Security Bulletin: Incorrect setting for serveServletsbyClassname can affect FTM for Check Services and FTM for Corporate Payment Services (CVE-2015-1927)

Summary

Incorrect setting for serveServletsbyClassname could allow a remote attacker on WebSphere Application Server to gain elevated privileges on the system for FTM for Check Services and FTM for Corporate Payment Services

Vulnerability Details

CVEID: CVE-2015-1927**
DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to gain elevated privileges on the system, caused by an application not having the correct serveServletsbyClassname setting. By a developer not setting the correct property, an attacker could exploit this vulnerability to gain unauthorized access.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102872 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Affected Products and Versions

- FTM for Check v2.1.1.8

- FTM for CPS v2.1.1.0

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
FTM for Check Services| 2.1.1.8| PI46336| Apply 2.1.1-FTM-CHECK-MP-fp0009 or later.
FTM for Corporate Payment Services| 2.1.1.0| PI41632| Apply 2.1.1-FTM-CPS-MP-fp0001 or later

Workarounds and Mitigations

This has been fixed in WebSphere Application Server - refer to security bulletin http://www.ibm.com/support/docview.wss?uid=swg21959083