|
Systems Affected
• IBM WebSphere Application Server Version 7 & 6.1
• IBM WebSphere Application Server Hypervisor Edition Version 7 & 6.1
• IBM WebSphere Lombardi Edition version 7.2 and earlier
• IBM Business Process Manager Standard Version 7.5.x, 8.0.x & 8.5.x
• IBM Business Process Manager Express Version 7.5.x, 8.0.x & 8.5.x
• IBM Business Process Manager Advanced Version 7.5.x, 8.0.x & 8.5.x
Threat Level
Overview
Vulnerability has been reported in Apache Struts platform, which could allow unauthenticated remote attacker to execute arbitrary code on the system.
Description
The vulnerability exists in ActionForm object in Apache Struts due to improperly restricting access to the "class" parameter which is directly mapped to "getclass()" method. A remote attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the class loader used by the application server running struts.
Successful exploitation of this vulnerability could allow remote attacker to execute arbitrary code on the system.
Impact
Solution/ Workarounds
Apply appropriate patches as mentioned in IBM support.
http://www-01.ibm.com/support/docview.wss?uid=swg21674435
http://www-01.ibm.com/support/docview.wss?uid=swg21672316
References
http://www.cert-in.org.in/
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
|
