Security Bulletin: A vulnerability in IBM WebSphere Application Server affects IBM Spectrum Scale packaged in IBM Elastic Storage Server (CVE-2018-1901)

Summary

There is a vulnerability in IBM WebSphere Application Server, used by IBM Spectrum Scale. This issue allow a remote attacker to temporarily gain elevated privileges on the system.

Vulnerability Details

CVEID: CVE-2018-1901 DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152530&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

The Elastic Storage Server 5.3 thru 5.3.2.1
The Elastic Storage Server 5.0.0 thru 5.2.5
The Elastic Storage Server 4.5.0 thru 4.6.0
The Elastic Storage Server 4.0.0 thru 4.0.6

Remediation/Fixes

For IBM Elastic Storage Server V5.0.0. thru 5.3.2.1, apply V5.3.3.0 available from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.3.0&platform=All&function=all

For IBM Elastic Storage Server V5.0.0. thru 5.2.5.0, apply V5.2.6 available from FixCentral at:

https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Elastic+Storage+Server+(ESS)&release=5.2.0&platform=All&function=all

If you are unable to upgrade to ESS 5.3.3.0 or 5.2.6, please contact IBM Service to obtain an efix:

- For IBM Elastic Storage Server 5.3.0.0-5.3.1.1, reference APAR IJ13422
- For IBM Elastic Storage Server 5.0.0- 5.2.4.0, reference APAR IJ10573
- For IBM Elastic Storage Server 4.0.0 - 4.6.0, reference APAR IJ13398

To contact IBM Service, see <http://www.ibm.com/planetwide/&gt;

Workarounds and Mitigations

None