Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server embedded in Tivoli Integrated Portal shipped with Tivoli Network Manager IP Edition.
## Summary
WebSphere Application Server is shipped with Tivoli Network Manager IP Edition. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.
## Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
## Affected Products and Versions
_Product and versions:_
IBM Tivoli Network Manager 3.9.x
IBM Tivoli Network Manager 4.1.1.x
IBM Tivoli Network Manager 4.2.x
## Remediation/Fixes
Refer to the following security bulletins for vulnerability details and information about fixes for the WebSphere Application Server bundled with Tivoli Network Manager IP Edition.
**Principal Product and Version(s)**| **Affected Supporting Product and Version**
---|---
IBM Tivoli Network Manager 3.9| Bundles TIP version 2.1.0.x, which bundles IBM WebSphere version 7.0.0.x.
IBM Tivoli Network Manager 4.1.1| Bundles TIP version 2.2.0.x, which bundles IBM WebSphere version 7.0.0.x.
IBM Tivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires IBM WebSphere Application Server Version 8.5.5.5 or later to be installed separately. Users are advised to apply the IBM WebSphere version 8.5.5.5 Security Interim Fixes.
* [**Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)
* [**Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)
* [**Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)**](<http://www.ibm.com/support/docview.wss?uid=swg21998850>)
* [**Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)**](<http://www.ibm.com/support/docview.wss?uid=swg21998805>)
{"ibm": [{"lastseen": "2022-06-28T22:08:29", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Integrated Portal. \nIBM Tivoli Integrated Portal is in turn shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management. \nInformation about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \n \nTivoli Usage and Accounting Management V7.3.0.0, V7.3.0.1, V7.3.0.2, V7.3.0.3, V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Tivoli Integrated Portal. Tivoli Integrated Portal is shipped with IBM SmartCloud Cost Management and IBM Tivoli Usage Accounting Manager. 
\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM SmartCloud Cost Management V2.1.0.1| IBM WebSphere Application Server 7.0.0.19 \n \nTivoli Integrated Portal V2.2.0.7 | [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n[Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21998850>) \nIBM SmartCloud Cost Management V2.1.0| IBM WebSphere Application Server 7.0.0.19 \n \nTivoli Integrated Portal V2.2.0.1 \nTivoli Usage and Accounting Management 7.3.0.0, 7.3.0.1, 7.3.0.2, 7.3.0.3, 7.3.0.4| IBM WebSphere Application Server 7.0.0.11 \n \nTivoli Integrated Portal 2.2.0.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n24 Feb 2017: Original version published\n\n*The CVSS Environment Score is customer environment 
specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. 
Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSNHG7\",\"label\":\"Tivoli Usage and Accounting Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"2.1.0.0;2.1.0.1;7.3;7.3.0.1;7.3.0.2;7.3.0.3;7.3.0.4\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:28", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121"], 
"modified": "2018-06-17T22:33:28", "id": "96F7970728800B0EA1F359155E0D440D3914E976DFC09CEAD452C7D7EA6BE61B", "href": "https://www.ibm.com/support/pages/node/619377", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T17:45:49", "description": "## Summary\n\nThere is a security vulnerability in WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager that is shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise. \nAdditionally, the vulnerability affects Jazz\u2122 for Service Management and IBM Tivoli Monitoring, which are shipped with Cloud Orchestrator Enterprise. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n---|--- \n \nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3 | \n\n * WebSphere Application Server V8.5.5 through V8.5.5.11 \n * Business Process Manager 8.5.5 through V8.5.7 CF201703 \n * IBM Tivoli System Automation Application Manager V4.1 \n \nIBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2,V2.4.0.3, V2.4.0.4 | \n\n * WebSphere Application Server V8.5.0.1 through V8.5.5.10 \n * IBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2 \n * IBM Tivoli System Automation Application Manager V4.1 \n \nIBM Cloud Orchestrator V2.3, V2.3.0.1 | \n\n * IBM 
WebSphere Application Server V8.0, V8.0.11 \n * IBM Business Process Manager Standard V8.5.0.1 \n \nIBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3 | \n\n * WebSphere Application Server V8.5.5 through V8.5.5.11 \n * Business Process Manager 8.5.5 through V8.5.7 CF201703 \n * IBM Tivoli System Automation Application Manager 4.1 \n * IBM Tivoli Monitoring 6.3.0.2 \n * Jazz\u2122 for Service Management V1.1.0.1 through V1.1.2.1 \n \nIBM Cloud Orchestrator Enterprise V2.4, V2.4.01, V2.4.0.2,V2.4.0.3, V2.4.0.4 | \n\n * WebSphere Application Server V8.5.0.1 through V8.5.5.10 \n * IBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2 \n * IBM Tivoli System Automation Application Manager 4.1 \n * IBM Tivoli Monitoring 6.3.0.1 through V6.3.0.2\n * Jazz\u2122 for Service Management V1.1.0.1 through V1.1.2.1 \n \nIBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1 | \n\n * IBM WebSphere Application Server V8.0, V8.0.11 \n * IBM Business Process Manager Standard V8.5.0.1\n * IBM Tivoli Monitoring V6.3.0.1 \n * Jazz\u2122 for Service Management V1.1.0.1 \n \n## Remediation/Fixes\n\nThese issues were addressed by IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise through the bundled products IBM WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. \nAdditionally, these issues were also addressed by Jazz\u2122 for Service Management, IBM Tivoli Monitoring, and IBM SmartCloud Cost Management that are shipped with IBM Cloud Orchestrator Enterprise. \n\nFix delivery details for IBM Cloud Orchestrator and Cloud Orchestrator Enterprise:\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Cloud Orchestrator and Cloud Orchestrator Enterprise| V2.5, V2.5.0.1, V2.5.0.2,V2.5.0.3| For 2.5 versions, upgrade to Fix Pack 4 (2.5.0.4) of IBM Cloud Orchestrator. 
\n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>) \nAfter you upgrde, apply the appropriate Interim to your environment as soon as practical. For details, see [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \nV2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 | For 2.4 versions, upgrade to Fix Pack 4 (2.4.0.5) of IBM Cloud Orchestrator. \n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667#2405>) \nV2.3, V2.3.0.1 | [Notice product withdrawal announcement as per ENUS917-138](<https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS917-138/index.html&request_locale=en>)\n\nContact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \n## Workarounds and Mitigations\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator. 
\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3| \n\n * WebSphere Application Server V8.5.5 through V8.5.5.11 \n| \n\n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n * IBM Business Process Manager Standard V8.5.7 CF3\n| \n\n[Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997477>) \n \n * IBM Tivoli System Automation Application Manager 4.1\n| \n\n[Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997765>) \nIBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4| \n\n * WebSphere Application Server V8.5.0.1 through V8.5.5.10 \n| [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n * IBM Business Process Manager Standard V8.5.0.1 through V8.5.6 CF2\n| \n\n[Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997477>) \n \n * IBM Tivoli System Automation Application Manager 4.1 \n| \n\n[Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager 
(CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997765>) \nIBM Cloud Orchestrator V2.3, V2.3.0.1 | \n\n * IBM WebSphere Application Server V8.0, V8.0.11 \n * IBM Business Process Manager Standard V8.5.0.1\n| \n\nContact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server, IBM Business Process Manager, IBM Tivoli System Automation Application Manager, IBM Tivoli Monitoring, and Jazz\u2122 for Service Management, which are shipped with IBM Cloud Orchestrator Enterprise Edition. \n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator Enterprise Edition V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3| \n\n * WebSphere Application Server V8.5.5 through V8.5.5.11 \n * | \n\n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n * IBM Business Process Manager Standard V8.5.0.1 through V8.5.6 CF2\n| \n\n[Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997477>) \n \n * IBM Tivoli System Automation Application Manager 4.1\n| \n\nSecurity Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-8919) \n \n * IBM Tivoli Monitoring 6.3.0.1 through V6.3.0.2\n| \n\n[Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22004242>) \n \n * Jazz\u2122 for 
Service Management V1.1.0.1 through V1.1.2.1\n| \n\n[Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21998805>) \nIBM Cloud Orchestrator Enterprise Edition V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4| \n\n * WebSphere Application Server V8.5.0.1 through V8.5.5.10 \n| \n\n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n * IBM Business Process Manager Standard V8.5.0.1\n| \n\n[Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997477>) \n \n * IBM Tivoli System Automation Application Manager 4.1\n| \n\nSecurity Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-8919) \n \n * IBM Tivoli Monitoring 6.3.0.1 through V6.3.0.2\n| \n\n[Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg22004242>) \n \n * Jazz\u2122 for Service Management V1.1.0.1 through V1.1.2.1\n| \n\n[Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21998805>) \nIBM Cloud Orchestrator Enterprise Edition V2.3, V2.3.0.1| \n\n * IBM WebSphere Application Server V8.0, V8.0.11 \n * IBM Business Process Manager Standard V8.5.0.1\n * IBM Tivoli Monitoring V6.3.0.1 \n * Jazz\u2122 for Service 
Management V1.1.0.1\n| \n\nContact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:33", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-17T22:33:33", "id": "C612DD0F96E731C74D37192DB9C9761CDA43F60B2620F7A37877545924C9A161", "href": "https://www.ibm.com/support/pages/node/609303", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:04", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1121_](<https://vulners.com/cve/CVE-2017-1121>)** \nDESCRIPTION:** IBM WebSphere 
Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \n \n[Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n| \n| \n \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:35:19", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-17T15:35:19", "id": "F775CB7FDFF7FE8D917CBED07EA98427F88ED764F9B29FECEAB1C5D83B3CE8B6", "href": "https://www.ibm.com/support/pages/node/291945", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:04", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) v7.0.x is shipped as a component of Tivoli Integrated Portal (TIP v2.1 and v2.2). The version of eWAS has been affected by multiple security vulnerabilities, as described below. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1121_](<https://vulners.com/cve/CVE-2017-1121>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5 \n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.17\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version \n\n2.1.0 - 2.1.0.5 \n\n2.2.0 - 2.2.0.17\n\n| embedded Websphere Application Server version 7.0.x| [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \n \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>)[Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. 
However, the iFix requires either eWAS 7.0.0.31 or higher installed. \n \nTIP does not support upgrading Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 must be applied which will upgrade eWAS to 7.0.0.31 and above. Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin. \n\n## Workarounds and Mitigations\n\nPlease refer to WAS iFix as described above\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:35:47", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-17T15:35:47", "id": "B0435D245CEA6490D5CFD38D5F0BF6DEE8017B36FA413D190293E5EB84544630", "href": "https://www.ibm.com/support/pages/node/292021", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:56:00", "description": "## Summary\n\nIBM WebSphere 
Application Server is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise edition. \n \nA potential code execution security vulnerability has been identified in WebSphere Application Server. \n \nThis issue was also addressed by IBM Business Process Manager Standard and IBM Tivoli System Automation Application Manager which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise edition. The issue was also addressed by IBM Tivoli Monitoring, Jazz for Service Management, and SmartCloud Cost Manager which are shipped with IBM Cloud Orchestrator Enterprise edition. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 \n\n * IBM WebSphere Application Server 8.5.5 through 8.5.5.7\n * Business Process Manager 8.5.6 \n * Tivoli System Application Automation Manager 4.1\n \nIBM Cloud Orchestrator V2.3, V2.3.0.1 \n\n * IBM WebSphere Application Server 8.0.1 through 8.0.11\n * Business Process Manager 8.5.0.1\n \nIBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 \n\n * IBM WebSphere Application Server 8.5.5 through 8.5.5.7\n * SmartCloud Cost Manager 2.1.0.5 - 2.1.0.4\n * IBM Tivoli Monitoring 6.3.0.2\n * Jazz for Service Management 1.1.0.1\n \nIBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1 \n\n * IBM Tivoli Monitoring 6.3.0.1\n * Business Process Manager 
8.5.0.1 \n * SmartCloud Cost Manager 2.1.0.3\n * Jazz for Service Management 1.1.0.1\n\n## Remediation/Fixes\n\nThis issue has been addressed by IBM Cloud Orchestrator and Enterprise Edition and WebSphere Application Server which is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition. \n\nFix information details for IBM Cloud Orchestrator: \n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Cloud Orchestrator | V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.3, V2.3.0.1| Upgrade to Fix Pack 4 (2.4.0.4) of IBM Cloud Orchestrator. \n\n[_https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049_](<https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049>) \n \nIBM Cloud Orchestrator | V2.5, V2.5.0.1 | For 2.5 versions, upgrade to Fix Pack 2 (2.5.0.2) or later of IBM Cloud Orchestrator. \nAfter you upgrade to 2.5.0.2, apply the following fix: \n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>)\n\nReview affected supporting product security bulletin for vulnerability details and fix information. \n \nIBM Cloud Orchestrator | V2.5.0.2| Apply the following fix: \n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>)\n\nReview affected supporting product security bulletin for vulnerability details and fix information. \n \n \nFix information details for IBM Cloud Orchestrator Enterprise Edition: **Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Cloud Orchestrator Enterprise Edition| V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.3, V2.3.0.1| Upgrade to Fix Pack 4 (2.4.0.4) of IBM Cloud Orchestrator Enterprise. \n\n[_https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049_](<https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049>) \n \nIBM Cloud Orchestrator Enterprise Edition| V2.5,V2.5.0.1 | For 2.5 versions, upgrade to Fix Pack 2 (2.5.0.2) of IBM Cloud Orchestrator. 
\nAfter you upgrade to 2.5.0.2, apply the following fix [_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>)\n\nReview affected supporting product security bulletin for vulnerability details and fix information. \n \nIBM Cloud Orchestrator Enterprise Edition| V2.5.0.2| Apply the following fix: \n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>)\n\nReview affected supporting product security bulletin for vulnerability details and fix information. \n \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, and additionally identified in supporting products Business Process Manager, Tivoli System Application Automation Manager which are shipped with IBM Cloud Orchestrator. **Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3| IBM WebSphere Application Server 8.5 through 8.5.5.7 \n\nBusiness Process Manager 8.5.0.1 through 8.5.6 \n\nTivoli System Application Automation Manager 4.1\n\n| [_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM Tivoli Monitoring, and Jazz for Service Management which are shipped with IBM Cloud Orchestrator Enterprise edition. Notice SmartCloud Cost Manager is shipped as component IBM Cloud Orchestrator Enterprise. 
**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator Enterprise Edition V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3| IBM WebSphere Application Server 8.5.5 through 8.5.5.7 \n \nSmartCloud Cost Manager 2.1.0.5- 2.1.0.4 | [](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \nTivoli System Application Automation Manager 4.1| [Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21991898>) \nJazz for Service Management 1.0.1 | [Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21998805>) \nIBM Tivoli Monitoring 6.3.0.2| [Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21995683>) \nBusiness Process Manager 8.5.5| [Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>) \nIBM Cloud Orchestrator Enterprise Edition V2.3, V2.3.0.1| IBM Tivoli Monitoring 6.3.0.1 Business Process Manager 8.5.0.1| Contact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": 
{"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:19", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-17T22:33:19", "id": "0BD574407A9D1EAF67D3017E4CBBBF5313A9500377797BC2DC85E1005D630F54", "href": "https://www.ibm.com/support/pages/node/619365", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T17:45:53", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Integrated Portal. \nIBM Tivoli Integrated Portal is in turn shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management. 
\nInformation about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \n \nTivoli Usage and Accounting Management V7.3.0.0, V7.3.0.1, V7.3.0.2, V7.3.0.3, V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Tivoli Integrated Portal. Tivoli Integrated Portal is shipped with IBM SmartCloud Cost Management and IBM Tivoli Usage Accounting Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM SmartCloud Cost Management V2.1.0.1| IBM WebSphere Application Server 7.0.0.19 \n \nTivoli Integrated Portal V2.2.0.7 | [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \n \n[Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21998850>) \nIBM SmartCloud Cost Management V2.1.0| IBM WebSphere Application Server 7.0.0.19 \n \nTivoli Integrated Portal V2.2.0.1 \nTivoli Usage and Accounting Management 7.3.0.0, 7.3.0.1, 7.3.0.2, 7.3.0.3, 7.3.0.4| IBM WebSphere Application Server 7.0.0.11 \n \nTivoli Integrated Portal 2.2.0.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:28", "type": "ibm", "title": "Security Bulletin: Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", 
"availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-17T22:33:28", "id": "24154670B8CC3EB03C11F4CFFCD12D680AF81E5BF7B5E295FE2642969C84E9B2", "href": "https://www.ibm.com/support/pages/node/609277", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:50:43", "description": "## Summary\n\nWebsphere Application Server is shipped as a component of IBM Security Access Manager for Enterprise Single Sign-On (ISAM ESSO). Information about security vulnerabilities affecting Websphere Application Server has been published in security bulletins. \n\n## Vulnerability Details\n\nConsult the following security bulletins for vulnerability details and information about fixes. 
\n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n[Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nISAM ESSO 8.2, 8.2.1, 8.2.2| Websphere Application Server 7.0, 8.5.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:58:50", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been fixed in Websphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2016-8919, CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-16T21:58:50", "id": "61D420CBF525B0B0F7B6F0B31E19E818B9B55694EB5923E5A2AA5F80361EF5B8", "href": "https://www.ibm.com/support/pages/node/558409", "cvss": 
{"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:38:49", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletins [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) and [_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, 1.0.1, 1.1, 1.1.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is shipped with Predictive Customer Intelligence. 
\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)\n\n[_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)\n\n[_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in Websphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-0360, CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360", "CVE-2017-1151"], "modified": "2020-02-11T21:31:00", "id": "023421ED4D4DE1CE11FE9E522B8E3B8A8B0A15E6BE55BA553D7A8232A44DFF84", "href": "https://www.ibm.com/support/pages/node/294293", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:39:09", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability only applies to the server component.\n\n**Versions 7.1.x.x: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0.| [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5, 8.0.| [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n**ClearQuest Versions**| **Applying the fix** \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-0360, CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360", "CVE-2017-1151"], "modified": "2020-02-04T16:40:40", "id": "EB5B40BFE11CF3025FE055F2C8D312BF5256AD62D977DC4C5DF07B8E0B5BC0A4", "href": "https://www.ibm.com/support/pages/node/294367", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:03:21", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Business Service Manager. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.1.x| IBM WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.1.x| This vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PI73519](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) \nFor instruction on how to upgrade IBM WebSphere Application Server see the latest 6.1.* Tivoli Business Service Manager Fix Pack readme. \n\\--OR-- \nApply Fix Pack 7.0.0.43 or later (targeted availability 24 April 2017). 
\n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n13 April 2017: Original Version Published.\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. 
As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSSPFK\",\"label\":\"Tivoli Business Service Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"6.1;6.1.1\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:38:54", "type": "ibm", "title": "Security 
Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Business Service Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T15:38:54", "id": "8F39456B689B7B3239345CEE3BB6882722E86B4B05278F4F8EB15DF59EFBCAFC", "href": "https://www.ibm.com/support/pages/node/558479", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:47:53", "description": "## Summary\n\nIBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-8919](<https://vulners.com/cve/CVE-2016-8919>)\n\n \n**DESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118529> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM eDiscovery Manager Version 2.2.2\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRM_| _Remediation_ \n---|---|--- \nIBM eDiscovery Manager| 2.2.2| _Use_ IBM eDiscovery Manager 2.2.2 Interim Fix 11 available at [__https://www.ibm.com/support/fixcentral/__](<https://www-933.ibm.com/support/fixcentral/>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T12:17:44", "type": "ibm", "title": "Security Bulletin: WebSphere deserialization of untrusted data (SOAP Connector) in IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T12:17:44", "id": "17415BC48E86A98D5F410E3B171AB671765EC41C0E582F1F781BE5F0813B2A38", "href": "https://www.ibm.com/support/pages/node/291265", "cvss": {"score": 7.8, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:50:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Identity Manager. Information about a security vulnerability affecting IBM Security Identity Manager has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Denial of Service with WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nIBM Security Identity Manager version 6.0 and IBM Tivoli Identity Manager version 5.1| IBM Websphere Application Server 7.0, 8.0, 8.5 and 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T21:59:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Identity Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T21:59:00", "id": "7A930E692B42F0E6068A68ED67582BB683B61EBB2E232EFA08FD301A8BF0874B", "href": "https://www.ibm.com/support/pages/node/558775", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:01", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with WebSphere Sensor Events and IBM Real-Time Asset Locator. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>), for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nWebSphere Sensor Events V7.0| IBM WebSphere Application Server V7.0 \nIBM Real-Time Asset Locator V7.1| IBM WebSphere Application Server V7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:28:39", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Sensor Events and IBM Real-Time Asset Locator (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T22:28:39", "id": 
"A363FD5475E83037358698D66188D32D3ADE4F4EE7F733C5F897EC6702FEAB73", "href": "https://www.ibm.com/support/pages/node/290023", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-06-28T21:59:07", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin,[ Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nTSPM 7.0| WAS 7.0 \nTSPM 7.1| WAS 7.0 \nWAS 8.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n1 February 2017: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS 
Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Internal Use Only\n\nPSIRT PRID: 89883 \n\n[{\"Product\":{\"code\":\"SSNGTE\",\"label\":\"Tivoli Security Policy Manager\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.0;7.1\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB24\",\"label\":\"Security Software\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:50:08", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T21:50:08", "id": 
"D311C4613E37B27918A0B9E5911867460F3D21D634C309E0D56DB7349F67B74E", "href": "https://www.ibm.com/support/pages/node/290901", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:50:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Access Manager for e-business and IBM Security Access Manager version 7.0 software. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [\"Denial of Service with WebSphere Application Server (CVE-2016-8919)\"](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \n \nIBM Tivoli Access Manager for e-business 6.0, 6.1, 6.1.1| \nIBM WebSphere Application Server 7.0 \n \nIBM Security Access Manager for Web 7.0 (software)| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:49:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Access Manager for e-business and IBM Security Access Manager version 7.0 software (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T21:49:57", "id": "B2D738D495357B6A6F988B5B24AFC26D143E96F8175777E6CE2CE15CDCD2E8E0", "href": "https://www.ibm.com/support/pages/node/290365", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:44", "description": "## Summary\n\nThere is a potential denial of service with WebSphere Application Server with SOAP connectors. \n\n## Vulnerability Details\n\nPlease consult the security bulletin for vulnerability details and information about fixes: \n\n * [**Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of IBM WebSphere Application Server that IBM WebSphere Application Server Patterns supports: \n\n * Version 8.0 traditional\n * Version 8.5.5 traditional \n * Version 9.0 traditional\n\n## Remediation/Fixes\n\nTo patch an existing PureApplication Virtual System Instance, apply the patch using the PureApplication Maintenance fix process. 
\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:58", "type": "ibm", "title": "Security Bulletin: Security vulnerability affects IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server on Cloud", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:58", "id": "E6182FFFFCDEB9AAD2D4DF793CC4E3F38E0E1DFDE44F8F6EABE5383EC6CB58CD", "href": "https://www.ibm.com/support/pages/node/290175", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:44:52", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Netcool Impact. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Netcool Impact 6.1.x| IBM WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Netcool Impact 6.1.x| This vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PI73519.](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) \nFor instruction on how to upgrade IBM WebSphere Application Server see the latest 6.1.* IBM Tivoli Netcool Impact Fix Pack readme. \n\n\\--OR-- \n\nApply Fix Pack 7.0.0.43 or later (targeted availability 24 April 2017*). \n\n \n \n_* Note this date is a scheduled date and does not represent a formal commitment by IBM._ \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:38:54", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 
6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T15:38:54", "id": "3295A5B404301FFFBCC0048CA18EC9488AE38BD5B689038192F853720B4FCF1F", "href": "https://www.ibm.com/support/pages/node/558483", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:39", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Potential Cross-site scripting vulnerability in WebSphere Application Server ](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:07:04", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:07:04", "id": "F38918D5F16993392DB8CEDA2D060D93DC7FA6787985A4BA01F2EC5B7D425F88", "href": "https://www.ibm.com/support/pages/node/292017", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:46:09", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [_Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:34:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T15:34:14", "id": "91B6BA027BFC49F4F23C4AB3FE83336E62B2EA9F0FC3AB35DBCA8F664E8F55C3", "href": "https://www.ibm.com/support/pages/node/290385", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:41:34", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server. \n**Versions 7.1.x.x : Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.0, and 7.0.| [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) \n \n**ClearCase Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. 
Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-07-10T08:34:12", "id": "B24A96EC081A0578A55C688511BE4ED453BC2B72438C6DF0DD5135F5FC69F4AA", "href": 
"https://www.ibm.com/support/pages/node/290181", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:39:08", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability only applies to the server component.\n\n**Versions 7.1.x.x: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.0, and 7.0.| [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. 
Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2020-02-04T16:40:40", "id": "6609091280A6265ACF23CC819056F828A2821488E85E726131FA51BDBE28BD88", "href": "https://www.ibm.com/support/pages/node/290309", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:51:53", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM InfoSphere Identity Insight. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPotential Denial of Service in WebSphere Application Server with SOAP connectors.\n\n## Affected Products and Versions\n\nIBM InfoSphere Identity Insight 8.1.x\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM Embeddable WebSphere Application Server which is shipped with IBM InfoSphere Identity Insight. \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM InfoSphere Identity Insight 8.1.x| IBM Embeddable WebSphere Application Server version 7.0.0.17| [Potential Denial of Service in WebSphere Application Server with SOAP connectors](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n## ", "cvss3": {}, "published": "2018-06-16T13:47:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM InfoSphere Identity Insight (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T13:47:09", "id": "A1443A5159346F026B4AD311838BD38F0642FFB9585AD38025A4F1C9922845F0", "href": "https://www.ibm.com/support/pages/node/294895", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:50:01", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms| WebSphere Application Server v8.5.5 \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms| WebSphere Application Server v8.5.5.7 \nIBM Security Key Lifecycle Manager (SKLM) v2.7 on distributed platforms| WebSphere Application Server v9.0.0.1 \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:50:20", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-8919"], "modified": "2018-06-16T21:50:20", "id": "6CF712EC46E650EA0B3532ABACC5EB4ED5C9F8F8B5F77D0B96DCFD88A9040D1E", "href": "https://www.ibm.com/support/pages/node/291689", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:50:01", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security/Tivoli Directory Server. Information about a security vulnerability affecting IBM Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease see the following security bulletin for vulnerability details: \n[Potential denial of service with WebSphere Application Server with SOAP connectors](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) (CVE-2016-8919).\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as a component \n---|--- \nIBM Security Directory Server Version 6.4| IBM WebSphere Application Server Version 8.5.5.9 \nIBM Security Directory Server Version 6.3.1 and \nTivoli Directory Server Version 6.3| IBM WebSphere Application Server Version 7.0.0.41 \n \n## Remediation/Fixes\n\n \nApply WebSphere Application Server Interim Fix [_PI73519_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>). 
\nAfter applying the interim fix, refer to the SDS [recommended fixes](<http://www.ibm.com/support/docview.wss?uid=swg27009778>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:50:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Websphere Application Server shipped with IBM Security/Tivoli Directory Server (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T21:50:17", "id": "28CC49FB103280BB14EF3B3C2643BB48718832E42B21E80C929F84D323F98BEE", "href": "https://www.ibm.com/support/pages/node/291409", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:50:04", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin, [Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2, 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2, 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:50:08", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, 
"cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T21:50:08", "id": "D298FA6BEB1855A11B72B3942004181440E190878F6AEBEF802D8B5D57A6AF14", "href": "https://www.ibm.com/support/pages/node/290807", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:44", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Denial of Service with WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:06:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:59", "id": "4B8B028335F38A81B875EEDB76A203E73DFD0F84677B9AAD2F4DCDE90DD3AC4E", "href": "https://www.ibm.com/support/pages/node/290605", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:46:07", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin[_ Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nTivoli Network Manager IP Edition 3.9.0 | Bundled the TIP version 2.1.0.x which bundled IBM WebSphere version 7.0.0.x. \nTivoli Network Manager IP Edition 4.1 | Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x. \nTivoli Network Manager IP Edition 4.1.1 | Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x. \nTivoli Network Manager IP Edition 4.2.0 | IBM Tivoli Network Manager 4.2 requires IBM WebSphere Application Server Version 8.5.5.5 or a later version to be installed separately. Users are advised to apply the IBM WebSphere version 8.5.5.5 Security Interim Fixes. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:34:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Network Manager IP Edition (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2016-8919"], "modified": "2018-06-17T15:34:31", "id": "71BD98D15863867D1955C6BE20CE38B1FCD81182C4462C5AD7B097E20B1704EE", "href": "https://www.ibm.com/support/pages/node/290431", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:50", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:59", "type": "ibm", "title": "Security Bulletin: Denial of Service with IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:59", "id": "5DCFD439936E2F8A52E5C8672372D872D6A4B217ABE8891AB553B9118FD960DE", "href": "https://www.ibm.com/support/pages/node/290661", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:52:44", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of OpenPages GRC Platform. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nOpenPages GRC Platform Standard Edition 7.3| IBM WebSphere Application Server 8.5.5.9 \nOpenPages GRC Platform Standard Edition 7.2| IBM WebSphere Application Server 8.5.5.5 \nOpenPages GRC Platform Standard Edition 7.1| IBM WebSphere Application Server 8.5.5.2 \nOpenPages GRC Platform Standard Edition 7.0| IBM WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T22:48:26", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with OpenPages GRC Platform (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T22:48:26", "id": 
"860EED3D9CEA7E95A62905473DB727412A3D17D7F13C770B6FB6D63CC3CAD663", "href": "https://www.ibm.com/support/pages/node/291019", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:53:46", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5,9.0| [_Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:57", "id": "FA3C7B721E4B1CAF2DD4403DE9BF7931562B63D98C19B634C38865E05C45DF36", "href": "https://www.ibm.com/support/pages/node/289967", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-10-01T01:54:50", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM License Metric Tool 7.x and IBM Tivoli Asset Discovery for Distributed 7.x servers. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-8919_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8919>) \nDESCRIPTION: IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Asset Discovery for Distributed v7.5| WebSphere Application Server v7 \nIBM License Metric Tool v7.5| WebSphere Application Server v7 \n \n## Remediation/Fixes\n\nApply Interim Fix for a WebSphere Application Server as described in the following technote: <http://www-01.ibm.com/support/docview.wss?uid=swg21993797>\n\n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n24 February 2017 : Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud & Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 
shipped with IBM License Metric Tool 7.x and IBM Tivoli Asset Discovery for Distributed 7.x (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2021-04-26T21:17:25", "id": "E113332A5414D5938986A807B55833A60DA76B753C924BAD31BD440A18A61C93", "href": "https://www.ibm.com/support/pages/node/292859", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:51:26", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. 
Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin \n[_Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www.ibm.com/support/docview.wss?uid=swg21993797>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is/are shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0| [_Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T20:08:37", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T20:08:37", "id": 
"E9815A3B04E1EB0668298517258C04B83A614591F0C92919380E17504AB710DE", "href": "https://www.ibm.com/support/pages/node/293865", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:47:54", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.11 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T12:17:41", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 
10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T12:17:41", "id": "F7641FBFC3FEE710BEC608E58B5B1DE011444B647312DE547514C14638035FCC", "href": "https://www.ibm.com/support/pages/node/289885", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:47:53", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, 
"impactScore": 3.6}, "published": "2018-06-17T12:17:42", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T12:17:42", "id": "25FD18258A26691264DEBBCCBA1D7490F913AE13FC136566A3F1377AB0AFBD37", "href": "https://www.ibm.com/support/pages/node/290695", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:53", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nConsult: [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>)._ \n_[](<http://www-01.ibm.com/support/docview.wss?uid=swg21991469>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n \n---|--- \nIBM Business Monitor V8.5.7| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.6| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.5| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.0.1.3| WebSphere Application Server V8.0 \n \n## Remediation/Fixes\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:49", "id": "8DD72BF6B48CC7E3A22134A69D2AE261895AD3165F7ABE79CDBBFB7F9422199F", 
"href": "https://www.ibm.com/support/pages/node/287323", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:38:45", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about a security vulnerability affecting Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, 1.0.1, 1.1, 1.1.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is shipped with Predictive Customer Intelligence. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [_Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [_Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in 
Websphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2020-02-11T21:31:00", "id": "86DB132AD151A8E40020A0B23000EE7EBA54ED84C7245575EF0890BC153DB650", "href": "https://www.ibm.com/support/pages/node/290999", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:47", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Process Manager, WebSphere Process Server, and WebSphere Lombardi Edition. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin \n\n * [](<http://www.ibm.com/support/docview.wss?uid=swg21992315>)[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>)\nfor vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n\\- IBM Business Process Manager V7.5.0.0 through V7.5.1.2 \n\n\\- IBM Business Process Manager V8.0.0.0 through V8.0.1.3\n\n\\- IBM Business Process Manager V8.5.0.0 through V8.5.0.2\n\n\\- IBM Business Process Manager V8.5.5.0 \n\n\\- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2\n\n\\- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 CF 2017.03\n\n\\- WebSphere Process Server V7.0.x\n\n\\- WebSphere Lombardi Edition V7.2.0.x\n\nAt the time of shipping IBM Business Process Manager V8.5.7.0 CF 2017.03, WebSphere Application Server 8.5.5.11 is the latest available fixpack. CF 2017.03 installation instructions include a reference to this vulnerability and advise to manually install the required Interim Fix.\n\n \n_For__ earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:57", "type": "ibm", "title": "Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, 
"vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:57", "id": "EE8BF9A0EF2479FC1B1957C736D189D791B61FA235FC54164370BEB1A326EBB9", "href": "https://www.ibm.com/support/pages/node/289933", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:51:56", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM ILOG ODM Enterprise. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Denial of Service with WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM ILOG ODM Enterprise v3.6 - v3.6.0.1| IBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {}, "published": "2018-06-16T13:45:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM ILOG Optimization Decision Manager Enterprise (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-16T13:45:22", "id": "38E3695C5B3EE4D15780660A89F4D26019A58543CF739F5287F581F2B2B6A7D3", "href": "https://www.ibm.com/support/pages/node/289909", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:56:21", "description": "## Summary\n\nThere is a potential denial of service with WebSphere Application Server with SOAP connectors. \nImportant information was added to the Remediation/Fixes section on February 22, 2017. 
\n\n## Vulnerability Details\n\n**Important information was added to the Remediation/Fixes section on February 22, 2017.** \n \n \n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5.5 \n * Version 8.0 \n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR [PI73519](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) for each named product as soon as practical. ** \nFor WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition: ** \n** \nFor V9.0.0.0 through 9.0.0.3 traditional:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73519 ](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.4 or later. 
\n** \nFor V8.5.0.0 through 8.5.5.11 traditional:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73519](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.12 or later. \n** \nFor V8.0.0.0 through 8.0.0.12 traditional:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73519](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.14 or later. \n** \nFor V7.0.0.0 through 7.0.0.41 traditional:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73519](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.43 or later. \n \n \n**NOTE:** There was a potential regression in the interim fixes that were delivered prior to 16 February 2017. If you have the earlier version of the interim fix then you could see the following exception in your Systemout or trace outputs: \n` \nException in thread \"GetNotification_1\" java.lang.reflect. 
\n \nCaused by: SOAPException: faultCode=SOAP-ENV:ServerException; \nmsg=The Soap RPC call can't be unmarshalled.\u00a8 \nat com.ibm.ws.management.connector.soap.SOAPConnectorClient. \n` \nIf you see these exceptions, then download a version of the interim fix dated 17 February 2017 or later.\n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:31", "type": "ibm", "title": "Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:31", "id": "B53AD5E2D2A2AF474127E24591478FB8781BD315607546C5DA3DE7FF21443FCD", "href": "https://www.ibm.com/support/pages/node/556537", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:52:17", "description": "## Summary\n\nA vulnerability has been identified in the IBM Websphere Application Server (WAS) that is embedded in IBM FSM. This update addresses this issue. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM using the instructions referenced in this table. \n \n\n\nProduct | \n\nVRMF | \n\nRemediation \n---|---|--- \n \nFlex System Manager | \n\n1.3.4.0 | \n\nInstall [fsmfix1.3.4.0_IT19246](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT19246&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFlex System Manager | \n\n1.3.3.0 | \n\nInstall [fsmfix1.3.3.0_IT19246](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT19246&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFlex System Manager | \n\n1.3.2.1 \n1.3.2.0 | \n\nInstall [fsmfix1.3.2.0_IT19246](<https://www-945.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT19246&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFor all VRMF not listed in this table, IBM recommends upgrading to a fixed and supported version/release of the product. 
\n \nFor a complete list of FSM security bulletins refer to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:35:34", "type": "ibm", "title": "Security Bulletin: IBM Flex System Manager (FSM) is affected by a IBM Websphere Application Server (WAS) vulnerability (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-18T01:35:34", "id": "4A06B161C20E461A58FD910D4170D3E247E39F42D22748E77652F8DE561F969A", "href": "https://www.ibm.com/support/pages/node/630881", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:47", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. 
\nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin Security Bulletin : Potential Denial of Service in WebSphere Application Server with SOAP connectors (CVE-2016-8919) [www-01.ibm.com/support/docview.wss?uid=swg24043247](<http://www-01.ibm.com/support/docview.wss?uid=swg24043247>)\n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \nIBM Business Monitor V8.0.1.3\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:57", "id": "4C218E414C3F69864BE869919E7D9188BEF26A482ED359E714009D5232ED5570", "href": "https://www.ibm.com/support/pages/node/289921", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:53:46", "description": 
"## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM WebSphere Service Registry and Repository. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin: \n \n[Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) \n \nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) \n\n| \n\nAffected Supporting Product and Version \n \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server V8.0 \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:57", "type": "ibm", "title": "Security Bulletin: Vulnerability identified in IBM WebSphere Application Server shipped with IBM WebSphere Service Registry and Repository (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-15T07:06:57", "id": "DF1E9BDB92169D884822F099433AE49D99725BDE57D69AD10D1A2ADE2C7BF3E0", "href": "https://www.ibm.com/support/pages/node/289917", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:10", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin[ Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:34:04", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T15:34:04", "id": "E79B1CBF1524EDF0CFB25255419FAA5ADAFCD6176139338206646C7E39D87AC8", "href": "https://www.ibm.com/support/pages/node/289991", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:03", "description": "## Summary\n\nInside the Tivoli Integrated Portal there is a potential denial of service with WebSphere Application Server with SOAP connectors in the underlying eWAS. \n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nFastBack for Workstations Central Administration Console (CAC) 6.3.\n\n## Remediation/Fixes\n\n**FastBack for Workstations CAC 6.3** \nThe fix for FastBack for Workstations CAC 6.3 will be to update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 and then apply the WAS interim fix pack PI73519. \n \n**_Update embedded eWAS to 7.0.0.41_** \nTo update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41, click on the following link: \n[http://www.ibm.com/support/docview.wss?uid=swg21981056](<http://www-01.ibm.com/support/docview.wss?uid=swg21981056>) \nand then download 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak \n \nTo update the embedded eWAS, do the following: \n\n\n 1. If not already at the CAC 6.3.1.1 version upgrade to this version.\n 2. Stop the Tivoli Service: Tivoli Integrated Portal - V2.2_TIPProfile_Port_16310\n 3. 
Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak file downloaded earlier \n\n**_Apply WAS interim fix pack PI73519_** \nIn order to obtain the PI73519 fix, refer to the WAS security bulletin: \n<http://www-01.ibm.com/support/docview.wss?uid=swg24043247> \nClick on the Fix Central (FC) download link for 7.0.0.37-WS-WAS-IFPI73519. Once downloaded, there will be a Readme.txt file and a 7.0.0.37-WS-WAS-IFPI73519.pak file. \n \nTo apply the interim fix after having upgraded to eWAS 7.0.0.41, do the following: \n\n\n 1. Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the 7.0.0.37-WS-WAS-IFPI73519.pak file downloaded earlier\n 2. 
Restart the Tivoli Service or reboot the machine \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:35:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Tivoli Integrated Portal shipped with IBM Tivoli Storage Manager FastBack for Workstations (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T15:35:51", "id": "94B4745A12693F764247E6D0E442D91B5CA4C4A7AE80BC5EC5B4AE245AFFE440", "href": "https://www.ibm.com/support/pages/node/292063", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:47:53", "description": "## Summary\n\nIBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources in IBM Content Collector for Email.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-8919](<https://vulners.com/cve/CVE-2016-8919>) \n**DESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a 
denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118529> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector for Email v3.0 \nIBM Content Collector for Email v4.0 \nIBM Content Collector for Email v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for Email | 3.0| Use IBM Content Collector for Email 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Email | 4.0| Use IBM Content Collector for Email 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Email | 4.0.1| Use IBM Content Collector for Email 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T12:17:44", "type": "ibm", "title": "Security Bulletin: WebSphere Application Server vulnerability in IBM Content Collector for Email", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2018-06-17T12:17:44", "id": "B75E162D2CBA6CF870D30FB620B711AB192ED67D9C447723E650911CCE5632AF", "href": "https://www.ibm.com/support/pages/node/291255", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:36:49", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM InfoSphere Global Name Management. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM InfoSphere Global Name Management 5.x\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM Embeddable WebSphere Application Server which is shipped with IBM InfoSphere Global Name Management. \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM InfoSphere Global Name Management 5.x| IBM Embeddable WebSphere Application Server version 8.0.0.4| [Potential Denial of Service in WebSphere Application Server with SOAP connectors](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n## ", "cvss3": {}, "published": "2022-04-20T17:04:55", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM InfoSphere Global Name Management (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-8919"], "modified": "2022-04-20T17:04:55", "id": "004A55EC5AFFF9F8642699A1B717B83364A3D2020F683FFBF6C8A3EF22CAC3EB", "href": "https://www.ibm.com/support/pages/node/294899", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T17:44:32", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**| **Affected Supporting Products** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.5.0.1, V1.5.0.2, V1.6, V1.6.0.1, V1.6.0.2, and V1.6.0.3| IBM WebSphere Application Server V7.0 \nIBM Intelligent City Planning and Operations V1.5, or later \nIBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Operations for Transportation V1.5.0, or later \nIBM Intelligent Operations for Water V1.5.0, or later \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www.ibm.com/support/docview.wss?uid=swg21993797>). 
Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919"], "modified": "2022-08-19T21:04:31", "id": "11A48BDEC7C322728D5C38E2A65C6152345555E3DC5223860FFCEB2424F46D5E", "href": "https://www.ibm.com/support/pages/node/290021", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:50:19", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin, [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nTSPM 7.0| WAS 7.0 \nTSPM 7.1| WAS 7.0 \nWAS 8.0 \n \n## Remediation/Fixes\n\nIBM Tivoli Security Policy Manager (TSPM) is affected through IBM WebSphere Application Server. If you are running TSPM with one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin, [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>).\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:48:38", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T21:48:38", "id": "5D5511FB05FC37444DAD215E7692D2A296E9AEECC91702B6E9BD1D11BCFE5407", "href": "https://www.ibm.com/support/pages/node/287051", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:09", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security Identity Manager (ISIM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the [IBM WebSphere deserialization of untrusted data (CVE-2016-5983)](<https://www-01.ibm.com/support/docview.wss?uid=swg21990060>) security bulletin for more details\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Security Identity Manager version 6.0 and IBM Tivoli Identity Manager version 5.1| IBM Websphere Application Server 7.0, 8.0, 8.5 and 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:47:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Websphere Application Server shipped with IBM Security Identity Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": 
{"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T21:47:59", "id": "0681C227FE92A8AB5C0594A63C254BCA7CA821D8AB7BAEB8A33FF0D16BFE06D6", "href": "https://www.ibm.com/support/pages/node/556837", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:12", "description": "## Summary\n\nIBM WebSphere Application Server and Liberty is shipped as a component of IBM Tivoli Netcool Impact. Information about a security vulnerability affecting IBM WebSphere Application Server and Liberty has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Netcool Impact 6.1.x| IBM WebSphere Application Server 7.0 \nIBM Tivoli Netcool Impact 7.1.x| IBM WebSphere Application Server Liberty 8.5.5.x, 16.0.0.2 and 16.0.0.3 \n \n## Remediation/Fixes\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Netcool Impact 6.1.x| For V7.0.0.0 through 7.0.0.41: \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI70737](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.43 or later (targeted availability 2Q2017). 
\nIBM Tivoli Netcool Impact 7.1.x| For Liberty: \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI62375](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) \n\\--OR-- \n\u00b7 Apply Liberty Fix Pack 16.0.0.4 or later (targeted availability 9 December 2016). \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:32:55", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server and Liberty shipped with IBM Tivoli Netcool Impact (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:32:55", "id": "F4EFF02429AD4384CA34D223887849DF7B877D5977A34EE9E2677775B01FE19D", "href": "https://www.ibm.com/support/pages/node/288545", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:08:14", "description": "## Summary\n\nThe IBM Emptoris Contract Management product is affected by a vulnerability that exists in the IBM Websphere Application Server. 
The security bulletin includes issues disclosed as part of the IBM WebSphere Application Server updates. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.1.x\n\n## Remediation/Fixes\n\nAn interim fix has been issued for the IBM WebSphere Application Server (WAS) which is not susceptible to this vulnerability. Customers running any of the IBM Emptoris Contract Management should apply the interim fix to all IBM WebSphere Application Server installations that are used to run IBM Emptoris Contract Management. Please refer to [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for details. \n \nSelect the appropriate WebSphere Application Server fix based on the version being used for IBM Emptoris Contract Management product version. The following table lists the IBM Emptoris Contract Management along with the corresponding required version of IBM WebSphere Application Server and a link to the corresponding fix version where further installation instructions are provided. 
\n \n**Emptoris Product Version**| **WAS Version**| **Interim Fix** \n---|---|--- \n9.5.x.x| 8.0.0.x| Apply Interim Fix [_PI70737_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n10.0.0.x, 10.0.1.x| 8.5.0.x \n10.0.2.x, 10.0.4| 8.5.5.x \n10.1.x| 8.5.5.x \n \n## Workarounds and Mitigations\n\nNone\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide>) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator>)\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide>) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:10:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Contract Management (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T20:10:41", "id": "6788F1A96B921298C14A54FC3FE4C33EEAAC34E9DBECAF0ED22B8662EF114B62", "href": "https://www.ibm.com/support/pages/node/564101", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:28", "description": 
"## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Workload Scheduler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [](<http://www-01.ibm.com/support/docview.wss?uid=swg21978495>)<http://www-01.ibm.com/support/docview.wss?uid=swg21990060> for vulnerability details and information about fixes\n\n## Affected Products and Versions\n\nIBM Workload Scheduler is potentially impacted by the listed vulnerability since it potentially affects secure communications between eWAS and subcomponents. \n \nThe affected version is: \nTivoli Workload Scheduler Distributed 8.6.0 \nTivoli Dynamic Workload Console 8.6.0 \nTivoli Workload Scheduler z/OS Connector 8.6.0\n\n## Remediation/Fixes\n\nIBM has provided patches for all embedded WebSphere versions. \n \nFollow the instructions in the link below to install the fixes for eWAS 7.0.0.39 that is embedded in TWS 8.6 fixpack 04 : \n \n<http://www-01.ibm.com/support/docview.wss?uid=swg21990060> \n \nFor TWS 8.6 version, the fixes can be applied only on top of TWS 8.6 fixpack 04. 
