Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM PureApplication System

Summary

IBM WebSphere Application Server patterns are shipped as a component of IBM PureApplication System. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in security bulletins (CVE-2016-0377, CVE-2016-0385, CVE-2016-2960, CVE-2016-0718, CVE-2016-3092, CVE-2016-5986, CVE-2016-5983, CVE-2016-3485).

Vulnerability Details

Consult the security bulletin

· Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)

· Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)

· Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)

· Security Bulletin: Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server (CVE-2016-0718)

· Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)

· Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)

· Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)

· Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server July 2016 CPU (CVE-2016-3485)

for vulnerability details and information about fixes.

The WebSphere fixes can be installed using the IBM PureApplication System’s Installation Manager Repository feature.

Affected Products and Versions

Principal Product and Version(s)

| Affected Supporting Product and Version
—|—
PureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0
IBM WebSphere Application Server 8.0.0.0
IBM WebSphere Application Server 8.5.0.0
IBM WebSphere Application Server 8.5.5.0

Workarounds and Mitigations

None