Security Bulletin: vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Performance Management products

Summary

The vulnerabilities could allow a remote attacker to conduct phishing attacks or obtain sensitive information, or allow cross-site scripting in OpenID Connect clients.

Vulnerability Details

CVEID: CVE-2016-3040**
DESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.
CVSS Base Score: 6.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114636 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N)

CVEID: CVE-2016-3042**
DESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114638 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-0378**
DESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112240 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Monitoring 8.1.2 and 8.1.3

IBM Application Diagnostics 8.1.2 and 8.1.3

IBM Application Performance Management 8.1.2 and 8.1.3

IBM Application Performance Management Advanced 8.1.2 and 8.1.3

IBM Performance Management on Cloud

Remediation/Fixes

Product

| Product
VRMF| Remediation
—|—|—
IBM Monitoring

IBM Application Diagnostics

IBM Application Performance Management

IBM Application Performance Management Advanced

| 8.1.3

_ _
_ _| The vulnerabilities can be remediated by applying the following patches:

• Apply the IBM Performance Management 8.1.3.0 Interim Fix 07 patch to the Performance Management server. The patch is available from Fix Central:
  https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003073
• Apply the Hybrid Gateway for IBM Performance Management 8.1.3.0 Interim Fix 04 patch to the Hybrid Gateway. The patch is available from Fix Central:
  https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003074
  IBM Monitoring

IBM Application Diagnostics

IBM Application Performance Management

IBM Application Performance Management Advanced

| 8.1.2| The vulnerabilities can be remediated by applying the following patches:

• Apply the IBM Performance Management 8.1.2.0 Interim Fix 35 patch to the Performance Management server. The patch is available from Fix Central:
  https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003145

• Apply the Hybrid Gateway for IBM Performance Management 8.1.2.0 Interim Fix 36 patch to the Hybrid Gateway. The patch is available from Fix Central:
  https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003146
  IBM Application Performance Management on Cloud| N/A| The vulnerabilities can be remediated by applying the following patch:

• Apply the Hybrid Gateway for IBM Performance Management 8.1.3.1 Interim Fix 01 patch to the Hybrid Gateway. The patch is available from Fix Central: https://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001355