艾歐踢論壇 (forum)
CVE-2015-4852 (Apache Commons security vulnerability)

Original poster, posted on 2016-8-31 17:02:34
This page includes the details for how to mitigate against the security vulnerability CVE-2015-4852 (Oracle name) and CVE-2015-7501 (Red Hat name).


A security vulnerability (CVE-2015-4852/CVE-2015-7501) exists in the Apache Commons library, which is used by many Java applications such as IFS Middleware Server, the JBoss Application Server and Crystal Report Web Server.

The general advice, regardless of IFS Applications version, is to block clients from accessing the application server directly.
Depending on the IFS Applications version in use, patches may also need to be applied; see below.


IFS Applications 9
IFS Middleware Server
Default application server used by all IFS customers on IFS Applications 9 (sales part(s) IFS Middleware Server). General advice is to make sure all direct access to the Managed Server(s) and the Admin Server is properly blocked by the firewall. No additional patch is required.

Crystal Reports
Optional reporting functionality. If using Crystal Reports with IFS Applications, please apply the correction according to Solution Object 232219, estimated due date mid-December 2015.


IFS Applications 8
IFS Middleware Server
Default application server used by most IFS customers from IFS Applications 8 SP1 onward. General advice is to make sure that all direct access to the Application Server(s) is properly blocked by the firewall. Apply LCS patch 125780 (Solution Object 231761) in order to also block any attempt to masquerade T3 over HTTP through the HTTP Server. This should be considered mandatory if the system is exposed to the Internet.

JBoss
Default application server used by most IFS customers on IFS Applications 8 RTM. General advice is to make sure all direct access to the Application Server(s) is properly blocked by the firewall. Apply LCS patch 125982 (Solution Object 231761) in order to update to a version of Apache Commons that is not vulnerable. This should be considered mandatory if the system is exposed to the Internet.

Crystal Reports
Optional reporting functionality. If using Crystal Reports with IFS Applications, please apply the correction according to Solution Object 232219, estimated due date mid-December 2015.



IFS Applications 7.5 and earlier
JBoss
General advice is to make sure all direct access to the Application Server(s) is properly blocked by a firewall. Make sure the JBoss Management Console is disabled; this is a configuration option in the IFS Installer and it is disabled by default. No additional patch is required.

Crystal Reports
If single patch 98572 has been applied, or if using IFS Applications 7.5 SP7, please apply the correction according to Solution Object 232219, estimated due date mid-December 2015.
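As an added example, not part of the post or of any IFS patch: a small inventory script that walks an installation directory, lists every Apache Commons Collections jar it finds, and flags versions older than 3.2.2 (3.x line) or 4.1 (4.x line), the releases in which the Apache project disabled the unsafe deserialization path behind these CVEs. The directory tree it builds for the demo is constructed, and the fixed-version numbers come from the Apache release notes rather than from this post.

```python
import os, re, tempfile, zipfile

# Releases in which Apache Commons Collections disabled the unsafe deserialization
# gadget behind CVE-2015-4852 / CVE-2015-7501 (per the Apache release notes, not this post).
FIXED = {3: (3, 2, 2), 4: (4, 1)}
JAR_NAME = re.compile(r"commons-collections4?-(\d+(?:\.\d+)*)[^/]*\.jar$")

def parse_version(text):
    """'3.2.1-tests' -> (3, 2, 1); None when there is no leading number."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def is_vulnerable_version(version):
    """True for 3.x below 3.2.2 and 4.x below 4.1; other major versions are not flagged."""
    v = parse_version(version)
    return bool(v) and v[0] in FIXED and v < FIXED[v[0]]

def manifest_version(path):
    """Implementation-Version from the jar's MANIFEST.MF, or None if it cannot be read."""
    try:
        with zipfile.ZipFile(path) as jar:
            manifest = jar.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            for line in manifest.splitlines():
                if line.startswith("Implementation-Version:"):
                    return line.split(":", 1)[1].strip()
    except (zipfile.BadZipFile, KeyError, OSError):
        pass
    return None

def scan_for_commons_collections(root):
    """Walk root and return sorted (path, version, vulnerable) for every Commons Collections jar."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            m = JAR_NAME.search(name)
            if m:
                path = os.path.join(dirpath, name)
                # Prefer the manifest; fall back to the version embedded in the file name.
                version = manifest_version(path) or m.group(1)
                findings.append((path, version, is_vulnerable_version(version)))
    return sorted(findings)

def build_sample_tree():
    """Constructed demo tree: empty files standing in for jars (so only file names carry versions)."""
    root = tempfile.mkdtemp(prefix="cc-scan-")
    for rel in ("app/lib/commons-collections-3.2.1.jar",
                "app/lib/commons-collections4-4.1.jar", "app/lib/commons-lang-2.6.jar"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        open(os.path.join(root, rel), "wb").close()
    return root
```

Point `scan_for_commons_collections()` at the real installation directory instead of the demo tree; the fixed releases only disable the known gadget, so the firewall advice above remains necessary.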