\n \n_For unsupported versions, releases or platforms IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:31:53", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0IBM WebSphere Application Server\u00a0shipped with\u00a0Tivoli Workload Scheduler (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:31:53", "id": "87F9F17A2139C18ED1651C78BD6B6B9871F86AF41FBCB2650D11DD7F64C74352", "href": "https://www.ibm.com/support/pages/node/286913", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:46:31", "description": "## Summary\n\nIBM Tivoli Storage Manager FastBack Reporting requires the dependent product IBM WebSphere Application Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)._](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Storage Manager Fastback 6.1.0 through 6.1.12.1| IBM WebSphere Application Server 8.5.0.1 Full Profile \nIBM Tivoli Storage Manager Fastback 6.1.12.2 through 6.1.12.4| IBM WebSphere Application Server 8.5.5.4 Full Profile \n\nNote: WAS needs 8.5.5.8 as the minimal level for fixing the vulnerability. Please upgrade to WAS 8.5.5.8 to apply the fix. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:31:32", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server affecting IBM Tivoli Storage Manager FastBack Reporting (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:31:32", "id": "B480569E9EAAF60928F07D6B15EF8300E13C83515E1DC170316E4A43855FB862", "href": "https://www.ibm.com/support/pages/node/286181", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:53:33", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM ILOG Optimization Decision Manager Enterprise, Developer Edition / IBM Decision Optimization Center. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM ILOG Optimization Decision Manager Enterprise v3.5 - v3.7.0.2 \nIBM Decision Optimization Center v3.8 - v3.9\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is/are shipped with IBM Decision Optimization Center. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM ILOG Optimization Decision Manager Enterprise v3.5 - v3.7| IBM WebSphere Application Server 7.0| [Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \nIBM Decision Optimization Center v3.8 - v3.9| IBM WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:43:15", "type": "ibm", "title": "Security Bulletin: A potential security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Decision Optimization Center (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": 
"PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T13:43:15", "id": "0562A7C622FB9090483ADF1A395792B176E6127F2DE0622FB9F6EA76874B54B8", "href": "https://www.ibm.com/support/pages/node/552963", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:20", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Netcool Performance Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [**_Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nTivoli Netcool Performance Manager 1.4.2| IBM WebSphere Application Server 8.5.5.4 \nTivoli Netcool Performance Manager 1.4.1| IBM WebSphere Application Server 8.5.0.1 \nTivoli Network Performance Manager 1.4| IBM WebSphere version 8.5.0.1 (Bundled in the Jazz for Service Management version 1.1.0.2) \nTivoli Network Performance Manager 1.3.3| IBM WebSphere version 7.0.0.x (Bundled the TIP version 2.1.0.x) \nTivoli Network Performance Manager 1.3.2| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \nTivoli Network Performance Manager 1.3.1| IBM WebSphere version 7.0.0.x (Bundled in the TIP version 2.1.0.x) \n \n## Remediation/Fixes\n\nRemediation is available at the security bulletin [**_Code execution vulnerability in WebSphere Application Server 
(CVE-2016-5983)_**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>)\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:29:30", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Tivoli Netcool Performance Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:29:30", "id": "778D5DFC07927E0976A1EE0D444F4B2AF071C29E58642C35B6240F099747720E", "href": "https://www.ibm.com/support/pages/node/554231", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:27", "description": "## Summary\n\nThere is a potential code execution vulnerability in WebSphere Application Server. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Liberty \n * Version 9.0 \n * Version 8.5.5 \n * Version 8.0 \n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI62375 or PI70737 for each named product as soon as practical. \n**Note:** There was an issue with PI62375 for Traditional WebSphere Application Server. If you are using IBM Connections Desktop Client Plugin, failures related to HTTP client may occur. If you have already downloaded the interim fix for PI62375 and have not had any issues, you do not need to replace it with the new interim fixes for PI70737. This was an interim fix only issue relating to certain HTTP clients. \n \n**For WebSphere Application Server and WebSphere Application Server Hypervisor Edition:** \n**For Liberty:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI62375](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) \n\\--OR-- \n\u00b7 Apply Liberty Fix Pack 16.0.0.4 or later. 
\n \n**For V9.0.0.0 through 9.0.0.1:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI70737](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.2 or later. \n \n**For V8.5.0.0 through 8.5.5.10 Full Profile:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI70737](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.11 or later. \n\n**For V8.0.0.0 through 8.0.0.12:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI70737](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.13 or later. 
\n\n**For V7.0.0.0 through 7.0.0.41:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI70737](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)\n\n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.43 or later.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:14", "type": "ibm", "title": "Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983).", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-15T07:06:14", "id": "1434ACB4C48D9824B7B84B50841F02EBC26205F84E101711416B027D2557AD26", "href": "https://www.ibm.com/support/pages/node/551187", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:20", "description": "## Summary\n\nThere is a potential code execution vulnerability in WebSphere Application Server Liberty Profile used by IBM MessageSight.\n\n## Vulnerability Details\n\n**CVEID:** 
[CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM MessageSight 1.1 \u2013 2.0\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \n_IBM MessageSight_| _1.1_| _IT18441_| [**_1.1.0.1-IBM-IMA-IFIT18441_**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.1.0.1-IBM-IMA-IFIT18441&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n_IBM MessageSight_| _1.2_| _IT18441_| [**_1.2.0.3-IBM-IMA-IFIT18441_**](<http://www.ibm.com/support/docview.wss?uid=swg21996185>) \n_IBM MessageSight_| _2.0_| _IT18441_| [**_2.0.0.1-IBM-IMA-IFIT18441_**](<http://www.ibm.com/support/docview.wss?uid=swg21996175>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:32:07", "type": "ibm", "title": "Security Bulletin: Code execution vulnerability in IBM MessageSight (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:32:07", "id": "21C98DE98E9374C4CF11A15D5C86502E772ED8CD0C2E42213CE01503AAB9766C", "href": "https://www.ibm.com/support/pages/node/287097", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin[ Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<https://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, 
"impactScore": 5.9}, "published": "2018-06-16T21:48:02", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T21:48:02", "id": "F79F1906EA54AB2D37EF20E76EBAEA53E4E25BB3996B08D6FED860ECE70287DA", "href": "https://www.ibm.com/support/pages/node/557119", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:21", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. 
Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21990060_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:29:26", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:29:26", "id": "237BBBA9548654864D2FE412BB3C8101EFD132E51D2D0A5101F8435F2DA56C43", "href": "https://www.ibm.com/support/pages/node/553867", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:39:38", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability affects only the server component.\n\n**Versions 7.1.x.x:**\n\nNot affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 8.5.5, 8.5, 8.0, and 7.0| [](<http://www.ibm.com/support/docview.wss?uid=swg21990060>)[Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. 
\n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2020-02-04T16:40:40", "id": "70DC2A30E72FE178C160BDBD013AC7631F1DE502FB35203760983EF33612E2E9", "href": "https://www.ibm.com/support/pages/node/553163", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:43:49", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server V7.0 \n \n## Remediation/Fixes\n\nConsult the security bulletin: [Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<www.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:28:37", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": 
"2018-06-17T22:28:37", "id": "0DF637B3284998466CF9C2A812E445BBD165260B4415CB473400F55711361A99", "href": "https://www.ibm.com/support/pages/node/552949", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:57", "description": "## Summary\n\nThe IBM\u00ae WebSphere\u2122 Application Server is shipped with IBM SPSS Analytic Server. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section \n\n## Affected Products and Versions\n\nIBM SPSS Analytic Server 2.0.0.0 \nIBM SPSS Analytic Server 2.1.0.0 \nIBM SPSS Analytic Server 3.0.0.0\n\n## Remediation/Fixes\n\nAffected IBM SPSS Analytic Server users need to update their IBM WebSphere Application Server instances. Please refer to the following security bulletin for a list of the IBM WebSphere Application Server fixpacks that the fix is delivered in and for links to the interim fixes: [_http://www-01.ibm.com/support/docview.wss?uid=swg21990060_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>)\n\n## ", "cvss3": {}, "published": "2018-06-16T13:44:47", "type": "ibm", "title": "Security Bulletin: Vulnerability in the IBM WebSphere Application Server that is bundled with IBM SPSS Analytic Server (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T13:44:47", "id": "B5983E7776B85F8B471BF41894D79B06B277D9375223AEB0B2B7060D59865A92", "href": "https://www.ibm.com/support/pages/node/287821", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:45:21", "description": "## Summary\n\nIBM WebSphere Application Server Liberty is shipped as a component of IBM Operations Analytics Predictive Insights. 
Information about a security vulnerability affecting IBM WebSphere Application Server Liberty has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Operations Analytics - Predictive Insights 1.3.5 and earlier\n\n## Remediation/Fixes\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \n_IBM Operations Analytics Predictive Insights_| _1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4_| _Upgrade to IBM Operations Analytics Predictive Insights 1.3.5. Then apply Interim Fix_ [__16002-wlp-archive-IFPI62375__](<http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=16002-wlp-archive-IFPI62375&productid=WebSphere%20Liberty&brandid=5>) _to the <UI_HOME>/wlp location, where UI_HOME is typically /opt/IBM/scanalytics/UI_ \n_IBM Operations Analytics Predictive Insights_| _1.3.5_| _Apply Interim Fix_ [__16002-wlp-archive-IFPI62375__](<http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=16002-wlp-archive-IFPI62375&productid=WebSphere%20Liberty&brandid=5>) _to the <UI_HOME>/wlp location, where UI_HOME is typically /opt/IBM/scanalytics/UI_ \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:29:12", "type": 
"ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty shipped with IBM Operations Analytics Predictive Insights (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:29:12", "id": "F4B686A2FC89EE4E34E6E541C4CAE723235017E1AB5323D2E4FB5831F7D1599D", "href": "https://www.ibm.com/support/pages/node/553209", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:41:58", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component. \n**Versions 7.1.x.x : Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 8.5.5, 8.5, 8.0, and 7.0| [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) \n \n**ClearCase Versions**\n\n| \n\n**Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-07-10T08:34:12", "id": "B37880F51576751375FE7D9EBE05F55C5D38BE8567056EF4ABA103092A7E8CF9", "href": "https://www.ibm.com/support/pages/node/552857", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:22", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. 
Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \nWebGUI 8.1.0 GA and FP | Websphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:29:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:29:09", "id": "225BA36154E74070AF69A361EED7215084E8AB26B6C1580AE066C11B200C07AB", "href": "https://www.ibm.com/support/pages/node/552735", "cvss": {"score": 
6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:40", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0| [_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:05:31", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T20:05:31", "id": "B092A6E897951ECC10739C027B685833C755CC077686979313AFCEFA2A8170D2", "href": "https://www.ibm.com/support/pages/node/555217", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": 
"2023-02-21T01:37:45", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) Liberty profile is shipped as a component of IBM InfoSphere BigInsights Console. Information about security vulnerabilities affecting WAS Liberty profile has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin for vulnerability details and information about the fix. \n\n[**Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM InfoSphere BigInsights 2.x \n\nIBM InfoSphere BigInsights 3.x \n\n| IBM WebSphere Application Server Version 8.5 Liberty profile \n \n## Remediation/Fixes\n\n**_Fix:_**\n\n 1. Stop all BigInsights Services\n 2. Apply Interim Fix [_PI62375_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)\n 3. Start all BigInsights Services\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-08T20:59:42", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server (WAS) Liberty profile shipped with IBM InfoSphere BigInsights (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2021-04-08T20:59:42", "id": "FCDE037DAB880EAB81EB1E606586B130B29C6D1FFE94F82FA3DEEC0CD62E087F", "href": "https://www.ibm.com/support/pages/node/287801", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:25", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin: [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \nIBM Business Monitor V8.0.1.3 \nIBM Business Monitor V7.5.1.2 \n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-15T07:06:17", "id": "95D35E61A150C874B7D72B4FC3E221BBD460380DC67B596F8578BB0BE5B6DD01", "href": "https://www.ibm.com/support/pages/node/552823", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:50:19", "description": "## Summary\n\nA vulnerability has been identified in IBM WebSphere Application Server, which could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. IBM Security Access Manager appliances are affected by this vulnerability. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Security Access Manager for Web 8.0 appliances, all firmware versions. \n\nIBM Security Access Manager for Mobile 8.0 appliances, all firmware versions.\n\nIBM Security Access Manager 9.0 appliances, all firmware versions.\n\n## Remediation/Fixes\n\nIBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch. \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation** \n---|---|---|--- \nIBM Security Access Manager for Web| 8.0.0.0 - \n8.0.1.5| IV93187| 1\\. For versions prior to 8.0.1.5, upgrade to 8.0.1.5:[](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.1.3&platform=All&function=all>) \n[_8.0.1-ISS-WGA-FP0005_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.1.3&platform=All&function=all>) \n2\\. Upgrade to 8.0.1.5 IF1: \n[_8.0.1.5-ISS-WGA-IF0001_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.1.3&platform=All&function=all>) \nIBM Security Access Manager for Mobile| 8.0.0.0 - \n8.0.1.5| IV93249| 1\\. 
For versions prior to 8.0.1.5, upgrade to 8.0.1.5: \n[8.0.1-ISS-ISAM-FP0005](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Security+Access+Manager+for+Mobile&release=8.0&platform=Linux&function=all>) \n2\\. Upgrade to 8.0.1.5. IF 1: \n[8.0.1.5-ISS-ISAM-IF0001](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Security+Access+Manager+for+Mobile&release=8.0&platform=Linux&function=all>) \nIBM Security Access Manager| 9.0 - \n9.0.2.1| IV93187| 1\\. For versions prior to 9.0.2.1, upgrade to 9.0.2.1: \n[9.0.2-ISS-ISAM-FP0001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.0.0&platform=All&function=all>) \n2\\. Upgrade to 9.0.2.1 IF 1: \n[9.0.2.1-ISS-ISAM-IF0001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.0.0&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:49:22", "type": "ibm", "title": "Security Bulletin: IBM Security Access Manager appliances are affected by a vulnerability in IBM WebSphere Application Server (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T21:49:22", "id": "352ED7C655303F942271C987E60E2A8EBE2D5119B7874AA215EC3C5E75DE5571", "href": "https://www.ibm.com/support/pages/node/289031", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:48:39", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Rational Asset Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Version **\n\n| **Status** \n---|--- \nIBM Rational Asset Manager \nV7.5.2, V7.5.1, V7.5| Affected \n \n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:16:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational Asset Manager (CVE-2016-5983)", "bulletinFamily": 
"software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T05:16:22", "id": "213CEE268FCEE3A0445A4848726479C5F86515B98D1F34B418FA107E77219997", "href": "https://www.ibm.com/support/pages/node/552737", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:50:13", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin, [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Remediation/Fixes\n\nIBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway are affected through IBM WebSphere Application Server. If you use one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin, [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>).\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:48:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2016-5983)", "bulletinFamily": 
"software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T21:48:59", "id": "EC9C4942DC6B13EB8A7D2C5ED6757C645B967E343E6EFF8AEBCB6CB67C0FF535", "href": "https://www.ibm.com/support/pages/node/287825", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:19", "description": "## Summary\n\nThere is a code execution vulnerability in IBM WebSphere Application Server that affects FastBack for Workstations Central Administration Console.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nFastBack for Workstations Central Administration Console (CAC) 7.1 and 6.3.\n\n## Remediation/Fixes\n\n**FastBack for Workstations CAC 7.1** \nThe fix for FastBack for Workstations CAC 7.1 will be to apply the Liberty interim fix pack PI62375. 
\n \nIn order to obtain the PI62375 fix, refer to the WAS security bulletin: \n[http://www.ibm.com/support/docview.wss?uid=swg21990060](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \nClick on the link for Liberty interim fix pack PI62375. Click the FC (Fix Central) link to download the 8559-wlp-archive-IFPI62375. Once downloaded, there will be a Readme.txt file and the 8559-wlp-archive-IFPI62375.jar file. \n \nTo apply the interim fix, do the following:| \n\n\n 1. Stop the TSM FastBack for Workstations Central Administration Console service (CAC_Service)\n 2. Open an elevated command window and direct it to the location of the iFix jar\n 3. Run the command: java -jar 8559-wlp-archive-IFPI62375.jar --installLocation \"C:\\Program Files\\Tivoli\\TSM\\CAC\\wlp\" (Default install location shown) \n \nThe following launch options are available for the jar: \n \n\\--installLocation [LibertyRootDir] by default the jar will look for a \"wlp\" directory in its current location. If your Liberty profile install location is different than \"wlp\" and/or is not in the same directory as the jar then you can use this option to change where the jar will patch. [LibertyRootDir] can either be relative to the location of the jar or an absolute file path. \n \n\\--suppressInfo hides all messages other than confirming the patch has completed or error messages. \n\n 4. Start TSM FastBack for Workstations Central Administration Console service (CAC_Service) and the fix will become active in your runtime environment. \n \n\n**FastBack for Workstations CAC 6.3**** \n**The fix for FastBack for Workstations CAC 6.3 will be to update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 and then apply the WAS interim fix pack PI70737. 
\n \n**_Update embedded eWAS to 7.0.0.41_** \nTo update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 click on the following link: \n[http://www.ibm.com/support/docview.wss?uid=swg21981056](<http://www-01.ibm.com/support/docview.wss?uid=swg21981056>) \nand then download 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak \n \nTo update the embedded eWAS, do the following: \n\n\n 1. If not already at the CAC 6.3.1.1 version upgrade to this version.\n 2. Stop the Tivoli Service: Tivoli Integrated Portal - V2.2_TIPProfile_Port_16310\n 3. Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak file downloaded earlier \n\n**_Apply WAS interim fix pack PI70737_** \nIn order to obtain the PI70737 fix, refer to the WAS security bulletin:_ \n_[http://www.ibm.com/support/docview.wss?uid=swg21990060](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \nClick on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI70737. Click the HTTP download link for 7.0.0.41-WS-WAS-IFPI70737 . Once downloaded, there will be a Readme.txt file and a 7.0.0.41-ws-was-ifpi70737.pak file. \n \nTo apply the interim fix after having upgraded to WAS 7.0.0.41, do the following: \n\n\n 1. Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the 7.0.0.41-ws-was-ifpi70737.pak file downloaded earlier\n 2. 
Restart the Tivoli Service or reboot the machine \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:29:55", "type": "ibm", "title": "Security Bulletin: Code execution vulnerability in IBM WebSphere Application Server affects FastBack for Workstations Central Administration Console (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:29:55", "id": "81C5F9612FE5B69910817E868D17BA14709C182C25FBF7736631690D62594BA3", "href": "https://www.ibm.com/support/pages/node/555153", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:39", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Partner Gateway. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Code execution vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) \n\n| Product and Version shipped as a component \n---|--- \nWebSphere Partner Gateway Advanced/Enterprise Edition 6.2 through 6.2.1.4| WebSphere Application Server 6.1 \nWebSphere Application Server 7.0 \nWebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T20:05:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Partner Gateway Advanced/Enterprise Edition(CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T20:05:17", "id": "C6D3893A0A2AD210850BB8F4A26AB7C73EF4360C454D9EEA1A69850B46587C9E", "href": "https://www.ibm.com/support/pages/node/554233", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-11T15:10:18", "description": "## Summary\n\nCode Execution vulnerability in WebSphere Application Server bundled with IBM Jazz Team Server based Applications affects multiple products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM), and Rational Software Architect (RSA DM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 4.0 - 6.0.2 \n \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.2 \n \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.2 \n \nRational DOORS Next Generation 4.0.1 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.2 \n \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.2 \n \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.2 \n \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.2\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server and IBM WebSphere Application Server Liberty with the available versions of the products, and in addition to the bundled version some previous versions of WAS are also supported. For a remediation follow the WAS security bulletin appropriately: \n\n\n 1. Review the [_Security Bulletin: __Code execution vulnerability in WebSphere Application Server (__CVE-2016-5983__)_](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details. \n\n 2. 
Check the version of WAS, if any, that your deployment is actually using, and compare it against the list of affected versions in the security bulletin. \n\n 3. Review the **Remediation/Fixes** section in the [_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) for available fixes in the version that you are using. \n\n * NOTE: When installing the fixed WAS Liberty package use <JazzInstallLocation>/server/liberty/wlp as the location of the WAS Liberty installation, where <JazzInstallLocation> is the root folder of your CLM installation. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Code execution vulnerability in WebSphere Application Server affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2021-04-28T18:35:50", "id": 
"120F89D786DAFCEA904CDFDE3CC03CC57195A6BA2C76C63F6B4A814C241B114B", "href": "https://www.ibm.com/support/pages/node/553253", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:52:28", "description": "## Summary\n\nA vulnerability has been addressed in the IBM WebSphere Application Server Liberty Profile component of IBM Cognos Metrics Manager.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Cognos Metrics Manager 10.2.2\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. As the fix is in a shared component across the Business Intelligence portfolio, applying the BI Interim Fix will resolve the issue. Note that the prerequisites named in the links are also satisfied by an IBM Cognos Metrics Manager install of the same version. 
\n\n \n| Version| Interim Fix \n---|---|--- \nIBM Cognos Metrics Manager| 10.2.2| [IBM Cognos Business Intelligence 10.2.2 Interim Fix 14 ](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T23:17:51", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Websphere Application Server affects IBM Cognos Metrics Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-15T23:17:51", "id": "2E5C896ED71A7C63BA6B6E389880C03978BFA04CC2678267E26B3E7321AF2F55", "href": "https://www.ibm.com/support/pages/node/293343", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:52:37", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of OpenPages GRC Platform. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [IBM WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nOpenPages GRC Platform Standard Edition 7.3| IBM WebSphere Application Server 8.5.5.9 \nOpenPages GRC Platform Standard Edition 7.2| IBM WebSphere Application Server 8.5.5.5 \nOpenPages GRC Platform Standard Edition 7.1| IBM WebSphere Application Server 8.5.5.2 \nOpenPages GRC Platform Standard Edition 7.0| IBM WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T22:48:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with OpenPages GRC Platform (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-15T22:48:15", "id": "3807634CE4F716938A9C964BADF32046049F08DE0F20E027C1152B93AF6316FC", "href": "https://www.ibm.com/support/pages/node/290249", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:56:24", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM WebSphere Service Registry and Repository. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server V8.0 \nWebSphere Service Registry and Repository V7.5| WebSphere Application Server V7.0 \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:25", "type": "ibm", "title": "Security Bulletin: Vulnerability identified in IBM WebSphere Application Server shipped with IBM WebSphere Service Registry and Repository (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-15T07:06:25", "id": 
"056512202CC33AB21C4152EEC32EF3EE392ADAE1B891BC9D77AE9BD58B84F8D1", "href": "https://www.ibm.com/support/pages/node/555301", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:56", "description": "## Summary\n\nThere is a serialization vulnerability in IBM WebSphere Application Server which is used by IBM Streams. IBM Streams has addressed this vulnerability. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThe following versions may be impacted: \n\n * IBM Streams Version 4.2.0.2 and earlier\n * IBM InfoSphere Streams Version 4.1.1.2 and earlier\n * IBM InfoSphere Streams Version 4.0.1.3 and earlier\n * IBM InfoSphere Streams Version 3.2.1.6 and earlier\n * IBM InfoSphere Streams Version 3.1.0.8 and earlier \n\n## Remediation/Fixes\n\nNOTE: Fix Packs are available on IBM Fix Central. 
\n\n\n * **Version 4.2.0:**\n * Apply [4.2.0 Fix Pack 3 (4.2.0.3) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.2.0.0&platform=All&function=all>)\n * **Version 4.1.1**:\n * Apply [4.1.1 Fix Pack 3 (4.1.1.3) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.1.1.0&platform=All&function=all>)\n * **Version 4.0.1:**\n * Apply [4.0.1 Fix Pack 4 (4.0.1.4) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.0.1.0&platform=All&function=all>)\n * **Versions 3.2.1 and 3.1.0:**\n * For versions earlier than 4.x.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin. 
