WebSphere Application Server and IBM HTTP Server Security Bulletin List

2022-07-13 18:04:48
www.ibm.com

Question

Is there a list that contains the security bulletins that apply to WebSphere Application Server and IBM HTTP Server?

Answer

The following tables list the security bulletins that apply to WebSphere Application Server and IBM HTTP Server. Within each year, entries are ordered by CVE number, not by publication date.

Note: the IBM Java runtime included with WebSphere Application Server also executes non-IBM code. The tables below include all IBM Java vulnerabilities that affect the WebSphere Application Server product itself, but there might be additional IBM Java vulnerabilities that affect non-IBM code running in your WebSphere Application Server environment. For a listing of all IBM Java security bulletins, refer to IBM Java Security Alerts. To determine which Java SDK version your WebSphere Application Server uses, refer to Verify Java SDK version shipped with WebSphere Application Server.

To avoid preventable security issues, it is recommended that you stay up-to-date on the most current maintenance options for your products. You can also subscribe to the security bulletins for each of your products as provided in this link, IBM Security Bulletins.

When significant updates have been made to security bulletins, it will be noted with the date of the last update in the bulletin columns.

Note: Starting 07/16/2020, each newly published fix is added both to the top of the Recent CVEs list below and to the table for its year, in numerical order.
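As an added example (not part of IBM's page), the following Python helper parses rows in the pipe-separated format the tables below use and answers the question a patch-triage engineer actually brings to this page: which entries affect my product and version at or above a given CVSS score. The sample rows are copied from the tables on this page; the class and function names are my own. The version cell is spelled several ways in the tables (comma- or space-separated, "VE" or "Virtual Enterprise" suffixes, a bare "Liberty"), so the parser normalizes those, and it flags the IBM Java SDK rows that the note above says may not cover non-IBM code running in the server.

```python
"""Triage helper for the WebSphere / IBM HTTP Server bulletin tables.

Each data row has six pipe-separated cells:
  Name | CVE | CVSS Score | WAS bulletin/assessment | IHS bulletin/assessment | Versions Affected
The Name cell is usually empty, so most rows start with a bare "|".
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample rows copied verbatim from the tables on this page (one of each
# spelling the tables contain; not a complete copy of the list).
SAMPLE_ROWS = """\
| CVE-2022-26377 | 7.3 | Not affected | HTTP Request Smuggling | 7.0,8.0,8.5,9.0
| CVE-2022-23307 | 9.8 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2022-21496 | 5.3 | IBM Java SDK for April 2022 CPU | Not affected | 9.0,8.5,Liberty
Log4Shell | CVE-2021-44228 | 10 | Remote Code Execution | Not affected | 9.0, 8.5
| CVE-2021-44790 | 9.8 | Not affected | Buffer overflow | 9.0
| CVE-2020-4448 | 9.8 | Remote Code Execution | Not affected | 9.0, 8.5, 8.0VE, 7.0VE
| CVE-2019-4720 | 7.5 | Denial of Service | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty
| CVE-2019-4279 | 9.0 | Remote Code Execution | Not affected | 9.0, 8.5, 7.0Virtual Enterprise
DROWN | CVE-2016-0800 | | Not affected bulletin | Not affected bulletin |
"""

VERSION_RE = re.compile(r"^(\d+\.\d+)")  # "8.0VE" and "7.0Virtual" both yield "8.0"/"7.0"


@dataclass
class Bulletin:
    name: str
    cve: str
    score: Optional[float]      # None when the table leaves the score blank (e.g. DROWN)
    was: str                    # WebSphere Application Server column
    ihs: str                    # IBM HTTP Server column
    versions: List[str] = field(default_factory=list)

    def affects(self, product: str, version: str) -> bool:
        """True if the row's assessment for `product` ("was" or "ihs") is not
        "Not affected" and `version` (e.g. "9.0" or "Liberty") is listed."""
        assessment = {"was": self.was, "ihs": self.ihs}[product]
        if assessment.lower().startswith("not affected"):
            return False
        return version in self.versions

    @property
    def java_sdk(self) -> bool:
        """Rows fixed by an IBM Java SDK CPU bulletin rather than a WAS fix pack."""
        return self.was.startswith("IBM Java SDK")


def parse_versions(cell: str) -> List[str]:
    """Normalize the Versions Affected cell: split on commas or whitespace,
    keep the numeric prefix of each token, keep "Liberty", drop edition words."""
    out = []
    for tok in re.split(r"[,\s]+", cell.strip()):
        if not tok:
            continue
        m = VERSION_RE.match(tok)
        if m:
            out.append(m.group(1))
        elif tok.lower() == "liberty":
            out.append("Liberty")
    return out


def parse_rows(text: str) -> List[Bulletin]:
    """Parse every six-cell data row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 6 or not (cells[1].startswith("CVE-") or cells[1] == "N/A"):
            continue
        try:
            score: Optional[float] = float(cells[2])
        except ValueError:
            score = None
        rows.append(Bulletin(cells[0], cells[1], score, cells[3], cells[4],
                             parse_versions(cells[5])))
    return rows


def triage(text: str, product: str, version: str, min_score: float = 0.0) -> List[Bulletin]:
    """Rows affecting `product`/`version` with CVSS >= min_score, highest score first.
    A blank score counts as 0.0, so it only survives when min_score is 0."""
    hits = [b for b in parse_rows(text)
            if b.affects(product, version) and (b.score or 0.0) >= min_score]
    return sorted(hits, key=lambda b: -(b.score or 0.0))  # stable: ties keep table order


if __name__ == "__main__":
    for b in triage(SAMPLE_ROWS, "was", "9.0", min_score=9.0):
        tag = " (Java SDK CPU)" if b.java_sdk else ""
        print(f"{b.cve}\t{b.score}\t{b.was}{tag}")
```

Paste the full tables from this page into `SAMPLE_ROWS` (or read them from a file) to run the same query against the complete list; the single `N/A` row in the 2018 table is accepted, and rows whose assessment column reads "Not affected" for the chosen product are excluded regardless of the versions listed.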

Recent CVEs (the previous 15 published, from most recent to least recent)

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2022-22477 | 6.1 | Cross-site Scripting | Not affected | 9.0,8.5
| CVE-2022-22473 | 3.7 | Information Disclosure | Not affected | 9.0,8.5,8.0,7.0
| CVE-2019-11777 | 7.5 | Spoofing vulnerability | Not affected | Liberty
| CVE-2022-22476 | 5.0 | Identity Spoofing | Not affected | Liberty
| CVE-2022-26377 | 7.3 | Not affected | HTTP Request Smuggling | 7.0,8.0,8.5,9.0
| CVE-2022-28614 | 5.3 | Not affected | Information Disclosure | 7.0,8.0,8.5,9.0
| CVE-2022-28615 | 6.5 | Not affected | Information Disclosure | 7.0,8.0,8.5,9.0
| CVE-2022-29404 | 5.3 | Not affected | Denial of Service | 7.0,8.0,8.5,9.0
| CVE-2022-30556 | 5.3 | Not affected | Information Disclosure | 7.0,8.0,8.5,9.0
| CVE-2022-31813 | 5.3 | Not affected | Bypass Security | 7.0,8.0,8.5,9.0
| CVE-2022-21496 | 5.3 | IBM Java SDK for April 2022 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2022-21299 | 5.3 | IBM Java SDK for April 2022 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2022-22365 | 5.6 | Spoofing vulnerability | Not affected | 9.0,8.5,8.0,7.0
| CVE-2022-22475 | 7.1 | Identity Spoofing | Not affected | Liberty

2022 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2022-31813 | 5.3 | Not affected | Bypass Security | 7.0,8.0,8.5,9.0
| CVE-2022-30556 | 5.3 | Not affected | Information Disclosure | 7.0,8.0,8.5,9.0
| CVE-2022-29404 | 5.3 | Not affected | Denial of Service | 7.0,8.0,8.5,9.0
| CVE-2022-28615 | 6.5 | Not affected | Information Disclosure | 7.0,8.0,8.5,9.0
| CVE-2022-28614 | 5.3 | Not affected | Information Disclosure | 7.0,8.0,8.5,9.0
| CVE-2022-26377 | 7.3 | Not affected | HTTP Request Smuggling | 7.0,8.0,8.5,9.0
| CVE-2022-25315 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-25313 | 5.5 | Not affected | Denial of Service | 9.0,8.5,8.0,7.0
| CVE-2022-25236 | 5.3 | Not affected | Denial of Service | 9.0,8.5,8.0,7.0
| CVE-2022-25235 | 3.3 | Not affected | Denial of Service | 9.0,8.5,8.0,7.0
| CVE-2022-23990 | 9.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-23852 | 9.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-23307 | 9.8 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2022-23305 | 6.5 | SQL Injection | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2022-23302 | 8.8 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2022-22827 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-22826 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-22825 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-22824 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-22823 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-22822 | 7.8 | Not affected | Remote Code Execution | 9.0,8.5,8.0,7.0
| CVE-2022-22721 | 7.3 | Not affected | Buffer Overflow | 9.0,8.5,8.0,7.0
| CVE-2022-22720 | 7.3 | Not affected | HTTP Request Smuggling | 9.0,8.5,8.0,7.0
| CVE-2022-22719 | 5.3 | Not affected | Denial of Service | 9.0,8.5,8.0,7.0
| CVE-2022-22477 | 6.1 | Cross-site Scripting | Not affected | 9.0,8.5
| CVE-2022-22476 | 5.0 | Identity Spoofing | Not affected | Liberty
| CVE-2022-22475 | 7.1 | Identity Spoofing | Not affected | Liberty
| CVE-2022-22473 | 3.7 | Information Disclosure | Not affected | 9.0,8.5,8.0,7.0
| CVE-2022-22393 | 3.1 | Information Disclosure | Not affected | Liberty
| CVE-2022-22365 | 5.6 | Spoofing vulnerability | Not affected | 9.0,8.5,8.0,7.0
| CVE-2022-22310 | 4.8 | Information Disclosure | Not affected | Liberty
| CVE-2022-21496 | 5.3 | IBM Java SDK for April 2022 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2022-21340 | 5.3 | IBM Java SDK for January 2022 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2022-21299 | 5.3 | IBM Java SDK for April 2022 CPU | Not affected | 9.0,8.5,Liberty

2021 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2021-46708 | 4.3 | Clickjacking vulnerability | Not affected | Liberty
| CVE-2021-46143 | 7.8 | Not affected | Remote Code Execution | 7.0,8.0,8.5,9.0
| CVE-2021-45960 | 5.5 | Not affected | Denial of Service | 7.0,8.0,8.5,9.0
| CVE-2021-45105 | 7.5 | Denial of Service | Not affected | 9.0, 8.5
| CVE-2021-45046 | 9.0 | Denial of Service | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2021-44832 | 6.6 | Remote Code Execution | Not affected | 9.0, 8.5
| CVE-2021-44790 | 9.8 | Not affected | Buffer overflow | 9.0
Log4Shell | CVE-2021-44228 | 10 | Remote Code Execution | Not affected | 9.0, 8.5
| CVE-2021-44224 | 8.2 | Not affected | Denial of Service | 9.0
| CVE-2021-40438 | 9.0 | Not affected | Server-side request forgery | 9.0
| CVE-2021-39275 | 3.7 | Not affected | Buffer overflow | 9.0, 8.5, 8.0, 7.0
| CVE-2021-39038 | 4.4 | Clickjacking vulnerability | Not affected | 9.0, Liberty
| CVE-2021-39031 | 7.5 | LDAP Injection | Not affected | Liberty
| CVE-2021-38951 | 7.5 | Denial of Service | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2021-36090 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2021-35603 | 3.7 | IBM Java SDK for January 2022 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2021-35578 | 5.3 | IBM Java SDK for October 2021 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2021-35564 | 5.3 | IBM Java SDK for October 2021 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2021-35550 | 5.9 | IBM Java SDK for January 2022 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2021-35517 | 5.5 | Denial of Service | Not affected | Liberty
| CVE-2021-34798 | 5.9 | Not affected | Denial of service | 9.0
| CVE-2021-30641 | 5.3 | Not affected | Weaker Security | 9.0, 8.5, 8.0, 7.0
| CVE-2021-29842 | 3.7 | Information Disclosure | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2021-29754 | 4.2 | Privilege Escalation | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2021-29736 | 5.0 | Privilege Escalation | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2021-26691 | 5.9 | Not affected | Heap Buffer Overflow | 9.0
| CVE-2021-26690 | 3.7 | Not affected | Denial of Service | 9.0
| CVE-2021-26296 | 8.8 | Cross-site request forgery | Not affected | 9.0, 8.5, 8.0, Liberty
| CVE-2021-23450 | 9.8 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2021-20517 | 6.4 | Directory Traversal | Not affected | 9.0, 8.5
| CVE-2021-20492 | 6.5 | XXE vulnerability | Not affected | 9.0, 8.5, 8.0, Liberty
| CVE-2021-20480 | 4.3 | Server-side request forgery | Not affected | 8.5, 8.0, 7.0
| CVE-2021-20454 | 8.2 | XXE vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2021-20453 | 8.2 | XXE vulnerability | Not affected | 9.0, 8.5, 8.0
| CVE-2021-20354 | 5.9 | Directory traversal | Not affected | 9.0, 8.5, 8.0
| CVE-2021-20353 | 8.2 | XXE vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2021-4104 | 8.1 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2021-2369 | 4.3 | IBM Java SDK for July 2021 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2021-2161 | 5.9 | IBM Java SDK for April 2021 CPU | Not affected | 9.0, 8.5, Liberty

2020 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2020-27221 | 9.8 | IBM Java SDK for January 2021 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14797 | 3.7 | IBM Java SDK for October 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14782 | 3.7 | IBM Java SDK for January 2021 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14781 | 3.7 | IBM Java SDK for January 2021 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14621 | 5.3 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14581 | 3.7 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14579 | 3.7 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14578 | 3.7 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-14577 | 3.7 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-13938 | 6.2 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2020-11985 | 5.3 | Not affected | Spoofing Vulnerability | 9.0
| CVE-2020-10693 | 5.3 | Bypass security | Not affected | Liberty
| CVE-2020-5258 | 7.5 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, Liberty
| CVE-2020-5016 | 5.3 | Directory traversal | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4949 | 8.2 | XXE vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4782 | 6.5 | Directory Traversal | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4643 | 7.5 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4629 | 2.9 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4590 | 5.3 | Denial of Service | Not affected | Liberty
| CVE-2020-4589 | 8.1 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0
| CVE-2020-4578 | 5.4 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4576 | 5.3 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2020-4575 | 4.7 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0 VE, 7.0 VE
| CVE-2020-4534 | 7.8 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0
| CVE-2020-4464 | 8.8 | Remote Code Execution | Not affected | 9.0,8.5,8.0,7.0
| CVE-2020-4450 | 9.8 | Remote Code Execution | Not affected | 9.0,8.5
| CVE-2020-4449 | 7.5 | Information Disclosure | Not affected | 9.0, 8.5, 8.0,7.0
| CVE-2020-4448 | 9.8 | Remote Code Execution | Not affected | 9.0, 8.5, 8.0 VE, 7.0 VE
| CVE-2020-4421 | 5.0 | Identity spoofing | Not affected | Liberty
| CVE-2020-4365 | 5.3 | Server-side request forgery | Not affected | 8.5
| CVE-2020-4362 | 7.5 | Privilege Escalation | Not affected | 9.0,8.5,8.0,7.0
| CVE-2020-4329 | 4.3 | Information Disclosure | Not affected | 9.0,8.5,8.0,7.0,Liberty
| CVE-2020-4304 | 6.1 | Cross-site scripting | Not affected | Liberty
| CVE-2020-4303 | 6.1 | Cross-site scripting | Not affected | Liberty
| CVE-2020-4276 | 7.5 | Privilege Escalation | Not affected | 9.0,8.5,8.0,7.0
| CVE-2020-4163 | 6.6 | Command Execution | Not affected | 9.0,8.5,8.0,7.0
| CVE-2020-2800 | 4.8 | IBM Java SDK for April 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2781 | 5.3 | IBM Java SDK for April 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2773 | 3.7 | IBM Java SDK for January 2021 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2755 | 3.7 | IBM Java SDK for April 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2754 | 3.7 | IBM Java SDK for April 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2654 | 3.7 | IBM Java SDK for April 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2601 | 6.8 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2593 | 4.8 | IBM Java SDK for January 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-2590 | 3.7 | IBM Java SDK for July 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2020-1934 | 8.1 | Not affected | Denial of Service | 9.0,8.5,8.0,7.0
| CVE-2020-1927 | 7.4 | Not affected | Phishing attack | 9.0,8.5,8.0,7.0

2019 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2019-17573 | 6.1 | Cross-site Scripting | Not affected | Liberty
| CVE-2019-17566 | 7.5 | Server-side request forgery | Not affected | 9.0,8.5,8.0
| CVE-2019-17495 | 5.3 | Information Disclosure | Not affected | Liberty
| CVE-2019-12402 | 4.3 | Denial of Service | Not affected | Liberty
| CVE-2019-12406 | 5.3 | Denial of Service | Not affected | 9.0,Liberty
| CVE-2019-11777 | 7.5 | Spoofing vulnerability | Not affected | Liberty
| CVE-2019-10098 | 3.7 | Not affected | Phishing attack | 9.0, 8.5, 8.0, 7.0
| CVE-2019-10092 | 4.7 | Not affected | Cross-site scripting | 9.0, 8.5, 8.0, 7.0
| CVE-2019-10086 | 5.3 | Unauthorized Access | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2019-9518 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2019-9517 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2019-9515 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2019-9514 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2019-9513 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2019-9512 | 7.5 | Denial of Service | Not affected | Liberty
| CVE-2019-4732 | 7.2 | IBM Java SDK for January 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2019-4720 | 7.5 | Denial of Service | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2019-4670 | 6.5 | Information Disclosure | Not affected | 9.0,8.5,8.0,7.0
| CVE-2019-4663 | 5.4 | Cross-site scripting | Not affected | Liberty
| CVE-2019-4505 | 3.7 | Information Disclosure | Not affected | 9.0, 8.5, 7.0 Virtual Enterprise
| CVE-2019-4477 | 5.3 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2019-4442 | 4.3 | Path Traversal | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2019-4441 | 5.3 | Information disclosure | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2019-4305 | 5.3 | Information disclosure | Not affected | Liberty
| CVE-2019-4304 | 6.3 | Bypass security | Not affected | Liberty
| CVE-2019-4285 | 5.4 | Clickjacking vulnerability | Not affected | Liberty
| CVE-2019-4279 | 9.0 | Remote Code Execution | Not affected | 9.0, 8.5, 7.0 Virtual Enterprise
| CVE-2019-4271 | 3.5 | HTTP Parameter Pollution | Not affected | 9.0, 8.5, 7.0 Virtual Enterprise
| CVE-2019-4270 | 5.4 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2019-4269 | 5.3 | Information Disclosure | Not affected | 9.0
| CVE-2019-4268 | 5.3 | Path Traversal | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2019-4080 | 6.5 | Denial of Service | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2019-4046 | 5.9 | Denial of Service | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2019-4030 | 5.4 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0 VE, 7.0 VE
| CVE-2019-2989 | 6.8 | IBM Java SDK for October 2019 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2019-2949 | 6.8 | IBM Java SDK for April 2020 CPU | Not affected | 9.0,8.5,Liberty
| CVE-2019-2426 | 3.7 | IBM Java SDK for January 2019 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2019-0220 | 5.3 | Not affected | Weaker Security | 9.0, 8.5, 8.0, 7.0
| CVE-2019-0211 | 8.2 | Not affected | Privilege Escalation | 9.0

2018 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| N/A | 8.1 | Remote code execution in JSF | Not affected | 8.5, 8.0, 7.0
| CVE-2018-25031 | 5.4 | Spoofing vulnerability | Not affected | Liberty
| CVE-2018-20843 | 3.3 | Not affected | Denial of service | 9.0, 8.5, 8.0, 7.0
| CVE-2018-17199 | 5.3 | Not affected | Bypass security | 9.0
| CVE-2018-12547 | 9.8 | IBM Java SDK for January 2019 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2018-12539 | 8.4 | IBM Java SDK for July 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-10237 | 7.5 | Denial of service | Not affected | 9.0, 8.5, Liberty
| CVE-2018-8039 | 7.5 | Man-in-the-Middle | Not affected | 9.0, Liberty
| CVE-2018-3180 | 5.6 | IBM Java SDK for October 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-3139 | 3.1 | IBM Java SDK for October 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2800 | 4.2 | IBM Java SDK for April 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2783 | 7.4 | IBM Java SDK for April 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2637 | 7.4 | IBM Java SDK for January 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2634 | 6.8 | IBM Java SDK for January 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2633 | 8.3 | IBM Java SDK for January 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2603 | 5.3 | IBM Java SDK for January 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2602 | 4.5 | IBM Java SDK for January 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-2579 | 3.7 | IBM Java SDK for January 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-1996 | 5.3 | Weaker Security | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1957 | 4.0 | Information Disclosure | Not affected | 9.0
| CVE-2018-1926 | 4.3 | Cross-site Request Forgery | Not affected | 9.0, 8.5
| CVE-2018-1905 | 7.1 | XXE vulnerability | Not affected | 9.0
| CVE-2018-1904 | 8.1 | Remote Code execution | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1902 | 3.1 | Spoofing Vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-1901 | 5.0 | Privilege Escalation | Not affected | 9.0, 8.5, Liberty
| CVE-2018-1890 | 5.6 | IBM Java SDK for January 2019 CPU | Not affected | 9.0, 8.5, Liberty
| CVE-2018-1851 | 7.3 | Code execution | Not affected | Liberty
| CVE-2018-1840 | 6.0 | Privilege escalation | Not affected | 9.0, 8.5

| CVE-2018-1798 | 6.1 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1797 | 6.3 | Directory traversal | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1794 | 6.1 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1793 | 6.1 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1777 | 5.4 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1770 | 6.5 | Directory traversal | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1767 | 6.1 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-1755 | 5.9 | Information Disclosure | Not affected | Liberty
| CVE-2018-1719 | 5.9 | Weaker security | Not affected | 9.0, 8.5
| CVE-2018-1695 | 7.3 | Spoofing vulnerability | Not affected | 8.5, 8.0, 7.0
| CVE-2018-1683 | 5.9 | Information disclosure | Not affected | Liberty
| CVE-2018-1656 | 7.4 | IBM Java SDK for July 2018 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2018-1643 | 6.1 | Cross-site Scripting | Not affected | 9.0, 8.5, 8.0
| CVE-2018-1626 | 4.3 | Cross-site Request Forgery | Not affected | 9.0, 8.5
| CVE-2018-1621 | 4.4 | Information disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1614 | 5.8 | Information disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1567 | 9.8 | Code execution | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1553 | 5.3 | Information disclosure | Not affected | Liberty
| CVE-2018-1447 | 5.1 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1427 | 6.2 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0, 7.0
| CVE-2018-1426 | 7.4 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0, 7.0
ROBOT | CVE-2018-1388 | 9.1 | Not affected | Information Disclosure | 7.0
| CVE-2018-1301 | 5.3 | Not affected | Denial of service | 9.0, 8.5, 8.0, 7.0

2017 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2017-15715 | 3.7 | Not affected | Weaker security | 9.0, 8.5, 8.0, 7.0
| CVE-2017-15710 | 5.3 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2017-12624 | 5.3 | Denial of Service | Not affected | 9.0, Liberty
| CVE-2017-12618 | 5.5 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2017-12613 | 9.1 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2017-10388 | 7.5 | IBM Java SDK for October 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-10356 | 6.2 | IBM Java SDK for October 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-10116 | 8.3 | IBM Java SDK for July 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-10115 | 7.5 | IBM Java SDK for July 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-10102 | 9.0 | IBM Java SDK for July 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-9798 | 7.5 | Not affected | Information Disclosure | 9.0, 8.5, 8.0, 7.0
| CVE-2017-7679 | 5.3 | Not affected | Information Disclosure | 9.0, 8.5, 8.0, 7.0
| CVE-2017-7668 | 5.3 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2017-5638 | 7.3 | Not affected bulletin | Not affected bulletin |
| CVE-2017-3736 | 5.9 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0, 7.0
| CVE-2017-3732 | 5.3 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0, 7.0
| CVE-2017-3511 | 7.7 | IBM Java SDK for April 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-3167 | 5.3 | Not affected | Bypass security | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1788 | 5.3 | Spoofing | Not affected | 9.0, Liberty
| CVE-2017-1743 | 4.3 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1741 | 4.3 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1731 | 8.8 | Privilege escalation | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1681 | 4.0 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-1583 | 5.3 | Information Disclosure | Not affected | 8.5, 8.0, Liberty
| CVE-2017-1504 | 5.3 | Weaker security | Not affected | 9.0
| CVE-2017-1503 | 6.1 | HTTP response splitting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1501 | 5.9 | Weaker security | Not affected | 9.0, 8.5, 8.0
| CVE-2017-1382 | 5.1 | Insecure file permissions | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1381 | 2.9 | Information disclosure | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1380 | 5.4 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2017-1194 | 4.3 | Cross-site request forgery | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2017-1151 | 8.1 | Privilege escalation | Not affected | 9.0, 8.5, 8.0
| CVE-2017-1137 | 5.9 | Weaker security | Not affected | 8.5, 8.0
| CVE-2017-1121 | 5.4 | Cross-site scripting vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0

2016 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2016-1000031 | 9.8 | Execute Code | Not affected | 9.0, 8.5, 8.0, Liberty
| CVE-2016-9736 | 3.7 | Information Disclosure | Not affected | 9.0, 8.5, 8.0
| CVE-2016-8934 | 5.4 | Cross-site scripting vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-8919 | 5.9 | Denial of service | Not affected | 9.0,8.5, 8.0, 7.0
| CVE-2016-8743 | 6.1 | Not affected | Response splitting attack | 9.0,8.5, 8.0, 7.0
| CVE-2016-7056 | 4.0 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0, 7.0
| CVE-2016-5986 | 3.7 | Information Disclosure | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5983 | 7.5 | Gain Privileges | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5597 | 5.9 | IBM Java SDK for October 2016 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5573 | 8.3 | IBM Java SDK for October 2016 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5549 | 6.5 | IBM Java SDK for January 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5548 | 6.5 | IBM Java SDK for January 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5547 | 5.3 | IBM Java SDK for January 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-5546 | 7.5 | IBM Java SDK for January 2017 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
HTTPOXY | CVE-2016-5387 | 8.1 | Not affected | Redirect HTTP traffic | 9.0, 8.5, 8.0, 7.0
| CVE-2016-4975 | 6.1 | Not affected | Superseded by CVE-2016-8743 | 9.0, 8.5, 8.0, 7.0
| CVE-2016-4472 | 5.3 | Not affected | Denial of Service with Expat | 9.0, 8.5, 8.0, 7.0
| CVE-2016-3485 | 2.9 | IBM Java SDK for July 2016 CPU | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-3427 | 10 | IBM Java SDK for April 2016 CPU | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-3426 | 4.3 | IBM Java SDK for April 2016 CPU | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-3092 | 5.3 | Apache Commons FileUpload Vulnerability | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-3042 | 5.4 | Cross-site scripting vulnerability | Not affected | Liberty
| CVE-2016-3040 | 6.3 | Open Redirect Vulnerability | Not affected | Liberty
| CVE-2016-2960 | 3.7 | Denial of Service with SIP Services | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-2945 | 5.0 | Weaker security in Liberty API discovery feature | Not affected | Liberty
| CVE-2016-2923 | 5.3 | Information Disclosure vulnerability | Not affected | Liberty
SWEET32 | CVE-2016-2183 | 3.7 | IBM Java SDK for January 2017 CPU | IBM HTTP Server and Sweet32 (21 Dec 2017) | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-1182 | 4.8 | Bypass Security Restrictions UDDI (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-1181 | 8.1 | Execute Code UDDI (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0
DROWN | CVE-2016-0800 | | Not affected bulletin | Not affected bulletin |
| CVE-2016-0718 | 9.8 | Not affected | Denial of Service with Expat (13 Sept 2016) | 9.0, 8.5, 8.0, 7.0
| CVE-2016-0702 | 2.9 | Not affected | Vulnerability in GSKit Component | 9.0, 8.5, 8.0
| CVE-2016-0488 | 4.0 | IBM Java SDK for January 2016 CPU | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0475 | 5.8 | IBM Java SDK for January 2016 CPU | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0466 | 5.0 | IBM Java SDK for January 2016 CPU | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0389 | 5.3 | Information Disclosure Vulnerability | Not affected | Liberty
| CVE-2016-0385 | 3.1 | Bypass security restrictions | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-0378 | 3.7 | Information Disclosure Vulnerability | Not affected | Liberty
| CVE-2016-0377 | 4.3 | Information Disclosure vulnerability | Not affected | 8.5, 8.0, 7.0
| CVE-2016-0360 | 8.1 | Deserialize objects with MQ Resource adapter (14 Mar 2017) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-0359 | 6.1 | HTTP Response Splitting | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0306 | 3.7 | Security vulnerability if FIPS 140-2 is enabled | Not affected | 8.5, 8.0,7.0, Liberty
| CVE-2016-0283 | 6.1 | Cross-site scripting vulnerability | Not affected | Liberty
| CVE-2016-0201 | 5.9 | Not affected | Vulnerability in GSKit component | 8.5, 8.0, 7.0

2015 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
SLOTH | CVE-2015-7575 | 7.1 | IBM Java SDK for January 2016 CPU | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-7450 | 9.8 | Vulnerability in Apache Commons affects IBM WebSphere Application Server (21 Dec 2017); Knowledge Center updates (14 Nov 2019) | Not affected | 8.5, 8.0, 7.0, Liberty; 9.0

| CVE-2015-7420 | 3.7 | Not affected | Vulnerability in GSKit component | 8.5, 8.0, 7.0
| CVE-2015-7417 | 5.4 | Cross-site scripting with OAuth | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-5262 | 5.3 | Denial of Service | Not affected | 9.0, 8.5, 8.0
| CVE-2015-5006 | 4.6 | IBM Java SDK for October 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-4947 | 7.5 | Not affected | Stack buffer overflow | 8.5, 8.0, 7.0, 6.1
| CVE-2015-4938 | 3.5 | Spoof servlet vulnerabilities | | 8.5, 8.0, 7.0, Liberty
| CVE-2015-4872 | 5.0 | IBM Java SDK for October 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-4749 | 4.3 | IBM Java SDK for July 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-4734 | 5.0 | IBM Java SDK for October 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
Log Jam | CVE-2015-4000 | 4.3 | Logjam with Diffie-Hellman ciphers | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-3183 | 6.1 | Not affected | HTTP Request smuggling | 8.5, 8.0, 7.0, 6.1
Bar Mitzvah | CVE-2015-2808 | 5.0 | Vulnerability in RC4 stream cipher affects WebSphere Application Server | Vulnerability in RC4 stream cipher affects IBM HTTP Server and Caching Proxy | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2625 | 2.6 | IBM Java SDK for July 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2613 | 5.0 | IBM Java SDK for July 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2601 | 5.0 | IBM Java SDK for July 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2017 | 5.0 | HTTP response splitting attack | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-1946 | 4.1 | Gain elevated privileges | Not affected | 8.5, 8.0, 7.0
| CVE-2015-1936 | 4.0 | Hijack users session vulnerability | Not affected | 8.5, 8.0
| CVE-2015-1932 | 5.0 | Information Disclosure vulnerability | Not affected | 8.5, 8.0, 7.0
| CVE-2015-1931 | 2.1 | IBM Java SDK for July 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-1927 | 6.8 | Gain elevated privileges vulnerability | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-1920 | 9.3 | Security vulnerability with management port in WebSphere Application Server | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-1916 | 5.0 | IBM Java SDK for April 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-1885 | 9.3 | Gain elevated privileges with OAuth grant password | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-1882 | 8.5 | Gain elevated privileges with EJB | Not affected | Liberty
| CVE-2015-1829 | 5.0 | Not affected | Denial of Service on Windows with IBM HTTP Server | 8.5, 8.0, 7.0, 6.1
| CVE-2015-1788 | 5.0 | Not affected | Denial of Service in GSKIT with IBM HTTP Server | 8.5, 8.0
| CVE-2015-1283 | 6.8 | Not affected | Denial of Service with IBM HTTP Server | 8.5, 8.0, 7.0, 6.1
| CVE-2015-0899 | 4.3 | Bypass security | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2015-0488 | 5.0 | IBM Java SDK for April 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0478 | 4.3 | IBM Java SDK for April 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0410 | 5.0 | IBM Java SDK for January 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-0400 | 5.0 | IBM Java SDK for January 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-0254 | 7.5 | Security vulnerability in Apache Standard Taglibs | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0250 | 4.3 | Security vulnerability in Apache Batik | Not affected | 8.5, 8.0, 7.0, 6.1
Ghost | CVE-2015-0235 | | Not affected | Not affected |
| CVE-2015-0226 | 5.0 | Security vulnerability in Apache WSS4J | Not affected | 8.5
| CVE-2015-0204 | 4.3 | IBM Java SDK for April 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0174 | 3.5 | Information disclosure with SNMP | Not affected | 8.5
| CVE-2015-0175 | 4.0 | Gain elevated privileges with authData elements | Not affected | Liberty
FREAK | CVE-2015-0138 | 4.3 | Vulnerability with RSA export Keys affects WebSphere Application Server | Vulnerability with RSA export keys affects IBM HTTP Server | 8.5, 8.0, 7.0, 6.1, Liberty

2014 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2014-8917 | 4.3 | Cross-site Scripting in Dojo Toolkit | Not affected | 8.5, 8.0
| CVE-2014-8890 | 5.1 | Elevated Privileges in Liberty | Not affected | Liberty
TLS Padding | CVE-2014-8730 | 4.3 | Not affected bulletin | TLS Padding in IBM HTTP Server | 8.5, 8.0, 7.0, 6.1
| CVE-2014-7810 | 5.0 | Bypass security | Bypass security | 9.0, 8.5, 8.0, 7.0, Liberty
Shell shock | CVE-2014-7189, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271 | | Bash Vulnerabilities: Not affected but applications could be | Bash Vulnerabilities: Not affected but applications could be | Customer application might be vulnerable
| CVE-2014-6593 | 4.0 | IBM Java SDK for January 2015 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6558 | 2.6 | IBM Java SDK for October 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6512 | 4.3 | IBM Java SDK for October 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6457 | 4.0 | IBM Java SDK for October 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6174 | 4.3 | Click jacking vulnerability | Not affected | 8.5, 8.0, 7.0
| CVE-2014-6167 | | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2014-6166 | 5.0 | Obtain sensitive information | Not affected | 8.5, 8.0
| CVE-2014-6164 | 4.3 | Spoofing vulnerability | Not affected | 8.5
| CVE-2014-4816 | 3.5 | Not affected | Cross-site scripting vulnerability | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-4770 | 3.5 | Not affected | Cross-site request forgery | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-4767 | 4.3 | Weaker than expected security | Not affected | Liberty
| CVE-2014-4764 | 7.1 | Denial of service | Not affected | 8.5, 8.0
| CVE-2014-4263 | 4.0 | IBM Java SDK for July 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-4244 | 4.0 | IBM Java SDK for July 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-3603 | 6.5 | Spoofing | Not affected | Liberty
| CVE-2014-3577 | 4.3 | Spoofing Vulnerability | Not affected | 9.0, 8.5, 8.0
POODLE | CVE-2014-3566 | 4.3 | IBM Java SDK for October 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-3083 | 5.0 | Obtain sensitive information | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2014-3070 | 5.0 | Obtain sensitive information | Not affected | 8.5, 8.0
| CVE-2014-3068 | 2.4 | IBM Java SDK for July 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-3022 | 5.0 | Bypass security | Not affected | 8.5, 8.0
| CVE-2014-3021 | 5.0 | Obtain sensitive information | Not affected | 8.5, 8.0, 7.0
| CVE-2014-0965 | 4.3 | Obtain sensitive information | Not affected | 8.5, 8.0, 7.0
| CVE-2014-0964 | 7.1 | Denial of service | Not affected | 6.1
| CVE-2014-0963 | 7.1 | Not affected | CPU exhaustion | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-0896 | 4.3 | Obtain sensitive information | Not affected | Liberty
| CVE-2014-0891 | 5.0 | Obtain sensitive information | Not affected | 8.5, 8.0, 7.0
| CVE-2014-0878 | 5.8 | IBM Java SDK for April 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0859 | 5.0 | Denial of service | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2014-0857 | 4.0 | Obtain Information | Not affected | 8.5, 8.0
| CVE-2014-0823 | 4.3 | View Files | Not affected | 8.5, 8.0, Liberty
| CVE-2014-0460 | 5.8 | IBM Java SDK for April 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0453 | 4.0 | IBM Java SDK for April 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0411 | 4.0 | IBM Java SDK for January 2014 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0231 | 5.0 | Not affected | Denial of Service | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-0226 | 7.5 | Not affected | Heap buffer overflow | 8.5, 8.0, 7.0, 6.1, 6.0
Heartbleed | CVE-2014-0160 | | Not affected Bulletin | Not affected Bulletin |
| CVE-2014-0118 | 5.0 | Not affected | Denial of Service | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-0114 | 7.5 | Execute code | Not affected | 7.0, 6.1
| CVE-2014-0114 | 7.5 | Execute code UDDI (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2014-0098 | 5.0 | Not affected | Denial of service | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0076 | 2.1 | Not affected | Information Disclosure | 8.5, 8.0
| CVE-2014-0050 | 5.0 | Denial of service | Not affected | 8.5, 8.0, 7.0, 6.1

2013 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2013-6747 | 7.1 | Not affected | Denial of Service | 8.5, 8.0, 7.0
| CVE-2013-6738 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2013-6725 | 3.5 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0
| CVE-2013-6440 | 4.3 | XML External Entity | Not affected | Liberty
| CVE-2013-6438 | 4.3 | Not affected | Buffer overflow | 8.5, 8.0, 7.0
| CVE-2013-6330 | 2.1 | Obtain sensitive information | Not affected | 7.0
| CVE-2013-6329 | 7.8 | Not affected | Denial of Service | 8.5, 8.0, 7.0, 6.1
| CVE-2013-6325 | 4.3 | Denial of Service | Not affected | 8.5, 8.0, 7.0
| CVE-2013-6323 | 3.5 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0
| CVE-2013-5802 | 2.6 | IBM Java SDK for Oct 2013 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-5780 | 4.3 | IBM Java SDK for Oct 2013 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-5704 | 5 | Not affected | Bypass security | 8.5, 8.0, 7.0, 6.1
| CVE-2013-5425 | 3.5 | Cross-site scripting | Not affected | 8.5
| CVE-2013-5418 | 3.5 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0
| CVE-2013-5417 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2013-5414 | 3.5 | Privilege escalation | Not affected | 8.5, 8.0, 7.0
| CVE-2013-5372 | 4.3 | IBM Java SDK for Oct 2013 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4053 | 6.8 | Privilege escalation | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4052 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4039 | 4 | Obtain sensitive information | Not affected | 8.5
| CVE-2013-4006 | 3.5 | Obtain sensitive information | Not affected | Liberty
| CVE-2013-4005 | 3.5 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4004 | 3.5 | Cross-site scripting | Not affected | 8.5, 8.0
| CVE-2013-3029 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-3024 | 6.9 | Execute code | Not affected | 8.5
| CVE-2013-2976 | 1.9 | Obtain sensitive information | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-2967 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-1896 | 4.3 | Not affected | Denial of Service | 8.5, 8.0, 7.0, 6.1
| CVE-2013-1862 | 5.1 | Not affected | Command execution | 8.5, 8.0, 7.0, 6.1
| CVE-2013-1768 | 10 | Deserialization | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2013-1571 | 4.3 | Clickjacking | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0599 | 5 | Obtain sensitive information | Not affected | 8.5
| CVE-2013-0597 | 3.5 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2013-0596 | 4.3 | Cross-site scripting | Not affected | 6.1
| CVE-2013-0565 | 4.3 | Cross-site scripting | Not affected | 8.5
| CVE-2013-0544 | 3.5 | File directory traversal | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0543 | 6.8 | Bypass security | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0542 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0541 | 1.9 | Buffer overflow | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0540 | 4.9 | Bypass security | Not affected | Liberty
| CVE-2013-0482 | 2.6 | Spoofing | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0467 | 4 | Obtain sensitive information | Not affected | 8.5
| CVE-2013-0464 | 4.3 | Execute code | Not affected | 8.5, 8.0
| CVE-2013-0462 | 6.5 | Bypass security | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2013-0461 | 1.2 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0460 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0459 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0458 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0443 | 4 | IBM Java SDK for Feb 2013 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0440 | 5 | IBM Java SDK for Feb 2013 CPU | Not affected | 8.5, 8.0, 7.0, 6.1
Lucky Thirteen | CVE-2013-0169 | 4.3 | IBM Java SDK for Feb 2013 CPU | Side Channel Attack | 8.5, 8.0, 7.0, 6.1

2012 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2012-6153 | 4.3 | Spoofing Vulnerability | Not affected | 9.0, 8.5, 8.0
| CVE-2012-5783 | 4.3 | Spoofing attacks | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2012-4853 | 4.3 | Cross-site request Forgery | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-4851 | 4.3 | Cross-site scripting | Not affected | Liberty
| CVE-2012-4850 | 7.5 | Privilege escalation | Not affected | Liberty
| CVE-2012-3330 | 5 | Denial of Service | Not affected | 8.5, 8.0, 7.0
| CVE-2012-3325 | 6 | Bypass security | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-3311 | 3 | Bypass security | Not affected | 8.5, 8.0, 7.0
| CVE-2012-3306 | 4.3 | Weaker security | Not affected | 8.5, 8.0, 7.0
| CVE-2012-3305 | 5.8 | File directory traversal | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-3304 | 6.8 | Hijack session | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-3293 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-2191 | 5 | Not affected | Denial of Service | 8.5, 8.0, 7.0, 6.1
| CVE-2012-2190 | 5 | Not affected | Denial of Service | 8.5, 8.0, 7.0, 6.1
| CVE-2012-2170 | 4.3 | Obtain sensitive information | Not affected | 8.0, 7.0, 6.1
| CVE-2012-2159 | 4.3 | Cross-site scripting | Not affected | 8.5, 8.0
| CVE-2012-2098 | 5 | Denial of Service | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-1148 | 5 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2012-1007 | 4.3 | Cross-site scripting | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2012-0876 | 5 | Not affected | Denial of Service | 9.0, 8.5, 8.0, 7.0
| CVE-2012-0720 | 4.3 | Cross-site scripting | Not affected | 8.0, 7.0, 6.1
| CVE-2012-0717 | 2.6 | Bypass security | Not affected | 7.0, 6.1
| CVE-2012-0716 | 4.3 | Cross-site scripting | Not affected | 8.0, 7.0, 6.1
| CVE-2012-0193 | 5 | Denial of Service | Not affected | 8.0, 7.0, 6.1

2011 CVEs

Name | CVE | CVSS Score | WebSphere Application Server Bulletin or Assessment | IBM HTTP Server Bulletin or Assessment | Versions Affected
---|---|---|---|---|---
| CVE-2011-4889 | 5 | Weaker security | Not affected | 8.0, 7.0, 6.1
| CVE-2011-4343 | 5 | Obtain sensitive information | Not affected | 8.5, 8.0, Liberty
| CVE-2011-1498 | 5 | Information Disclosure | Not affected | 9.0, 8.5, 8.0
| CVE-2011-1377 | 2.1 | Weaker security | Not affected | 8.0, 7.0, 6.1
| CVE-2011-1376 | 4.4 | Insecure permissions | Not affected | 8.0, 7.0, 6.1

**Important note:** IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
