Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-0385)

Summary

IBM WebSphere Application Server and IBM Business Process Manage are shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise.
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.

Vulnerability Details

Consult Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385) for information details.

Affected Products and Versions

Principal Product and Version(s)

| Affected Supporting Product and Version
—|—
IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2|

• WebSphere Application Server V8.5.5 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.5 - V8.5.6.2
  IBM Cloud Orchestrator V2.4, V2.4.01, V2.4.0.2,V2.4.0.3|

• WebSphere Application Server V8.5.0.1 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.0.1
  IBM Cloud Orchestrator V2.3, V2.3.0.1|

• IBM WebSphere Application Server V8.0, V8.0.11

• IBM Business Process Manager Standard V8.5.0.1
  IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 |

• WebSphere Application Server V8.5.5 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.5 - V8.5.6.2

• IBM SmartCloud Cost Management V2.1.0.5
  IBM Cloud Orchestrator Enterprise V2.4, V2.4.01, V2.4.0.2,V2.4.0.3|

• WebSphere Application Server V8.5.0.1 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.0.1

• IBM SmartCloud Cost Management V2.1.0.4
  IBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1|

• IBM WebSphere Application Server V8.0, V8.0.11

• IBM Business Process Manager Standard V8.5.0.1

• IBM SmartCloud Cost Management V2.1.0.3

Remediation/Fixes

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM Cloud Orchestrator.

• WebSphere Application Server V8.5.5 through V8.5.5.7
• IBM Business Process Manager Standard V8.5.5 - V8.5.6.2
  | Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)

Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition
IBM Cloud Orchestrator V2.4, V2.4.01, V2.4.0.2,V2.4.0.3|

• WebSphere Application Server V8.5.0.1 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.0.1
  IBM Cloud Orchestrator V2.3, V2.3.0.1|

• IBM WebSphere Application Server V8.0, V8.0.11

• IBM Business Process Manager Standard V8.5.0.1
  IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 |

• WebSphere Application Server V8.5.5 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.5 - V8.5.6.2

• IBM SmartCloud Cost Management V2.1.0.5
  IBM Cloud Orchestrator Enterprise V2.4, V2.4.01, V2.4.0.2,V2.4.0.3|

• WebSphere Application Server V8.5.0.1 through V8.5.5.7

• IBM Business Process Manager Standard V8.5.0.1

• IBM SmartCloud Cost Management V2.1.0.4
  IBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1|

• IBM WebSphere Application Server V8.0, V8.0.11

• IBM Business Process Manager Standard V8.5.0.1

• IBM SmartCloud Cost Management V2.1.0.3

Workarounds and Mitigations

Apply mitigation as per Security Bulletin WebSphere Application Server (CVE-2016-0385).