\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T13:45:39", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM WebSphere Application Server may affect IBM Streams (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-16T13:45:39", "id": "FB60355B6CF5CA4E3D9A93696E60907CED58B5F39B8C42390AB3184786F3B132", "href": "https://www.ibm.com/support/pages/node/290581", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:55", "description": "## Summary\n\nA code execution vulnerability has been discovered in IBM Cognos Business Intelligence installed by IBM Tivoli Common Reporting (TCR). TCR is included in IBM Jazz for Service Management (JazzSM). IBM has addressed the applicable CVE.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nTivoli Common Reporting 3.1 \n\nTivoli Common Reporting 3.1.0.1\n\nTivoli Common Reporting 3.1.0.2\n\nTivoli Common Reporting 3.1.2\n\nTivoli Common Reporting 3.1.2.1\n\nTivoli Common Reporting 3.1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \n \n\n\n**Tivoli Common reporting release**| **Remediation ** \n---|--- \n3.1.0.0 through 3.1.2| [Download 10.2-BA-CBI-<OS>64-IF0022](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n[Install 10.2-BA-CBI-<OS>64-IF0022](<http://www-01.ibm.com/support/docview.wss?uid=swg21967299>) \n3.1.2.1| [Download 10.2.1.1-BA-CBI-<OS>64-IF0018](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n[Install 10.2.1.1-BA-CBI-<OS>64-IF0018](<http://www-01.ibm.com/support/docview.wss?uid=swg21967299>) \n3.1.3| [Download 10.2.2-BA-CBI-<OS>64-IF0014](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n[Install 10.2.2-BA-CBI-<OS>64-IF0014](<https://www.ibm.com/support/knowledgecenter/SSEKCU_1.1.3.0/com.ibm.psc.doc/tcr_original/ttcr_cognos_out_tcr.html>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:37:48", "type": "ibm", "title": "Security Bulletin: IBM Jazz for 
Service Management (Jazz SM) is affected by a code execution vulnerability in IBM Tivoli Common Reporting (TCR) (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:37:48", "id": "7D9A5F2991077AA9574FC57673D25FBF554D22D590E6151ED3F7D8BBBA3D434A", "href": "https://www.ibm.com/support/pages/node/294785", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:23", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5,9.0| [_Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:21", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": 
"2018-06-15T07:06:21", "id": "4C3E9BA47DD2FADD1D2F72920168275F04EE75E47AE79D74B1E9E7D48E8C5ADE", "href": "https://www.ibm.com/support/pages/node/554011", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:48:42", "description": "## Summary\n\nA vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center. IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVE. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983%5Ch>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468%5Ch>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n \nIBM Spectrum Control 5.2.8 through 5.2.11 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7.1 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.12 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.\n\n## Remediation/Fixes\n\n \nThe solution is to apply an appropriate Tivoli Storage Productivity Center fix maintenance for each named product. Follow the link below, select the correct product version. Click on the download link and follow the Installation Instructions. The solution should be implemented as soon as practicable. 
\n_Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM Spectrum Control._\n\n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n \n \n**_IBM Spectrum Control 5.2.x and Tivoli Storage Productivity Center V5.1.x_** \n \n**Release**| **First Fixing VRM Level**| **Link to Fix/Fix Availability Target** \n---|---|--- \n5.2.x| 5.2.12| <http://www.ibm.com/support/docview.wss?uid=swg21320822> \n5.1.x| 5.1.1.13| <http://www.ibm.com/support/docview.wss?uid=swg21320822> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-22T19:27:34", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-5983", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2022-02-22T19:27:34", "id": "B3070CDC89694B6DDDE4CAF9B2A72605C462E75ECCFD37293A6ADF63D52940D9", "href": "https://www.ibm.com/support/pages/node/286535", "cvss": {"score": 6.5, "vector": 
"AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-06-03T17:43:15", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Aviation, Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nSmartCloud Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nSmartCloud Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 
\nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2022-09-22T03:02:31", "id": "AC94B80CCBC2EB56618366A30B69B9EE44D076505868D027EF028C829EF45AA3", "href": "https://www.ibm.com/support/pages/node/553729", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": 
"2023-06-03T17:44:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Intelligent Operations Center and related products. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Remediation/Fixes\n\nConsult the security bulletin: [Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<www.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T23:26:06", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Intelligent Operations Center products (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2022-08-19T23:26:06", "id": "43A6AB12EA2CF36465A8EA1AF578A0F7235298877A542981F53FF6ECF8555E96", "href": "https://www.ibm.com/support/pages/node/552945", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:47:33", "description": "## Summary\n\nIBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM eDiscovery Manager Version 2.2.2\n\n## Workarounds and Mitigations\n\nUpgrade to minimal fix pack levels as required OR apply Fix pack for WebSphere Application Server as mentioned in WebSphere Application Server security bulletin \n \n<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:08", "type": "ibm", "title": "Security Bulletin:IBM WebSphere deserialization of untrusted data in IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T12:17:08", "id": "0ED784332F1C687B91216DC2C17A7077E5BDDEBB4266C8F9FDF60C5EDF3EA448", "href": "https://www.ibm.com/support/pages/node/553689", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:47", "description": "## Summary\n\nIBM 
WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:54", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": 
false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T12:17:54", "id": "8F79D2A58294872E907CD64EDEF102AC9A962D6A809E0F42914B355A2DC384F8", "href": "https://www.ibm.com/support/pages/node/294049", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:27", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin Potential security vulnerability in [_WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>). \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: Potential security vulnerability with IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": 
"HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:12", "id": "9BE435454DACB8768FC256EDFA7E257961D1A1C3EA69888A96357F49067B254C", "href": "https://www.ibm.com/support/pages/node/294713", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:49:50", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin, [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nTSPM 7.0| WAS 7.0 \nTSPM 7.1| WAS 7.0 \nWAS 8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:51:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-16T21:51:14", "id": "87884175ECFBA8D8BD94DBA880A65189EC36D2543381FC2CD73A1CCE91D03236", "href": "https://www.ibm.com/support/pages/node/294889", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:56", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM 
Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [_http://www-01.ibm.com/support/docview.wss?uid=swg21996748_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:37:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T15:37:49", "id": "6510B32415FB6056A2624FB07DE2B42CCFF5953DB4CE49F4C978EC09BA079B38", "href": "https://www.ibm.com/support/pages/node/294801", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T17:45:50", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise edition. \n \nInformation about a potential security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n \nIn addition, a security vulnerability has been identified in Jazz for Service Management that is shipped with IBM Cloud Orchestrator Enterprise edition. \n \nInformation about \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>) \n**DESCRIPTION:** IBM WebSphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457 \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator V2.5| IBM Business Process Manager Standard V8.5.6 \nIBM Tivoli System Automation Application Manager V4.1 \nWebSphere Application Server V8.5.5 \nIBM Cloud Orchestrator V2.4 | IBM Business Process Manager Standard V8.5.5 \nIBM Tivoli System Automation Application Manager 4.1 \nWebSphere Application Server 8.5 \nIBM Cloud Orchestrator V2.3| IBM Business Process Manager Standard 8.5.0.1 \nIBM Tivoli System Automation Application Manager 4.1 \nWebSphere Application Server 8.0 \nIBM Cloud Orchestrator Enterprise V2.5, V2.4, V2.3| Jazz for Service Management 1.1.0.1 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Cloud Orchestrator, and supporting products IBM Business Process Manager Standard and IBM Tivoli System Automation Application Manager. 
\n \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator V2.5, through V2.5.0.2| IBM Business Process Manager Standard 8.5.6 - 8.5.7 \n \nIBM Tivoli System Automation Application Manager 4.1 - 4.1.0.1 \n \nWebSphere Application Server 8.5.5| [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \nIBM Cloud Orchestrator V2.4, through V2.4.0.4| IBM Business Process Manager Standard 8.5.0.1 \n \nIBM Tivoli System Automation Application Manager 4.1 \n \nWebSphere Application Server 8.0 \n \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Jazz for Service Management which is additionally shipped with IBM Cloud Orchestrator Enterprise edition. \n \n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator Enterprise V2.5, through V2.5.0.2| Jazz for Service Management 1.1.0.1| [Security Bulletin: Potential Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg22002464>) \nIBM Cloud Orchestrator Enterprise V2.4, through V2.4.0.4 \nIBM Cloud Orchestrator V2.3, V2.3.0.1 All editions | IBM Business Process Manager Standard 8.5.0.1 \n \nIBM Tivoli System Automation Application Manager 4.1 \n \nWebSphere Application Server 8.0 \n \nJazz for Service Management 1.1.0| Contact _IBM Support_ \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", 
"availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T22:33:31", "id": "AFCC8D64778E095307228BB2EFC0BA7EFE364EEFBCC328895796C30B8AE8C830", "href": "https://www.ibm.com/support/pages/node/609295", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:41:37", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server. 
\n**Versions 7.1.x.x : Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0.| [](<https://www-01.ibm.com/support/docview.wss?uid=swg21997743>)[Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) \n \n\n\n**ClearCase Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-07-10T08:34:12", "id": "7CACEC65AE1B6A93658FC1036992E1D68660EBEBF809E8F5624C791B2264E7F9", "href": "https://www.ibm.com/support/pages/node/294115", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:44:59", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Integrated Information Core. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>), for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server V7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>)[](<http://www.ibm.com/support/docview.wss?uid=swg21992315>). 
Installation instructions for the fix are included in the readme file that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:28:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T22:28:40", "id": "AA78017E77C6DE25EC48E196CEC49E926CC723505037966B91429F257DA144D2", "href": "https://www.ibm.com/support/pages/node/293973", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:38:36", "description": "## Summary\n\nWebSphere MQ V9.0 libraries are shipped in IBM Integration Bus and hence IBM Integration Bus is vulnerable to IBM WebSphere MQ JMS client deserialization RCE vulnerability. 
\n \n\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>) \n**DESCRIPTION:** IBM WebSphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \nPlease consult the security bulletin [IBM WebSphere MQ JMS client deserialization RCE vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=swg21983457>) for more details.\n\n## Affected Products and Versions\n\nIBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8\n\n## Remediation/Fixes\n\n**Product**| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nIBM Integration Bus| V10.0.0.0 to V10.0.0.9| IT21160 | The APAR is available in fix pack 10.0.0.10: <http://www-01.ibm.com/support/docview.wss?uid=swg24043943> \nIBM Integration Bus| V9.0.0.0 to V9.0.0.8| IT21160 | The APAR is available in fix pack 9.0.0.9: <http://www-01.ibm.com/support/docview.wss?uid=swg24043947> \n \n_Remediation for users of versions V9.0.0.7, V10.0.0.8 and above:_ \nIf MQ JMS is used, this vulnerability applies to you. To address it, the following steps are required: \n1\\. Apply the fix for IBM Integration Bus APAR IT21160 \n2\\. 
Specify the whitelist classes as below: \n \n`mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v <full qualified class names in comma separated form>` \n \nFor example: `mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v \\\"-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn\\\"` \n \n_Remediation for users of versions prior to V10.0.0.8 and V9.0.0.7:_ \nYou will need to update MQ. Consult the security bulletin [IBM WebSphere MQ JMS client deserialization RCE vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=swg21983457>) for details. \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-23T20:41:52", "type": "ibm", "title": "Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2020-03-23T20:41:52", "id": "0652F41D05CD120572DF6DD5C884CC6764A64E25C095F83A7BA314019036874F", "href": 
"https://www.ibm.com/support/pages/node/297039", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:34", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5,9.0| [_Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www.ibm.com/support/docview.wss?uid=swg21996748>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:09", "id": "7387456ACC07F9EBAAAF5AD5995B47629294A79264AE158FEE795E098E30CB66", "href": "https://www.ibm.com/support/pages/node/294019", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:18", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin \n[_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www.ibm.com/support/docview.wss?uid=swg21996748>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0| [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www.ibm.com/support/docview.wss?uid=swg21996748>) \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:08:58", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": 
"2018-06-16T20:08:58", "id": "50265EDE25BA65FCC20843B6501DB78AE1C7807F2BF5AD72A39FC8D805AF2A85", "href": "https://www.ibm.com/support/pages/node/294811", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:32", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Process Manager, WebSphere Process Server, and WebSphere Lombardi Edition. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n\\- IBM Business Process Manager V7.5.0.0 through V7.5.1.2 \n\n\\- IBM Business Process Manager V8.0.0.0 through V8.0.1.3\n\n\\- IBM Business Process Manager V8.5.0.0 through V8.5.0.2\n\n\\- IBM Business Process Manager V8.5.5.0\n\n\\- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2\n\n\\- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.03\n\nNote that 8.5.7.0 Cumulative Fix 2017.03 cannot automatically install interim fixes for the base Application Server. 
It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.\n\n \n_For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:10", "type": "ibm", "title": "Security Bulletin: A security vulnerability in WebSphere Application Server might affect IBM Business Process Manager (BPM), WebSphere Process Server (WPS) and WebSphere Lombardi Edition (WLE) (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:10", "id": "C5589143DA30D86428255EFD2ADF121F96FF8D82C17B89DAF84BE0F7EC959B3C", "href": "https://www.ibm.com/support/pages/node/294141", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:50", "description": "## Summary\n\nThere is a potential security vulnerability with the WebSphere Application Server MQ JCA Resource adapter. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional: \n\n * Version 9.0 \n * Version 8.5 and Version 8.5.5\n * Version 8.0 \n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical. **After applying the Interim Fix or moving up to the fix pack level with fix, follow the ClassName allowlisting instructions in the Reference section.** \n \n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition:** \n \n**For V9.0.0.0 through 9.0.0.2:** \n\u00b7 Upgrade to Fix Pack 9.0.0.1 or later and then apply Interim Fix [PI74874](<http://www-01.ibm.com/support/docview.wss?uid=swg24043423>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). 
\n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.3 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). \n \n**For V8.5.0.0 through 8.5.5.11:** \n\u00b7 Upgrade to Fix Pack Level 8.5.5.9 or later and then apply Interim Fix [PI74862](<http://www-01.ibm.com/support/docview.wss?uid=swg24043427>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.12 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). \n \n**For V8.0.0.0 through 8.0.0.13:** \n\u00b7 Upgrade to Fix Pack 8.0.0.12 or later and then apply Interim Fix [PI74468](<http://www-01.ibm.com/support/docview.wss?uid=swg24043424>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). 
\n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.14 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). \n \n**For V7.0.0.0 through 7.0.0.41:** \n\u00b7 Upgrade to Fix Pack 7.0.0.41 and then apply Interim Fix [PI74468](<http://www-01.ibm.com/support/docview.wss?uid=swg24043424>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.43 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>).\n\n## Workarounds and Mitigations\n\nIBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. 
To ensure that messages come from recognized senders, a security mechanism, such as MQ's AMS (Advanced Message Security), can be used.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:53", "type": "ibm", "title": "Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:06:53", "id": "AD8E83B84BF33E4577A1D24CA6F2F237A0256DC3326C80B484D27451A6A17B82", "href": "https://www.ibm.com/support/pages/node/288853", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:56", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by potential vulnerability \n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** ** \n**DESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources 
which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:39:39", "type": "ibm", "title": "Security Bulletin: Potential Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T15:39:39", "id": "F69FE9789E75790A2606EEC4962F65D29A41EAB974BD13AE6241AFEF9E23156D", "href": "https://www.ibm.com/support/pages/node/559379", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:33", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult this Security Bulletin: \nPotential security vulnerability in WebSphere Application Server MQ JCA Resource adapter ([CVE-2016-0360](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)) \n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Product and Versions** \n---|--- \nIBM Business Monitor V8.5.7 | WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.6| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.5| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.0.1.3| WebSphere Application Server V8.0 \nIBM Business Monitor V8.0| WebSphere Application Server V8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server 
shipped with IBM Business Monitor (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:09", "id": "28D594CDC7AC4D58CD521E460CE5103A7C34B637D887E2835F3EB2025D7850CA", "href": "https://www.ibm.com/support/pages/node/293867", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:30", "description": "## Summary\n\nThere is a potential security vulnerability with the WebSphere Application Server MQ JCA Resource adapter. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5.5 \n\n## Remediation/Fixes\n\nTo **patch an existing service instance** **or a new instance**, you must apply the following maintenance manually. 
Refer to the IBM WebSphere Application Server bulletin listed below: \n \n[**Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \n\n\n## Workarounds and Mitigations\n\nIBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. To ensure that messages come from recognized senders, a security mechanism, such as MQ's AMS (Advanced Message Security), can be used.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server in Bluemix MQ JCA Resource adapter (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:12", "id": "44DE506953329B74EBC446F3472B7B0F72221881CBEDE9145D187CE5F0BE1B2C", "href": 
"https://www.ibm.com/support/pages/node/294977", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:18", "description": "## Summary\n\nA potential vulnerability exists within the JMSObjectMessage class, which IBM WebSphere MQ provides as part of its Java Message Service implementation.\n\n## Vulnerability Details\n\nJMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload. Deserialization of untrusted data can lead to security flaws; a remote attacker could use this to execute arbitrary code with the permissions of the application that is using a JMS ObjectMessage. Applications that consume ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls. Applications which call toString() on a javax.jms.Message which has an underlying type of ObjectMessage can also be vulnerable, as this method performs deserialization. The MQ classes for JMS trace will call toString() on a javax.jms.Message object, and so are also vulnerable if the underlying type is an ObjectMessage. \n\n** **\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n**_IBM MQ 9.0_**\n\nIBM MQ 9.0.0.0 only\n\n**_IBM WebSphere MQ 8.0_**\n\nIBM WebSphere MQ 8.0.0.0 through 8.0.0.5 maintenance levels\n\n**_IBM WebSphere MQ 7.5_**\n\nIBM WebSphere MQ 7.5.0.0 through 7.5.0.7 maintenance levels\n\n**_IBM WebSphere MQ 7.1_**\n\nIBM WebSphere MQ 7.1.0.0 through 7.1.0.8 maintenance levels\n\n**_IBM WebSphere MQ 7.0.1_**\n\nIBM WebSphere MQ 7.0.1.0 through 7.0.1.14 maintenance levels\n\n## Remediation/Fixes\n\n**_IBM MQ 9.0 (Long Term Support)_**\n\nApply 9.0.0.1 maintenance level when available. In the interim apply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=9.0.0.0-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n**_IBM MQ 9.0 (Continuous Delivery)_**\n\nSerialization allowlisting is available from IBM MQ 9.0.1. Upgrade to latest version of IBM MQ and follow instructions in the IBM Knowledge Center to apply [ClassName allowlisting in JMS ObjectMessage](<http://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>).\n\n**_IBM WebSphere MQ 8.0_**\n\nApply [8.0.0.6](<http://www-01.ibm.com/support/docview.wss?uid=swg21995100>) maintenance level and follow instructions in the IBM Knowledge Center to apply [ClassName allowlisting in JMS ObjectMessage](<https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q127290_.htm>).\n\n**_IBM WebSphere MQ 7.5_**\n\nApply Fixpack 7.5.0.8 when available. 
In the interim apply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=7.5.0.7-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n**_IBM WebSphere MQ 7.1_**\n\nApply Fixpack 7.1.0.9 when available. In the interim apply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=7.1.0.7-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n**_IBM WebSphere MQ 7.0.1_**\n\nApply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=7.0.1.14-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n## Workarounds and Mitigations\n\nIBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. 
To ensure that messages come from recognised senders, a security mechanism, such as MQ's AMS (Advanced Message Security), can be used.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:05:39", "type": "ibm", "title": "Security Bulletin: IBM WebSphere MQ JMS client deserialization RCE vulnerability (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:05:39", "id": "AE2A68E4F8401A456362A564ED54B4CEAC0C39CE22C8CC2EE89E0E27D1E479C0", "href": "https://www.ibm.com/support/pages/node/279485", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:29", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in traditional WebSphere Application Server shipped with WebSphere Patterns. 
IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.\n\n## Vulnerability Details\n\nConsult the security bulletin: Security Bulletin: [Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www-01.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5.5\n * Version 8.0 \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:12", "id": 
"9AB12E3E5A1E352D1EDD0AC6C89B0F13E8D11390EC630593D74A0E54BE01423A", "href": "https://www.ibm.com/support/pages/node/294769", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:58", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>)[Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:07:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:22", "id": "DCFBC967CAEFE6FF899B971BBA64A8091F1B74E3F469ADEA929AD9389A85883C", "href": "https://www.ibm.com/support/pages/node/557929", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-07T21:52:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Products and Versions** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.5.0.1, V1.5.0.2, V1.6, V1.6.0.1, V1.6.0.2, and V1.6.0.3| IBM WebSphere Application Server V7.0 \nIBM Intelligent City Planning and Operations V1.5, or later \nIBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Transportation V1.5.0, or later \nIBM Intelligent Water V1.5.0, or later \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>). 
Installation instructions for the fix are included in the readme file that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2022-08-19T21:04:31", "id": "4EBA50C07BC037765C73A48B2FDA84919C2AD90247E0A724ED8571079559C261", "href": "https://www.ibm.com/support/pages/node/293897", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:49:55", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset 
Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nIBM Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nIBM Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and 
Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2022-09-22T03:02:31", "id": "0082EF69136DDF52FD30A1AD87BA70E90CD302F865DB0A1399F55BFA017CDC49", "href": "https://www.ibm.com/support/pages/node/557665", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:58", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. 
Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Privilege Escalation Vulnerability in WebSphere Application Server ](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:07:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:22", "id": "3E5F6D838B50632034BF7E67BCEB2D724189D53BF12F6055B9B362CCB99B9414", "href": "https://www.ibm.com/support/pages/node/557931", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:54:38", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of OpenPages GRC Platform. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [IBM WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nOpenPages GRC Platform Standard Edition 7.3| IBM WebSphere Application Server 8.5.5.9 \nOpenPages GRC Platform Standard Edition 7.2| IBM WebSphere Application Server 8.5.5.5 \nOpenPages GRC Platform Standard Edition 7.1| IBM WebSphere Application Server 8.5.5.2 \nOpenPages GRC Platform Standard Edition 7.0| IBM WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T22:48:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with OpenPages GRC Platform (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T22:48:14", "id": "20A55E42E337FB65FD5A5C952D64105AF460AF02F0F9D2F936473CAA5A9FB7C7", "href": "https://www.ibm.com/support/pages/node/558041", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:56", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. 
\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [_http://www-01.ibm.com/support/docview.wss?uid=swg21999293_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:37:48", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T15:37:48", "id": "27C3A52871836133D5312CCDBC3812D323A3609FA0DC9142701333F1EA057227", "href": "https://www.ibm.com/support/pages/node/294799", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:00", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1, and V1.5.0.2| IBM WebSphere Application Server \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:28:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T22:28:40", "id": "4D438A3B2A5B98652ED5EFCAC7E346399FE5B15FB6EC9F7DFEA3A376D4BA2904", "href": "https://www.ibm.com/support/pages/node/294573", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:31", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult this Security Bulletin : **Privilege Escalation Vulnerability in WebSphere Application Server** ([CVE-2017-1151](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)) \n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Product and Versions** \n---|--- \nIBM Business Monitor V8.5.7| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.6| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.5| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.0.1.3 | WebSphere Application Server V8.0 \nIBM Business Monitor V8.0| WebSphere Application Server V8.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:10", "type": "ibm", "title": "Security Bulletin: \u00a0A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:10", "id": "FE28FDD1ABECE35D04E6C20DAF0FDDBD033B4E422F1A982B7583C25FF919F568", "href": "https://www.ibm.com/support/pages/node/294099", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0| IBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:55", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T12:17:55", "id": "238C94A76C35B9E28D5EEC3382672C79D675E8074B52AC9B27881CAEDC44DA7D", "href": "https://www.ibm.com/support/pages/node/294461", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:57", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:37:43", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server 
shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T15:37:43", "id": "B8E29C1A22B44FD5885063AA1EC199F8FACE7810C68C738CFE28848D0ECBC504", "href": "https://www.ibm.com/support/pages/node/294545", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [_Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>). 
\n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: Privilege escalation vulnerability with IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:12", "id": "8ED1793CA771BC0716D3207C034E4E856DBFA7BCA5969C297D05D82458D53725", "href": "https://www.ibm.com/support/pages/node/294725", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:32", "description": "## Summary\n\nWebSphere Application Server is shipped as a 
component of IBM Business Process Manager (BPM). Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. \n \nThe affected component is available only if optional support for OpenID Connect has been configured.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<https://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n\\- IBM Business Process Manager V8.0.0.0 through V8.0.1.3 \n\n\\- IBM Business Process Manager V8.5.0.0 through V8.5.0.2\n\n\\- IBM Business Process Manager V8.5.5.0\n\n\\- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2\n\n\\- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.03\n\nNote that 8.5.7.0 Cumulative Fix 2017.03 cannot automatically install interim fixes for the base Application Server. 
