IBMB53AD5E2D2A2AF474127E24591478FB8781BD315607546C5DA3DE7FF21443FCDSecurity Bulletin: Denial of Service with WebSphere Application Server (CVE-2016-8919)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
Summary
There is a potential denial of service with WebSphere Application Server with SOAP connectors.
Important information was added to the Remediation/Fixes section on February 22, 2017.
Vulnerability Details
Important information was added to the Remediation/Fixes section on February 22, 2017.
CVEID: CVE-2016-8919**
DESCRIPTION:** IBM WebSphere Application Server may be vulnerable to a denial of service, caused by allowing serialized objects from untrusted sources to run and cause the consumption of resources.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/118529 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
- Version 9.0
- Version 8.5.5
- Version 8.0
- Version 7.0
Remediation/Fixes
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI73519 for each named product as soon as practical. **
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition: ** **
For V9.0.0.0 through 9.0.0.3 traditional:**
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73519
--ORโ
ยท Apply Fix Pack 9.0.0.4 or later.
**
For V8.5.0.0 through 8.5.5.11 traditional:**
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73519
--ORโ
ยท Apply Fix Pack 8.5.5.12 or later.
**
For V8.0.0.0 through 8.0.0.12 traditional:**
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73519
--ORโ
ยท Apply Fix Pack 8.0.0.14 or later.
**
For V7.0.0.0 through 7.0.0.41 traditional:**
ยท Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI73519
--ORโ
ยท Apply Fix Pack 7.0.0.43 or later.
NOTE: There was a potential regression in the interim fixes that were delivered prior to 16 February 2017. If you have the earlier version of the interim fix then you could see the following exception in your Systemout or trace outputs:
`
Exception in thread โGetNotification_1โ java.lang.reflect.
Caused by: SOAPException: faultCode=SOAP-ENV:ServerException;
msg=The Soap RPC call canโt be unmarshalled.ยจ
at com.ibm.ws.management.connector.soap.SOAPConnectorClient.
`
If you see these exceptions, then download a version of the interim fix dated 17 February 2017 or later.
Workarounds and Mitigations
none
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
7.8 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C