Security Bulletin: Information disclosure vulnerability in Liberty for Java for IBM Cloud (CVE-2019-4441)

Summary

There is a potential information disclosure vulnerability in IBM WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2019-4441 DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/163177&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects all versions of Liberty for Java in IBM Cloud up to and including v3.37.

Remediation/Fixes

To upgrade to Liberty for Java v3.38-20191031-1433 or higher, you must re-stage or re-push your application.

To find the current version of Liberty for Java in IBM Cloud being used, from the command-line Cloud Foundry client by running the following commands:

cf ssh <appname> -c cat “staging_info.yml”

Look for the following lines:

{“detected_buildpack”:“Liberty for Java™ (WAR, liberty-19.0.0_9, buildpack-v3.37-20191002-1726, ibmjdk-1.8.0_sr5fp41-20190919, env)”,“start_command”:“.liberty/initial_startup.rb”}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>

Workarounds and Mitigations

None.