Security Bulletin: Several vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2016-2923, CVE-2016-2945, CVE-2016-0359)

Summary

There is an information disclosure vulnerability in IBM WebSphere Application Server Liberty for any users of the JAX-RS API. There is a potential for weaker than expected security when using the WebSphere Application Server Liberty profile API Discovery feature and Swagger documents. There is a potential HTTP response splitting vulnerability in IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2016-2923**
DESCRIPTION:** IBM WebSphere Application Server Liberty using JAX-RS API could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-2945**
DESCRIPTION:** IBM WebSphere Application Server Liberty Profile using the API discovery feature could provide weaker than expected security. when using Swagger documents with external references, which could allow an authenticated attacker to gain the privileges of the user.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113591 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2016-0359**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v2.9.

Remediation/Fixes

To upgrade to Liberty for Java v3.0-20160608-1450 or higher, you must re-stage or re-push your application. To check which version of the Liberty for Java runtime your Bluemix application is using, navigate to the “Files” menu item for your application through the Bluemix UI. In the “logs” directory, check the “staging_task.log”.

You can also find this file through the command-line Cloud Foundry client by running the following command:

cf files <appname> logs/staging_task.log

You can see

-----> Liberty Buildpack Version: _________

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>