9.3 High
CVSS2 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
IBM Jazz for Service Management bundles IBM WebSphere Application Server (WAS) v8.5 and below. These lower-level WAS full-profile releases are affected by several security vulnerabilities, which IBM addresses through multiple interim fixes.
We recommend installing these WAS interim fixes to remediate the vulnerabilities listed below.
CVEID: CVE-2015-1885 (APAR PI33202 and PI36211)
DESCRIPTION: WebSphere Application Server Full Profile and Liberty Profile could allow a remote attacker to gain elevated privileges on the system when the OAuth "password" grant type is used.
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101255> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0250
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially crafted SVG file, an attacker could exploit this vulnerability to read files and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101614> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1927
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to gain elevated privileges on the system, caused by an application not having the correct serveServletsbyClassname setting. If a developer does not set this property correctly, an attacker could exploit this vulnerability to gain unauthorized access.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102872> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
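A check a practitioner would want alongside the CVE-2015-1927 entry is an inventory of which deployed web modules still enable serving servlets by class name. The following script is an added example, not IBM's code and not part of this bulletin. It assumes the WAS 8.x descriptor is WEB-INF/ibm-web-ext.xml with the element enable-serving-servlets-by-class-name, and that the legacy descriptor is WEB-INF/ibm-web-ext.xmi with the root attribute serveServletsByClassnameEnabled; verify both names against your own WAS profile and documentation. The sample descriptors and the in-memory .war are constructed for the example.

```python
"""Audit WebSphere web-module extension descriptors for the
'serve servlets by class name' setting described under CVE-2015-1927.

Added example, not IBM's code. Assumptions to verify against your own
WAS 8.5 profile and documentation:
  * WAS 8.x descriptor: WEB-INF/ibm-web-ext.xml with
      <enable-serving-servlets-by-class-name value="true|false"/>
  * Legacy XMI descriptor: WEB-INF/ibm-web-ext.xmi with the attribute
      serveServletsByClassnameEnabled="true|false" on the root element
When neither is present the setting is reported as 'unset' so that the
container default is reviewed rather than assumed safe.
"""
import io
import xml.etree.ElementTree as ET
import zipfile
from typing import Optional, Union

# Constructed sample descriptors (not taken from any real application).
WEAK_XML = """<web-ext xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <enable-serving-servlets-by-class-name value="true"/>
  <enable-directory-browsing value="false"/>
</web-ext>"""

# Same descriptor with the weak setting corrected.
HARDENED_XML = WEAK_XML.replace('value="true"', 'value="false"', 1)

LEGACY_XMI = """<webappext:WebAppExtension xmi:version="2.0"
  xmlns:xmi="http://www.omg.org/XMI" xmlns:webappext="webappext.xmi"
  serveServletsByClassnameEnabled="true"/>"""

UNSET_XML = """<web-ext xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <enable-directory-browsing value="false"/>
</web-ext>"""

DESCRIPTORS = ("WEB-INF/ibm-web-ext.xml", "WEB-INF/ibm-web-ext.xmi")


def serve_by_classname(descriptor: str) -> Optional[bool]:
    """True/False for an explicit setting, None when the descriptor is silent."""
    root = ET.fromstring(descriptor)
    attr = root.get("serveServletsByClassnameEnabled")  # legacy XMI form
    if attr is not None:
        return attr.strip().lower() == "true"
    for element in root.iter():  # WAS 8.x XML form, namespace-agnostic
        if element.tag.split("}")[-1] == "enable-serving-servlets-by-class-name":
            return (element.get("value") or "").strip().lower() == "true"
    return None


def state_label(value: Optional[bool]) -> str:
    """Human-readable classification used in audit output."""
    if value is None:
        return "unset"
    return "enabled" if value else "disabled"


def audit_war(war: Union[str, io.BytesIO]) -> dict:
    """Classify one .war (path or file object) by its extension descriptor."""
    with zipfile.ZipFile(war) as archive:
        names = set(archive.namelist())
        for name in DESCRIPTORS:
            if name in names:
                text = archive.read(name).decode("utf-8")
                return {"descriptor": name,
                        "state": state_label(serve_by_classname(text))}
    return {"descriptor": None, "state": "unset"}


def build_war(descriptor_name: str, descriptor_text: str) -> io.BytesIO:
    """Build a minimal in-memory .war so the audit can be exercised offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("WEB-INF/web.xml", "<web-app/>")
        archive.writestr(descriptor_name, descriptor_text)
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for label, text in (("weak", WEAK_XML), ("hardened", HARDENED_XML),
                        ("legacy", LEGACY_XMI), ("unset", UNSET_XML)):
        print(label, state_label(serve_by_classname(text)))
    print(audit_war(build_war("WEB-INF/ibm-web-ext.xml", WEAK_XML)))
```

In practice, point audit_war at every .war under the profile's installedApps directory (or extract the descriptors from EAR files the same way); anything reported as "enabled" or "unset" should be reviewed with the application owner, because the page does not state what the container default is.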
CVEID: CVE-2015-1936
DESCRIPTION: The IBM WebSphere Application Server Administrative console could allow a remote authenticated attacker to hijack a user's session when Security is not enabled. An attacker could exploit this vulnerability using the JSESSIONID parameter to gain access to another user's session.
CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103108> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID: CVE-2015-1946
DESCRIPTION: IBM WebSphere Application Server 8.5 and IBM WebSphere Virtual Enterprise 7.0 could allow a local attacker to gain elevated privileges on the system, caused by user roles not being handled properly.
CVSS Base Score: 4.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103201> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)
These vulnerabilities affect the following versions of Jazz for Service Management:
Jazz for Service Management 1.1 and fix packs
Jazz for Service Management 1.1.1
Jazz for Service Management 1.1.2
Refer to the WAS security bulletin to remediate the vulnerabilities in WAS Full Profile (v8.5 and below): <http://www-01.ibm.com/support/docview.wss?uid=swg21959083>
No workarounds or mitigations are available; apply the corresponding interim fixes.
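Because the bulletin's only remediation is to install the interim fixes, the useful check is whether the APARs it names for CVE-2015-1885 (PI33202 and PI36211) are actually present on the bundled WAS. The script below is an added example, not IBM's code and not part of this bulletin. It assumes the inventory text comes from versionInfo.sh -ifixes (or versionInfo.bat on Windows) run from the WAS bin directory, that each interim fix is named with its APAR number in the form ...-IFPInnnnn, and that the product version appears on a line beginning with "Version"; the sample inventory is constructed, not real output, and only the APAR token pattern is relied on, so the report layout does not matter.

```python
"""Check a WebSphere profile's interim-fix inventory for the APARs this
bulletin names for CVE-2015-1885 (PI33202 and PI36211).

Added example, not IBM's code. Assumptions to verify on your own system:
  * The inventory text comes from `versionInfo.sh -ifixes` (or
    versionInfo.bat) run from the WAS bin directory, and names each
    interim fix with its APAR number in the form ...-IFPInnnnn.
  * The product version appears on a line beginning with "Version".
Only the APAR token pattern is relied on, so the exact layout of the
report does not matter; the sample below is constructed, not real output.
"""
import re
from typing import List, Set, Tuple

# APARs listed in this bulletin for CVE-2015-1885.
REQUIRED_APARS = {"CVE-2015-1885": {"PI33202", "PI36211"}}

# Constructed sample of an inventory listing (layout is illustrative only).
SAMPLE_INVENTORY = """Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server
Version               8.5.5.4
ID                    BASE

Installed Interim Fixes
--------------------------------------------------------------------------------
ID                    8.5.5.4-WS-WAS-IFPI33202
"""

# Interim-fix identifiers carry the APAR after an "IF" prefix, e.g. IFPI33202.
APAR_TOKEN = re.compile(r"\bIF(P[IM]\d{5})\b")
VERSION_LINE = re.compile(r"^\s*Version\s+(\d+(?:\.\d+)+)\s*$", re.MULTILINE)


def installed_apars(inventory: str) -> Set[str]:
    """APAR numbers of every interim fix named in the inventory text."""
    return set(APAR_TOKEN.findall(inventory))


def product_version(inventory: str) -> Tuple[int, ...]:
    """Parsed product version, or an empty tuple when no Version line is found."""
    match = VERSION_LINE.search(inventory)
    return tuple(int(part) for part in match.group(1).split(".")) if match else ()


def missing_apars(inventory: str, required: Set[str]) -> List[str]:
    """Sorted list of required APARs that are not present in the inventory."""
    return sorted(required - installed_apars(inventory))


def assess(inventory: str) -> dict:
    """Map each CVE to the APARs still missing; an empty list means patched.

    The bulletin scopes the WAS advisory to v8.5 and below, so a newer
    bundled WAS is reported as out of scope rather than as missing fixes.
    """
    version = product_version(inventory)
    if version and version[:2] > (8, 5):
        return {"version": version, "in_scope": False, "missing": {}}
    return {
        "version": version,
        "in_scope": True,
        "missing": {cve: missing_apars(inventory, apars)
                    for cve, apars in REQUIRED_APARS.items()},
    }


if __name__ == "__main__":
    # On a real host: versionInfo.sh -ifixes > inventory.txt, then read that file.
    print(assess(SAMPLE_INVENTORY))
```

The other four CVEs on this page are not given APAR numbers here, so extend REQUIRED_APARS from the linked WAS bulletin before relying on the result; a missing entry in the inventory means the fix is absent, but a present one still needs the profile restarted for the fix to take effect.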
| CPE | Name | Operator | Version |
|---|---|---|---|
| | tivoli components | eq | 1.1 |
| | tivoli components | eq | 1.1.0.1 |
| | tivoli components | eq | 1.1.0.2 |
| | tivoli components | eq | 1.1.0.3 |
| | tivoli components | eq | 1.1.1 |
| | tivoli components | eq | 1.1.2 |