Resolving BIRT Security Issues ISS04485990 (CVE-2015-5071) and ISS04485988 (CVE-2015-5072)

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


PRODUCT: Remedy AR System Server

COMPONENT: AR System Mid Tier

APPLIES TO: BMC Remedy AR System Server



PROBLEM:

Any environment that uses the BIRT Reporting feature of Remedy products is exposed to the following security vulnerabilities:

1. ISS04485990 (CVE-2015-5071)

• The __report parameter of the BIRT viewer servlet can be pointed to the URL of a report file located on any web server.
• The __report parameter of the BIRT viewer servlet can be pointed to a report file located anywhere in the local file system.

2. ISS04485988 (CVE-2015-5072)

• The preview servlet (BIRT EngineServlet) allows navigation to any file in the local file system via the __imageid parameter.

Credits:

Credit for the discovery of the two BIRT security vulnerabilities: Stephan Tigges from tigges-security.de

     


SOLUTION:

Workaround steps:

Follow these steps if you want to secure your existing implementation without updating your Mid-Tier version as described in the Resolution steps section.

      

1. ISS04485990 (CVE-2015-5071)

• Back up the Mid-Tier web.xml.
• In the Mid-Tier web.xml, add the BIRT_VIEWER_WORKING_FOLDER context parameter. Set it to the directory pointed to by the “Reporting Working Directory” setting in the Mid-Tier configuration.

<context-param>
   <param-name>BIRT_VIEWER_WORKING_FOLDER</param-name>
   <param-value>Set this to the “Reporting Working Directory” setting in Mid-Tier configuration</param-value>
</context-param>

• In the Mid-Tier web.xml, add the WORKING_FOLDER_ACCESS_ONLY context parameter with the value true if it does not exist. If WORKING_FOLDER_ACCESS_ONLY already exists, make sure its value is set to true.

<context-param>
   <param-name>WORKING_FOLDER_ACCESS_ONLY</param-name>
   <param-value>true</param-value>
</context-param>

• Restart Mid-Tier.

With these settings, BIRT allows access only to report files under the directory pointed to by the BIRT_VIEWER_WORKING_FOLDER setting.

Note: If you change the “Reporting Working Directory” setting in the Mid-Tier configuration, you must also update the BIRT_VIEWER_WORKING_FOLDER setting in the Mid-Tier web.xml and restart Mid-Tier.
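The following script is an added example for verifying that the workaround above is actually in place; it is not BMC's or the BIRT project's code. It parses a Mid-Tier web.xml, collects every context-param, and reports whether BIRT_VIEWER_WORKING_FOLDER matches the "Reporting Working Directory" value and whether WORKING_FOLDER_ACCESS_ONLY is true. The two embedded descriptors and the /opt/bmc/midtier/reports path are constructed sample values, not taken from a real installation.

```python
"""Audit a Mid-Tier web.xml for the CVE-2015-5071 workaround settings.

Added example (not BMC or BIRT code). Assumption: web.xml follows the
standard Servlet deployment-descriptor layout, with the two BIRT settings
expressed as <context-param> entries as shown in the article.
"""
import os
import xml.etree.ElementTree as ET


def _local(tag):
    # Strip an XML namespace ("{uri}name" -> "name") so the check works whether
    # or not web.xml declares the Java EE default namespace on <web-app>.
    return tag.rsplit("}", 1)[-1]


def context_params(web_xml_text):
    """Return {param-name: param-value} for every <context-param> in web.xml."""
    root = ET.fromstring(web_xml_text)
    params = {}
    for elem in root.iter():
        if _local(elem.tag) != "context-param":
            continue
        name = value = None
        for child in elem:
            if _local(child.tag) == "param-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "param-value":
                value = (child.text or "").strip()
        if name:
            params[name] = value
    return params


def audit_birt_settings(web_xml_text, reporting_working_dir):
    """Return a list of findings; an empty list means the workaround is in place.

    reporting_working_dir is the value of the "Reporting Working Directory"
    setting from the Mid-Tier configuration, which the article requires
    BIRT_VIEWER_WORKING_FOLDER to match.
    """
    params = context_params(web_xml_text)
    findings = []

    folder = params.get("BIRT_VIEWER_WORKING_FOLDER")
    if not folder:
        findings.append("BIRT_VIEWER_WORKING_FOLDER is missing or empty")
    elif os.path.normpath(folder) != os.path.normpath(reporting_working_dir):
        findings.append(
            "BIRT_VIEWER_WORKING_FOLDER (%r) does not match the Reporting "
            "Working Directory (%r)" % (folder, reporting_working_dir)
        )

    access_only = params.get("WORKING_FOLDER_ACCESS_ONLY")
    if access_only is None:
        findings.append("WORKING_FOLDER_ACCESS_ONLY is missing")
    elif access_only.lower() != "true":
        findings.append(
            "WORKING_FOLDER_ACCESS_ONLY is %r, must be 'true'" % access_only
        )
    return findings


# Constructed sample descriptors (not from a real Mid-Tier install).
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>WORKING_FOLDER_ACCESS_ONLY</param-name>
    <param-value>false</param-value>
  </context-param>
</web-app>
"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <context-param>
    <param-name>BIRT_VIEWER_WORKING_FOLDER</param-name>
    <param-value>/opt/bmc/midtier/reports</param-value>
  </context-param>
  <context-param>
    <param-name>WORKING_FOLDER_ACCESS_ONLY</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>
"""

# Placeholder for the "Reporting Working Directory" Mid-Tier setting.
REPORTING_WORKING_DIR = "/opt/bmc/midtier/reports"

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WEB_XML),
                        ("hardened", HARDENED_WEB_XML)):
        for finding in audit_birt_settings(text, REPORTING_WORKING_DIR) or ["OK"]:
            print(label + ": " + finding)
```

To run it against a real deployment, read the descriptor from the Mid-Tier web.xml path and pass the "Reporting Working Directory" value from the Mid-Tier configuration; any non-empty finding list means the workaround is incomplete.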

      

2. ISS04485988 (CVE-2015-5072)

• Create a user who has full permissions on the Tomcat installation folder, the Mid-Tier installation directory (if Mid-Tier is not deployed as a WAR), and the reports folder (if this is a directory outside the Mid-Tier installation directory).
• Start the Tomcat instance that hosts Mid-Tier as this user.

In this case, the underlying operating system / virtual machine will deny access to any other directories or files that this user does not have permission to access.

      

Resolution steps:
1. Fixes for both ISS04485990 (CVE-2015-5071) and ISS04485988 (CVE-2015-5072) are available in the Mid-Tier 8.1 SP2 latest cumulative hot fix “8.1 SP02 Patch 001 201508040741” or later. The fixes will also be available in Mid-Tier 9.0 SP1 or later.
2. If you are using 8.1 SP2, stop Mid-Tier, apply the Mid-Tier 8.1 SP2 latest cumulative hot fix as per the steps specified for applying the hot fix, and restart Mid-Tier.

      
Related Products:
1. BMC Remedy AR System Server

     


Article Number: 000093536

Article Type: Solutions to a Product Problem


