Security Bulletin: Potential security vulnerability in the WebSphere Application Server Admin Console shipped with Jazz for Service Management (CVE-2017-1501)

Summary

There is a potential security vulnerability in the WebSphere Application Server Admin Console if you have updated the web services security bindings settings. If you changed the cipher suites in the web services security bindings settings they may not have been saved properly and thus be weaker security then you expected. Verify that your settings are what you expect.

Vulnerability Details

CVEID: CVE-2017-1501**
DESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security after using the Admin Console to update the web services security bindings settings.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129576 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

Jazz for Service Management version 1.1.0 - 1.1.3

Remediation/Fixes

Principal Product and Version(s)

| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin
—|—|—
Jazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| Security Bulletin: Potential security vulnerability in the WebSphere Application Server Admin Console (CVE-2017-1501)

Workarounds and Mitigations

Please refer to WAS iFix