It is important to follow the complete installation instructions and to manually ensure that recommended security fixes are installed.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:10", "type": "ibm", "title": "Security Bulletin: A security vulnerability in WebSphere Application Server might affect IBM Business Process Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:10", "id": "C4E2D8C57E54799CB038AA5522DC01329EEA1DECA150D909511519365D0BBC4C", "href": "https://www.ibm.com/support/pages/node/294135", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:49:48", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Security Identity Manager (ISIM). 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nISIM 6.0| WAS v7.0, v8.5, v8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:07:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0IBM Websphere Application Server\u00a0shipped with\u00a0IBM Security Identity Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-16T22:07:11", "id": "AA9DA667682DD6022644ED810DCC076C35747EE3DD59FA812A37A9D806EA881C", "href": "https://www.ibm.com/support/pages/node/571535", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2023-02-21T01:51:16", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin \n[_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www.ibm.com/support/docview.wss?uid=swg21999293>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0| [_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:08:58", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-16T20:08:58", "id": 
"058DDC2F33F50DAD4A23F7AD1136D68A3C420F854E4FC1399C8340811395D507", "href": "https://www.ibm.com/support/pages/node/294819", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:29", "description": "## Summary\n\nA vulnerability has been reported in WebSphere Application Server traditional in which a privilege escalation not intended by the administrator occurs when the OpenID Connect (OIDC) Trust Association Interceptor (TAI) is used. \nThis vulnerability does not affect WebSphere Application Server Liberty. \n \nFor the latest information, refer to the following document (in English). \nSecurity Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151) \nhttp://www.ibm.com/support/docview.wss?uid=swg21999293\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1151_](<https://vulners.com/cve/CVE-2017-1151>) \n**DESCRIPTION:** IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122292_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122292>) for the current score. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of WebSphere Application Server: 
\nVersion 9.0 \nVersion 8.5 \nVersion 8.0 \n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF that contains APAR PI74857. \n \n**Note 1:** In a cluster configuration, the interim fix must be applied to each cluster member. \n \n**Note 2:** When applying the interim fix for APAR PI74857, if your version is v8.0.0.12 or earlier, or v8.5.5.9 or earlier, [PI57465](<http://www-01.ibm.com/support/docview.wss?uid=swg24042452>) must also be applied as a prerequisite. \n(If you are using v8.5.5.10 or later, or v9, PI57465 is already included and does not need to be applied.) \nPI57465: OIDC: Remove session cookie after logout ENABLEMENT FIXES \n<http://www-01.ibm.com/support/docview.wss?uid=swg24042452> \n \n**WebSphere Application Server traditional and Hypervisor Edition:**\n\n**Version**| **Remediation** \n---|--- \nV9.0.0.0 through V9.0.0.3| \n\n * Apply the interim fix for APAR [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>).\n**\\-- OR --**\n\n * Update to Fix Pack 9.0.0.4 or later.\nNote: Fix Pack 9.0.0.4 is scheduled for release on June 23, 2017 (as of 2017/03/21). 
\nV8.5.0.3 through V8.5.5.11| \n\n * Update to Fix Pack 8.5.5.3 or later, as required by the interim fix, and then apply the interim fix for APAR [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>).\n**\\-- OR --**\n\n * Update to Fix Pack 8.5.5.12 or later.\nNote: Fix Pack 8.5.5.12 is scheduled for release on August 4, 2017 (as of 2017/03/21). \nV8.0.0.10 through V8.0.0.13| \n\n * Update to Fix Pack 8.0.0.10 or later, as required by the interim fix, and then apply the interim fix for APAR [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>).\n**\\-- OR --**\n\n * Update to Fix Pack 8.0.0.14 or later.\nNote: Fix Pack 8.0.0.14 is scheduled for release on October 16, 2017 (as of 2017/03/21). \n \n## Workarounds and Mitigations\n\nIf the value of the global security custom property \"com.ibm.websphere.security.InvokeTAIbeforeSSO\" contains the OIDC TAI class name \"com.ibm.ws.security.oidc.client.RelyingParty\", remove that value. 
\n \nThis property can be changed from the administrative console: Global security > Custom properties. \nWhen InvokeTAIbeforeSSO is not enabled for the OIDC TAI class, the user login timeout is the LTPA token timeout value. \n \nFor details on changing custom properties, refer to the following Knowledge Center page. \n \nDeleting existing custom properties in a global security configuration or in a security domain configuration \n<https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_custprop_del.html>\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:11", "type": "ibm", "title": "Security Bulletin: Privilege escalation vulnerability in traditional WebSphere Application Server (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:11", "id": "A0F1D691A598C5E1F797B1E1D411F088FA56A3C79C6DE77F020B5D040678C45B", "href": "https://www.ibm.com/support/pages/node/294215", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:50", "description": "## Summary\n\nWebSphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM), and WAS has been affected by a privilege escalation vulnerability.\n\n## Vulnerability Details\n\nCVEID: CVE-2017-1151 \nDESCRIPTION: IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/122292> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:39:39", "type": "ibm", "title": "Security Bulletin: Privilege Escalation Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2017-1151"], "modified": "2018-06-17T15:39:39", "id": "8CA02EF42F5013CB0697B9E5AC09B6EE56FB242D567CFCD579D0D9302A025F7F", "href": "https://www.ibm.com/support/pages/node/559369", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:36", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in WebSphere Application Server traditional when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1151_](<https://vulners.com/cve/CVE-2017-1151>)** \nDESCRIPTION:** IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122292_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122292>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional: \nVersion 9.0 \nVersion 8.5 \nVersion 8.0 \n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI74857 for each named product as soon as practical. **NOTE: **If you are operating in a cluster, the interim fix must be applied to each cluster member. 
\n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition:** \n\n**For V9.0.0.0 through 9.0.0.3:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.4 or later. \n\n**For V8.5.5.3 through 8.5.5.11:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.12 or later. \n\n**For V8.0.0.10 through 8.0.0.13:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.14 or later. 
\n\n**REMINDER:** If you are operating in a cluster, the interim fix must be applied to each cluster member. \n\n## Workarounds and Mitigations\n\nChange the value for the com.ibm.websphere.security.InvokeTAIbeforeSSO custom property to not include the OIDC TAI class name: com.ibm.ws.security.oidc.client.RelyingParty. This property can be updated from the Administrative Console > Global Security > Custom Properties panel. When InvokeTAIbeforeSSO is not enabled for the OIDC TAI class, the timeout for the user login will be that of the LTPA token. \n \nFor more information about changing custom properties please refer to the knowledge center: <https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_custprop_del.html>\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:05", "type": "ibm", "title": "Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:05", "id": 
"73DBAAF76446700805D453AE802FCD87DBA6C6B1E9B33DE8A099FC433EBDFE3D", "href": "https://www.ibm.com/support/pages/node/292703", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:31", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 8.5| WebSphere Application Server 8.0, 8.5, 8.5.5, 9.0| [_Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:11", "id": "EF9F63F010095739C07233F9C717ADF8FF540A4F2057023CF95B9A0C3CE4240C", "href": "https://www.ibm.com/support/pages/node/294403", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:52:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**| **Affected Supporting Products** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.5.0.1, V1.5.0.2, V1.6, V1.6.0.1, V1.6.0.2, and V1.6.0.3| IBM WebSphere Application Server V8.0, V8.5, and V9.0 \nIBM Intelligent City Planning and Operations V1.5, or later \nIBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Operations for Transportation V1.5.0, or later \nIBM Intelligent Operations for Water V1.5.0, or later \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server 
(CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2022-08-19T21:04:31", "id": "EC05240EE77DDC84E58CE34E9DAA5BAA0AE07AC1B1E54421F5BD689DFB14DB26", "href": "https://www.ibm.com/support/pages/node/294161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:49:50", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for 
Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nIBM Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nIBM Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2022-09-22T03:02:31", "id": "36BA5A9CF6B059E5B55E9376E4E9E87769F2597E8D12EE0B8E70E1D709D9B1A2", "href": "https://www.ibm.com/support/pages/node/559055", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:39:06", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability only applies to the server component.\n\n**Versions 7.1.x.x: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. 
\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0.| [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<https://www.ibm.com/support/docview.wss?uid=swg21997743>) \n \n**ClearQuest Versions**| **Applying the fix** \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2020-02-04T16:40:40", "id": "D6D01193465D0489CF18524A794AA59CC76D91403E1F923FB9E1F5CD46E21E8A", "href": "https://www.ibm.com/support/pages/node/292005", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2022-06-28T22:04:58", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of OpenPages GRC Platform. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [IBM Websphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nOpenPages GRC Platform Standard Edition 7.3| IBM WebSphere Application Server 8.5.5.9 \nOpenPages GRC Platform Standard Edition 7.2| IBM WebSphere Application Server 8.5.5.5 \nOpenPages GRC Platform Standard Edition 7.1| IBM WebSphere Application Server 8.5.5.2 \nOpenPages GRC Platform Standard Edition 7.0| IBM WebSphere Application Server 8.5.5 \n \n## Change History\n\n02 March 2017 : Original Version Published", "cvss3": {}, "published": "2018-06-15T22:49:10", "type": "ibm", "title": "A security vulnerability has been identified in IBM WebSphere Application Server shipped with OpenPages GRC Platform (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-15T22:49:10", "id": "C46BF4200B36B22461916E9FBF0EA67604946795AF498449A8067A89DEC8E5F4", "href": "https://www.ibm.com/support/pages/node/293383", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:44:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Netcool Impact. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [`Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)`](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Netcool Impact 6.1.x| IBM WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nIBM Tivoli Netcool Impact 6.1.x| This vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) \nFor instruction on how to upgrade IBM WebSphere Application Server see the latest 6.1.* Tivoli Business Service Manager Fix Pack readme. \n\\--OR-- \nApply Fix Pack 7.0.0.43 or later (targeted availability 2Q2017). \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T15:39:51", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Netcool Impact (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:39:51", 
"id": "A1907953628F052A8D862BBA6332A8418C4E0C8826FD9B3064449756F7540110", "href": "https://www.ibm.com/support/pages/node/559741", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:50:00", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin, [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nTSPM 7.0| WAS 7.0 \nTSPM 7.1| WAS 7.0 \nWAS 8.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-16T21:50:27", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", 
"accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T21:50:27", "id": "C1450674E414C248C8B4650F7BC6D613589F7A314921C62363FD799A2F1FD089", "href": "https://www.ibm.com/support/pages/node/292219", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:45:59", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. 
\n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T15:37:04", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:37:04", "id": "9089C63EA075732A2F18A9DEF551E15CB6F40EA0AE9BD8F8C0605D12A3FBDE92", "href": "https://www.ibm.com/support/pages/node/293207", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:49", "description": "## Summary\n\nIBM WebSphere Application Server is vulnerable to 
cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-1121](<https://vulners.com/cve/CVE-2017-1121>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121173> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Content Collector for Email v3.0 \nIBM Content Collector for Email v4.0 \nIBM Content Collector for Email v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for Email | 3.0| Use IBM Content Collector for Email 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Email | 4.0| Use IBM Content Collector for Email 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Email | 4.0.1| Use IBM Content Collector for Email 4.0.1.5 [Interim Fix 
001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T12:17:47", "type": "ibm", "title": "Security Bulletin:Cross-site scripting vulnerability in WebSphere Application Server admin console in IBM Content Collector for Email", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T12:17:47", "id": "3EFFB027C3E17E54A0E59F1021E1E46FE4B8BFD117C62AA5245F5B8DC93B6556", "href": "https://www.ibm.com/support/pages/node/292419", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:49:59", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business 
Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin, Security Bulletin: [Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2, 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2, 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-16T21:50:36", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": 
"2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T21:50:36", "id": "B4010B4E21B127AA0A6CACC8E96F2406EAE6CDF71E449DF6FCA304D4DC567ADE", "href": "https://www.ibm.com/support/pages/node/292735", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:44:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Business Service Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [`Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)`](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.1.x| IBM WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\n_Principal Product and Version(s)_\n\n| _Affected Supporting Product and Version_ \n---|--- \nTivoli Business Service Manager 6.1.x| This vulnerability requires IBM WebSphere Application Server fix pack levels as required by interim fix and then apply Interim Fix [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) \nFor instruction on how to upgrade IBM WebSphere Application Server see the latest 6.1.* Tivoli Business Service Manager Fix Pack readme. \n\\--OR-- \nApply Fix Pack 7.0.0.43 or later (targeted availability 2Q2017). 
\n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T15:39:50", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Business Service Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:39:50", "id": "065043A4F97D98BC08FD9CAA5BD98D88FD7572B7D4428A44CB505172C0223BB0", "href": "https://www.ibm.com/support/pages/node/559735", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:41:37", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. 
\n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server. \n**Versions 7.1.x.x: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0.| [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<https://www.ibm.com/support/docview.wss?uid=swg21997743>) \n \n**ClearCase Versions**| **Applying the fix** \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh` (UNIX) or `bin\\versionInfo.bat` (Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. 
\n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-07-10T08:34:12", "id": "53DE79EA36CC70E39ED3ADEDDF7B03288CE0A5AA43A75E91EB31074E052AF91C", "href": "https://www.ibm.com/support/pages/node/291923", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:42", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. 
\nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult Security Bulletin : \n[Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>)\n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \nIBM Business Monitor V8.0.1.3 \n\n**Principal Product and Versions**| **Affected Supporting Product and Version** \n---|--- \nIBM Business Monitor V8.5.7 | WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.6| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.5| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.0.1.3| WebSphere Application Server V8.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:07:02", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], 
"modified": "2018-06-15T07:07:02", "id": "9A2D4C1EC195390B272F126E69E1B55B908EBE9D951C7D586FF0AE36740528B8", "href": "https://www.ibm.com/support/pages/node/291733", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:51", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T12:17:46", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": 
"MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T12:17:46", "id": "0CCEC8ABD558DD7449BDDAB9E84F5DFA8520B9A0B5853305AF14F28B174BE11F", "href": "https://www.ibm.com/support/pages/node/292107", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:44:58", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Potential cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server V7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Potential cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>)[](<http://www.ibm.com/support/docview.wss?uid=swg21992315>). 
Installation instructions for the fix are included in the readme file that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T22:28:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T22:28:40", "id": "26381738404F7B6DE24D6998858764B65A9EB4B83330310F854A9041D835DD8D", "href": "https://www.ibm.com/support/pages/node/292081", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:42", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [_Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:07:06", "type": "ibm", "title": "Security Bulletin: There is a potential cross-site scripting vulnerability in the Admin Console of IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, 
"impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-15T07:07:06", "id": "DB9BA983E7D2FAC653E24BEBCF41FC8BAB8D997E65F48954297E2FCB8153E17F", "href": "https://www.ibm.com/support/pages/node/293231", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:46:05", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T15:35:16", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:35:16", "id": "8937CBA3426FCE31295ADA0BA5DCA9E051C3D3F6491200BA2153E80CAABAFBCC", "href": "https://www.ibm.com/support/pages/node/291693", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:46:06", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of Tivoli Network Manager IP Edition. Information about a security vulnerability affecting Tivoli Network Manager IP Edition has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [**Potential Cross-site scripting vulnerability in WebSphere Application Server**](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n \n\n\n**Principal Product and Version(s)**| ** Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires to install IBM Websphere Application Server Version 8.5.5.5 or later version separately. Users are recommended to apply IBM WebSphere version 8.5.5.5 Security Interim Fixes.. 
\n| \n \n \n## ", "cvss3": {}, "published": "2018-06-17T15:35:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application shipped with Tivoli Network Manager IP Edition (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:35:17", "id": "B5F14721CB3CF1C884B72C16A99A8A84B07CD516016A63172B73890E30DDF2B6", "href": "https://www.ibm.com/support/pages/node/291769", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:49:52", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \nIBM Security Key Lifecycle Manager (SKLM) v2.7 on distributed platforms | WebSphere Application Server v9.0.0.1 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, 
"impactScore": 2.7}, "published": "2018-06-16T21:51:06", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T21:51:06", "id": "6943EBF756F3E60DFD08A92A9555CEFCB7E709C96CF139AF025DB30FC1740DB0", "href": "https://www.ibm.com/support/pages/node/294303", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:49:51", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security/Tivoli Directory Server. 
Information about a security vulnerability affecting IBM Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease see the following security bulletin for vulnerability details: \n[Potential Cross-site scripting vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \\- (CVE-2017-1121)\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as a component \n---|--- \nIBM Security Directory Server Version 6.4| IBM WebSphere Application Server Version 8.5.5.9 \nIBM Security Directory Server Version 6.3.1 and \nTivoli Directory Server Version 6.3| IBM WebSphere Application Server Version 7.0.0.41 \n \n## Remediation/Fixes\n\nApply the WebSphere Application Server Interim Fix, Fix Pack or PTF containing APAR [_PI73367_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) . This is applicable for Full WebSphere Application Server ONLY and is not applicable for embedded WebSphere Application Server V7.0 as the admin console is not provided with it. 
\nAfter applying the fix above, refer to the SDS [recommended fixes](<http://www.ibm.com/support/docview.wss?uid=swg27009778>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-16T21:51:18", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM Websphere Application Server shipped with IBM Security/Tivoli Directory Server (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T21:51:18", "id": "17778B43D8F84CA62AA64E76208DDA152AA82F96A219944D7B74EB069542AA67", "href": "https://www.ibm.com/support/pages/node/294941", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:33", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM WebSphere Service Registry and Repository. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin: \n \n[Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) \n \nfor vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server V8.0 \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:07:07", "type": "ibm", "title": "Security Bulletin: Vulnerability identified in IBM WebSphere Application Server shipped with IBM WebSphere Service Registry and Repository (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-15T07:07:07", "id": 
"8550C30C4A56D3070A2109BE13555117FD37487C131991DA553C8B5CDFAE2259", "href": "https://www.ibm.com/support/pages/node/293251", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:39", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Process Manager, WebSphere Process Server, and WebSphere Lombardi Edition. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin \n\n * [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>)\n \nfor vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n\\- IBM Business Process Manager V7.5.0.0 through V7.5.1.2 \n\n\\- IBM Business Process Manager V8.0.0.0 through V8.0.1.3\n\n\\- IBM Business Process Manager V8.5.0.0 through V8.5.0.2\n\n\\- IBM Business Process Manager V8.5.5.0 \n\n\\- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2\n\n\\- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 CF 2017.03\n\n\\- WebSphere Process Server V7.0.x\n\n\\- WebSphere Lombardi Edition V7.2.0.x\n\nAt the time of shipping IBM Business Process Manager V8.5.7.0 CF 2017.03, WebSphere Application Server 8.5.5.11 is the latest available fixpack. 
CF 2017.03 installation instructions include a reference to this vulnerability and advise to manually install the required Interim Fix.\n\n \n_For earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:07:03", "type": "ibm", "title": "Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-15T07:07:03", "id": "06B457F7339BCCC23DA8DF77B3A4D0C81A2ADB588E02898CD44F146C3A9B22BF", "href": "https://www.ibm.com/support/pages/node/291735", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:54", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM ILOG ODM Enterprise. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [There is a potential cross-site scripting vulnerability in the Admin Console of WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM ILOG ODM Enterprise v3.4 - v3.6.0.1| IBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {}, "published": "2018-06-16T13:46:07", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM ILOG Optimization Decision Manager Enterprise (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T13:46:07", "id": "8532AD1C55503FF56DC3398C3EBD7DF43A159B31C56E1AB52687FA4654D3FECB", "href": "https://www.ibm.com/support/pages/node/291745", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2022-10-01T01:54:49", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM License Metric Tool 7.x and IBM Tivoli Asset Discovery for Distributed 7.x servers. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2017-1121_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1121>) \nDESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Asset Discovery for Distributed v7.5| WebSphere Application Server v7 \nIBM License Metric Tool v7.5| WebSphere Application Server v7 \n \n## Remediation/Fixes\n\nApply Interim Fix for a WebSphere Application Server as described in the following technote: <http://www-01.ibm.com/support/docview.wss?uid=swg21997743>\n\n## Workarounds and Mitigations\n\nNone\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n24 February 2017 : Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. 
Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server 
shipped with IBM License Metric Tool 7.x and IBM Tivoli Asset Discovery for Distributed 7.x (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2021-04-26T21:17:25", "id": "10B4A1ECB227E231649BE8E4A32C8374549DAC9A952EBB0FCFB544E37F9A647A", "href": "https://www.ibm.com/support/pages/node/292843", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:17", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. 
Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin \n[_Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www.ibm.com/support/docview.wss?uid=swg21997743>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0| [_Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-16T20:08:57", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T20:08:57", "id": 
"AF41BE48B7388AC88C7B7B04DE51E720BFB46F49D0B57B55AF8F7E065CF0DA02", "href": "https://www.ibm.com/support/pages/node/294803", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:46:04", "description": "## Summary\n\nInside the Tivoli Integrated Portal there is a potential cross-site scripting vulnerability in the Admin Console of WebSphere Application Server in the underlying eWAS.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nFastBack for Workstations Central Administration Console (CAC) 6.3.\n\n## Remediation/Fixes\n\n**FastBack for Workstations CAC 6.3** \nThe fix for FastBack for Workstations CAC 6.3 will be to update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41 and then apply the WAS interim fix pack PI73367. \n \n**_Update embedded eWAS to 7.0.0.41_** \nTo update the embedded eWAS included with the Tivoli Integrated Portal to 7.0.0.41, click on the following link: \n[http://www.ibm.com/support/docview.wss?uid=swg21981056](<http://www-01.ibm.com/support/docview.wss?uid=swg21981056>) \nand then download 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak \n \nTo update the embedded eWAS, do the following: \n\n\n 1. If not already at the CAC 6.3.1.1 version, upgrade to this version.\n 2. Stop the Tivoli Service: Tivoli Integrated Portal - V2.2_TIPProfile_Port_16310\n 3. 
Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7), apply the 7.0.0-WS-WASEmbeded-WinX32-FP0000041.pak file downloaded earlier \n\n**_Apply WAS interim fix pack PI73367_** \nIn order to obtain the PI73367 fix, refer to the WAS security bulletin: \n[http://www-01.ibm.com/support/docview.wss?uid=swg24043318](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) \nClick on the Fix Central (FC) download link for 7.0.0.29-WS-WAS-IFPI73367. Once downloaded, there will be a Readme.txt file and a 7.0.0.29-WS-WAS-IFPI73367.pak file. \n \nTo apply the interim fix after having upgraded to eWAS 7.0.0.41, do the following: \n\n\n 1. Using the Update Installer application (update.exe) found in the Tivoli Integrated Portal installation directory (default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7), apply the 7.0.0.29-WS-WAS-IFPI73367.pak file downloaded earlier\n 2. 
