.com/eserver/support/fixes/
3. Products or components affected
Product/Component Name:
Platform Symphony/PMC
4. Installation and configuration
4.1 Prerequisites
1. Build #224587 installed.
4.2 Before installation
1. Stop the running services.
Log on to the master host as the cluster administrator and run:
a) On Linux
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service stop WEBGUI plc purger derbydb
b) On Windows
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI plc purger derbydb
2. Move the following files to a backup folder.
Log on to each management host, back up the following files, and then remove them from their original locations. This fix replaces them on Linux and Windows:
a) On Linux
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-core-2.3.15.2.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-json-plugin-2.3.15.2.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-spring-plugin-2.3.15.2.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/xwork-core-2.3.15.2.jar
>$EGO_TOP/gui/perf/1.2.6/perfgui/WEB-INF/lib/struts2-core-2.3.15.2.jar
>$EGO_TOP/gui/perf/1.2.6/perfgui/WEB-INF/lib/xwork-core-2.3.15.2.jar
>$EGO_TOP/gui/1.2.6/lib/commons-fileupload-1.2.1.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/commons-fileupload-1.2.1.jar
>$EGO_TOP/perf/1.2.6/lib/commons-fileupload-1.2.2.jar
b) On Windows
>%SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\struts2-core-2.3.15.2.jar
>%SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\xwork-core-2.3.15.2.jar
>%SOAM_HOME%\..\gui\1.2.6\lib\commons-fileupload-1.2.1.jar
>%SOAM_HOME%\..\perf\1.2.6\lib\commons-fileupload-1.2.2.jar
4.3 Installation steps
1. Apply the fix.
Log on to each management host and install the replacement files from the downloaded package into the directories listed in section 4.2:
a) On Linux
$ cp sym52_gui_security_patch_build234633.zip $EGO_TOP/
$ cd $EGO_TOP
$ unzip -u sym52_gui_security_patch_build234633.zip
b) On Windows
Unzip sym52_gui_security_patch_build234633.zip, take struts2-core-2.3.16.3.jar, xwork-core-2.3.16.3.jar and commons-fileupload-1.3.1.jar from it, and copy them into place:
> copy struts2-core-2.3.16.3.jar xwork-core-2.3.16.3.jar %SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\
> copy commons-fileupload-1.3.1.jar %SOAM_HOME%\..\gui\1.2.6\lib\
> copy commons-fileupload-1.3.1.jar %SOAM_HOME%\..\perf\1.2.6\lib\
4.4 After installation
1. Clean up the GUI work directory and the browser cache.
To clean up the GUI work directory, delete all subdirectories and files in that directory.
2. Start the services.
Log on to the master host as the cluster administrator and run:
a) On Linux
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service start WEBGUI plc purger derbydb
b) On Windows
> egosh user logon -u Admin -x Admin
> egosh service start WEBGUI plc purger derbydb
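The following script is an added example and is not part of the IBM fix package. It automates the Linux side of sections 4.2 to 4.4 as a pre-/post-install check: it lists the vulnerable jars from section 4.2 that are still present under EGO_TOP, moves them to a backup folder while keeping their relative paths (so section 4.5 can restore them with a single copy back), and after the unzip verifies that every 2.3.16.3/1.3.1 jar from section 4.5 step 3 is in place and no 2.3.15.2/1.2.x jar remains. Having both versions of struts2-core on the classpath at once is the failure mode this guards against: which class loads first then decides whether the hole is closed. The relative paths are taken from this readme; the function names, the backup folder and the empty stand-in files used by the demo are assumptions for the example. Run it after "egosh service stop" and before "egosh service start".

```shell
#!/bin/sh
# Added example (not IBM code): checks for the jar replacements in sections 4.2-4.4.
# Relative paths below are the ones the readme lists for Linux; EGO_TOP is
# passed as the first argument to each function.

# Vulnerable jars removed by the fix (readme section 4.2, Linux list).
OLD_JARS='gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-core-2.3.15.2.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-json-plugin-2.3.15.2.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-spring-plugin-2.3.15.2.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/xwork-core-2.3.15.2.jar
gui/perf/1.2.6/perfgui/WEB-INF/lib/struts2-core-2.3.15.2.jar
gui/perf/1.2.6/perfgui/WEB-INF/lib/xwork-core-2.3.15.2.jar
gui/1.2.6/lib/commons-fileupload-1.2.1.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/commons-fileupload-1.2.1.jar
perf/1.2.6/lib/commons-fileupload-1.2.2.jar'

# Patched jars installed by the fix (readme section 4.5 step 3, Linux list).
NEW_JARS='gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-core-2.3.16.3.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-json-plugin-2.3.16.3.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-spring-plugin-2.3.16.3.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/xwork-core-2.3.16.3.jar
gui/perf/1.2.6/perfgui/WEB-INF/lib/struts2-core-2.3.16.3.jar
gui/perf/1.2.6/perfgui/WEB-INF/lib/xwork-core-2.3.16.3.jar
gui/1.2.6/lib/commons-fileupload-1.3.1.jar
gui/pmr/5.2/pmrgui/WEB-INF/lib/commons-fileupload-1.3.1.jar
perf/1.2.6/lib/commons-fileupload-1.3.1.jar'

# list_old_jars EGO_TOP: print each vulnerable jar still present; return 1 if any.
list_old_jars() {
    found=0
    for rel in $OLD_JARS; do
        if [ -f "$1/$rel" ]; then
            echo "$1/$rel"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# backup_old_jars EGO_TOP BACKUP_DIR: move the vulnerable jars out of the
# product tree, preserving relative paths so uninstall can copy them back.
backup_old_jars() {
    for rel in $OLD_JARS; do
        if [ -f "$1/$rel" ]; then
            mkdir -p "$2/$(dirname "$rel")"
            mv "$1/$rel" "$2/$rel"
        fi
    done
}

# verify_patched EGO_TOP: return 0 only if every patched jar exists and no
# vulnerable jar is left beside it. Reports each problem on stderr.
verify_patched() {
    ok=0
    for rel in $NEW_JARS; do
        [ -f "$1/$rel" ] || { echo "missing: $1/$rel" >&2; ok=1; }
    done
    for rel in $OLD_JARS; do
        [ -f "$1/$rel" ] && { echo "stale: $1/$rel" >&2; ok=1; }
    done
    return $ok
}

# demo: build a constructed tree (empty files stand in for the jars, no real
# product install is touched), run backup and a simulated unzip, then verify.
demo() {
    top=$(mktemp -d)
    for rel in $OLD_JARS; do mkdir -p "$top/$(dirname "$rel")"; : > "$top/$rel"; done
    backup_old_jars "$top" "$top.bak"
    for rel in $NEW_JARS; do mkdir -p "$top/$(dirname "$rel")"; : > "$top/$rel"; done
    verify_patched "$top"; rc=$?
    [ -f "$top.bak/perf/1.2.6/lib/commons-fileupload-1.2.2.jar" ] || rc=1
    rm -rf "$top" "$top.bak"
    return $rc
}

# Usage on a real host (assumed backup location):
#   . ./sym52_jar_check.sh
#   backup_old_jars "$EGO_TOP" /root/sym52-build234633-backup
#   (unzip the patch into $EGO_TOP as in section 4.3)
#   verify_patched "$EGO_TOP" && echo "fix applied on $(hostname)"
```

Run verify_patched on every management host, not just the master: the readme has the jars replaced per host, and a host that was skipped keeps serving the vulnerable Struts version. The Windows layout in section 4.2 lists only the perf GUI and commons-fileupload jars, so this script's lists do not apply there unchanged.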
4.5 Uninstallation
1. Stop the running services.
Log on to the master host as the cluster administrator and run:
a) On Linux
$ source $EGO_TOP/cshrc.platform
$ egosh user logon -u Admin -x Admin
$ egosh service stop WEBGUI plc purger derbydb
b) On Windows
> egosh user logon -u Admin -x Admin
> egosh service stop WEBGUI plc purger derbydb
2. Restore the backed-up files.
Log on to each management host and restore the backed-up copies of the following files:
a) On Linux
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-core-2.3.15.2.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-json-plugin-2.3.15.2.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-spring-plugin-2.3.15.2.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/xwork-core-2.3.15.2.jar
>$EGO_TOP/gui/perf/1.2.6/perfgui/WEB-INF/lib/struts2-core-2.3.15.2.jar
>$EGO_TOP/gui/perf/1.2.6/perfgui/WEB-INF/lib/xwork-core-2.3.15.2.jar
>$EGO_TOP/gui/1.2.6/lib/commons-fileupload-1.2.1.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/commons-fileupload-1.2.1.jar
>$EGO_TOP/perf/1.2.6/lib/commons-fileupload-1.2.2.jar
b) On Windows
>%SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\struts2-core-2.3.15.2.jar
>%SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\xwork-core-2.3.15.2.jar
>%SOAM_HOME%\..\gui\1.2.6\lib\commons-fileupload-1.2.1.jar
>%SOAM_HOME%\..\perf\1.2.6\lib\commons-fileupload-1.2.2.jar
3. Remove the following files.
Log on to each management host and remove the following files:
a) On Linux
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-core-2.3.16.3.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-json-plugin-2.3.16.3.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/struts2-spring-plugin-2.3.16.3.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/xwork-core-2.3.16.3.jar
>$EGO_TOP/gui/perf/1.2.6/perfgui/WEB-INF/lib/struts2-core-2.3.16.3.jar
>$EGO_TOP/gui/perf/1.2.6/perfgui/WEB-INF/lib/xwork-core-2.3.16.3.jar
>$EGO_TOP/gui/1.2.6/lib/commons-fileupload-1.3.1.jar
>$EGO_TOP/gui/pmr/5.2/pmrgui/WEB-INF/lib/commons-fileupload-1.3.1.jar
>$EGO_TOP/perf/1.2.6/lib/commons-fileupload-1.3.1.jar
b) On Windows
>%SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\struts2-core-2.3.16.3.jar
>%SOAM_HOME%\..\gui\perf\1.2.6\perfgui\WEB-INF\lib\xwork-core-2.3.16.3.jar
>%SOAM_HOME%\..\gui\1.2.6\lib\commons-fileupload-1.3.1.jar
>%SOAM_HOME%\..\perf\1.2.6\lib\commons-fileupload-1.3.1.jar
4. Clean up the GUI work directory and the browser cache.
To clean up the GUI work directory, delete all subdirectories and files in that directory.
5. Start the services.
Log on to the master host as the cluster administrator and run:
a) On Linux
$ egosh service start WEBGUI plc purger derbydb
b) On Windows
> egosh service start WEBGUI plc purger derbydb
5. List of files
· sym52_gui_security_patch_build234633.zip
6. Copyright and trademark information
© Copyright IBM Corporation 2014
U.S. Government Users Restricted Rights - Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp.
IBM®, the IBM logo and ibm.com® are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.