admin posted on 2016-8-31 17:02:34

CVE-2015-4852 (Apache Commons security vulnerability)

This page includes the details of how to mitigate the security vulnerability CVE-2015-4852 (Oracle name) and CVE-2015-7501 (Red Hat name).
http://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html
The security vulnerability (CVE-2015-4852/CVE-2015-7501) exists in the Apache Commons library, which is used by many (Java) applications, such as IFS Middleware Server, the JBoss Application Server and Crystal Report Web Server.
The general advice, regardless of IFS Applications version, is to block clients from accessing the application server directly. Depending on the IFS Applications version in use, there may also be patches that need to be applied, see below.

IFS Applications 9

- IFS Middleware Server (default application server used by all IFS customers on IFS Applications 9 – sales part(s) IFS Middleware Server): General advice is to make sure all direct access to the Managed Server(s) and the Admin Server is properly blocked by the firewall. No additional patch required.
- Crystal Reports (optional reporting functionality): If using Crystal Reports with IFS Applications, please apply the correction according to Solution Object 232219, estimated due date mid-December 2015.

IFS Applications 8

- IFS Middleware Server (default application server used by most IFS customers from IFS Applications 8 SP1): General advice is to make sure that all direct access to the Application Server(s) is properly blocked by the firewall. Apply LCS patch 125780 (Solution Object 231761) in order to also block any attempt to masquerade T3 over HTTP through the HTTP Server. This should be considered mandatory if the system is exposed to the Internet.
- JBoss (default application server used by most IFS customers in IFS Applications 8 RTM): General advice is to make sure all direct access to the Application Server(s) is properly blocked by the firewall. Apply LCS patch 125982 (Solution Object 231761) in order to update to a version of Apache Commons which is not vulnerable. This should be considered mandatory if the system is exposed to the Internet.
- Crystal Reports (optional reporting functionality): If using Crystal Reports with IFS Applications, please apply the correction according to Solution Object 232219, estimated due date mid-December 2015.

IFS Applications 7.5 and earlier

- JBoss: General advice is to make sure all direct access to the Application Server(s) is properly blocked by a firewall. Make sure the JBoss Management Console is disabled. This is a configuration option in the IFS Installer; it is disabled by default. No additional patch is required.
- Crystal Reports: If single patch 98572 has been applied, or if using IFS Applications 7.5 SP7, please apply the correction according to Solution Object 232219, estimated due date mid-December 2015.
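The advisory above recommends blocking any attempt to masquerade T3 over HTTP through the HTTP Server. As an added illustration (not code from IFS, Oracle or the original post), the following check shows what such blocking or an IDS rule keys on: CVE-2015-4852 is triggered by a serialized Java object stream (built from Apache Commons Collections classes) delivered to the WebLogic T3 listener, so a defender can flag HTTP request bodies that open with a T3 handshake line ("t3 <version>", or "t3s" for the TLS variant) or that contain the Java serialization stream header 0xACED0005. The sample requests are constructed, and the host names and paths are placeholders.

```python
"""
Added example for the IFS advisory: flag HTTP request bodies that carry a
WebLogic T3 handshake or a raw Java serialized object stream.
Sample traffic below is constructed; nothing here is captured from a real system.
"""
import re
from dataclasses import dataclass

# Java serialization header: STREAM_MAGIC (0xACED) followed by STREAM_VERSION (5).
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"

# A T3 connection opens with an ASCII line such as "t3 12.2.1" (or "t3s ..." over TLS),
# followed by "AS:"/"HL:" header lines. Over HTTP this shows up at the start of the body.
T3_HANDSHAKE = re.compile(rb"^t3s? \d+\.\d+(\.\d+)*\s", re.IGNORECASE)


@dataclass
class Verdict:
    method: str
    path: str
    t3_handshake: bool
    java_stream: bool

    @property
    def suspicious(self) -> bool:
        """True if either signature is present; both indicate traffic the HTTP server should not forward."""
        return self.t3_handshake or self.java_stream


def split_request(raw: bytes):
    """Return (method, path, body) from a raw HTTP/1.x request; raises on malformed input."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    request_line = head.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) < 2:
        raise ValueError("malformed request line")
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace"), body


def inspect_request(raw: bytes) -> Verdict:
    """Inspect one raw HTTP request and report which signatures the body matches."""
    method, path, body = split_request(raw)
    return Verdict(
        method=method,
        path=path,
        t3_handshake=T3_HANDSHAKE.match(body) is not None,
        java_stream=JAVA_STREAM_MAGIC in body,
    )


# Constructed sample requests (hypothetical host and paths).
SAMPLES = {
    "normal_post": (
        b"POST /ifsapp/login HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Length: 20\r\n\r\nuser=alice&pw=secret"
    ),
    "t3_over_http": (
        b"POST / HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Length: 24\r\n\r\nt3 12.2.1\nAS:255\nHL:19\n\n"
    ),
    "serialized_body": (
        b"POST /ifsapp/ HTTP/1.1\r\nHost: app.example\r\n"
        b"Content-Type: application/octet-stream\r\n\r\n"
        b"\xac\xed\x00\x05sr\x00\x11java.util.HashMap"
    ),
}


def scan_samples() -> dict:
    """Run every constructed sample through inspect_request and return name -> suspicious flag."""
    return {name: inspect_request(raw).suspicious for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = inspect_request(raw)
        state = "ALERT" if v.suspicious else "ok"
        print(f"{name:16} {v.method} {v.path:12} t3={v.t3_handshake} java={v.java_stream} -> {state}")
```

Run as a script to see one line per sample; only the first request passes. In practice this check sits at the HTTP server or a proxy in front of it, which is where the advisory places the blocking, and it complements rather than replaces the firewall rules and patches listed above, since an updated Apache Commons removes the gadget classes that make the serialized payload dangerous.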