Security Bulletin: Privilege Escalation Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1151)

Summary

Websphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by privilege escalation vulnerability

Vulnerability Details

CVEID: CVE-2017-1151
DESCRIPTION: IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/122292&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Jazz for Service Management version 1.1.0 - 1.1.3

Remediation/Fixes

Principal Product and Version(s)

| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin
—|—|—
Jazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)

Workarounds and Mitigations

Please refer to WAS iFix