IBMA158F20FE364012ED487B38F8B26AADFCBDEFCE12A49F4784FF582C6013FDD1ASecurity Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2018-1996)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N
Summary
WebSphere Application Server is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.
Vulnerability Details
CVEID: CVE-2018-1996 DESCRIPTION: IBM WebSphere Application Server could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/154650> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
Affected Products and Versions
| Affected Product Name | Affected Versions |
|---|---|
| IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition | V2.5, V2.5.0.1, V2.5.02. V2.5.0.3, V2.5.0.4, V2.5.0.5, V2.5.0.6, V2.5.0.7, V2.5.0.8, V2.5.0.9, V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4, V2.4.0.5 |
Remediation/Fixes
The recommended solution is to apply the fixes as soon as practical.
| Principal Product and Version(s) | VRMF | Remediation/First Fix |
|---|---|---|
| IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise | 2.5, 2.5.0.1, 2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5, 2.5.0.6, 2.5.0.7, 2.5.0.8, 2.5.0.9 |
For 2.5 versions, IBM recommends upgrading to Fix Pack 10 (2.5.0.10) of IBM Cloud Orchestrator:
<https://www.ibm.com/support/pages/ibm-cloud-orchestrator-fix-pack-10-25010-25>
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise | 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5 |
Contact IBM Cloud Orchestrator support.
Refer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server and IBM Tivoli System Automation Application Manager which is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
Principal Product and Version(s)
|
Affected Supporting Product and Version
| Affected Supporting Product Security Bulletin
—|—|—
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition V2.5, V2.5.0.1, V2.5.02. V2.5.0.3, V2.5.0.4, V2.5.0.5, V2.5.0.6, V2.5.0.7, V2.5.0.8, V2.5.0.9
|
-
WebSphere Application Server V8.5.5 through V8.5.5.15
-
IBM Tivoli System Automation Application Manager 4.1
|
IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4, V2.4.0.5
|
-
WebSphere Application Server V8.5.0.1 through V8.5.5.12
-
IBM Tivoli System Automation Application Manager 4.1
|
Workarounds and Mitigations
None
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
3.5 Low
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:M/Au:S/C:P/I:N/A:N