
Security Bulletin: Potential Privilege Escalation in WebSphere Application Server Admin Console (CVE-2017-1731)

2019-02-19 15:50:01
www.ibm.com

8.8 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

6.5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:P/A:P

Summary

There is a potential privilege escalation in WebSphere Application Server Admin Console.

Vulnerability Details

CVEID: CVE-2017-1731
DESCRIPTION: IBM WebSphere Application Server could provide weaker than expected security when using the Administrative Console. An authenticated remote attacker could exploit this vulnerability to possibly gain elevated privileges.
CVSS Base Score: 8.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/134912 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

  • Version 9.0
  • Version 8.5
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI89498 for each named product as soon as practical.

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.0.6:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI89498
-- OR --
· Apply Fix Pack 9.0.0.7 or later.

For V8.5.0.0 through 8.5.5.13:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI89498
-- OR --
· Apply Fix Pack 8.5.5.14 or later.

For V8.0.0.0 through 8.0.0.14:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI89498
-- OR --
· Apply Fix Pack 8.0.0.15 or later.

For V7.0.0.0 through 7.0.0.43:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI89498
-- OR --
· Apply Fix Pack 7.0.0.45 or later.
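To turn the version ranges above into a repeatable inventory check, the following is an added example (not IBM's code) that encodes the affected ranges and first fixed fix pack levels from this bulletin and classifies each installation; the hostnames and levels in the sample inventory are constructed for illustration.

```python
# Affected ranges and first fixed fix pack per release line, as stated in the bulletin:
# (lowest affected level, highest affected level, first fix pack containing the fix)
AFFECTED_RANGES = [
    ((9, 0, 0, 0), (9, 0, 0, 6), (9, 0, 0, 7)),
    ((8, 5, 0, 0), (8, 5, 5, 13), (8, 5, 5, 14)),
    ((8, 0, 0, 0), (8, 0, 0, 14), (8, 0, 0, 15)),
    ((7, 0, 0, 0), (7, 0, 0, 43), (7, 0, 0, 45)),
]
INTERIM_FIX = "PI89498"


def parse_version(text):
    """Turn '8.5.5.13' (or a shorter '8.5') into a 4-tuple so tuple comparison orders it."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WebSphere version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (4 - len(nums))


def fmt(v):
    return ".".join(str(n) for n in v)


def assess(version, applied_ifixes=()):
    """Return (status, advice): 'vulnerable', 'fixed', 'unknown' (a level in a listed
    release line that the bulletin neither names as affected nor as fixed) or 'not_listed'."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if v[:2] != low[:2]:  # release line (9.0, 8.5, 8.0, 7.0) is the first two digits
            continue
        if v >= fixed or INTERIM_FIX in applied_ifixes:
            return "fixed", "fix pack or interim fix already present"
        if low <= v <= high:
            return "vulnerable", f"apply interim fix {INTERIM_FIX} or upgrade to {fmt(fixed)}"
        return "unknown", f"level {fmt(v)} is not covered by the bulletin; verify with IBM"
    return "not_listed", "release line is not named in the bulletin"


# Constructed sample inventory: (hostname, WAS level, interim fixes applied).
SAMPLE_INVENTORY = [
    ("was-prod-01", "8.5.5.12", ()),
    ("was-prod-02", "8.5.5.12", ("PI89498",)),
    ("was-test-01", "9.0.0.7", ()),
    ("was-legacy-01", "7.0.0.44", ()),
    ("was-old-01", "6.1.0.47", ()),
]


def report(inventory=SAMPLE_INVENTORY):
    """Map hostname -> status so the result can feed a ticket or dashboard."""
    return {host: assess(ver, ifixes)[0] for host, ver, ifixes in inventory}
```

Note that the interim fix itself requires a minimal fix pack level (see the bulletin); the check treats a recorded PI89498 as sufficient and does not re-verify that prerequisite.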
