9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
WebSphere Application Server may have insecure file permissions after custom startup scripts are run. The custom startup script will not pull the umask from the server.xml. This may cause some log files to have different permissions then expected.
There is an information disclosure in the WebSphere Application Server Proxy Server or On-Demand-Router (ODR). This only occurs when the system clock is changed. If the system clock is changed it could cause stale data to be cached and served.
There is a potential cross-site scripting vulnerability in the Admin Console for WebSphere Application Server.
There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server.
There is a potential security vulnerability in the WebSphere Application Server Admin Console if you have updated the web services security bindings settings. If you changed the cipher suites in the web services security bindings settings they may not have been saved properly and thus be weaker security then you expected. Verify that your settings are what you expect.
WebSphere Application Server traditional 9.0.0.4 added a new feature using the PasswordUtil command to enable AES password encryption. If you used this feature, then you have a potential for weaker than expected security since some passwords did not get encrypted as you might have expected. If you didn’t use this new feature, then you are not affected by this vulnerability. This does not affect passwords with the default XOR encoding, or passwords with custom encryption.
There are two potential infomation disclosure vulnerabilities that affects the Java Server Faces (JSF) component used by WebSphere Application Server.
CVEID: CVE-2017-1382**
DESCRIPTION:** IBM WebSphere Application Server might create files using the default permissions instead of the customized permissions when custom startup scripts are used. A local attacker could exploit this to gain access to files with an unknown impact.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2017-1381**
DESCRIPTION:** IBM WebSphere Application Server Proxy Server or On-demand-router (ODR) could allow a local attacker to obtain sensitive information, caused by stale data being cached and then served.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127152 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2017-1380**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127151 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2017-1501**
DESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security after using the Admin Console to update the web services security bindings settings.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129576 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-1504**
DESCRIPTION:** IBM WebSphere Application Server Version 9.0.0.4 could provide weaker than expected security after using the PasswordUtil command to enable AES password encryption.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129579 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2011-4343**
DESCRIPTION:** Apache MyFaces could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using specially crafted parameters to inject EL expressions into input fields mapped as view parameters and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132287 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2017-1583**
DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper error handling by MyFaces in JSF.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132342 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
These vulnerabilities affects the following versions and releases of IBM WebSphere Application Server:
To patch an existing service instance requires two steps:
1. To update WebSphere Application Server refer to the IBM WebSphere Application Server bulletins listed below:
Security Bulletin: WebSphere Application Server may have insecure file permissions (CVE-2017-1382)
Security Bulletin: Information disclosure in WebSphere Application Server
(CVE-2017-1381)
Security Bulletin: Weaker than expected security in WebSphere Application Server (CVE-2017-1504)
2. To apply the RHEL OS updates, run yum update.
Alternatively, delete the vulnerable service instance and create a new instance.
None
CPE | Name | Operator | Version |
---|---|---|---|
ibm websphere application server in ibm cloud | eq | any |
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
7.5 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P