Lucene search

K
ibmIBM8F879C06D40BC6329D80ABEDCA5D3CC554195FEF26DACD9AA387DFFD5A8AC21F
HistoryFeb 19, 2019 - 5:50 p.m.

Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)

2019-02-1917:50:01
www.ibm.com
20

EPSS

0.949

Percentile

99.3%

Summary

There is a potential vulnerability in WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2015-0899 DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

  • Version 9.0
  • Version 8.5
  • Version 8.0
  • Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APARs for each named product as soon as practical. There are 2 separate interim fixes that may need to be applied, links are provided below:
APARs
PI95655 for the Administrative Console
PI98928 for the LongRunning Scheduler

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.0.7:
Β· Upgrade to minimal fix pack levels as required by interim fixes and then apply Interim Fixes PI95655 and PI98928
--OR–
Β· Apply Fix Pack 9.0.0.8 or later.

For V8.5.0.0 through 8.5.5.13:
Β· Upgrade to minimal fix pack levels as required by interim fixes and then apply Interim Fixes PI95655 and PI98928
--OR–
Β· Apply Fix Pack 8.5.5.14 or later.

For V8.0.0.0 through 8.0.0.15:
Β· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI95655 and PI98928

For V7.0.0.0 through 7.0.0.45:
Β· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI95655

_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _

EPSS

0.949

Percentile

99.3%