Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Enterprise Service Bus (CVE-2016-0385, CVE-2016-0377, CVE-2016-2960, CVE-2016-3092)

Summary

WebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in security bulletins

Vulnerability Details

CVEID: CVE-2016-0385** *DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112359 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

Please consult the security bulletin Bypass security restrictions in WebSphere Application Server for vulnerability details and information about fixes.

CVEID: CVE-2016-0377** *DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112238 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Please consult the security bulletin Information Disclosure in IBM WebSphere Application Server for vulnerability details and information about fixes.

CVEID: CVE-2016-2960** *DESCRIPTION: IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113805 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

Please consult the security bulletin Potential denial of service with SIP Services for vulnerability details and information about fixes.

CVEID: CVE-2016-3092** *DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Please consult the security bulletin Apache Commons FileUpload Vulnerability affects WebSphere Application Server for vulnerability details and information about fixes.

Affected Products and Versions

WebSphere Enterprise Service Bus v7.0 and v 7.5
WebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5