Dec 18, 2019 - 2:26 p.m.

Security Bulletin: IBM i Integrated Web Application Server version 8.5 is affected by multiple vulnerabilities.

Source: www.ibm.com

7.5 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

Summary

IBM i Integrated Web Application Server version 8.5 is affected by multiple security vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-0385
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions, caused by a buffer overflow. This could allow the attacker to view unauthorized data.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-2960
DESCRIPTION: IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113805 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-5986
DESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-1546
DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by the failure to limit the number of simultaneous stream workers for a single HTTP/2 connection when mod_http2 is enabled. A remote attacker could exploit this vulnerability using modified flow-control windows to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114793 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-4979
DESCRIPTION: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the improper validation of an X.509 client certificate when the experimental HTTP/2 module (mod_http2) is used to access a resource. An attacker could exploit this vulnerability to allow a third party to access resources on the web server without providing proper credentials and obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114720 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2016-5983
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
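CVE-2016-5983 is a deserialization issue: the server accepts a Java serialized object from an untrusted source. Until the PTF is applied, a coarse but useful compensating control at a reverse proxy or in access-log review is to flag requests whose body carries a Java serialization stream. Every such stream begins with the bytes AC ED 00 05, and when a stream is Base64-encoded from its first byte the encoding always begins with the five characters rO0AB. The detector below is an added example written for this page, not IBM's code and not part of the bulletin; the request bodies it inspects are constructed samples, and the helper names are the author's own.

```python
"""Flag HTTP request bodies that carry a Java serialization stream.

Added example for this bulletin, not IBM code. Two signals are checked:
  * the Content-Type application/x-java-serialized-object, and
  * the serialization stream header AC ED 00 05, either raw or as a
    Base64 token that really decodes to such a stream.
The sample bodies at the bottom are constructed, not captured traffic.
"""
import base64
import binascii
import re

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Base64 of a stream starting with AC ED 00 05 always begins "rO0AB".
B64_MAGIC_PREFIX = base64.b64encode(JAVA_SERIAL_MAGIC)[:5]  # b"rO0AB"
SERIAL_CONTENT_TYPE = "application/x-java-serialized-object"

# Candidate Base64 tokens (standard or URL-safe alphabet), 8+ chars.
_B64_TOKEN = re.compile(rb"[A-Za-z0-9+/_-]{8,}={0,2}")


def _decodes_to_java_stream(token: bytes) -> bool:
    """True if a Base64 token (standard or URL-safe, padding optional)
    decodes to bytes that begin with the Java serialization header.
    Decoding is what separates a real stream from a string that merely
    happens to start with the characters rO0AB."""
    token = token.replace(b"-", b"+").replace(b"_", b"/")
    token += b"=" * (-len(token) % 4)
    try:
        return base64.b64decode(token, validate=True).startswith(JAVA_SERIAL_MAGIC)
    except (binascii.Error, ValueError):
        return False


def find_java_serialized(body: bytes):
    """Return sorted (offset, form) pairs for each place `body` carries a
    Java serialization stream: 'raw' for the literal header bytes, 'base64'
    for a Base64 token that decodes to one. Caveat: a stream Base64-encoded
    from somewhere other than its first byte is not aligned on rO0AB and is
    not detected by this check."""
    hits = [(m.start(), "raw") for m in re.finditer(re.escape(JAVA_SERIAL_MAGIC), body)]
    for m in _B64_TOKEN.finditer(body):
        tok = m.group(0)
        if tok.startswith(B64_MAGIC_PREFIX) and _decodes_to_java_stream(tok):
            hits.append((m.start(), "base64"))
    return sorted(hits)


def inspect_request(content_type: str, body: bytes) -> dict:
    """Combine the header and body signals into a verdict with reasons."""
    reasons = []
    if content_type and content_type.split(";")[0].strip().lower() == SERIAL_CONTENT_TYPE:
        reasons.append("content-type declares a Java serialized object")
    for offset, form in find_java_serialized(body):
        reasons.append(f"{form} Java serialization header at body offset {offset}")
    return {"suspicious": bool(reasons), "reasons": reasons}


# Constructed sample bodies (hypothetical, not real traffic).
_STREAM_START = JAVA_SERIAL_MAGIC + b"sr\x00\x11java.util.HashMap"
RAW_BODY = _STREAM_START                                          # stream sent raw
B64_BODY = b"formState=" + base64.b64encode(_STREAM_START) + b"&submit=1"  # stream in a form field
JSON_BODY = b'{"user":"alice","note":"rO0ABnotbase64"}'         # benign look-alike

if __name__ == "__main__":
    for label, ct, body in [("raw", "application/octet-stream", RAW_BODY),
                            ("form", "application/x-www-form-urlencoded", B64_BODY),
                            ("json", "application/json", JSON_BODY)]:
        print(label, inspect_request(ct, body))
```

The JSON sample shows why the decode step matters: its value starts with rO0AB but is not valid Base64 for a serialization stream, so it is not reported. Streams wrapped in gzip, or Base64-encoded mid-stream, need deeper inspection than this check provides.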

Affected Products and Versions

Releases 6.1, 7.1, 7.2 and 7.3 of IBM i are affected.

Remediation/Fixes

The issues can be fixed by applying the PTFs listed below to IBM i.

Releases 6.1, 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed.

Release 6.1 – SI62166
Release 7.1 – SI62167 & SI62590
Release 7.2 – SI62168
Release 7.3 – SI62169

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed versions of affected products.
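To confirm that the remediation above is actually in effect on a partition, check the PTF status rather than trusting the order history: for release 7.1 both PTFs must be applied, and a PTF that is merely loaded does not protect the system. The script below is an added check written for this page, not IBM's code or part of the bulletin. It parses a CSV export of the QSYS2.PTF_INFO IBM i service (columns PTF_PRODUCT_ID, PTF_IDENTIFIER, PTF_LOADED_STATUS, as the author of this example understands the service) and reports which of the bulletin's PTFs are in effect, present but not applied, or absent for a given release. The status strings, the 5770DG1 product ID and the sample rows are assumptions constructed for illustration.

```python
"""Verify that the PTFs from this bulletin are applied on an IBM i partition.

Added example, not IBM code. Input is a CSV export of
    SELECT PTF_PRODUCT_ID, PTF_IDENTIFIER, PTF_LOADED_STATUS FROM QSYS2.PTF_INFO
(column names and status spellings are assumptions about the service).
"""
import csv
import io

# PTFs named under Remediation/Fixes, keyed by IBM i release.
# Release 7.1 needs two PTFs; both must be in effect.
REQUIRED_PTFS = {
    "6.1": {"SI62166"},
    "7.1": {"SI62167", "SI62590"},
    "7.2": {"SI62168"},
    "7.3": {"SI62169"},
}

# PTF_LOADED_STATUS values taken to mean the fix is active (assumed spellings).
# Anything else (LOADED, NOT LOADED, SUPERSEDED, DAMAGED, ...) is reported for
# manual follow-up; this check does not walk supersession chains.
IN_EFFECT = {"APPLIED", "PERMANENTLY APPLIED"}

# Constructed sample export from a hypothetical 7.1 partition: one required
# PTF is permanently applied, the other is only loaded.
SAMPLE_PTF_INFO = """\
PTF_PRODUCT_ID,PTF_IDENTIFIER,PTF_LOADED_STATUS
5770DG1,SI62167,PERMANENTLY APPLIED
5770DG1,SI62590,LOADED
5770SS1,SI61234,APPLIED
"""


def parse_ptf_info(csv_text: str) -> dict:
    """Map PTF identifier -> loaded status from a PTF_INFO CSV export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["PTF_IDENTIFIER"].strip().upper(): row["PTF_LOADED_STATUS"].strip().upper()
            for row in reader}


def check_bulletin_ptfs(release: str, csv_text: str) -> dict:
    """Classify each PTF the bulletin requires for `release` as in_effect,
    not_applied (present with its current status) or absent."""
    if release not in REQUIRED_PTFS:
        raise ValueError(f"release {release} is not covered by this bulletin")
    status = parse_ptf_info(csv_text)
    result = {"in_effect": set(), "not_applied": {}, "absent": set()}
    for ptf in sorted(REQUIRED_PTFS[release]):
        if ptf not in status:
            result["absent"].add(ptf)
        elif status[ptf] in IN_EFFECT:
            result["in_effect"].add(ptf)
        else:
            result["not_applied"][ptf] = status[ptf]
    return result


def is_remediated(release: str, csv_text: str) -> bool:
    """True only when every required PTF for the release is in effect."""
    report = check_bulletin_ptfs(release, csv_text)
    return not report["absent"] and not report["not_applied"]


if __name__ == "__main__":
    print(check_bulletin_ptfs("7.1", SAMPLE_PTF_INFO))
    print("remediated:", is_remediated("7.1", SAMPLE_PTF_INFO))
```

On the constructed 7.1 sample the partition is not remediated: SI62167 is in effect but SI62590 is only loaded. A SUPERSEDED status would land in not_applied as well, which is deliberate: confirm that the superseding PTF is applied before closing the finding.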

Workarounds and Mitigations

None

CPE Name | Operator | Version
ibm i    | eq       | 7.1.0
