Lucene search

K
ibmIBMA778665E3A13285610D462BB48B8B364C628140C0274B757D7504580D6201440
HistoryMar 25, 2020 - 10:53 p.m.

Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2020-4276)

2020-03-2522:53:21
www.ibm.com
5

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

Summary

There is a privilege escalation vulnerability in WebSphere Application Server.

Vulnerability Details

CVEID:CVE-2020-4276
**DESCRIPTION:**IBM WebSphere Application Server traditional is vulnerable to a privilege escalation vulnerability when using token-based authentication in an admin request over the SOAP connector.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/175984 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
WebSphere Application Server 9.0
WebSphere Application Server 7.0
WebSphere Application Server 8.0
WebSphere Application Server 8.5

Remediation/Fixes

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.5.3:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH21511
--OR–
· Apply Fix Pack 9.0.5.4 or later (targeted availability 2Q2020).

For V8.5.0.0 through 8.5.5.17:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH21511
--OR–
· Apply Fix Pack 8.5.5.18 or later (targeted availability 3Q2020).

For V8.0.0.0 through 8.0.0.15:
· Upgrade to 8.0.0.15 and then apply Interim Fix PH21511

For V7.0.0.0 through 7.0.0.45:
· Upgrade to 7.0.0.45 and then apply Interim Fix PH21511

Additional interim fixes may be available and linked off the interim fix download page.

_WebSphere Application Server V7.0 and V8.0 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _

Workarounds and Mitigations

None

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

6 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:S/C:P/I:P/A:P

Related for A778665E3A13285610D462BB48B8B364C628140C0274B757D7504580D6201440