CVSS3 | 7.5 High
---|---
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | HIGH
Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2 | 7.8 High
---|---
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | NONE
Integrity Impact | NONE
Availability Impact | COMPLETE
Vector | AV:N/AC:L/Au:N/C:N/I:N/A:C
Security vulnerabilities have been identified in IBM Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console, IBM Watson Content Analytics, IBM Content Analytics, and OmniFind Enterprise Edition. Not all vulnerabilities affect all products and versions.
**CVEID:** CVE-2016-0359
**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using a specially crafted URL to cause the server to return a split response once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning and cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
**CVEID:** CVE-2016-3092
**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
**CVEID:** CVE-2016-3485
**DESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)
To see which vulnerabilities apply to your product and version, see the applicable row in the following table.

Affected Product | Affected Versions | Applicable Vulnerabilities
---|---|---
Watson Explorer Analytical Components | 11.0.0.0 - 11.0.0.3, 11.0.1.0 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485
Watson Explorer Analytical Components | 10.0.0.0 - 10.0.0.2 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485
IBM Watson Explorer Foundational Components Annotation Administration Console | 11.0.0.0 - 11.0.0.3, 11.0.1.0 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485
IBM Watson Explorer Foundational Components Annotation Administration Console | 10.0.0.0 - 10.0.0.2 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485
Watson Content Analytics | 3.5.0.0 - 3.5.0.3 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485
IBM Content Analytics | 3.0.0.0 - 3.0.0.6 | CVE-2016-3092, CVE-2016-3485
IBM OmniFind Enterprise Edition | 9.1.0.0 - 9.1.0.5 | CVE-2016-3092
IBM Content Analytics | 2.2.0.0 - 2.2.0.3 | CVE-2016-3092
For information about fixes, see the applicable row in the following table. The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>.
Affected Product | Affected Versions | Vulnerability | Fix
---|---|---|---
Watson Explorer Analytical Components | 11.0.0.0 - 11.0.0.3, 11.0.1 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485 | Upgrade to Watson Explorer Analytical Components Version 11.0.2. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
IBM Watson Explorer Foundational Components Annotation Administration Console | 11.0.0.0 - 11.0.0.3, 11.0.1 | CVE-2016-3092, CVE-2016-0359, CVE-2016-3485 | Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
Watson Explorer Analytical Components | 10.0.0.0 - 10.0.0.2 | CVE-2016-3092 | 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).<br>2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002 or later.<br>3. To install the fix, see <http://www.ibm.com/support/docview.wss?uid=swg21996334>.
Watson Explorer Analytical Components | 10.0.0.0 - 10.0.0.2 | CVE-2016-3485 | 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document). Note: If you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat these steps.<br>2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 7 for your edition (Enterprise or Advanced) and operating system from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-\<Edition\>Analytical-\<OS\>[32\|31]-7SR9FP60 or later. For example, 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux-7SR9FP60 and 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux32-7SR9FP60.<br>3. To apply the fix, follow the steps in Updating IBM Java Runtime.<br>4. Rename `$ES_INSTALL_ROOT/lib/activation.jar` to `activation.jar.orig`.
Watson Explorer Analytical Components | 10.0.0.0 - 10.0.0.2 | CVE-2016-0359 | Important: Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin.<br>1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).<br>2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002 or later and extract the contents of the fix into a temporary directory.<br>3. Stop Watson Explorer Analytical Components.<br>4. Overwrite the old version of esctrl.jar with the fixed version in the `$ES_INSTALL_ROOT/lib` directory.<br>5. Remove or rename the `$ES_INSTALL_ROOT/wlp` directory.<br>6. Extract wlp-core-embeddable-16.0.0.3.zip in the `$ES_INSTALL_ROOT` directory; the wlp directory is created. For example: `unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT`<br>7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example: `java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp`. Note: When you run the fix, use the JVM whose major version is the same as the version used by Watson Explorer and whose minor version is the latest available; for example, Java 7.0.9.60 for Watson Explorer V10.<br>8. Using a text editor, set the classpath in `$ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini` to: `classpath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar`<br>9. After saving the changes, restart Watson Explorer Analytical Components.
IBM Watson Explorer Foundational Components Annotation Administration Console | 10.0 - 10.0.0.2 | CVE-2016-3092 | 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).<br>2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-\<edition\>FoundationalAAC-IF002 or later.<br>3. To install the fix, see <http://www.ibm.com/support/docview.wss?uid=swg21996334>.
IBM Watson Explorer Foundational Components Annotation Administration Console | 10.0 - 10.0.0.2 | CVE-2016-3485 | 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document). Note: If you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat these steps.<br>2. Download the 32-bit and 64-bit packages of IBM Java Runtime, Version 7 for your edition (Enterprise or Advanced) and your operating system from Fix Central: 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-\<OS\>[32]-7SR9FP60 or later. For example, 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-Linux-7SR9FP60 and 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-Linux32-7SR9FP60.<br>3. To apply the fix, follow the steps in Updating IBM Java Runtime.<br>4. Rename `$ES_INSTALL_ROOT/lib/activation.jar` to `activation.jar.orig`.
IBM Watson Explorer Foundational Components Annotation Administration Console | 10.0 - 10.0.0.2 | CVE-2016-0359 | Important: Perform these steps as a Watson Explorer Annotation Administration Console administrative user, typically esadmin.<br>1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).<br>2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-\<edition\>FoundationalAAC-IF002 or later and extract the contents of the fix into a temporary directory.<br>3. Stop Watson Explorer Annotation Administration Console.<br>4. Overwrite the old version of esctrl.jar with the fixed version in the `$ES_INSTALL_ROOT/lib` directory.<br>5. Remove or rename the `$ES_INSTALL_ROOT/wlp` directory.<br>6. Extract wlp-core-embeddable-16.0.0.3.zip in the `$ES_INSTALL_ROOT` directory; the wlp directory is created. For example: `unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT`<br>7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example: `java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp`<br>8. Using a text editor, set the classpath in `$ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini` to: `classpath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar`<br>9. After saving the changes, restart Annotation Administration Console.
Watson Content Analytics | 3.5.0.0 - 3.5.0.3 | CVE-2016-3092, CVE-2016-3485, CVE-2016-0359 | Upgrade to Watson Content Analytics Version 3.5.0.4. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
IBM Content Analytics | 3.0.0.0 - 3.0.0.6 | CVE-2016-3092 | 1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack download document).<br>2. Download the package from Fix Central: interim fix 3.0.0.6-WT-ICA-IF002.<br>3. To install the fix, see <http://www.ibm.com/support/docview.wss?uid=swg21996334>.
IBM Content Analytics | 3.0.0.0 - 3.0.0.6 | CVE-2016-3485 | 1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack download document). Note: If you upgrade to Version 3.0.0.6 after you configure IBM Java Runtime, your changes are lost and you must repeat these steps.<br>2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from Fix Central: interim fix 3.0.0.6-WT-ICA-\<OS\>[32\|31]-6SR16FP35 or later. For example, 3.0.0.6-WT-ICA-Linux-6SR16FP35 and 3.0.0.6-WT-ICA-Linux32-6SR16FP35.<br>3. To apply the fix, follow the steps in Updating IBM Java Runtime.<br>4. Rename `$ES_INSTALL_ROOT/lib/activation.jar` to `activation.jar.orig`.
IBM OmniFind Enterprise Edition | 9.1 - 9.1.0.5 | CVE-2016-3092 | Contact IBM Support.
IBM Content Analytics | 2.2 - 2.2.0.3 | CVE-2016-3092 | Contact IBM Support.
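The following POSIX shell helpers are an added example, not part of the IBM bulletin, covering the file-level steps that the CVE-2016-0359 Liberty fix rows and the CVE-2016-3485 Java Runtime rows above share: the activation.jar rename, the classpath edit in indexservice__interface.ini, and a check that the Liberty servlet jar is in place afterwards. They take the install root (the bulletin's $ES_INSTALL_ROOT) as their argument and leave the esctrl.jar overwrite, the unzip and the `java -jar` fix run to the operator.

```shell
#!/bin/sh
# Added example (not from the IBM bulletin). Run as the esadmin user.
# Each function takes the install root ($ES_INSTALL_ROOT) as $1.

# Classpath value the bulletin specifies for indexservice__interface.ini.
WEX_FIXED_CLASSPATH='es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar'

# Java Runtime rows: rename lib/activation.jar to activation.jar.orig.
# Returns 0 if renamed or already renamed, 1 if neither file exists.
backup_activation_jar() {
  root=$1
  if [ -f "$root/lib/activation.jar.orig" ]; then
    return 0
  fi
  [ -f "$root/lib/activation.jar" ] || return 1
  mv "$root/lib/activation.jar" "$root/lib/activation.jar.orig"
}

# Liberty fix step 8: replace the classpath= line, keeping a .bak copy.
# awk is used instead of sed so the '/' in the value need no escaping.
set_indexservice_classpath() {
  ini=$1/configurations/interfaces/indexservice__interface.ini
  [ -f "$ini" ] || return 1
  cp "$ini" "$ini.bak"
  awk -v cp="$WEX_FIXED_CLASSPATH" '
    /^classpath=/ { print "classpath=" cp; done = 1; next }
    { print }
    END { if (!done) print "classpath=" cp }
  ' "$ini.bak" > "$ini"
}

# Post-fix check: the Liberty servlet jar must exist under wlp and the
# index service classpath must reference it. Returns 1 on either failure.
verify_liberty_fix() {
  root=$1
  jar=wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar
  [ -f "$root/$jar" ] || return 1
  grep -q "^classpath=.*$jar" \
    "$root/configurations/interfaces/indexservice__interface.ini"
}
```

Run `verify_liberty_fix "$ES_INSTALL_ROOT"` after the service restart; a non-zero exit means the wlp extraction or the ini edit did not take.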
None.