Security Bulletin: Potential information disclosure in WebSphere Application Server (CVE-2018-1957)

Summary

There is a potential information disclosure in WebSphere Application Server (CVE-2018-1957)

Vulnerability Details

CVEID: CVE-2018-1957 DESCRIPTION: IBM WebSphere Application Server could allow sensitive information to be available caused by mishandling of data by the application based on an incorrect return by the httpServletRequest#authenticate() API when an unprotected URI is accessed.
CVSS Base Score: 4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/153629&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• Version 9.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APARs for each named product as soon as practical.

For WebSphere Application Server traditional:

For V9.0.0.0 through 9.0.0.9:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH04562
--OR–
· Apply Fix Pack 9.0.0.10 or later.