Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBM9C9BD6083322204839F8553AEFDE11C546EEC223C7CE000659E67773279CB0C3
HistoryJan 26, 2021 - 6:21 p.m.

Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud

2021-01-2618:21:20
www.ibm.com
12

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON

Summary

There are multiple security vulnerabilities that affect the IBM WebSphere Application Server in the IBM Cloud. WebSphere Application Server Admin Console is vulnerable to cross-site scripting. WebSphere Application Server Liberty is vulnerable to a denial of service. WebSphere Application Server is vulnerable to an information exposure vulnerability. WebSphere Application Server is vulnerable to an information disclosure vulnerability. WebSphere Application Server is vulnerable to an information disclosure vulnerability. There is a vulnerability in the Hibernate Validator library used by WebSphere Application Server Liberty. Multiple Vulnerabilities in IBM® Java SDK affect WebSphere Application Server October 2020 CPU.

Vulnerability Details

CVEID:CVE-2020-4643
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information. IBM X-Force ID: 185590.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185590 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-4578
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 184433.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184433 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

CVEID:CVE-2020-10693
**DESCRIPTION:**Hibernate Hibernate Validator could allow a remote attacker to bypass security restrictions, caused by a flaw in the message interpolation processor. By sending a specially-crafted request, an attacker could exploit this vulnerability to bypass input sanitation controls when handling user-controlled data in error messages.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/182240 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-4782
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/189213 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID:CVE-2020-14782
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190100 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-14797
**DESCRIPTION:**An unspecified vulnerability in Java SE related to the Libraries component could allow an unauthenticated attacker to cause no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/190115 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

CVEID:CVE-2020-4629
**DESCRIPTION:**IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a local user with specialized access to obtain sensitive information from a detailed technical error message. This information could be used in further attacks against the system. IBM X-Force ID: 185370.
CVSS Base score: 2.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/185370 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-4576
**DESCRIPTION:**IBM WebSphere Application Server 7.5, 8.0, 8.5, and 9.0 traditional could allow a remote attacker to obtain sensitive information with a specially-crafted sequence of serialized objects. IBM X-Force ID: 184428.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184428 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:CVE-2020-4590
**DESCRIPTION:**IBM WebSphere Application Server Liberty 17.0.0.3 through 20.0.0.9 running oauth-2.0 or openidConnectServer-1.0 server features is vulnerable to a denial of service attack conducted by an authenticated client. IBM X-Force ID: 184650.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/184650 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H)

Affected Products and Versions

These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server in IBM Cloud:

  • Version 9.0
  • Version 8.5
  • Liberty

Remediation/Fixes

To patch an existing service instance, refer to the IBM WebSphere Application Server bulletins listed below:

Please see Updating your environment in the KnowlegeCenter for information on applying service.

Alternatively, delete the vulnerable service instance and create a new instance.

Workarounds and Mitigations

None

Related

ibm 165
github 1
cve 6
osv 2
debiancve 3
prion 6
ubuntucve 3
nessus 5
veracode 2
redhatcve 2
redhat 2
f5 1
alpinelinux 1
ibm
ibm
Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server used by IBM Rational ClearQuest
2020-12-10 06:45:02
Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2020-4576, CVE-2020-4629, CVE-2020-4643, CVE-2020-4782)
2020-10-30 19:35:57
Security Bulletin: Multiple vulnerabilities in IBM WebSphere Appilcation Server and WebSphere Application Server Liberty affects IBM Engineering ELM products based on IBM Jazz technology.
2020-11-12 15:45:10
github
github
Improper Input Validation in Hibernate Validator
2021-06-04 21:36:34
cve
cve
CVE-2020-10693
2020-05-06 14:15:00
CVE-2020-4629
2020-09-30 15:15:00
CVE-2020-14797
2020-10-21 15:15:00
osv
osv
CVE-2020-10693
2020-05-06 14:15:10
Improper Input Validation in Hibernate Validator
2021-06-04 21:36:34
debiancve
debiancve
CVE-2020-10693
2020-05-06 14:15:00
CVE-2020-14797
2020-10-21 15:15:00
CVE-2020-14782
2020-10-21 15:15:00
prion
prion
Input validation
2020-05-06 14:15:00
Information disclosure
2020-09-30 15:15:00
Design/Logic Flaw
2020-09-21 15:15:00
ubuntucve
ubuntucve
CVE-2020-10693
2020-05-06 00:00:00
CVE-2020-14797
2020-10-21 00:00:00
CVE-2020-14782
2020-10-21 00:00:00
nessus
nessus
IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x <= 8.5.5.18 / 9.0.x <= 9.0.5.5 Information Disclosure (6339255)
2021-01-19 00:00:00
F5 Networks BIG-IP : Java vulnerability (K35253541)
2022-12-06 00:00:00
IBM WebSphere Application Server 7.0.0.x <= 7.0.0.45 / 8.0.0.x <= 8.0.0.15 / 8.5.x <= 8.5.5.18 / 9.0.x <= 9.0.5.5 Directory Traversal (CVE-2020-4782)
2021-02-12 00:00:00
veracode
veracode
EL Expression Injection
2020-05-18 06:05:42
Authorization Bypass
2020-10-23 08:58:31
redhatcve
redhatcve
CVE-2020-10693
2020-05-05 07:39:53
CVE-2020-14797
2020-10-20 21:17:02
redhat
redhat
(RHSA-2020:4344) Moderate: Open Liberty 20.0.0.11 Runtime security update
2020-10-26 15:38:37
(RHSA-2020:5586) Moderate: java-1.7.1-ibm security update
2020-12-16 14:59:17
f5
f5
K35253541 : Java vulnerability CVE-2020-14797
2022-12-06 00:00:00
alpinelinux
alpinelinux
CVE-2020-14797
2020-10-21 15:15:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

5 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

JSON
Related for 9C9BD6083322204839F8553AEFDE11C546EEC223C7CE000659E67773279CB0C3
ibm165github1cve6osv2debiancve3prion6ubuntucve3nessus5veracode2redhatcve2redhat2f51alpinelinux1