Security Bulletin: IBM Jazz for Service Management Recommends to Install IBM Websphere Application Server Fixes to fix Multiple Security Vulnerabilities

2018-06-17 15:07:17
www.ibm.com

CVSS2 base score: 9.3 (High)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE

Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C

Summary

IBM Jazz for Service Management bundles IBM WebSphere Application Server (WAS) v8.5 and below. These lower-level WAS profile releases are affected by several security vulnerabilities, which are addressed through multiple interim fixes.
We recommend installing these WAS interim fixes to remediate the vulnerabilities.

Vulnerability Details

CVEID: CVE-2015-1885 (APAR PI33202 and PI36211)

DESCRIPTION: WebSphere Application Server Full Profile and Liberty Profile could allow a remote attacker to gain elevated privileges on the system when the OAuth grant type of password is used.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101255> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)

CVEID: CVE-2015-0250
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101614> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1927
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to gain elevated privileges on the system, caused by an application not having the correct serveServletsbyClassname setting. If a developer does not set this property correctly, an attacker could exploit this vulnerability to gain unauthorized access.
CVSS Base Score: 6.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/102872> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVEID: CVE-2015-1936
DESCRIPTION: IBM WebSphere Application Server Administrative console could allow a remote authenticated attacker to hijack a user's session when Security is not enabled. An attacker could exploit this vulnerability using the JSESSIONID parameter to gain access to another user's session.
CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103108> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-1946
DESCRIPTION: IBM WebSphere Application Server 8.5 and IBM WebSphere Virtual Enterprise 7.0 could allow a local attacker to gain elevated privileges on the system, caused by user roles not being handled properly.
CVSS Base Score: 4.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103201> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)

Affected Products and Versions

These vulnerabilities affect the following versions of Jazz for Service Management:

Jazz for Service Management 1.1 and fix packs

Jazz for Service Management 1.1.1

Jazz for Service Management 1.1.2

Remediation/Fixes

Please refer to the WAS security bulletin to remediate the vulnerabilities related to WAS Full Profile (v8.5 and below): <http://www-01.ibm.com/support/docview.wss?uid=swg21959083>

Workarounds and Mitigations

None. Apply the corresponding interim fixes.
