
Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)

2019-02-19 17:50:01
www.ibm.com

7.5 High (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

Summary

WebSphere Application Server is potentially affected by CVE-2015-0899, a security-bypass vulnerability in Apache Struts.

Vulnerability Details

CVEID: CVE-2015-0899
DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

  • Version 9.0
  • Version 8.5
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APARs for each named product as soon as practical. There are two separate interim fixes that may need to be applied; links are provided below.

APARs:
  • PI95655 for the Administrative Console
  • PI98928 for the LongRunning Scheduler

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.0.7:
  • Upgrade to the minimal fix pack levels required by the interim fixes and then apply Interim Fixes PI95655 and PI98928
  --OR--
  • Apply Fix Pack 9.0.0.8 or later.

For V8.5.0.0 through 8.5.5.13:
  • Upgrade to the minimal fix pack levels required by the interim fixes and then apply Interim Fixes PI95655 and PI98928
  --OR--
  • Apply Fix Pack 8.5.5.14 or later.

For V8.0.0.0 through 8.0.0.15:
  • Upgrade to the minimal fix pack levels required by the interim fixes and then apply Interim Fixes PI95655 and PI98928

For V7.0.0.0 through 7.0.0.45:
  • Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI95655

_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product._
