
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty that affect IBM Spectrum Protect for Workstations Central Administration Console

2019-09-12 23:35:10
www.ibm.com

CVSS3: 7.5 High (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:N/I:N/A:P)

  • Access Vector: NETWORK
  • Access Complexity: LOW
  • Authentication: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: PARTIAL

Summary

IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) Central Administration Console requires the dependent product IBM WebSphere Application Server Liberty. Information about security vulnerabilities affecting IBM WebSphere Application Server Liberty has been published in security bulletins.

Vulnerability Details

Please consult the following WebSphere Application Server security bulletins for vulnerability details and information about the fixes:

Affected Products and Versions

Principal Product and Version(s) | Affected Supporting Product and Version
—|—
IBM Spectrum Protect for Workstations (formerly Tivoli Storage Manager FastBack for Workstations) Central Administration Console versions 8.1.0.0 through 8.1.2.x and 7.1.0.0 through 7.1.8.x | IBM WebSphere Application Server Liberty: versions prior to 19.0.0.3 for CVE-2018-1902; versions prior to 19.0.0.4 for CVE-2019-4046

Remediation/Fixes

Upgrading Liberty to 19.0.0.4 or later fixes both of the security issues reported by the following IBM WebSphere Application Server security bulletins:

To upgrade the version of Liberty used by Central Administration Console (CAC):

  • download the Liberty update (e.g., wlp-base-all-19.0.0.4.jar or later)
  • change the jar file to a zip file (e.g., change wlp-base-all-19.0.0.4.jar to wlp-base-all-19.0.0.4.zip or later)
  • run net stop CAC_Service
  • unzip the file (e.g., unzip wlp-base-all-19.0.0.4.zip)
  • copy the wlp folder into the CAC install directory, typically C:\Program Files\Tivoli\TSM\CAC
  • run net start CAC_Service
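
To confirm the upgrade took effect, the following added example (not part of the IBM bulletin) reads the version of the Liberty copy under the CAC install directory and reports which of the two CVEs still apply. It assumes the copied wlp folder keeps Liberty's standard version file, lib\versions\WebSphereApplicationServer.properties, and that the install path and service name are the ones given in the steps above.

```powershell
param(
    # Typical CAC install directory named in the bulletin; adjust if yours differs.
    [string]$CacDir = 'C:\Program Files\Tivoli\TSM\CAC'
)

# First fixed Liberty version per CVE, from "Affected Products and Versions".
$fixedIn = [ordered]@{
    'CVE-2018-1902' = [version]'19.0.0.3'
    'CVE-2019-4046' = [version]'19.0.0.4'
}

# Assumption: CAC's wlp folder uses the standard Liberty layout, where the
# installed version is recorded under com.ibm.websphere.productVersion.
$propsPath = Join-Path $CacDir 'wlp\lib\versions\WebSphereApplicationServer.properties'
if (-not (Test-Path -LiteralPath $propsPath)) {
    Write-Error "Liberty version file not found: $propsPath"
    exit 2
}

$pattern = '^\s*com\.ibm\.websphere\.productVersion\s*=\s*(\S+)'
$hit = Select-String -LiteralPath $propsPath -Pattern $pattern | Select-Object -First 1
if (-not $hit) {
    Write-Error "productVersion key missing in $propsPath"
    exit 2
}

$raw = $hit.Matches[0].Groups[1].Value
try {
    $installed = [version]$raw
} catch {
    Write-Error "Cannot parse Liberty version '$raw'"
    exit 2
}

# A CVE still applies when the installed version is below its fixed version.
$open = @($fixedIn.Keys | Where-Object { $installed -lt $fixedIn[$_] })

# The service is stopped during the upgrade; report whether it is back up.
$svc = Get-Service -Name 'CAC_Service' -ErrorAction SilentlyContinue
$svcState = if ($svc) { $svc.Status } else { 'not installed' }

Write-Output "Liberty version : $installed"
Write-Output "CAC_Service     : $svcState"
if ($open.Count -gt 0) {
    Write-Output "Still affected  : $($open -join ', ')"
    exit 1
}
Write-Output 'Still affected  : none (19.0.0.4 or later)'
```

The script exits with 0 when the bundled Liberty is at 19.0.0.4 or later, 1 when either CVE still applies, and 2 when the version cannot be determined.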

Workarounds and Mitigations

None