Restart the Tivoli Service or reboot the machine \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T15:35:52", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Tivoli Integrated Portal shipped with IBM Tivoli Storage Manager FastBack for Workstations (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:35:52", "id": "16A27B2A86BA89A686BECF2C885006A9BAAACF9F9B3C3EC2CFE91D241C4A44A5", "href": "https://www.ibm.com/support/pages/node/292067", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:38", "description": "## Summary\n\nThere is a potential cross-site scripting vulnerability in the Admin Console of WebSphere Application Server. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin for vulnerability details and information about fixes: \n\n * [**Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of IBM WebSphere Application Server that IBM WebSphere Application Server Patterns supports: \n\n * Version 8.0 traditional\n * Version 8.5.5 traditional \n * Version 9.0 traditional\n\n## Remediation/Fixes\n\nTo patch an existing PureApplication Virtual System Instance, apply the patch using the PureApplication Maintenance fix process. \n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:07:04", "type": "ibm", "title": "Security Bulletin: Security vulnerability affects IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server on Cloud", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-15T07:07:04", 
"id": "B14493BB2DFC1B0D42462E58ACAF3D90223A9CA8F0C73B89AB0DFD3753B7166F", "href": "https://www.ibm.com/support/pages/node/291883", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:46:01", "description": "## Summary\n\nThere is a potential cross-site scripting vulnerability in the Admin Console of IBM WebSphere Application Server that is used by IBM Tivoli Netcool Configuration Manager (ITNCM).\n\n## Vulnerability Details\n\nCVEID: [_CVE-2017-1121_](<https://vulners.com/cve/CVE-2017-1121>) \nDESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n## Affected Products and Versions\n\nThe following releases are affected: \nITNCM 6.4.2.0 - 6.4.2.4 \nITNCM 6.4.1.0 - 6.4.1.4\n\n## Remediation/Fixes\n\nProduct| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nITNCM| 6.4.2.4| none| For WebSphere Application Server Traditional V8.5.5, install the relevant interim fix detailed at [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \nITNCM| 6.4.1.4| none| Install [interim fix: 6.4.1.4-TIV-ITNCM-IF006](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Netcool+Configuration+Manager&fixids=6.4.1.4-TIV-ITNCM-IF006&source=SAR&function=fixId&parent=ibm/Tivoli>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, 
"cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-17T15:36:12", "type": "ibm", "title": "Security Bulletin: Potential Cross-site scripting vulnerability in IBM WebSphere Application Server affects IBM Tivoli Netcool Configuration Manager (ITNCM) (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:36:12", "id": "5FFFABE6C27976E004859C11D0A20CA6A695745A0BC02907B56701FD667FC57F", "href": "https://www.ibm.com/support/pages/node/292553", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:45:50", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Tivoli Workload Scheduler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin <http://www-01.ibm.com/support/docview.wss?uid=swg21997743> for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Workload Scheduler is potentially impacted by the listed vulnerability since it potentially affects secure communications between eWAS and subcomponents. \n \nThe affected versions are: \nTivoli Workload Scheduler Distributed 8.6.0 \nTivoli Dynamic Workload Console 8.6.0 \nTivoli Workload Scheduler z/OS Connector 8.6.0\n\n## Remediation/Fixes\n\nIBM has provided patches for all embedded WebSphere versions. \n \nFollow the instructions in the link below to install the fixes for eWAS 7.0.0.39 that is embedded in TWS 8.6 fixpack 04: \n \n<http://www-01.ibm.com/support/docview.wss?uid=swg21997743> \n \nFor TWS 8.6 version, the fixes can be applied only on top of TWS 8.6 fixpack 04. 
\n \n_For unsupported versions, releases or platforms, IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:46:23", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0IBM WebSphere Application Server\u00a0shipped with\u00a0Tivoli Workload Scheduler (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-17T15:46:23", "id": "B907DA0F3696F949D350768CF81A7E26D19494D84E8C4C72E66014F34E409C6B", "href": "https://www.ibm.com/support/pages/node/297417", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-08T14:26:20", "description": "## Summary\n\nCross-site scripting vulnerability in WebSphere Application Server bundled with IBM Jazz Team Server based Applications affects multiple products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Rhapsody Design Manager (Rhapsody DM) and Rational Software Architect Design Manager (RSA DM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1121_](<https://vulners.com/cve/CVE-2017-1121>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 4.0 - 6.0.3 \n \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.3 \n \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.3 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.3 \n \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.3 \n \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.3 \n \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.3\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of IBM WebSphere Application Server with the available versions of the products, and in addition to the bundled version some previous versions of WAS are also supported. For a remediation follow the WAS security bulletin appropriately: \n\n\n 1. Review the [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details. \n\n 2. Check the version of WAS, if any, that your deployment is actually using, and compare it against the list of affected versions in the security bulletin. \n\n 3. 
Review the **Remediation/Fixes** section in the [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for available fixes in the version that you are using.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in WebSphere Application Server affects multiple IBM Rational products based on IBM Jazz technology (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2021-04-28T18:35:50", "id": "FD942787DB7C05823C3BFCBB721E269B5810D06151CEBF8E45B4B69122D837D7", "href": "https://www.ibm.com/support/pages/node/294605", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:50:40", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Identity Manager. 
Information about a security vulnerability affecting IBM Security Identity Manager has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Potential Cross-site scripting vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nIBM Security Identity Manager version 6.0 and IBM Tivoli Identity Manager version 5.1| IBM Websphere Application Server 7.0, 8.0, 8.5 and 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T21:59:06", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Identity Manager (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-16T21:59:06", "id": "990A0947B346D27E9EFAFE9E60CD230F937AAFF139879297F40C6C040F57EB70", "href": "https://www.ibm.com/support/pages/node/559085", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:53:45", "description": "## Summary\n\nThere is a potential cross-site scripting vulnerability in the Admin Console of WebSphere Application Server. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1121_](<https://vulners.com/cve/CVE-2017-1121>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5 and Version 8.5.5 \n * Version 8.0 \n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) for each named product as soon as practical. ** \nFor WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition: \n \nFor V9.0.0.0 through 9.0.0.2:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.3 or later. ** \n \nFor V8.5.0.0 through 8.5.5.11:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.12 or later. 
\n \n**For V8.0.0.0 through 8.0.0.13:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.14 or later. \n \n**For V7.0.0.0 through 7.0.0.41:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI73367](<http://www-01.ibm.com/support/docview.wss?uid=swg24043318>) \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.43 or later. 
\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:06:58", "type": "ibm", "title": "Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2018-06-15T07:06:58", "id": "B9C89E72E9D84B18C1E33CE0348547ECBF9D3A77277DA7873F7B7DBA156E7290", "href": "https://www.ibm.com/support/pages/node/290351", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:38:45", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting Websphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, 1.0.1, 1.1, 1.1.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is shipped with Predictive Customer Intelligence. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [_Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [_Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Websphere Application Server shipped with Predictive Customer Intelligence (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", 
"exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2020-02-11T21:31:00", "id": "7CA25B1EC003F3EC4251CC48661D2C1C1605AB32921651FD207AFBA860EF2063", "href": "https://www.ibm.com/support/pages/node/292679", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-07T21:52:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Security Bulletin: Potential cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Products and Versions** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.5.0.1, V1.5.0.2, V1.6, V1.6.0.1, V1.6.0.2, and V1.6.0.3| IBM WebSphere Application Server V7.0 \nIBM Intelligent City Planning and Operations V1.5, or later \nIBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Transportation V1.5.0, or later \nBM Intelligent Water V1.5.0, or later \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Potential cross-site scripting vulnerability in WebSphere Application Server 
(CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg21997743>). Installation instructions for the fix are included in the readme file that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2022-08-19T21:04:31", "id": "808466038C0E6A9D6277192338DF41535AF3F030D86409338429391D7DFBCB8E", "href": "https://www.ibm.com/support/pages/node/292069", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-07T21:49:51", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), 
Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nIBM Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nIBM Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset 
Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2022-09-22T03:02:31", "id": "41206CDD0B1940C1ECA32E18D5D69FC0995009A0B3A5366A3DC124B7606BA25E", "href": "https://www.ibm.com/support/pages/node/293881", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-07T21:59:44", "description": "## Summary\n\nA vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center). There is a potential cross-site scripting vulnerability in the Admin Console of WebSphere Application Server. 
IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVE. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1121_](<https://vulners.com/cve/CVE-2017-1121>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121173_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121173>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM Spectrum Control 5.2.8 through 5.2.13 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7.1 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.14 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.\n\n## Remediation/Fixes\n\nThe solution is to apply an appropriate IBM Spectrum Control (Tivoli Storage Productivity Center) fix maintenance for each named product. Follow the link below, select the correct product version. Click on the download link and follow the Installation Instructions. The solution should be implemented as soon as practicable. 
\n \n_Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM Spectrum Control._\n\n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n \n \n**_IBM Spectrum Control 5.2.x and Tivoli Storage Productivity Center V5.1.x_** \n \n**Release**| **First Fixing VRM Level**| **Link to Fix/Fix Availability Target** \n---|---|--- \n5.2.x| 5.2.14| <http://www.ibm.com/support/docview.wss?uid=swg21320822> \n5.1.x| 5.1.1.15| <http://www.ibm.com/support/docview.wss?uid=swg21320822> \n \n \n**For Tivoli Storage Productivity Center V5.1.x, these manual steps are required in addition to applying the 5.1.1.15 fixpack:** \n \nTivoli Integrated Portal embeds Websphere Application Server 7.0 and requires the following interim fix. Follow these steps to apply the interim fix: \n \n1) Download Websphere interim fix **PI73367** for WAS 7.0.0.X \n<http://www-01.ibm.com/support/docview.wss?uid=swg24043318> \n \n2) Apply the WebSphere Application Server 7.0 interim fix to Tivoli Integrated Portal using the preinstalled WAS Update Installer \n_On Windows, the default location for WAS Update Installer is:_ [TPC_Install_Location]\\IBM\\tipv2\\WebSphereUpdateInstallerV7\\ \n \n3) Following Tivoli Storage Productivity Center upgrade, review the Legacy Protocol configuration (SSLv3 & MD5 hash) \n \nTo resolve connection problems between some supported devices and Tivoli Storage Productivity Center, Tivoli Storage Productivity Center can be configured to use a legacy connection protocol (SSLv3 and MD5 hash) to maintain compatibility with those devices. Following an upgrade of Tivoli Storage Productivity Center, it is strongly recommended to review the legacy protocol settings to confirm your current configuration. 
Additional details, including how to check the current settings, are covered in this Technote: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21697904> \n \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2022-02-22T19:50:07", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2017-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1121"], "modified": "2022-02-22T19:50:07", "id": "7655E911C4B5C15A4CCD0F1A20473B81F6CC77E75CE6CF711D4B46EC3E025649", "href": "https://www.ibm.com/support/pages/node/564785", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:47", "description": "## Summary\n\nThere is a potential denial of service with WebSphere Application Server with SOAP connectors. \nThere is a potential information disclosure in WebSphere Application Server using malformed SOAP requests on WebSphere Application Server. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \n**CVEID:** [_CVE-2016-9736_](<https://vulners.com/cve/CVE-2016-9736>)** \nDESCRIPTION:** IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119780_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119780>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5.5 \n\n## Remediation/Fixes\n\nTo **patch an existing service instance**, update WebSphere Application Server by referring to the IBM WebSphere Application Server bulletins listed below: \n \n[**Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)** ](<https://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \n \n[**Security Bulletin: Potential Information Disclosure in WebSphere Application Server (CVE-2016-9736)** ](<https://www-01.ibm.com/support/docview.wss?uid=swg21991469>) \n \nAlternatively, delete the vulnerable service instance and create a new instance. 
The new maintenance will be included.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:57", "type": "ibm", "title": "Security Bulletin: Potential Denial of Service and Information Disclosure that affect IBM WebSphere Application Server for Bluemix (CVE-2016-8919, CVE-2016-9736)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919", "CVE-2016-9736"], "modified": "2018-06-15T07:06:57", "id": "6C44FB8DE7BA47B0FB7593FD0681DB2B2DF890A07E9349198B9AE86F22F6DC82", "href": "https://www.ibm.com/support/pages/node/290215", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T17:45:49", "description": "## Summary\n\nThere is a security vulnerability in IBM WebSphere Application Server, Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition. In addition, there is a security vulnerability in IBM Tivoli Monitoring that is shipped with IBM Cloud Orchestrator Enterprise Edition. 
\n \nIBM Cloud Orchestrator and WebSphere Application Server have addressed this vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1501_](<https://vulners.com/cve/CVE-2017-1501>)** \nDESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security after using the Admin Console to update the web services security bindings settings. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/129576_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/129576>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3| IBM WebSphere Application Server V8.5.5 through 8.5.5.11 \nBusiness Process Manager 8.5.5 through V8.5.7 CF201703 \nIBM Tivoli System Automation Application Manager V4.1 \nIBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3| IBM WebSphere Application Server V8.5.5 through 8.5.5.12 \nIBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2 \nIBM Tivoli System Automation Application Manager V4.1 \nIBM Cloud Orchestrator V2.3| IBM WebSphere Application Server V8.0.1 through V8.0.0.11 \nIBM Business Process Manager V8.5, 8.5.6 \nIBM Tivoli System Automation Application Manager V4.1 \nIBM Cloud Orchestrator Enterprise Edition V2.5, V2.5.0.1, V2.5.0.3, V2.5.0.4| IBM WebSphere Application Server V8.5.5 through 8.5.5.11 \nBusiness Process Manager 8.5.5 through V8.5.7 CF201703 \nIBM Tivoli System Automation Application Manager V4.1 \nIBM Tivoli Monitoring 6.3.0.1 through V6.3.0.2 \nIBM Cloud Orchestrator Enterprise Edition V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3| IBM WebSphere Application Server V8.5.5 through 8.5.5.7 \nIBM Business Process Manager Standard V8.5.0.1 through 8.5.6 CF2 \nIBM Tivoli System 
Automation Application Manager V4.1 \nIBM Tivoli Monitoring 6.3.0.1 through V6.3.0.2 \nIBM Cloud Orchestrator Enterprise Edition V2.3| IBM WebSphere Application Server V8.0.1 through V8.0.0.11 \nIBM Business Process Manager V8.5, 8.5.6 \nIBM Tivoli System Automation Application Manager V4.1 \nIBM Tivoli Monitoring V6.3.0.1 \n \n## Remediation/Fixes\n\nThis issue has been addressed by IBM Cloud Orchestrator (Standard and Enterprise Edition) and through IBM WebSphere Application Server that is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition. \n \nFix delivery details for IBM Cloud Orchestrator: \n \n\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise| V2.5, V2.5.0.1 IFix1, V2.5.0.2, V2.5.0.3| For 2.5 versions, upgrade to Fix Pack 4 (2.5.0.4) of IBM Cloud Orchestrator. \n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>) \nAfter you upgrade, apply the appropriate Interim to your environment as soon as practical. For details, see [Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) \nIBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise| V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4| For 2.4 versions, IBM recommends upgrading to Fix Pack 5 (2.4.0.5) of IBM Cloud Orchestrator. \n[_https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049_](<https://www-01.ibm.com/support/docview.wss?uid=swg2C4000049>)For 2.4 versions, upgrade to Fix Pack 4 (2.4.0.5) of IBM Cloud Orchestrator. 
\n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>) \nIBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise| V2.3, V2.3.0.1| [Notice product withdrawal announcement as per ENUS917-138](<https://www-01.ibm.com/common/ssi/ShowDoc.wss?docURL=/common/ssi/rep_ca/8/897/ENUS917-138/index.html&request_locale=en>)\n\nContact [IBM Support ](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:35", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2017-1501)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919", "CVE-2017-1501"], "modified": "2018-06-17T22:33:35", "id": "61F486566FF688900DE83839638E8A1F3A54A1C41EBC1B25CE0E2A5D8B27365D", "href": "https://www.ibm.com/support/pages/node/609311", "cvss": {"score": 7.8, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:44:42", "description": "## Summary\n\nThe following security issues have been identified in WebSphere Application Server included as part of IBM Tivoli Monitoring (ITM) portal server. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2017-1121](<https://vulners.com/cve/CVE-2017-1121>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/121173> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [CVE-2016-8919](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118529> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n \nCVEID: [_CVE-2016-5546_](<https://vulners.com/cve/CVE-2016-5546>) \nDESCRIPTION: An unspecified vulnerability related to the Libraries component has no confidentiality impact, high integrity impact, and no availability impact. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120869_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120869>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \nCVEID: [_CVE-2016-5548_](<https://vulners.com/cve/CVE-2016-5548>) \nDESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120864_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120864>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \nCVEID: [_CVE-2016-5549_](<https://vulners.com/cve/CVE-2016-5549>) \nDESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120863_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120863>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \nCVEID: [_CVE-2016-5547_](<https://vulners.com/cve/CVE-2016-5547>) \nDESCRIPTION: An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120871_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120871>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \nCVEID: [_CVE-2016-2183_](<https://vulners.com/cve/CVE-2016-2183>) \nDESCRIPTION: OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116337_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116337>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 - Tivoli Enterprise Portal Server (TEPS) all CVEs above. \n \nIBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 - Tivoli Enterprise Portal Server (TEPS) all CVEs above.\n\n## Remediation/Fixes\n\n**Portal Server-embedded WebSphere Application Server** \n \n\n\n**_Fix_**| **_VRMF_**| **_Remediation/First Fix_** \n---|---|--- \n6.X.X-TIV-ITM_EWAS_ALL_8.00.12.04| 6.3.0.x| <http://www.ibm.com/support/docview.wss?uid=swg24043781> \nTechnote| 6.2.3.x| <http://www.ibm.com/support/docview.wss?uid=swg21633722> \nContains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.23. The link gives instructions to install eWAS 7.0 Fix Pack 43 (7.0.0.43). 
\n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:41:00", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2183", "CVE-2016-5546", "CVE-2016-5547", "CVE-2016-5548", "CVE-2016-5549", "CVE-2016-8919", "CVE-2017-1121"], "modified": "2018-06-17T15:41:00", "id": "88C8CF9B1989865EFD1C55095D4AB790C6DC1A4D65C5E126172ABE0EBC926E98", "href": "https://www.ibm.com/support/pages/node/561953", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:42:16", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security Access Manager for Enterprise Single Sign-On. 
Information about a security vulnerability affecting IBM Websphere Application Server has been published in a Security Bulletin.\n\n## Vulnerability Details\n\nConsult the Security Bulletin [Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes. \n\nConsult the Security Bulletin [Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nAffected Products and versions\n\n| Affected Components \n---|--- \nISAM ESSO 8.2, 8.2.1, 8.2.2| IBM Websphere Application Server 7.0, 8.5.0 \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-25T05:54:54", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities have been identified in IBM Websphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-25T05:54:54", "id": "36EAF631AD2195D87F303F82AFF5E7B7CFA7545A0A6B18A6E83CF844C469D54D", "href": "https://www.ibm.com/support/pages/node/553731", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:50:40", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security/Tivoli Directory Server. Information about a security vulnerabilities affecting IBM Websphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease see following security bulletins for vulnerabilities details: \n[Code execution vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) (CVE-2016-5983) and \n[Potential Information Disclosure vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) (CVE-2016-5986).\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as a component \n---|--- \nIBM Security Directory Server Version 6.4| IBM WebSphere Application Server Version 8.5.5.9 \nIBM Security Directory Server Version 6.3.1 and \nTivoli Directory Server Version 6.3| IBM WebSphere Application Server Version 7.0.0.41 \n \n## Remediation/Fixes\n\nApply WebSphere Application Server Interim Fix [_PI70737_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) for Vulnerability - (CVE-2016-5983) and [_PI67093_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) for Vulnerability -(CVE-2016-5986). \nAfter the above we can refer to SDS [recommended fixes](<http://www.ibm.com/support/docview.wss?uid=swg27009778>) . 
\nNote: 8.5.5.11 already includes both vulnerability fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:58:56", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in IBM Websphere Application Server shipped with IBM Security/Tivoli Directory Server (CVE-2016-5983 and CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-16T21:58:56", "id": "BA00D2D757BAAC274D87A18224BEBB9CAB187A87A5111B7900F36CE8500DC305", "href": "https://www.ibm.com/support/pages/node/558755", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:33", "description": "## Summary\n\nSecurity vulnerabilities have been identified in IBM Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console, and IBM Watson Content Analytics.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application 
Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nTo see which vulnerabilities apply to your product and version, see the applicable row in the following table. 
\n\n**Affected Product**\n\n| **Affected Versions**| **Applicable Vulnerabilities** \n---|---|--- \nWatson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983 \nWatson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983 \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983 \nWatson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983 \nWatson Content Analytics| 3.5.0.4| CVE-2016-5983 \nWatson Content Analytics| 3.5.0.0 - 3.5.0.3| CVE-2016-5986 \nCVE-2016-5983 \n \n## Remediation/Fixes\n\nFor information about fixes, see the applicable row in the following table. The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>. \n \n\n\n**Affected Product**| **Affected Versions**| **Vulnerability**| **Fix** \n---|---|---|--- \nWatson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983| Upgrade to Watson Explorer Analytical Components Version 11.0.2. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042893>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nWatson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983| Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042892>). 
For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983| **Important:** Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002** or later and extract the contents of the fix into a temporary directory.\n 3. Stop Watson Explorer Analytical Components.\n 4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.\n 5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.\n 6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT\n 7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n * **Note**: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. 
For example, Java 7.0.9.60 for Watson Explorer V10.\n* Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,**wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar**,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n\n * The new classpath replaces: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n* After saving the changes, restart Watson Explorer Analytical Components. \nWatson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983| **Important:** Perform these steps as a Watson Explorer Annotation Administration Console administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<www.ibm.com/support/docview.wss?uid=swg24039429>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-<edition>FoundationalAAC-IF002** or later and extract the contents of the fix into a temporary directory.\n 3. Stop Watson Explorer Annotation Administration Console.\n 4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.\n 5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.\n 6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. 
For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT\n 7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n * **Note**: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.\n* Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,**wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar**,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n\n * The new classpath replaces: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n* After saving the changes, restart Annotation Administration Console. \nWatson Content Analytics| 3.5.0.4| CVE-2016-5983| **Important:** Perform these steps as a Watson Content Analytics administrative user, typically esadmin. \n\n 1. Download 16.0.0.3-WS-WLP-IFPI62375 from <http://www.ibm.com/support/docview.wss?uid=swg24042712> and extract the contents of the fix into a temporary directory.\n 2. Stop Watson Content Analytics.\n 3. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n 4. Restart Watson Content Analytics. 
\nWatson Content Analytics| 3.5.0.0 - 3.5.0.3| CVE-2016-5986| Upgrade to Watson Content Analytics Version 3.5.0.4. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042836>). For information about upgrading, see the [upgrade procedures](<https://www.ibm.com/support/knowledgecenter/SS5RWK_3.5.0/com.ibm.discovery.es.in.doc/iiysiupover.htm>). \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T13:07:33", "type": "ibm", "title": "Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components, Watson Explorer Annotation Administration Console, and Watson Content Analytics", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T13:07:33", "id": "F9C7ACF2002F6F3FDF193E4C427570D3991980C9A65D31E141CF3787E2A33C07", "href": "https://www.ibm.com/support/pages/node/287719", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:39:16", "description": "## 
Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting Websphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, 1.0.1, 1.1, 1.1.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is shipped with Predictive Customer Intelligence. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [_Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [_Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": 
"CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in Websphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-5983, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2020-02-11T21:31:00", "id": "5E18DDFEF42C9E454FD2B7F4F9F8E06973E1051692FB5605975B9AA96CB79617", "href": "https://www.ibm.com/support/pages/node/553823", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:39", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in traditional WebSphere Application Server shipped with WebSphere Patterns when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. \n\n## Vulnerability Details\n\nConsult the security bulletin: [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5 \n * Version 8.0 \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:11", "type": "ibm", "title": "Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2016-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1151", "CVE-2017-1151"], "modified": "2018-06-15T07:07:11", "id": "1AFAEA5C5F4B46AA3B2C5CA93EE062A1E8CE0DB25F687322C578A8B11458B9A6", "href": "https://www.ibm.com/support/pages/node/294143", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:41", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. 
Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5,9.0| [_Potential Cross-site scripting vulnerability in WebSphere Application Server (CVE-2017-1121)_](<http://www.ibm.com/support/docview.wss?uid=swg21997743>) \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "baseScore": 5.4, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 2.7}, "published": "2018-06-15T07:07:03", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-1121)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.5, "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N", "version": "2.0", "accessVector": 
"NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1121", "CVE-2017-1121"], "modified": "2018-06-15T07:07:03", "id": "1381B98ABA6B880EAF88AF4EF55B330BFD425893F93C59EA19BE8351ADF9DDE4", "href": "https://www.ibm.com/support/pages/node/291771", "cvss": {"score": 3.5, "vector": "AV:N/AC:M/Au:S/C:N/I:P/A:N"}}, {"lastseen": "2023-06-03T17:48:43", "description": "## Summary\n\nMultiple vulnerabilities in IBM WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center. IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVEs. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9736_](<https://vulners.com/cve/CVE-2016-9736>)** \nDESCRIPTION:** IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119780_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119780>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-8934_](<https://vulners.com/cve/CVE-2016-8934>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. 
\nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118594_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118594>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n## Affected Products and Versions\n\nIBM Spectrum Control 5.2.8 through 5.2.13 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7.1 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.13 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM Smart Cloud Virtual Storage Center Storage Analytics Engine.\n\n## Remediation/Fixes\n\nThe solution is to apply an appropriate Tivoli Storage Productivity Center (IBM Spectrum Control) fix maintenance for each named product. Follow the link below, select the correct product version. Click on the download link and follow the Installation Instructions. The solution should be implemented as soon as practicable. Starting with 5.2.8, Tivoli Storage Productivity Center has been renamed to IBM Spectrum Control. 
\n\n**Note:** It is always recommended to have a current backup before applying any update procedure.\n\n \n \n**_IBM Spectrum Control _****_5_****_.2.x and Tivoli Storage Productivity Center V5.1.x_** \n \n**Release**| **First Fixing VRM Level**| **Link to Fix/Fix Availability Target** \n---|---|--- \n5.2.x| 5.2.14| <http://www.ibm.com/support/docview.wss?uid=swg21320822> \n5.1.x| 5.1.1.14| <http://www.ibm.com/support/docview.wss?uid=swg21320822> \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-02-22T19:27:34", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Spectrum Control and Tivoli Storage Productivity Center (CVE-2016-9736, CVE-2016-8934, CVE-2016-8919)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-8919", "CVE-2016-8934", "CVE-2016-9736"], "modified": "2022-02-22T19:27:34", "id": "EE31FC377D70F6E35C21A71191A7230C6A2677EB248387944F83CA0C5657975F", "href": "https://www.ibm.com/support/pages/node/293071", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, 
{"lastseen": "2023-02-21T05:50:41", "description": "## Summary\n\nThere are vulnerabilities in IBM\u00ae WebSphere Application Server Liberty shipped with IBM Security Directory Suite. Those issues were disclosed as part of the IBM WebSphere Application Server Liberty updates and it includes all vulnerabilities details.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>) \nDESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \nCVEID: [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \nDESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \nCVEID: [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \nDESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Security Directory Suite 8.0 and 8.0.1 which consumes IBM WebSphere Application Server Liberty 8.5.5\n\n## Remediation/Fixes\n\nRecent release contains IBM WebSphere Application Server Liberty 16.0.0.4 which has fix for all above vulnerabilities. \n\n**Product**\n\n| **Remediation** \n---|--- \nIBM Security Directory Suite 8.0| _Contact IBM Support_ \nIBM Security Directory Suite 8.0.1| [IBM Security Directory Suite 8.0.1.2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Security+Directory+Suite&fixids=8.0.1.2-ISS-ISDS_20170607-0918.pkg&function=fixId&parent=IBM%20Security>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:58:56", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM\u00ae WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, 
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-16T21:58:56", "id": "F24B112BBE3CAF70D3670CF507447BF00710A6E0550400417450D66CDE852B96", "href": "https://www.ibm.com/support/pages/node/558753", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T17:45:56", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Integrated Portal. \nIBM Tivoli Integrated Portal is in turn shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management. \nThe deserialization of untrusted data vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nTivoli Usage and Accounting Management V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Tivoli Integrated Portal. Tivoli Integrated Portal is shipped with IBM SmartCloud Cost Management and IBM Tivoli Usage Accounting Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19| [Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21994209>) \n \n[Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nTivoli Usage and Accounting Management V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-17T22:33:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Manager (CVE-2016-5983 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", 
"baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983"], "modified": "2018-06-17T22:33:14", "id": "CE3EB460B9647ACCA093825A27E5BECCC421E5D4A48BE26AB3F174E9509AEE7D", "href": "https://www.ibm.com/support/pages/node/599241", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:39:20", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple vulnerabilities have been addressed.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n** ** \n**CVEID:** [_CVE-2016-2923_](<https://vulners.com/cve/CVE-2016-2923>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty using JAX-RS API could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nIBM Control Center 6.1.0.0 through 6.1.0.1 iFix01 \nIBM Control Center 6.0.0.0 through 6.0.0.1 iFix07 \nIBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix09\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nIBM Control Center| 6.1.0.1| iFix02| [_Fix Central - 6.1.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.1.0.1&platform=All&function=all>) \nIBM Control Center| 6.0.0.1| iFix08| [_Fix Central - 6.0.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nSterling Control Center| 5.4.2.1| iFix10| [_Fix Central - 5.4.2.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \n \n## 
Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center \n(CVE-2016-5983, CVE-2016-2923, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2923", "CVE-2016-3092", "CVE-2016-5983"], "modified": "2019-12-17T22:47:42", "id": "E8EEB32757FCFDA746B60EBA71D8922DF48CC00375BF0160ABE189EB75238BD7", "href": "https://www.ibm.com/support/pages/node/287363", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:52:24", "description": "## Summary\n\nThere are multiple vulnerabilities identified in IBM Websphere Application Server (WAS) that is embedded in IBM Systems Director Storage Control. This update addresses these issues. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>) \n**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nFrom the IBM Systems Director command line enter **smcli lsver** to determine the level of IBM Systems Director installed. 
\n\n**Affected Product and Version(s)**| **Product and Version shipped as a component** \n---|--- \nIBM System Director Storage Control 4.2.6| IBM Systems Director 6.3.5 \nIBM System Director Storage Control 4.2.7| IBM Systems Director 6.3.6 \nIBM System Director Storage Control 4.2.8| IBM Systems Director 6.3.7 \n \n## Remediation/Fixes\n\n**WARNING:** Before installing the fix for this issue, you must install the fix described in Technote [**_760294347_**](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>) or [**_793147997_**](<http://www-01.ibm.com/support/docview.wss?uid=nas75cc6d09c7c17de078625803b0056876b>) found in the [_Support Portal_](<https://www-947.ibm.com/support/entry/portal/support/>). \n \nAfter installing the fix listed in [**_760294347_**](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>), or [**_793147997_**](<http://www-01.ibm.com/support/docview.wss?uid=nas75cc6d09c7c17de078625803b0056876b>) resolve this issue by following the instructions in Technote [**804133974**](<http://www-01.ibm.com/support/docview.wss?uid=nas77b4dfae046510ab5862580a6004ff0ca>) which is also found in the [**_Support Portal_**](<https://www-947.ibm.com/support/entry/portal/support/>). \n \nIBM Systems Director Storage Control versions pre-4.2.6 are unsupported and will not be fixed. 
IBM recommends upgrading to a fixed, supported version of the product.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:34:56", "type": "ibm", "title": "Security Bulletin: IBM Systems Director Storage Control is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3092", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-18T01:34:56", "id": "E9CDC7558DA989941146B3A84A11854BD9E2194AC94082893AAD204FB055A96A", "href": "https://www.ibm.com/support/pages/node/630559", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:52:35", "description": "## Summary\n\nMultiple vulnerabilities have been identified in the IBM Websphere Application Server (WAS) that is embedded in IBM FSM. This update addresses these issues.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. 
By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. 
\n\nProduct| VRMF| APAR| Remediation \n---|---|---|--- \nFlex System Manager| 1.3.4.0| IT17940| This WAS update is packaged with a Java Update, therefore follow the instructions for installing the Java Update to address these vulnerabilities. Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [803813703](<http://www-01.ibm.com/support/docview.wss?uid=nas76d4ae564397c85a5862580a30078290b>) for instructions on installing this update for FSM version 1.3.4 and Agents. \nFlex System Manager| 1.3.3.0| IT17940| This WAS update is packaged with a Java Update, therefore follow the instructions for installing the Java Update to address these vulnerabilities. Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [803813703](<http://www-01.ibm.com/support/docview.wss?uid=nas76d4ae564397c85a5862580a30078290b>) for instructions on installing updates for FSM version 1.3.3 and Agents. \nFlex System Manager| 1.3.2.0, 1.3.2.1| IT17940| This WAS update is packaged with a Java Update, therefore follow the instructions for installing the Java Update to address these vulnerabilities. Navigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>) and search for technote [803813703](<http://www-01.ibm.com/support/docview.wss?uid=nas76d4ae564397c85a5862580a30078290b>) for instructions on installing updates for FSM version 1.3.2 and Agents. \n \n \nFor all VRMF not listed in this table IBM recommends upgrading to a fixed, supported version/release of the product. \n\n\nYou should verify applying this fix does not cause any compatibility issues. 
The fix disables older encrypted protocols by default.\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:34:17", "type": "ibm", "title": "Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 )", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3092", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-18T01:34:17", "id": "06C8D02C038247F15E4D79EC7F9664B27635450E908F240B3E0213DF1114F10D", "href": "https://www.ibm.com/support/pages/node/630101", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:19", "description": "## Summary\n\nThe following security issues have been identified in WebSphere Application Server included as part of IBM Tivoli Monitoring (ITM) portal server. 
\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-0306](<https://vulners.com/cve/CVE-2016-0306>)** \nDESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111423> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 - Tivoli Enterprise Portal Server (TEPS) all CVEs above. 
\n \nIBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 - Tivoli Enterprise Portal Server (TEPS) all CVEs above except CVE-2016-0306.\n\n## Remediation/Fixes\n\n**Portal Server-embedded WebSphere Application Server** \n \n\n\n**_Fix_**| **_VMRF_**| **_Remediation/First Fix_** \n---|---|--- \n6.X.X-TIV-ITM_EWAS_ALL_8.00.12.02| 6.3.0| <http://www.ibm.com/support/docview.wss?uid=swg24043156> Contains a patch for the embedded WebSphere Application Server (eWAS) 8.0 Fix Pack 12 plus Interim Fix Block 2. \neWAS-7.00.00.41.02| 6.2.3| <http://www.ibm.com/support/docview.wss?uid=swg21633722> Contains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.2.3. The link gives instructions to install eWAS 7.0 Fix Pack 41 (7.0.0.41) and Interim Fix block 2 (or later). \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:32:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0306", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T15:32:10", "id": "04C68A4154F53DB70F6CF2A187509A3F1147E665A6C89FADCEBAB6E7F5E3009D", "href": "https://www.ibm.com/support/pages/node/287357", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:16", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) v7.0.x is shipped as a component of Tivoli Integrated Portal (TIP v2.1 and v2.2). The version of eWAS has been affected by multiple security vulnerabilities, as described below.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5573_](<https://vulners.com/cve/CVE-2016-5573>)** \nDESCRIPTION:** An unspecified vulnerability related to the VM component has high confidentiality impact, high integrity impact, and high availability impact. 
\nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118070_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118070>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-5597_](<https://vulners.com/cve/CVE-2016-5597>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5 \n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.17\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version 2.1.0 - 2.1.0.5, 2.2.0 - 2.2.0.17| embedded Websphere Application Server version 7.0.x| [PI70737:UNNECESSARY SETCOOKIE HEADER MIGHT BE SET AFTER APPLYING PI62375](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) [PI71259: SHIP JAVA 6 SR16 FP35 FOR WSAS V70.0.X](<http://www-01.ibm.com/support/docview.wss?uid=swg24042976>) \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires eWAS 7.0.0.31 or higher to be installed. \n \nTIP does not support upgrading the Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 must be applied, which will upgrade eWAS to 7.0.0.31 and above. 
Once the TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin. \n\n## Workarounds and Mitigations\n\nPlease refer to the WAS iFix as described above.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-17T15:31:07", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983"], "modified": "2018-06-17T15:31:07", "id": "CA204EAF8EB6773570243C27B9318F4C27C4261EA57DB67E645543CB983B7B3B", "href": "https://www.ibm.com/support/pages/node/557171", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:56", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed as part of the IBM SDK for Java updates in October 2016. 
These may affect some configurations of IBM WebSphere Application Server Liberty. There is a potential code execution vulnerability in WebSphere Application Server. \n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201c`IBM SDK for Java` Security Bulletin\" located in the \u201cReferences\u201d section for more information. \n \n**CVEID:** [_CVE-2016-5573_](<https://vulners.com/cve/CVE-2016-5573>)** \nDESCRIPTION:** An unspecified vulnerability related to the VM component has high confidentiality impact, high integrity impact, and high availability impact. \nCVSS Base Score: 8.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118070_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118070>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-5597_](<https://vulners.com/cve/CVE-2016-5597>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n\n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v3.4.1.\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java v3.5-20161114-1152 or higher, you must re-stage or re-push your application. To check which version of the Liberty for Java runtime your Bluemix application is using, navigate to the \"Files\" menu item for your application through the Bluemix UI. In the \"logs\" directory, check the \"staging_task.log\". \n \nYou can also find this file through the command-line Cloud Foundry client by running the following command: \n \n**cf files <appname> logs/staging_task.log** \n \nYou can see \n \n\\-----> Liberty Buildpack Version: _________ \n \nTo re-stage your application using the command-line Cloud Foundry client, use the following command: \n \n**cf restage <appname>** \n \nTo re-push your application using the command-line Cloud Foundry client, use the following command: \n \n**cf push <appname>**\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-15T07:06:45", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix (CVE-2016-5573, CVE-2016-5597, CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": 
"MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983"], "modified": "2018-06-15T07:06:45", "id": "E70120C165876F69BFB2C09908AC0EB9592A96A4EE7DF139E3FEA8B8E849302E", "href": "https://www.ibm.com/support/pages/node/286257", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:21", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Network Manager IP Edition. Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in security bulletins. 
\n\n\n## Vulnerability Details\n\nConsult the security bulletins:[](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) \n[ **Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)** ** \n[**Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n[**Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) \nfor vulnerabilities details and information about fixes.\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as a component \n---|--- \nTivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x which includes IBM WebSphere version 7.0.0.x \nTivoli Network Manager 4.1| Bundled the TIP version 2.2.0.x which includes IBM WebSphere version 7.0.0.x. \nTivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x which includes IBM WebSphere version 7.0.0.x. \nTivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires to install IBM Websphere Application Server Version 8.5.5.5 or later version separately. Users are recommended to apply IBM WebSphere version 8.5.5.5 Security Interim Fixes. 
\n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:29:12", "type": "ibm", "title": "Security Bulletin:Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Network Manager IP Edition (CVE-2016-5986, CVE-2016-5983, CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T15:29:12", "id": "F377EB02DAEA61BF9CA5FA8E0CC0F3E1F167BF16C536210BB423500CBF3E31FC", "href": "https://www.ibm.com/support/pages/node/553031", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:48:29", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of Rational Asset Manager. Information about security vulnerability affecting the WebSphere Application Server is published in this security bulletin. 
\n\n## Vulnerability Details\n\nYou must refer to the following security bulletins for vulnerability details and information about fixes: \n\n\n * [Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)\n * [Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137)](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>)\n * [Security Bulletin: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>)\n\n## Affected Products and Versions\n\n \nIBM Rational Asset Manager 7.5, 7.5.1, 7.5.2, and 7.5.3. \n\n\n## Remediation/Fixes\n\nYou must refer to the appropriate security bulletin for fix pack releases or an iFix listed in the following table and apply it. \n \n\n\nRAM| Embedded WAS?| WAS 7.0| WAS 8.0| WAS 8.5 \n---|---|---|---|--- \n7.5| \n\nYes | See the [Security Bulletin - CVE-2017-1194](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) for fix.| \n\nN/A | \n\nN/A \n7.5.1| See the [Security Bulletin - CVE-2017-1151](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>), [Security Bulletin CVE-2017-1137](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) and [Security Bulletin - CVE-2017-1194](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) for fix. \n7.5.2| \n\nNo | \n\nN/A | See the [Security Bulletin - CVE-2017-1151](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>), [Security Bulletin CVE-2017-1137](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) and [Security Bulletin - CVE-2017-1194](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) for fix. 
\n7.5.3 \n \n\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-17T05:21:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server that ships with Rational Asset Manager (CVE-2017-1151, CVE-2017-1137, CVE-2017-1194)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1137", "CVE-2017-1151", "CVE-2017-1194"], "modified": "2018-06-17T05:21:09", "id": "126537C1F8F0F30E3E1F51F743F09DF0CD7BE1FC4C806F6317B231F16161C1D7", "href": "https://www.ibm.com/support/pages/node/560521", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:52", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in traditional WebSphere Application Server when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. There is a potential for weaker than expected security with the Administrative Console in WebSphere Application Server. 
There is a potential cross-site request forgery in WebSphere Application Server OAuth service provider. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1151_](<https://vulners.com/cve/CVE-2017-1151>)** \nDESCRIPTION:** IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122292_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122292>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-1137_](<https://vulners.com/cve/CVE-2017-1137>)** \nDESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to the admin console. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121549_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121549>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-1194_](<https://vulners.com/cve/CVE-2017-1194>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/123669_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123669>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM WebSphere Application Server Version 8.5.5 is affected by vulnerabilities listed. \nIBM WebSphere Application Server Version 9 is only affected by CVE-2017-1151 and CVE-2017-1194. \nIBM WebSphere Application Server Liberty is only affected by CVE-2017-1194.\n\n## Remediation/Fixes\n\nTo **patch an existing service instance** requires two steps: \n \n1\\. To update WebSphere Application Server refer to the IBM WebSphere Application Server bulletins listed below: \n \n[**Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n[**Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) \n \n[**Security Bulletin: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)**](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) \n \n2\\. To apply the RHEL OS updates, run **yum update.** \n \nAlternatively, delete the vulnerable service instance and create a new instance. 
\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:36", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix (CVE-2017-1151, CVE-2017-1137, CVE-2017-1194 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1137", "CVE-2017-1151", "CVE-2017-1194"], "modified": "2018-06-15T07:07:36", "id": "F4CBE0BEFD1DA8501A4EEEFE2185F79E326C343FB6859A3E2FE3486A19C907D6", "href": "https://www.ibm.com/support/pages/node/561987", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:17", "description": "## Summary\n\nWebsphere Application Server - Liberty profile is shipped as a component of IBM Operations Analytics - Log Analysis. Information about a cross-site scripting vulnerability affecting Websphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Fix details \n---|---|--- \nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5| Websphere Application Server 8.5.5.6 - Liberty Profile| Fix available in fix central - 
[http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BOperations%2BAnalytics&product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Log+Analysis&release=1.3.5&platform=All&function=fixId&fixids=1.3.5-TIV-IOALA-IF001-IV90770&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BOperations%2BAnalytics&product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Log+Analysis&release=1.3.5&platform=All&function=fixId&fixids=1.3.5-TIV-IOALA-IF001-IV90770&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n \n \nPlease note: \n1) DO NOT install WAS 8.5.5.9 or later fix packs as they are NOT supported by Log Analysis 1.3.x \n\n## Workarounds and Mitigations\n\nPlease refer to the interim fix from WAS available in fix central, link provided above\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:31:11", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with IBM Operations Analytics - Log Analysis (CVE-2016-0378, CVE-2016-3040, CVE-2016-5986, CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", 
"authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T15:31:11", "id": "044AFEE40BF36BB3EE75709DF1CC1873FA73A33D95D8EC711E22E4A2F6E2FCF7", "href": "https://www.ibm.com/support/pages/node/557305", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:16", "description": "## Summary\n\nThere are vulnerabilities addressed in IBM WAS, IBM Runtime Environment Java\u2122Technology Edition, and OpenSSL that are used by ISD Storage Control. The Java issues were disclosed as part of the IBM Java updates for January 2017.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-2183_](<https://vulners.com/cve/CVE-2016-2183>)** \nDESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DES/3DES cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116337_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116337>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5546_](<https://vulners.com/cve/CVE-2016-5546>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component has no confidentiality impact, high integrity impact, and no availability impact. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120869_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120869>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-5548_](<https://vulners.com/cve/CVE-2016-5548>) \n**DESCRIPTION: **An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120864_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120864>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5549_](<https://vulners.com/cve/CVE-2016-5549>) \n**DESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 6.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120863_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120863>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) \n\n**CVEID:** [_CVE-2016-5547_](<https://vulners.com/cve/CVE-2016-5547>)** \nDESCRIPTION:** An unspecified vulnerability related to the Libraries component could allow a remote attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120871_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120871>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n \n**CVEID:** [_CVE-2016-8919_](<https://vulners.com/cve/CVE-2016-8919>)** \nDESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118529_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118529>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) \n\n## Affected Products and Versions\n\nFrom the IBM Systems Director command line enter **smcli lsver** to determine the level of IBM Systems Director installed. \n\n**Affected Product and Version(s)**| **Product and Version shipped as a component** \n---|--- \nIBM System Director Storage Control 4.2.6| IBM Systems Director 6.3.5 \nIBM System Director Storage Control 4.2.7| IBM Systems Director 6.3.6 \nIBM System Director Storage Control 4.2.8| IBM Systems Director 6.3.7 \n \n## Remediation/Fixes\n\nTo resolve this issue follow the instructions in table below. 
\n\n**Affected Product and Version(s)**| **Remediation Instructions** \n---|--- \nIBM System Director Storage Control 4.2.6| Technote [**812452926**](<http://www-01.ibm.com/support/docview.wss?uid=nas7048b55bc567477a3862580f90053c118>) in the [**Support Portal**](<https://www-947.ibm.com/support/entry/portal/support/>) \nIBM System Director Storage Control 4.2.7| Technote [**812452926**](<http://www-01.ibm.com/support/docview.wss?uid=nas7048b55bc567477a3862580f90053c118>) in the [**Support Portal**](<https://www-947.ibm.com/support/entry/portal/support/>) \nIBM System Director Storage Control 4.2.8| Technote [**812452926**](<http://www-01.ibm.com/support/docview.wss?uid=nas7048b55bc567477a3862580f90053c118>) in the [**Support Portal**](<https://www-947.ibm.com/support/entry/portal/support/>) \n \nIBM Systems Director Storage Control versions pre-4.2.6 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:35:36", "type": "ibm", "title": "Security Bulletin: IBM Systems Director (ISD) Storage Control is affected by vulnerabilities in IBM Websphere Application Server (WAS), OpenSSL and IBM Java Runtime.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", 
"baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2183", "CVE-2016-5546", "CVE-2016-5547", "CVE-2016-5548", "CVE-2016-5549", "CVE-2016-8919"], "modified": "2018-06-18T01:35:36", "id": "69A6EA281AC4328BC81447DEAF94CFCF026681260E4F53E94DBA50F99D58DCC7", "href": "https://www.ibm.com/support/pages/node/630947", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:55:57", "description": "## Summary\n\nIBM Tivoli Monitoring is shipped as a component of IBM Cloud Orchestrator Enterprise. \nInformation about security vulnerabilities affecting IBM Tivoli Monitoring has been published in the security bulletins below.\n\n## Vulnerability Details\n\nConsult the following security bulletins for IBM Tivoli Monitoring for vulnerability details and information about fixes. \n\n\n**CVE-IDs**| **Security Bulletin** \n---|--- \nCVE-2017-1121 \nCVE-2016-8919 \nCVE-2016-5546 \nCVE-2016-5548 \nCVE-2016-5549 \nCVE-2016-5547 \nCVE-2016-2183| [Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg22004242>) \nCVE-2017-1183 \nCVE-2017-1182| [Security Bulletin: IBM Tivoli Monitoring TEP Server vulnerabilities](<http://www.ibm.com/support/docview.wss?uid=swg22003402>) \nCVE-2016-6083| [Security Bulletin: IBM Tivoli Monitoring Soap Server (CVE-2016-6083)](<http://www.ibm.com/support/docview.wss?uid=swg22000909>) \nCVE-2016-5573 \nCVE-2016-5597 \nCVE-2016-8934 \nCVE-2016-9736| [Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21997882>) \nCVE-2016-5933| [Security Bulletin: IBM Tivoli Monitoring Basic Services Vulnerability (CVE-2016-5933)](<http://www-01.ibm.com/support/docview.wss?uid=swg21997223>) \n 
\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator Enterprise 2.5 through 2.5.0.4 \n\nIBM Cloud Orchestrator Enterprise 2.4 through 2.4.0.4\n\n| IBM Tivoli Monitoring 6.3.0.2 \nIBM Cloud Orchestrator Enterprise 2.3 and 2.3.0.1| IBM Tivoli Monitoring 6.3.0.1 \n \n\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-17T22:33:29", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been identified in IBM Tivoli Monitoring shipped with IBM Cloud Orchestrator Enterprise", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2183", "CVE-2016-5546", "CVE-2016-5547", "CVE-2016-5548", "CVE-2016-5549", "CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5933", "CVE-2016-6083", "CVE-2016-8919", "CVE-2016-8934", "CVE-2016-9736", "CVE-2017-1121", "CVE-2017-1182", "CVE-2017-1183"], "modified": "2018-06-17T22:33:29", "id": "191ED0FC710CC29D37F2021F055C5B6E215B0D429C955179B8D16255149183CC", "href": "https://www.ibm.com/support/pages/node/619381", "cvss": {"score": 7.8, "vector": 
"AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:43:00", "description": "## Summary\n\nIBM i Integrated Web Application Server version 8.5 is affected by multiple security vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-2960_](<https://vulners.com/cve/CVE-2016-2960>) \n**DESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113805_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113805>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>) \n**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n\n**CVEID:** [_CVE-2016-1546_](<https://vulners.com/cve/CVE-2016-1546>) \n**DESCRIPTION:** Apache HTTP Server is vulnerable to a denial of service, caused by the failure to limit the number of simultaneous stream workers for a single HTTP/2 connection when mod_http2 is enabled. A remote attacker could exploit this vulnerability using modified flow-control windows, to cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114793_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114793>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n \n \n\n\n**CVEID:** [_CVE-2016-4979_](<https://vulners.com/cve/CVE-2016-4979>) \n**DESCRIPTION:** Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the improper validation of X509 client certificate when experimental module for the HTTP/2 protocol is used to access a resource. 
