Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3

2022-09-08 00:26:26
www.ibm.com

7.1 High (CVSS2)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
CVSS String: AV:N/AC:M/Au:N/C:N/I:N/A:C

EPSS: 0.224 (Low), Percentile: 96.4%

Summary

Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3, IBM WebSphere Application Server Hypervisor 8.5.5.3 and IBM HTTP Server 8.5.5.3.

Vulnerability Details

CVE ID: CVE-2014-3022 (APAR PI09594)

DESCRIPTION: WebSphere Application Server allows for an information disclosure when an error page is displayed using a specially crafted URL.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93060 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
Fix:
Apply a Fix Pack or PTF containing this APAR PI09594, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.2:

  • Apply Fix Pack 3 (8.5.5.3), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

For V7.0.0.0 through 7.0.0.31:

  • Apply Fix Pack 33 (7.0.0.33), or later.

Workaround(s): None known
Mitigation(s): None known

CVE ID: CVE-2014-0965 (APAR PI11434)

DESCRIPTION: WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper handling of SOAP responses.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92878 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
Fix:
Apply a Fix Pack or PTF containing this APAR PI11434, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.2:

  • Apply Fix Pack 3 (8.5.5.3), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

For V7.0.0.0 through 7.0.0.31:

  • Apply Fix Pack 33 (7.0.0.33), or later.

Workaround(s): None known
Mitigation(s): None known


CVE ID: CVE-2014-0098 (APAR PI13028)

DESCRIPTION: IBM HTTP Server may be vulnerable to a denial of service, caused by certain cookies being logged in the access log. A remote attacker could exploit this vulnerability to cause the server process to hang or crash. This only affects users that have modified their configuration to add cookie logging.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to WebSphere Application Server Security bulletin for CVE-2014-0098 for remediation information.

CVE ID: CVE-2014-3070 (APAR PI16765)

DESCRIPTION: WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by improper account creation with the Virtual Member Manager SPI Admin Task addFileRegistryAccount.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93777 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to WebSphere Application Server Security bulletin for CVE-2014-3070 for remediation information.

CVE ID: CVE-2014-0963 (APAR PI17025)

DESCRIPTION: IBM HTTP Server is affected by a problem with the handling of certain SSL messages. The TLS implementation can, under very specific conditions, cause CPU utilization to rapidly increase. The situation occurs only in a certain error case that causes a single thread to begin looping. If this happens multiple times, more threads will begin to loop and an increase in CPU utilization will be seen. This increase could ultimately result in CPU exhaustion and unresponsiveness of the IBM HTTP Server and other software running on the affected system.

This issue can affect the availability of the system, but does not impact system confidentiality or integrity. This vulnerability can be remotely exploited, authentication is not required and the exploit is moderately complex.

To determine if your systems are being affected by this issue, you can monitor the CPU utilization for IBM HTTP Server instances, or monitor the mod_mpmstats output written to the ErrorLog.

CVSS:
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92844 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to WebSphere Application Server Security bulletin for CVE-2014-0963 for remediation information.

CVE ID: CVE-2014-3083 (APAR PI17768)

DESCRIPTION: WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93954 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8.5 Liberty Profile if you have installed the Portlet Container feature from the WASdev Liberty Repository.
  • Version 8
  • Version 7

Remediation/Fixes: Remediation is needed for WebSphere Application Server, and your own portlets may also need to be updated to avoid this issue. The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI17768, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.2 (Full Profile):

  • Apply Fix Pack 3 (8.5.5.3), or later.

-- Or --

For V8.5.0.0 through 8.5.5.2 (Liberty Profile), if you have installed the Portlet Container Feature from the WASdev Liberty Repository:

  • Remove the Portlet Container feature from your Liberty Profile server by deleting the following files and directories:

usr\extension\dev\api\spec\com.ibm.websphere.appserver.api.portlet_2.0.0.jar
usr\extension\dev\api\spec\com.ibm.ws.javaee.ccpp_1.0.0.jar
usr\extension\dev\api\spec\com.ibm.ws.javaee.portlet_2.0.0.jar
usr\extension\lib\com.ibm.ws.portletcontainer_2.0.0.jar
usr\extension\lib\features\com.ibm.websphere.appserver.portlet-2.0.mf
usr\extension\lib\features\l10n\com.ibm.websphere.appserver.portlet-2.0.properties
usr\extension\lafiles\com.ibm.websphere.appserver.portlet-2.0 directory and all subdirectories

Then install the most current version of the Portlet Container from the WASdev Liberty Repository.

For V8.0.0.0 through 8.0.0.9:

  • Apply Fix Pack 10 (8.0.0.10), or later.

-- Or --

For V7.0.0.0 through 7.0.0.33:

  • Apply Fix Pack 35 (7.0.0.35), or later.

-- Or --

Remediation for portlets:

All JSR 286 compliant portlets that derive from class javax.portlet.GenericPortlet must override method serveResource.
An overriding serveResource implementation must not call super.serveResource.
If the portlet does not use resource serving, an empty implementation of serveResource should be used.

Example: This empty implementation is correct for a portlet that does not use resource serving:

```java
@Override
public void serveResource(ResourceRequest request, ResourceResponse response)
        throws PortletException, IOException {
    // Empty implementation on purpose
    if (logger.isLoggable(Level.WARNING)) {
        // Unexpected call to serveResource, therefore log a warning.
        logger.log(Level.WARNING, "Unexpected call to serveResource.");
    }
}
```

Example of a WRONG fix:

```java
@Override
public void serveResource(ResourceRequest request, ResourceResponse response)
        throws PortletException, IOException {
    // FIXME: This is wrong: calling super.serveResource does not fix the security issue!
    super.serveResource(request, response);
}
```

Workaround(s): None known
Mitigation(s): None known
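The bulletin covers only the portlet that serves no resources. As an added example (not part of the IBM bulletin), the same rule applied to a portlet that does use resource serving: it handles only the resource IDs it knows, answers 404 itself for anything else, and never delegates to super.serveResource. The class name StatusPortlet and the two resource IDs are constructed for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.util.logging.Level;
import java.util.logging.Logger;

import javax.portlet.GenericPortlet;
import javax.portlet.PortletException;
import javax.portlet.ResourceRequest;
import javax.portlet.ResourceResponse;

// Constructed example portlet that DOES use resource serving. The override
// dispatches on an explicit allow-list of resource IDs and never falls back
// to GenericPortlet.serveResource, which the bulletin says must not be called.
public class StatusPortlet extends GenericPortlet {

    private static final Logger logger = Logger.getLogger(StatusPortlet.class.getName());

    // Resource IDs this portlet publishes; the names are an assumption for the example.
    private static final String RES_STATUS = "status";
    private static final String RES_VERSION = "version";

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        String id = request.getResourceID(); // null when the URL carried no resource ID

        if (RES_STATUS.equals(id)) {
            writeJson(response, "{\"status\":\"ok\"}");
        } else if (RES_VERSION.equals(id)) {
            writeJson(response, "{\"version\":\"1.0\"}");
        } else {
            // Unknown or missing resource ID: return 404 ourselves instead of
            // calling super.serveResource(request, response).
            if (logger.isLoggable(Level.WARNING)) {
                logger.log(Level.WARNING, "Rejected serveResource call for resource ID: {0}", id);
            }
            response.setProperty(ResourceResponse.HTTP_STATUS_CODE, "404");
        }
    }

    private static void writeJson(ResourceResponse response, String body) throws IOException {
        response.setContentType("application/json;charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.write(body);
        out.flush();
    }
}
```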

CVE ID: CVE-2014-0076 (APAR PI19700)

DESCRIPTION: The GSKit component in IBM HTTP Server could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic Curve Digital Signature Algorithm).

CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91990 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8

Remediation/Fixes: No action is required unless all of these conditions are met:

  • SSL is enabled
  • IBM HTTP Server is Version 8 or later
  • SSLCipherSpec has enabled ECDHE_ECDSA* ciphers
  • Configured certificate uses an ECC key rather than RSA
  • Configured certificate was created by a tool other than ikeyman or gskcapicmd

Fix:

If all of the above conditions are met, then apply the appropriate Fix Pack, PTF, or Interim Fix containing APAR PI19700, as noted below. If the SSLFIPSEnable directive is specified, the vulnerability remains after applying the fix. As a remediation, disable SSLFIPSEnable, or change any of the above conditions.

For affected IBM HTTP Server:

For V8.5.0.0 through 8.5.5.2:

  • Apply Fix Pack 3 (8.5.5.3), or later.

-- Or --

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

Workaround(s): None known
Mitigation(s): None known
CVE ID: CVE-2014-4764 (APAR PI21189)

DESCRIPTION: WebSphere Application Server on Windows using Load Balancer for IPv4 Dispatcher component may be vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the Load Balancer to crash.

CVSS:
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94723 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8

Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
Fix:
Apply a Fix Pack or PTF containing this APAR PI21189, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.2:

  • Apply Fix Pack 3 (8.5.5.3), or later.

For V8.0.0.0 through 8.0.0.9:

  • Apply Fix Pack 10 (8.0.0.10), or later.

Workaround(s): None known
Mitigation(s): None known

CVE ID: CVE-2014-4767 (APAR PI21284)

DESCRIPTION: WebSphere Application Server Liberty Profile could provide weaker than expected security when installing features via the Liberty Repository. A remote attacker could exploit this vulnerability to cause the installation of malicious code.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94832 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5 Liberty Profile

Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI21284, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.2:

  • Apply Fix Pack 3 (8.5.5.3), or later.

-- Or --

  • Apply Interim Fix PI21284

Workaround(s): None known
Mitigation(s): None known

IBM SDK: Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 8.5.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg21680418

