CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
There is a potential bypass security vulnerability in the expression language library used by WebSphere Application Server (CVE-2014-7810)
CVEID: CVE-2014-7810
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of expression language. An attacker could exploit this vulnerability to bypass the protections of a Security Manager.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103155> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APARs for each named product as soon as practical.
For WebSphere Application Server Liberty:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH02063
--OR--
· Apply Liberty Fix Pack 18.0.0.4 or later.
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:
For V9.0.0.0 through 9.0.0.9:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH02063
--OR--
· Apply Fix Pack 9.0.0.10 or later.
For V8.5.0.0 through 8.5.5.14:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH02063
--OR--
· Apply Fix Pack 8.5.5.15 or later.
For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH02063
For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and then apply Interim Fix PH02063
_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product._
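The remediation ranges above can be applied to an inventory of installed versions. The following is an added example, not IBM code: the function names, the `edition` labels and the sample inventory are hypothetical, and it assumes that every Liberty level below 18.0.0.4 needs action.

```python
# Added example: version triage against the remediation ranges in this bulletin.
# Range boundaries come from the bulletin text; all names here are hypothetical.

def parse(version):
    """'8.5.5.14' -> (8, 5, 5, 14); anything but four numeric parts is rejected."""
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"expected a four-part version, got {version!r}")
    return tuple(int(p) for p in parts)

# (first level, last level, fix pack that contains the fix or None)
# Where no fix pack is listed, the bulletin requires the last level plus PH02063.
TRADITIONAL = [
    ("9.0.0.0", "9.0.0.9", "9.0.0.10"),
    ("8.5.0.0", "8.5.5.14", "8.5.5.15"),
    ("8.0.0.0", "8.0.0.15", None),
    ("7.0.0.0", "7.0.0.45", None),
]
LIBERTY_FIX_PACK = "18.0.0.4"

def remediation(edition, version):
    """Return (needs_action, advice); needs_action is None if the bulletin is silent."""
    v = parse(version)
    if edition == "liberty":
        # Assumption: every Liberty level below the fixed fix pack needs action.
        if v >= parse(LIBERTY_FIX_PACK):
            return (False, "fix pack level already contains the fix")
        return (True, f"apply Liberty Fix Pack {LIBERTY_FIX_PACK} or later, or PH02063")
    for first, last, fix_pack in TRADITIONAL:
        if parse(first) <= v <= parse(last):
            if fix_pack:
                return (True, f"apply Fix Pack {fix_pack} or later, or PH02063")
            if v < parse(last):
                return (True, f"upgrade to {last}, then apply PH02063")
            return (True, "apply PH02063")
        if fix_pack and v[:2] == parse(first)[:2] and v > parse(last):
            return (False, "fix pack level already contains the fix")
    return (None, "version not covered by this bulletin")

# Constructed inventory, not real hosts.
INVENTORY = [("app01", "traditional", "8.5.5.12"), ("app02", "traditional", "7.0.0.31"),
             ("app03", "liberty", "18.0.0.4"), ("app04", "traditional", "8.0.0.15")]

if __name__ == "__main__":
    for host, edition, version in INVENTORY:
        print(host, version, *remediation(edition, version))
```

A version number alone does not show whether Interim Fix PH02063 is already installed, so a `True` result means the installed interim fixes still have to be checked on that host.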