Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)

2018-06-15 07:05:51
www.ibm.com
EPSS: 0.019
Percentile: 88.5%

Summary

There is a potential denial of service with IBM WebSphere Application Server when using SIP services.

Vulnerability Details

CVEID: CVE-2016-2960
DESCRIPTION: IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113805 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server using SIP services:

  • Version 9.0
  • Version 8.5.5 Full Profile and Liberty
  • Version 8.5 Full Profile and Liberty
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI61548 for each named product as soon as practical.

For WebSphere Application Server:

For V9.0.0.0:
· Apply Interim Fix PI61548

--OR--
· Apply Fix Pack 9.0.0.1 or later.

For V8.5.0.0 through 16.0.0.2 Liberty:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI61548
--OR--
· Apply Liberty Fix Pack 16.0.0.3 or later.

For V8.5.0.0 through 8.5.5.9 Full Profile:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI61548

--OR--
· Apply Fix Pack 8.5.5.10 or later.

For V8.0.0.0 through 8.0.0.12:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI61548

--OR--
· Apply Fix Pack 8.0.0.13 or later.

For V7.0.0.0 through 7.0.0.41:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI61548

--OR--
· Apply Fix Pack 7.0.0.43 or later.
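
An added example (not IBM's code) that triages a server inventory against the fix levels listed above. The inventory, the `uses_sip` flag and the `ifixes` list are constructed inputs, and treating the rows where the bulletin names no profile (9.0, 8.0, 7.0) as Full Profile is an assumption. Levels the bulletin lists as neither affected nor fixed, such as 7.0.0.42, are reported as `unlisted` rather than guessed.

```python
import re

APAR = "PI61548"
# (profile, first affected, last affected, first fixed fix pack), from the bulletin.
# Assumption: rows where the bulletin names no profile (9.0, 8.0, 7.0) are Full Profile.
STREAMS = [
    ("full",    (9, 0, 0, 0), (9, 0, 0, 0),  (9, 0, 0, 1)),
    ("liberty", (8, 5, 0, 0), (16, 0, 0, 2), (16, 0, 0, 3)),
    ("full",    (8, 5, 0, 0), (8, 5, 5, 9),  (8, 5, 5, 10)),
    ("full",    (8, 0, 0, 0), (8, 0, 0, 12), (8, 0, 0, 13)),
    ("full",    (7, 0, 0, 0), (7, 0, 0, 41), (7, 0, 0, 43)),
]

def triage(version, profile, uses_sip=True, ifixes=()):
    """Classify one server against the bulletin's fix levels for CVE-2016-2960."""
    if profile not in ("full", "liberty") or not re.fullmatch(r"\d+(\.\d+){3}", version):
        raise ValueError(f"unrecognised profile/version: {profile} {version}")
    if not uses_sip:
        return "not-exposed"  # the bulletin scopes the issue to SIP services
    v = tuple(int(p) for p in version.split("."))
    for prof, lo, hi, fixed in STREAMS:
        # Liberty is one continuous stream; Full Profile streams are keyed by major.minor.
        same_stream = prof == profile and (prof == "liberty" or v[:2] == lo[:2])
        if not same_stream or v < lo:
            continue
        if v >= fixed:
            return "fixed"
        if v > hi:
            return "unlisted"  # e.g. 7.0.0.42: neither affected nor fixed per the bulletin
        return "fixed-ifix" if APAR in ifixes else "vulnerable"
    return "unlisted"

# Constructed inventory: (host, version, profile, uses_sip, installed interim fixes)
INVENTORY = [
    ("sip-a", "8.5.5.9",  "full",    True,  []),
    ("sip-b", "8.5.5.9",  "liberty", True,  ["PI61548"]),
    ("sip-c", "16.0.0.2", "liberty", True,  []),
    ("web-d", "7.0.0.41", "full",    False, []),
    ("sip-e", "7.0.0.42", "full",    True,  []),
    ("sip-f", "9.0.0.1",  "full",    True,  []),
]

def report(inventory=INVENTORY):
    """Map each host in the inventory to its triage status."""
    return {host: triage(ver, prof, sip, fx) for host, ver, prof, sip, fx in inventory}

if __name__ == "__main__":
    for host, status in report().items():
        print(f"{host}: {status}")
```

The same version number can land differently by profile: 8.5.5.10 is fixed on Full Profile but still inside the affected Liberty range, which runs through 16.0.0.2.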
