Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137)

Summary

There is a potential for weaker than expected security with the Administrative Console in WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2017-1137**
DESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to the admin console.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121549 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• Version 8.5.5.9 - 8.5.5.11
• Version 8.0.0.13
• This does not affect fix pack levels 8.5.0.0 through 8.5.5.8, or 8.0.0.0 through 8.0.0.12.

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI76088 for each named product as soon as practical. **
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition:

**For V8.5.5.9 through 8.5.5.11 traditional:
· Apply Interim Fix PI76088
--OR–
· Apply Fix Pack 8.5.5.12 or later. **

For V8.0.0.13 traditional:**
· Apply Interim Fix PI76088
--OR–
· Apply Fix Pack 8.0.0.14 or later. **

**