There is a potential vulnerability in WebSphere Application Server.
CVEID: CVE-2015-0899
DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
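The bulletin only states that a modified page parameter defeats the MultiPageValidator restrictions. The following constructed model, added here and not taken from Struts, WebSphere or IBM, shows the weakness class in working code: a multi-page validator that runs only the rules for pages up to the current page, where the "current page" is read from the request. The rule set, field names, the session-based `validate_hardened` variant and the `validate_all` variant are all assumptions for illustration; they are one mitigation pattern, not the Struts patch.

```python
import re

# Constructed rule set for a three-page sign-up wizard. Each rule is tagged with
# the page its field appears on (the multi-page validation idiom); it is not
# Struts' validation configuration.
RULES = [
    ("email",        1, lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[a-z]+", v or "") is not None),
    ("password",     1, lambda v: len(v or "") >= 12),
    ("role",         2, lambda v: v in {"user", "auditor"}),  # "admin" must never pass
    ("accept_terms", 3, lambda v: v == "yes"),
]


def validate(fields, page):
    """Multi-page idiom: only rules for pages up to `page` run.

    Returns the names of the fields that failed; an empty list means valid."""
    return [name for name, rule_page, ok in RULES
            if rule_page <= page and not ok(fields.get(name))]


def validate_vulnerable(request):
    """Weak form: the page number is read from the request, so the client decides
    which rules run. A final submission carrying every field but page=1 skips
    the page-2 and page-3 rules entirely."""
    page = int(request.get("page", 0))
    return validate(request, page)


def validate_hardened(request, session):
    """Hardened form: the page number comes from server-side wizard state, so a
    client-supplied `page` parameter has no effect on which rules run.
    Assumption: the application records wizard progress in the session."""
    page = session["wizard_page"]
    return validate(request, page)


def validate_all(request):
    """Alternative hardening for the final submit: ignore paging and run every rule."""
    return validate(request, max(rule_page for _, rule_page, _ in RULES))


# Constructed final-step submission with the page parameter tampered back to 1.
TAMPERED = {"page": "1", "email": "alice@example.com", "password": "correct horse battery",
            "role": "admin", "accept_terms": "no"}

if __name__ == "__main__":
    print(validate_vulnerable(TAMPERED))                    # [] : the admin role slips through
    print(validate_hardened(TAMPERED, {"wizard_page": 3}))  # ['role', 'accept_terms']
    print(validate_all(TAMPERED))                           # ['role', 'accept_terms']
```

The point to carry over to any multi-step form: whatever selects the active validation rules must not be under the client's control, and the last step should validate everything the action is about to act on.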
This vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition: Version 9.0, Version 8.5, Version 8.0 and Version 7.0 (the exact fix pack ranges are given in the remediation section).
The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APARs for each named product as soon as practical. Two separate interim fixes may need to be applied; links are provided below:
APARs
PI95655 for the Administrative Console
PI98928 for the LongRunning Scheduler
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:
For V9.0.0.0 through 9.0.0.7:
· Upgrade to the minimal fix pack levels required by the interim fixes and then apply Interim Fixes PI95655 and PI98928
--OR--
· Apply Fix Pack 9.0.0.8 or later.
For V8.5.0.0 through 8.5.5.13:
· Upgrade to the minimal fix pack levels required by the interim fixes and then apply Interim Fixes PI95655 and PI98928
--OR--
· Apply Fix Pack 8.5.5.14 or later.
For V8.0.0.0 through 8.0.0.15:
· Upgrade to the minimal fix pack levels required by the interim fixes and then apply Interim Fixes PI95655 and PI98928
For V7.0.0.0 through 7.0.0.45:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI95655
_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product._
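To turn the remediation table above into a repeatable check across an estate, the following added example (not IBM's code or tooling) encodes the bulletin's fixed fix pack levels and required APARs per release train and reports which fixes are still missing for a given installed version and list of interim fix identifiers. It assumes the version string has four numeric components and that interim fix identifiers either are bare APAR numbers or embed one in the form `<version>-WS-WAS-IF<APAR>`; the interim fixes' own minimum fix pack levels are not stated in this bulletin, so they are not checked.

```python
import re

# Fixed cumulative fix pack per release train, as listed in this bulletin.
# None means the bulletin names no fix pack for that train, only interim fixes.
FIXED_FIX_PACK = {
    (9, 0): (9, 0, 0, 8),
    (8, 5): (8, 5, 5, 14),
    (8, 0): None,
    (7, 0): None,
}

# Interim fixes (APARs) required when the fixed fix pack is not installed.
REQUIRED_APARS = {
    (9, 0): {"PI95655", "PI98928"},
    (8, 5): {"PI95655", "PI98928"},
    (8, 0): {"PI95655", "PI98928"},
    (7, 0): {"PI95655"},
}

APAR_RE = re.compile(r"P[A-Z]\d{5}")


def parse_version(text):
    """'8.5.5.12' -> (8, 5, 5, 12); rejects anything that is not four integers."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected WebSphere version string: {text!r}")
    return tuple(int(p) for p in parts)


def installed_apars(ifix_ids):
    """Extract APAR numbers from interim fix identifiers, whether given bare
    ('PI95655') or embedded in a longer ID (assumed form '8.5.5.12-WS-WAS-IFPI95655')."""
    found = set()
    for ifix in ifix_ids:
        found.update(APAR_RE.findall(ifix))
    return found


def missing_fixes(version, ifix_ids=()):
    """Return the set of APARs still missing for CVE-2015-0899; empty means fixed.

    Versions above the ranges named in the bulletin (e.g. 7.0.0.46) are treated
    conservatively as still needing the interim fix. Raises ValueError for
    release trains the bulletin does not cover."""
    v = parse_version(version)
    train = v[:2]
    if train not in REQUIRED_APARS:
        raise ValueError(f"release {train[0]}.{train[1]} is not covered by this bulletin")
    fixed_fp = FIXED_FIX_PACK[train]
    if fixed_fp is not None and v >= fixed_fp:
        return set()  # cumulative fix pack already contains both APARs
    # The interim fix's own minimum fix pack level is not stated in the bulletin,
    # so only the presence of the APAR is checked here.
    return REQUIRED_APARS[train] - installed_apars(ifix_ids)


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, interim fix IDs).
    inventory = [
        ("was-prod-01", "9.0.0.7", ["9.0.0.7-WS-WAS-IFPI95655"]),
        ("was-prod-02", "8.5.5.14", []),
        ("was-legacy-01", "7.0.0.45", []),
    ]
    for host, version, ifixes in inventory:
        missing = missing_fixes(version, ifixes)
        print(f"{host}: {'fixed' if not missing else 'missing ' + ', '.join(sorted(missing))}")
```

On a real server the version and interim fix list can be read from the output of the profile's `versionInfo` command with `-ifixes`; feed those values into `missing_fixes` rather than hand-typing them.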