An attacker could exploit this vulnerability to allow a third party to access resources on the web server without providing proper credentials and obtain sensitive information. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114720_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114720>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nRelease 6.1, 7.1, 7.2 and 7.3 of IBM i are affected. \n\n## Remediation/Fixes\n\nThe issue can be fixed by applying a PTF to IBM i. \n \nReleases 6.1, 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed. 
\n \n**Release 6.1 \u2013 SI62166** \n**Release 7.1 \u2013 SI62167 & SI62590** \n**Release 7.2 \u2013 SI62168** \n**Release 7.3 \u2013 SI62169** \n \n**_Important note: _**_IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: IBM i Integrated Web Application Server version 8.5 is affected by multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0385", "CVE-2016-1546", "CVE-2016-2960", "CVE-2016-3092", "CVE-2016-4979", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2019-12-18T14:26:38", "id": "52B4D9D8F0C35A8ED4BF1E8C6B7007F0F22DE6776296FCD8048C0DB7F18162CD", "href": "https://www.ibm.com/support/pages/node/667557", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:48:24", "description": "## Summary\n\nThere is a potential code execution vulnerability in WebSphere Application Server. 
OpenSSL vulnerabilities were disclosed on September 22 and 26, 2016 by the OpenSSL Project. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-2180_](<https://vulners.com/cve/CVE-2016-2180>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an out-of-bounds read in the TS_OBJ_print_bio function. A remote attacker could exploit this vulnerability using a specially crafted time-stamp file to cause the application to crash. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115829_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115829>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2016-2183](<https://vulners.com/cve/CVE-2016-2183>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the Triple-DES on 64-bit block cipher, used as a part of the SSL/TLS protocol. By capturing large amounts of encrypted traffic between the SSL/TLS server and the client, a remote attacker able to conduct a man-in-the-middle attack could exploit this vulnerability to recover the plaintext data and obtain sensitive information. This vulnerability is known as the SWEET32 Birthday attack. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116337> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n \n**CVEID:** [_CVE-2016-6304_](<https://vulners.com/cve/CVE-2016-6304>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by multiple memory leaks in t1_lib.c during session renegotiation. By sending an overly large OCSP Status Request extension, a remote attacker could exploit this vulnerability to consume all available memory resources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/117110_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/117110>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)\n\n**CVEID:** [CVE-2016-6303](<https://vulners.com/cve/CVE-2016-6303>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by an integer overflow in the MDC2_Update function. By using unknown attack vectors, a remote attacker could exploit this vulnerability to trigger an out-of-bounds write and cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117023> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2016-2178](<https://vulners.com/cve/CVE-2016-2178>) \n**DESCRIPTION:** OpenSSL could allow a remote attacker to obtain sensitive information, caused by an error in the DSA implementation that allows the following of a non-constant time codepath for certain operations. An attacker could exploit this vulnerability using a cache-timing attack to recover the private DSA key. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113889> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [CVE-2016-6306](<https://vulners.com/cve/CVE-2016-6306>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by missing message length checks when parsing certificates. A remote authenticated attacker could exploit this vulnerability to trigger an out-of-bounds read and cause a denial of service. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/117112> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server:\n\n * Liberty\n * Version 9.0\n * Version 8.5.5\n\n## Remediation/Fixes\n\nTo **patch an existing service instance** requires two steps: \n \n1\\. To update WebSphere Application Server refer to the IBM WebSphere Application Server bulletin listed below: \n \n[**Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)**](<https://www-01.ibm.com/support/docview.wss?uid=swg21990060>)**. ** \n \n2\\. To apply the RHEL OS updates, run **yum update.** \n \nAlternatively, delete the vulnerable service instance and create a new instance. 
The new maintenance will be included.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-16T17:48:41", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2178", "CVE-2016-2180", "CVE-2016-2183", "CVE-2016-5983", "CVE-2016-6303", "CVE-2016-6304", "CVE-2016-6306"], "modified": "2018-08-16T17:48:41", "id": "A126A145E69CBBC87108F9848562481E6F22BB79D162EC867EB21CB2178D3468", "href": "https://www.ibm.com/support/pages/node/714779", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-06-28T22:13:46", "description": "## Summary\n\nThe IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by multiple security vulnerabilities that exist in IBM SDK Java Technology Edition and IBM WebSphere Application Server. The security bulletin includes issues disclosed as part of the IBM Java SDK updates in October 2016 and includes the following additional vulnerabilities: \n1\\. 
Potential HTTP response splitting vulnerability in IBM WebSphere Application Server \n2\\. Apache Struts vulnerabilities affect WebSphere Application Server Administration Console \n3\\. Potential information disclosure in WebSphere Application Server \n4\\. Potential code execution vulnerability in WebSphere Application Server. \n5\\. Potential information disclosure in WebSphere Application Server using malformed SOAP requests.\n\n## Vulnerability Details\n\n \nThis bulletin covers all applicable Java SE CVEs published by Oracle as part of their October 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK and IBM WebSphere Application Server bulletins, but IBM Emptoris products are not vulnerable to them. Additionally, this bulletin covers other security vulnerabilities reported on WebSphere Application Server. \n \n**CVEID:** [_CVE-2016-0359_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0359>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. 
 \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [_CVE-2016-5986_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. 
An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5597_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-9736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9736>) \n**DESCRIPTION:** IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119780_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119780>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.1.2 \nIBM Emptoris Program Management 10.0.0 through 10.1.2 \nIBM Emptoris Sourcing 10.0.0 through 10.1.2 \nIBM Emptoris Spend Analysis 10.0.0 through 10.1.2 \nIBM Emptoris Supplier Lifecycle Management 9.5 through 10.1.2 \nIBM Emptoris Strategic Supply Management 10.0.0 through 10.1.2 \nIBM Emptoris Services Procurement 10.0.0\n\n## Remediation/Fixes\n\nInterim fixes have been issued for the IBM WebSphere Application Server (WAS) which will apply the needed fixes on WebSphere and also upgrade the IBM Java Development Kit to a version which is not susceptible to these vulnerabilities. \n \nCustomers running any of the IBM Emptoris products listed above should apply the interim fix to all IBM WebSphere Application Server installations that are used to run IBM Emptoris applications. See the references section for specific Java and WebSphere Security bulletins. \n \n \n\n\n**IBM Emptoris Product Version**| **IBM WebSphere Version**| **Interim Fix** \n---|---|--- \nIBM Emptoris Suite \n9.5.0.0 through 9.5.0.6 \n9.5.1.0 through 9.5.1.3 \n \n \n \nIBM Emptoris Services Procurement \n10.0.0.0 through 10.0.0.5| 8.0.0.0 through 8.0.0.12| Option 1: Follow Steps 1 through 6 below in the order specified: \n \nStep 1. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI58918_](<http://www.ibm.com/support/docview.wss?uid=swg24042445>) \n \nStep 2. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI64303_](<http://www.ibm.com/support/docview.wss?uid=swg24042468>) \n \nStep 3. 
Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI67093_](<http://www.ibm.com/support/docview.wss?uid=swg24042752>) \n \nStep 4. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI70737_](<http://www.ibm.com/support/docview.wss?uid=swg24042908>) \n \nStep 5. Apply Interim Fix[_ PI71257_](<http://www.ibm.com/support/docview.wss?uid=swg24042977>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 35 \n \nStep 6. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI66557_](<http://www.ibm.com/support/docview.wss?uid=swg24043105>) \n. \n \n\\--OR-- \n \nOption 2: \nApply Fix Pack 8.0.0.13 or later (targeted availability 20 February 2017) \n(Ensure IBM Java SDK shipped is applied with the upgrade) \n \nIBM Emptoris Suite \n10.0.0.0 through 10.0.0.3 \n10.0.1.0 through 10.0.1.5 \n10.0.2.0 through 10.0.2.12 \n10.0.3| 8.5.0.0 through 8.5.5.10| Option 1: Follow Steps 1 through 6 below in the order specified: \n \nStep 1. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI58918_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042445>) \n \nStep 2. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI64303_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) \n \nStep 3. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI67093_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) \n \nStep 4. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI70737 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n \nStep 5. 
Upgrade to WebSphere Application Server Traditional Fix Pack 8.5.5.1 or later then apply Interim Fix [_PI71255_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042968>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 35 \n \nStep 6. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI66557_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043105>) \n. \n \n\\--OR-- \n \nOption 2: \nApply Fix Pack 8.5.5.11 or later. (targeted availability 20 February 2017) \n(Ensure IBM Java SDK shipped is applied with the upgrade) \nIBM Emptoris Suite \n10.0.4 \n10.1.0.0 through 10.1.0.7 \n10.1.1.0 through 10.1.1.5 \n10.1.2| 8.5.5.0 through 8.5.5.10| Option 1: Follow Steps 1 through 6 below in the order specified: \n \nStep 1. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI58918_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042445>) \n \nStep 2. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI64303_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) \n \nStep 3. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI67093_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) \n \nStep 4. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI70737 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n \nStep 5. Upgrade to WebSphere Application Server Traditional Fix Pack 8.5.5.2 or later then apply Interim Fix [_PI71253_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042957>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 60 \n \nStep 6. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI66557_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043105>) \n. 
 \n \n\\--OR-- \n \nOption 2: \nApply Fix Pack 8.5.5.11 or later. (targeted availability 20 February 2017) \n(Ensure IBM Java SDK shipped is applied with the upgrade) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](<http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\n[WebSphere Security Bulletin: HTTP Response Splitting in WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21982526>)\n\n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>)\n\n[Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983).](<http://www.ibm.com/support/docview.wss?uid=swg21990060>)\n\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597)](<http://www.ibm.com/support/docview.wss?uid=swg21993440>)\n\n \n[_IBM Java SDK Security Bulletin_](<http://www.ibm.com/support/docview.wss?uid=swg21985393>) \n \n[Security Bulletin: Potential Information Disclosure in WebSphere Application Server 
(CVE-2016-9736)](<http://www.ibm.com/support/docview.wss?uid=swg21991469>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Jan 2017 - Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. 
Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-16T20:07:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": 
false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983", "CVE-2016-5986", "CVE-2016-9736"], "modified": "2018-06-16T20:07:17", "id": "A09274BA1A31537EA391724E8C52797113E094AE9E4EAA66FB5A50D995921587", "href": "https://www.ibm.com/support/pages/node/288965", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:23", "description": "## Summary\n\nIBM WebSphere Application Server patterns are shipped as a component of IBM PureApplication System. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in security bulletins (CVE-2016-0377, CVE-2016-0385, CVE-2016-2960, CVE-2016-0718, CVE-2016-3092, CVE-2016-5986, CVE-2016-5983, CVE-2016-3485). 
\n\n## Vulnerability Details\n\nConsult the security bulletin \n\n\n[\u00b7 Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www.ibm.com/support/docview.wss?uid=swg21980645>)\n\n[\u00b7 Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)](<http://www.ibm.com/support/docview.wss?uid=swg21982588>)\n\n[\u00b7 Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)](<http://www.ibm.com/support/docview.wss?uid=swg21984796>)\n\n[\u00b7 Security Bulletin: Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server (CVE-2016-0718)](<http://www.ibm.com/support/docview.wss?uid=swg21988026>)\n\n[\u00b7 Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www.ibm.com/support/docview.wss?uid=swg21987864>)\n\n[\u00b7 Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[\u00b7 Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>)\n\n[\u00b7 Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21988339>)\n\nfor vulnerability details and information about fixes. \n\n \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature. 
\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:20", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM PureApplication System", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-0718", "CVE-2016-2960", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-15T07:06:20", "id": "7E2F62106B895325A750D4AC20BF018E0EF2AE3D85B9685ADBC3048C8D7487CA", "href": "https://www.ibm.com/support/pages/node/553679", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:50:11", "description": "## Summary\n\nThere are 
multiple security vulnerabilities in various components fixed in the IBM Security Privileged Identity Manager Virtual Appliance\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-5958](<https://vulners.com/cve/CVE-2016-5958>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116135> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2016-5966](<https://vulners.com/cve/CVE-2016-5966>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager Virtual Appliance could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. 
\nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116177> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2016-5988](<https://vulners.com/cve/CVE-2016-5988>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager Virtual Appliance could disclose sensitive information in generated error messages that would be available to an authenticated user. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116558> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-5990](<https://vulners.com/cve/CVE-2016-5990>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager Virtual Appliance allows an authenticated user to upload malicious files that would be automatically executed by the server. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116561> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n**CVEID:** [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [CVE-2016-5597](<https://vulners.com/cve/CVE-2016-5597>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Security Privileged Identity Manager 2.0.2 and 2.1\n\n## Remediation/Fixes\n\nProduct\n\n| Remediation/First Fix \n---|--- \nISPIM 2.0.2| [2.0.2 ISPIM Interim Fix 9](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.0.2&platform=Linux&function=fixId&fixids=2.0.2-ISS-ISPIM-VA-IF0009&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nISPIM 2.1| Available via Passport Advantage \n_Passport Advantage is a secure Web site that requires an account ID and password. It makes all of the component and platform images associated with a product available for download._ \n \n_You can locate images on the Passport Advantage Online Web site by using the part number as the search query. 
For example, to locate the IBM Security Privileged Identity Manager version 2.1 use CNFX7ML as the search query _\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:49:17", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3092", "CVE-2016-5597", "CVE-2016-5958", "CVE-2016-5966", "CVE-2016-5983", "CVE-2016-5986", "CVE-2016-5988", "CVE-2016-5990"], "modified": "2018-06-16T21:49:17", "id": "B4ACC50FB3EFBFCDCC381ED7E344E2F40C781747A414909444C31FECCA264613", "href": "https://www.ibm.com/support/pages/node/288687", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2021-12-30T21:39:49", "description": "## Question\n\nSecurity Bulletins for Emptoris Services Procurement\n\n## Answer\n\n**This article tracks all Security Bulletins for Emptoris Services Procurement.** \n \nIBM's Product Security Incident Response Team (PSIRT) follows the NIST guidelines for determining the severity 
rating of the reported vulnerability - see \"[**NVD Vulnerability Severity Ratings**](<http://nvd.nist.gov/cvss.cfm\">)\" for details. Please use this information to take the appropriate actions. \n \nIn our effort to serve you better we recommend that you subscribe to this article for notification of new Security Bulletins and advisories posted here. \n\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products_**](<http://www.ibm.com/support/docview.wss?uid=swg22008401>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Potential security vulnerability in selected fixpacks of WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1501)_**](<http://www.ibm.com/support/docview.wss?uid=swg22008410>)\n\nOctober 13th 2017\n\n * [**_Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management suite of products and IBM Emptoris Services Procurement (CVE-2017-1380 CVE-2017-1382)_**](<http://www.ibm.com/support/docview.wss?uid=swg22007774>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: IBM Emptoris Services Procurement is affected by Information leakage vulnerability (CVE-2017-1547)_**](<http://www-01.ibm.com/support/docview.wss?uid=swg22007770>)\n\n \nOctober 13th 2017\n\n * [**_Security Bulletin: Open Source Apache Tomcat Vulnerabilities affect the IBM Emptoris Strategic Supply Management suite of products (CVE-2016-3092)_**](<http://www.ibm.com/support/docview.wss?uid=swg22005604>)\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services 
Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22004442>)**\n \nJuly 14th 2017\n\n * **[Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products.](<http://www.ibm.com/support/docview.wss?uid=swg22003479>)**\n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2016-8919)](<http://www-01.ibm.com/support/docview.wss?uid=swg22004642>)**\n \nJune 13th 2017\n\n * **[Security Bulletin: Vulnerability in IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1121)](<http://www.ibm.com/support/docview.wss?uid=swg22004706>)**\n \nJune 12th 2017\n\n * **[Security Bulletin: Vulnerability in IBM Websphere Application Server affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2017-1137)](<http://www.ibm.com/support/docview.wss?uid=swg22004666>)**\n \nJun 12 2017\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products. 
**](<http://www-01.ibm.com/support/docview.wss?uid=swg22004666&myns=swgother&mynp=OCSSYQ72&mynp=OCSSYR6U&mynp=OCSSYQAR&mynp=OCSSYR8W&mynp=OCSSYRER&mynp=OCSSYQ89&mync=E&cm_sp=swgother-_-OCSSYQ72-OCSSYR6U-OCSSYQAR-OCSSYR8W-OCSSYRER-OCSSYQ89-_-E>)\n \n \nJan 18 2017\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement**](<http://www-01.ibm.com/support/docview.wss?uid=swg21996820>)\n \n \nJuly 14 2016\n\n * [**Security Bulletin: A JMX component vulnerability in IBM Java SDK and IBM WebSphere Application Server affects IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement (CVE-2016-3427)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21986797>)\n \n \nMarch 7 2016\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-7575 CVE-2016-0466 CVE-2015-7417)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21978028>)\n \nDecember 15 2015\n\n * [**Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server used with IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement products (CVE-2015-4872)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21972272>)\n \nDecember 1st 2015\n\n * **[Security Bulletin: Vulnerability in Apache Commons affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement. 
(CVE-2015-7450)](<http://www-01.ibm.com/support/docview.wss?uid=swg21971731>)**\n \nNovember 06 2015\n\n * [**Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.**](<http://www-01.ibm.com/support/docview.wss?uid=swg21969875>)\n \nAugust 26th 2015\n\n * **Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement.**\n \nJune 24th 2015\n\n * **[Security Bulletin: Vulnerability reported in WebSphere Application Server management port affects IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement (CVE-2015-1920)](<https://emptoris.support.ibmcloud.com/ics/support/default.asp?deptID=31019&task=knowledge&questionID=21574&languageID=>)**\n \nApril 8th 2015\n\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-6593 CVE-2015-0410)](<http://www-01.ibm.com/support/docview.wss?uid=swg21700707>)**\nJanuary 27th 2015\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-3566 CVE-2014-6457)](<http://www-01.ibm.com/support/docview.wss?uid=swg21695096>)**\nJanuary 20th 2015\n * **[IBM Security Bulletin: Multiple vulnerabilities related to XML DoS attack IBM Emptoris Services Procurement (CVE-2014-3529 CVE-2014-3574)](<http://www-01.ibm.com/support/docview.wss?uid=swg21694987>)**\nSeptember 17th 2014\n * **[IBM Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM Emptoris Strategic Supply Management IBM Emptoris Rivermine Telecom Expense Management and IBM Emptoris Services Procurement (CVE-2014-4263 
CVE-2014-4244)](<http://www-01.ibm.com/support/docview.wss?uid=swg21684482>)**\n\" \n\n[{\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Component\":\"\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"All Versions\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-12-08T16:15:01", "type": "ibm", "title": "Security Bulletins for Emptoris Services Procurement", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-3529", "CVE-2014-3566", "CVE-2014-3574", "CVE-2014-4244", "CVE-2014-4263", "CVE-2014-6457", "CVE-2014-6593", "CVE-2015-0410", "CVE-2015-1920", "CVE-2015-4872", "CVE-2015-7417", "CVE-2015-7450", "CVE-2015-7575", "CVE-2016-0466", "CVE-2016-3092", "CVE-2016-3427", "CVE-2016-8919", "CVE-2017-1121", "CVE-2017-1137", "CVE-2017-1380", "CVE-2017-1382", "CVE-2017-1501", "CVE-2017-1547"], "modified": "2018-12-08T16:15:01", "id": 
"7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "href": "https://www.ibm.com/support/pages/node/783543", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T01:52:26", "description": "## Summary\n\nThis bulletin addresses several security vulnerabilities. \n \nIBM Cognos Business Intelligence has addressed a vulnerability where sensitive information can be revealed in its log files. \n \nThere is a vulnerability in IBM\u00ae WebSphere Application Server Liberty. Liberty is used by IBM Cognos Business Intelligence version 10.2.2. This issue was disclosed as part of the IBM WebSphere Application Server Liberty updates. \n \nIBM Cognos Business Intelligence has addressed several Apache Tomcat vulnerabilities. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-9985_](<https://vulners.com/cve/CVE-2016-9985>)** \nDESCRIPTION:** IBM Cognos Server stores highly sensitive information in log files that could be read by a local user. \nCVSS Base Score: 6.2 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/120391_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/120391>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) \n** ** \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. 
\nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-0762_](<https://vulners.com/cve/CVE-2016-0762>)** \nDESCRIPTION:** Apache Tomcat could allow a remote attacker to obtain sensitive information, caused by the failure to process the user supplied password if the specified user name does not exist by the Realm implementation. An attacker could exploit this vulnerability to conduct a timing attack and determine valid usernames on the system. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118407_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118407>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-5018_](<https://vulners.com/cve/CVE-2016-5018>)** \nDESCRIPTION:** Apache Tomcat could allow a local attacker to bypass security restrictions. An attacker could exploit this vulnerability using a Tomcat utility method to bypass a configured SecurityManager. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118406_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118406>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-6794_](<https://vulners.com/cve/CVE-2016-6794>)** \nDESCRIPTION:** Apache Tomcat could allow a local attacker to obtain sensitive information, caused by an error in the system property replacement feature. An attacker could exploit this vulnerability to bypass the SecurityManager and read system properties. 
\nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118405_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118405>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n**CVEID:** [_CVE-2016-6796_](<https://vulners.com/cve/CVE-2016-6796>)** \nDESCRIPTION:** Apache Tomcat could allow a local attacker to bypass security restrictions. By modifying configuration parameters for the JSP Servlet, an attacker could exploit this vulnerability to bypass a configured SecurityManager. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118404_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118404>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-6797_](<https://vulners.com/cve/CVE-2016-6797>)** \nDESCRIPTION:** Apache Tomcat could allow a local attacker to gain unauthorized access to the system, caused by an error in the ResourceLinkFactory. An attacker could exploit this vulnerability to gain access to arbitrary global JNDI resources. \nCVSS Base Score: 4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118403_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118403>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [_CVE-2016-6816_](<https://vulners.com/cve/CVE-2016-6816>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to HTTP response splitting attacks, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability to inject arbitrary HTTP headers and cause the server to re