Interstage Business Process Manager Analytics, Systemwalker Service Quality Coordinator: Vulnerability allowing attackers to "manipulate" the ClassLoader (CVE-2014-0094). June 3rd, 2014



1. Description

We have confirmed a vulnerability in the Apache Struts component that is integrated into the Management Console, Dashboard and Analytics Studio (V12 or later) of Interstage Business Process Manager Analytics (BPMA), and into the Dashboard of Systemwalker Service Quality Coordinator Enterprise Edition (SQC EE). The vulnerability allows attackers to "manipulate" the ClassLoader.
As a consequence, BPMA and SQC EE could allow attackers to extract information and to control specific files.

The workarounds shown in 3-3. are provided, and Fujitsu requests that they be applied promptly.

2. Impact

We assume that BPMA and SQC EE are used on an intranet, or in an operating environment where appropriate security measures are in place to prevent security breaches.
If, in such an environment, BPMA or SQC EE receives a specially crafted request from a malicious user that exploits this vulnerability, BPMA and SQC EE could suffer various kinds of damage. For example, the Dashboard could become unusable, or the malicious user could access any file on the server on which the BPMA or SQC EE dashboard function is running.

For a severity assessment of this vulnerability, see JVN information in "4. Related information".

3. Affected systems and corresponding action

3-1. Affected systems:

GP7000F, PRIMEPOWER, PRIMERGY, GP5000, SPARC

3-2. Affected products and required patch

Interstage Business Process Manager Analytics
Product                                        | Version | Target OS                                                          | Package name | Patch ID
-----------------------------------------------|---------|--------------------------------------------------------------------|--------------|----------
Interstage Business Process Manager Analytics  | 10.1    | Windows Server 2003 / Windows Server 2008                          | -            | Pending*
Interstage Business Process Manager Analytics  | 10.1    | Red Hat Enterprise Linux 5.x                                       | FJSVibpma    | Pending*
Interstage Business Process Manager Analytics  | 11.0    | Windows Server 2003 / Windows Server 2008                          | -            | Scheduled
Interstage Business Process Manager Analytics  | 11.0    | Red Hat Enterprise Linux 5.x                                       | FJSVibpma    | Scheduled
Interstage Business Process Manager Analytics  | 11.0    | Solaris 10                                                         | FJSVibpma    | Scheduled
Interstage Business Process Manager Analytics  | 11.1    | Windows Server 2003 / Windows Server 2008                          | -            | Pending*
Interstage Business Process Manager Analytics  | 11.1    | Red Hat Enterprise Linux 5.x                                       | FJSVibpma    | Pending*
Interstage Business Process Manager Analytics  | 12.0    | Windows Server 2003 / Windows Server 2008                          | -            | Pending*
Interstage Business Process Manager Analytics  | 12.0    | Red Hat Enterprise Linux 5.x / Red Hat Enterprise Linux 6.x        | FJSVibpma    | Pending*
Interstage Business Process Manager Analytics  | 12.1    | Windows Server 2003 / Windows Server 2008 / Windows Server 2012    | -            | Pending*
Interstage Business Process Manager Analytics  | 12.1    | Red Hat Enterprise Linux 5.x / Red Hat Enterprise Linux 6.x        | FJSVibpma    | Pending*
Interstage Business Process Manager Analytics  | 12.1    | Solaris 11                                                         | FJSVibpma    | Pending*
Interstage Business Process Manager Analytics  | 12.2    | Windows Server 2008 / Windows Server 2012                          | -            | Pending*
Interstage Business Process Manager Analytics  | 12.2    | Red Hat Enterprise Linux 5.x / Red Hat Enterprise Linux 6.x        | FJSVibpma    | Pending*
Systemwalker Service Quality Coordinator
Product                                                                        | Version | Target OS                                                                                                                                                                                             | Package name | Patch ID
-------------------------------------------------------------------------------|---------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------|----------
Systemwalker Service Quality Coordinator Enterprise Edition (Windows)          | 13.4.0  | Windows 2000 Server (x86) / Windows Server 2003 (x86) / Windows Server 2003 (x64) / Windows Server 2003 R2 (x86) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x86) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64) | -            | Scheduled
Systemwalker Service Quality Coordinator Enterprise Edition (Windows)          | 13.5.0  | Windows 2000 Server (x86) / Windows Server 2003 (x86) / Windows Server 2003 (x64) / Windows Server 2003 R2 (x86) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x86) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64) | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Windows)          | 15.0.0  | Windows Server 2003 (x86) / Windows Server 2003 (x64) / Windows Server 2003 R2 (x86) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x86) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64)                          | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Windows)          | 15.0.1  | Windows Server 2003 (x86) / Windows Server 2003 (x64) / Windows Server 2003 R2 (x86) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x86) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64) / Windows Server 2012 (x64) | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Windows for x64)  | 13.4.0  | Windows Server 2003 (x64) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64)                                                                                  | -            | Scheduled
Systemwalker Service Quality Coordinator Enterprise Edition (Windows for x64)  | 13.5.0  | Windows Server 2003 (x64) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64)                                                                                  | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Windows for x64)  | 15.0.0  | Windows Server 2003 (x64) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64)                                                                                  | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Windows for x64)  | 15.0.1  | Windows Server 2003 (x64) / Windows Server 2003 R2 (x64) / Windows Server 2008 (x64) / Windows Server 2008 R2 (x64) / Windows Server 2012 (x64)                                                      | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Linux)            | 13.4.0  | Red Hat Enterprise Linux 5 (x86) / Red Hat Enterprise Linux 6 (x86)                                                                                                                                  | -            | Scheduled
Systemwalker Service Quality Coordinator Enterprise Edition (Linux)            | 13.5.0  | Red Hat Enterprise Linux 5 (x86) / Red Hat Enterprise Linux 6 (x86)                                                                                                                                  | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Linux for x64)    | 13.4.0  | Red Hat Enterprise Linux 5 (x64) / Red Hat Enterprise Linux 6 (x64)                                                                                                                                  | -            | Scheduled
Systemwalker Service Quality Coordinator Enterprise Edition (Linux for x64)    | 13.5.0  | Red Hat Enterprise Linux 5 (x64) / Red Hat Enterprise Linux 6 (x64)                                                                                                                                  | -            | Pending*
Systemwalker Service Quality Coordinator Enterprise Edition (Solaris)          | 13.4.0  | Solaris 9 / Solaris 10                                                                                                                                                                                | -            | Scheduled
Systemwalker Service Quality Coordinator Enterprise Edition (Solaris)          | 13.5.0  | Solaris 9 / Solaris 10                                                                                                                                                                                | -            | Pending*

For the solution, please refer to the following "3-3. Workaround".



Note: Determining the affected product

  • BPMA
    • In Windows
      1. Click the "Start" button and select "Programs".
      2. Select the Interstage Business Process Manager Analytics, as appropriate.
      3. Open the software instruction file.
      4. Confirm the product name and version level written at the head of the file.
    • In Linux
      1. Execute the following command in the console window: # rpm -qi FJSVibpma
      2. The product version level is displayed.
    • In Solaris
      1. Execute the following command in the console window: # pkginfo -l FJSVibpma
      2. The product version level is displayed.
  • SQC
    • In Windows
      Check whether the following registry key exists:
      • 32bit
        HKEY_LOCAL_MACHINE\SOFTWARE\Fujitsu\INTS-BPMMW\11.00.0001
      • 64bit
        HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Fujitsu\INTS-BPMMW\11.00.0001
    • In Linux
      - Package information
      Summary: Interstage Business Process Manager Analytics
      Name: FJSVibpma
      Version: 11.1.0
      Release: 5
    • In Solaris
      - Package information
      PKG=FJSVibpma
      NAME=Interstage Business Process Manager Analytics
      VERSION=11.1.0
      IBPMA_RELEASE=5
      PSTAMP=ymir20110222134804

3-3. Workaround

  • If you use an IPS (Intrusion Prevention System) product, you can reject requests containing a parameter name that matches the following regular expression pattern (shown here as a plain regex; inside the Java string literal in the filter below the backslashes are doubled):

    (^|\W)[cC]lass\W
  • Implement the following servlet filter and apply it to BPMA and SQC EE.
    1. Create and compile a Java program like the sample shown below.
      [Example of program (You can define any class name)]
        ------
        package com.fujitsu.patch;

        import java.io.IOException;
        import java.util.Enumeration;
        import java.util.regex.Pattern;

        import javax.servlet.Filter;
        import javax.servlet.FilterChain;
        import javax.servlet.FilterConfig;
        import javax.servlet.ServletException;
        import javax.servlet.ServletRequest;
        import javax.servlet.ServletResponse;
        import javax.servlet.http.HttpServletRequest;

        public class BPMStrutsFilter implements Filter {
          // Same pattern as the IPS rule above; backslashes are doubled in the Java string literal.
          static final Pattern EXCLUDE_PATTERN = Pattern.compile("(^|\\W)[cC]lass\\W");

          public void doFilter(ServletRequest req, ServletResponse res,
              FilterChain chain) throws IOException, ServletException {
            // Decode parameter names the same way the application will.
            req.setCharacterEncoding("UTF-8");
            // Raw Enumeration with a cast keeps this compiling on Servlet 2.x and 3.x containers.
            Enumeration<?> params = ((HttpServletRequest) req).getParameterNames();
            while (params.hasMoreElements()) {
              String name = (String) params.nextElement();
              // Reject the request before it reaches Struts if any parameter name
              // could be read as an OGNL path through "class" (e.g. class.classLoader...).
              if (EXCLUDE_PATTERN.matcher(name).find()) {
                throw new IllegalArgumentException(name);
              }
            }
            chain.doFilter(req, res);
          }

          public void init(FilterConfig filterConfig) throws ServletException {
          }

          public void destroy() {
          }
        }
        ------
    2. Specify the class created in step 1 as a filter in the web.xml located in the WEB-INF directory where the BPMA web application's war file is deployed.
      For example, on Interstage J2EE (Linux): /var/opt/FJSVj2ee/deployment/ijserver/IBPMMServer/apps/ibpmm.war/WEB-INF
      [Example of modifying web.xml (You can set any name for filter-name)]
      (In case of BPMA V11.0/V11.1, SQC EE V13.4/V13.5)
        ------
        <web-app>
          ...
          <filter>
            <filter-name>BPMStrutsFilter</filter-name>
            <filter-class>com.fujitsu.patch.BPMStrutsFilter</filter-class>
          </filter>
          <filter-mapping>
            <filter-name>BPMStrutsFilter</filter-name>
            <url-pattern>*.do</url-pattern>
          </filter-mapping>
          ...
        </web-app>
        ------

        (In case of BPMA V12.0/V12.1/V12.2, SQC EE V15.0/V15.1)
        The "filter-mapping" elements below must appear before any other "filter-mapping" elements, so that this filter runs before the Struts filter.
        ------
        <web-app>
          ...
          <filter>
            <filter-name>BPMStrutsFilter</filter-name>
            <filter-class>com.fujitsu.patch.BPMStrutsFilter</filter-class>
          </filter>
          <filter-mapping>
            <filter-name>BPMStrutsFilter</filter-name>
            <url-pattern>/admintool/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
            <filter-name>BPMStrutsFilter</filter-name>
            <url-pattern>/dashboard/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
            <filter-name>BPMStrutsFilter</filter-name>
            <url-pattern>/mobile/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
            <filter-name>BPMStrutsFilter</filter-name>
            <url-pattern>/studio/*</url-pattern>
          </filter-mapping>

          <filter-mapping>
            <filter-name>BPMStrutsFilter</filter-name>
            <url-pattern>/struts/*</url-pattern>
          </filter-mapping>
          ...
        </web-app>
        ------
    3. Create a "classes" folder (directory) in the WEB-INF directory from step 2, and put the class file created in step 1 there, following the rule below:
      Inside the "classes" folder (directory), create the folder hierarchy that corresponds to the package name, and put the class file in that folder.
      Ex.) If the package name is "com.fujitsu.patch", the folder where the file is stored becomes "classes/com/fujitsu/patch".
    4. Restart the BPMA application server so that the setting takes effect.
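To see what the pattern used by the IPS rule and by the servlet filter above actually accepts and rejects, the following Python check is added here as an illustration (it is not Fujitsu's code). It emulates the filter: it URL-decodes a query string as the servlet container does, then applies the advisory's pattern to each parameter name. The sample requests are constructed for this example; the `class.classLoader` prefix is the shape NVD describes for CVE-2014-0094 (the `class` parameter reaching getClass()). `re.ASCII` is used so that `\W` behaves like Java's default ASCII-only `\W`.

```python
import re
from urllib.parse import parse_qsl

# The advisory's pattern. re.ASCII makes \W match [^A-Za-z0-9_] only,
# which is what Java's Pattern does by default.
EXCLUDE_PATTERN = re.compile(r"(^|\W)[cC]lass\W", re.ASCII)


def is_blocked_name(name: str) -> bool:
    """True if an already-decoded parameter name would be rejected."""
    return EXCLUDE_PATTERN.search(name) is not None


def filter_request(query_string: str):
    """Emulate the servlet filter: the container URL-decodes the names,
    then each name is tested. Returns (allowed, first_offending_name)."""
    for name, _value in parse_qsl(query_string, keep_blank_values=True):
        if is_blocked_name(name):
            return False, name
    return True, None


# Constructed sample requests (not taken from the advisory) -> expected "allowed".
SAMPLES = {
    # OGNL path through getClass().getClassLoader(): the CVE-2014-0094 shape
    "class.classLoader.someProperty=x": False,
    # bracket/quote syntax and upper-case C are caught by [cC] and \W
    # (decodes to Class['classLoader'].x)
    "Class%5B%27classLoader%27%5D.x=1": False,
    # percent-encoded "c": the container decodes before the filter sees it
    "%63lass.classLoader.x=1": False,
    # benign names that must keep working: "class" is not preceded by a
    # non-word character, or is not followed by one
    "className=Invoice&subclass=3&myClass.id=7": True,
    "userid=alice&page=2": True,
}


def check_samples() -> bool:
    """Return True if every constructed sample is classified as expected."""
    return all(filter_request(q)[0] == ok for q, ok in SAMPLES.items())


if __name__ == "__main__":
    for query, expected in SAMPLES.items():
        allowed, offender = filter_request(query)
        verdict = "allowed" if allowed else "blocked on %r" % offender
        print("%-45s %s" % (query, verdict))
    print("all as expected:", check_samples())
```

The trailing `\W` means the pattern fires only when something follows `class` (a `.`, `[` or quote continuing the OGNL path), so ordinary names such as `className` or `subclass` pass. Like the servlet filter, this check sees only the names the container exposes through getParameterNames(); parameters carried in a multipart/form-data body are parsed by Struts itself rather than by the container and are therefore not inspected by the filter.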

4. Related information

  1. National Vulnerability Database (NVD): CVE-2014-0094
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0094

5. Revision history

  • June 3rd, 2014: 2nd release
    • Added product the Interstage Business Process Manager Analytics, 12.1, Solaris 11 in [3-2. Affected products and required patch].
    • Fixed a wrong method in [3-3. Workaround].
  • May 20th, 2014: Initial release
