Security Bulletin: Potential Denial of Service and Information Disclosure that affect IBM WebSphere Application Server for Bluemix (CVE-2016-8919, CVE-2016-9736)

Summary

There is a potential denial of service with WebSphere Application Server with SOAP connectors.
There is a potential information disclosure in WebSphere Application Server using malformed SOAP requests on WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2016-8919**
DESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118529 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)

CVEID: CVE-2016-9736**
DESCRIPTION:** IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/119780 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• Version 9.0
• Version 8.5.5

Remediation/Fixes

To patch an existing service instance, update WebSphere Application Server by referring to the IBM WebSphere Application Server bulletins listed below:

Security Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)

Security Bulletin: Potential Information Disclosure in WebSphere Application Server (CVE-2016-9736)

Alternatively, delete the vulnerable service instance and create a new instance. The new maintenance will be included.