IBM9E87F162964EFA269022E795C248C44A7E59EB5181730CB521B210549355D42DSecurity Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect for Virtual Environments (CVE-2014-7810, CVE-2018-8039)
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Summary
IBM WebSphere Application Server Liberty is affected by Apache Tomcat and CXF vulnerabilities that affect IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware and Data Protection for Hyper-V.
Vulnerability Details
CVEID: CVE-2014-7810 DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of expression language. An attacker could exploit this vulnerability to bypass the protections of a Security Manager.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103155> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVEID:
CVE-2018-8039
DESCRIPTION: Apache CXF could allow a remote attacker to conduct a man-in-the-middle attack. The TLS hostname verification does not work correctly with com.sun.net.ssl interface. An attacker could exploit this vulnerability to launch a man-in-the-middle attack.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145516> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
Affected Products and Versions
The following levels of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for VMware are affected:
- 8.1.0.0 through 8.1.6.1
- 7.1.0.0 through 7.1.8.4
The following levels of IBM Spectrum Protect (formerly Tivoli Storage Manager) for Virtual Environments: Data Protection for Hyper-V are affected:
- 8.1.4.0 through 8.1.6.1
Remediation/Fixes
IBM Spectrum Protect for Virtual Environments: Data Protection for VMware Release
| First Fixing VRM Level |
Platform
| _Link to Fix _
—|—|—|—
8.1 | 8.1.7 | Linux
Windows |
<https://www.ibm.com/support/docview.wss?uid=ibm10744187>
7.1 | 7.1.8.5 | Linux
Windows | <https://www.ibm.com/support/docview.wss?uid=swg24044553>
IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V Release
| First Fixing VRM Level |Platform|_Link to Fix _
—|—|—|—
8.1 | 8.1.7 | Windows |
<https://www.ibm.com/support/docview.wss?uid=ibm10744187>
Workarounds and Mitigations
None.
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P