**8.5 High**
CVSS2
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
CVSS String: AV:N/AC:M/Au:S/C:C/I:C/A:C
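The breakdown above is the CVSS v2 vector expanded into its named metrics and scored. As an added example (not IBM's code), the following Python recomputes the base score from the vector strings printed in this bulletin using the public CVSS v2 equations, and expands a vector into the same breakdown; the function names are my own, and the weight tables are the ones published in the CVSS v2 specification.

```python
# CVSS v2 metric weights (from the CVSS v2 specification).
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

# Long names as the bulletin prints them in its metric breakdown.
_NAMES = {
    "AV": ("Access Vector", {"L": "LOCAL", "A": "ADJACENT_NETWORK", "N": "NETWORK"}),
    "AC": ("Access Complexity", {"H": "HIGH", "M": "MEDIUM", "L": "LOW"}),
    "Au": ("Authentication", {"M": "MULTIPLE", "S": "SINGLE", "N": "NONE"}),
    "C": ("Confidentiality Impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
    "I": ("Integrity Impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
    "A": ("Availability Impact", {"N": "NONE", "P": "PARTIAL", "C": "COMPLETE"}),
}


def parse_vector(vector: str) -> dict:
    """Split 'AV:N/AC:M/...' (optionally parenthesised) into {metric: value}."""
    parts = vector.strip().strip("()").split("/")
    metrics = dict(p.split(":", 1) for p in parts)
    missing = set(_WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"vector lacks base metrics: {sorted(missing)}")
    return metrics


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base score rounded to one decimal, per the v2 equations."""
    m = parse_vector(vector)
    w = {k: _WEIGHTS[k][m[k]] for k in _WEIGHTS}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0.0 if impact == 0 else 1.176  # no impact means score 0
    raw = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return int(raw * 10 + 0.5) / 10  # round half up to one decimal


def describe(vector: str) -> dict:
    """Expand a vector into the 'Access Vector: NETWORK' style breakdown."""
    m = parse_vector(vector)
    return {name: values[m[k]] for k, (name, values) in _NAMES.items()}
```

Running `cvss2_base_score` over each "CVSS String" below reproduces the listed base scores, which is a quick sanity check before those scores are used to rank patching.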
Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.2
**CVE ID:** CVE-2013-4039 (PM84760)
**DESCRIPTION:** WebSphere Application Server for Compute Grid could allow a remote attacker to obtain sensitive information and exploit this vulnerability to gain unauthorized access to jobs.
**CVSS:**
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86175 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
**AFFECTED VERSIONS:** The following Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack containing this APAR PM84760, as noted below:
For V8.5.0.0 through 8.5.5.1:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2013-6725 (PM98132)
**DESCRIPTION:** IBM WebSphere Application Server may be vulnerable to cross-site scripting, caused by improper validation of input in the Administrative Console. A remote attacker with Administrative authority could exploit this vulnerability using a specially crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.
**CVSS:**
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89280 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing this APAR PM98132, as noted below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.1:
For V8.0.0.0 through 8.0.0.7:
For V7.0.0.0 through 7.0.0.29:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2013-6325 (PM99450 and PI08267)
**DESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service, caused by improper handling of requests by a web services endpoint. By passing a specially-crafted request, a remote attacker could exploit this vulnerability to consume available resources.
**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88906 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing APAR PM99450 for IBM WebSphere Application Server Full Profile or APAR PI08267 for IBM WebSphere Application Server Liberty Profile, as noted below:
For IBM WebSphere Application Server Full Profile or Liberty Profile
For V8.5.0.0 through 8.5.5.1:
For V8.0.0.0 through 8.0.0.7:
For V7.0.0.0 through 7.0.0.29:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2013-6323 (PI04777 and PI04880)
**DESCRIPTION:** The Administration Console of IBM WebSphere Application Server and IBM WebSphere Application Server Virtual Edition may be vulnerable to cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability to create a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked.
**CVSS:**
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88903 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF for WebSphere Application Server as noted below:
For IBM WebSphere Application Server (PI04777)
For V8.5.0.0 through 8.5.5.1:
For V8.0.0.0 through 8.0.0.8: Apply Fix Pack 9 (8.0.0.9), or later.
For V7.0.0.0 through 7.0.0.29:
For IBM WebSphere Virtual Enterprise (PI04880)
For V7.0.0.0 through 7.0.0.4:
Workaround(s): None
Mitigation(s): None
Acknowledgement: Thanks to Michael Hoffman for reporting this vulnerability to IBM.
**CVE ID:** CVE-2013-6329 (PI05309)
**DESCRIPTION:** Potential denial of service in SSL handshake processing with IBM HTTP Server.
**CVSS:**
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)
**AFFECTED VERSIONS:** This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
· Version 8.5
· Version 8
· Version 7
· Version 6.1
**REMEDIATION:** Please refer to the WebSphere Application Server Security bulletin for CVE-2013-6349 for remediation information and workaround information.
**CVE ID:** CVE-2014-0823 (PI05324)
**DESCRIPTION:** IBM WebSphere Application Server Full Profile and IBM WebSphere Application Server Liberty Profile could allow a remote attacker to view files within an application by sending a specially-crafted URL.
**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90498 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing this APAR PI05324, as noted below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.1 Full Profile or Liberty Profile:
For V8.0.0.0 through 8.0.0.8:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2013-6738 (PI05661)
**DESCRIPTION:** IBM WebSphere Application Server OAuth is vulnerable to cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability to create a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked.
**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89854 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing this APAR PI05661, as noted below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.1:
For V8.0.0.0 through 8.0.0.8:
For V7.0.0.0 through 7.0.0.31:
Workaround(s): None.
Mitigation(s): None.
**CVE ID:** CVE-2014-0857 (PI07808)
**DESCRIPTION:** IBM WebSphere Application Server Administrative Console could allow a network attacker to obtain sensitive information caused by improper handling of requests and exploit this vulnerability to gain unauthorized access to the Server.
**CVSS:**
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing APAR PI07808 for IBM WebSphere Application Server as noted below:
For IBM WebSphere Application Server Full Profile
For V8.5.0.0 through 8.5.5.1:
For V8.0.0.0 through 8.0.0.8:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2014-0859 (PI08892)
**DESCRIPTION:** IBM WebSphere Application Server using the web server plugin that is configured to retry failed POST requests may be vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the Application Server to crash.
**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90879 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing this APAR PI08892, as noted below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.1 Full Profile and Liberty Profile:
For V8.0.0.0 through 8.0.0.8:
For V7.0.0.0 through 7.0.0.31:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2013-6438 (PI09345)
**DESCRIPTION:** IBM HTTP Server may be vulnerable to a buffer overflow in the optional mod_dav module when using mod_dav addons. A remote attacker could overflow a buffer and cause a denial of service.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
**AFFECTED VERSIONS:** This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:
· Version 8.5
· Version 8
· Version 7
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack, PTF or Interim Fix containing APAR PI09345, as noted below:
For affected IBM HTTP Server for WebSphere Application Server:
For V8.5.0.0 through 8.5.5.1 Full Profile:
-- OR
For V8.0.0.0 through 8.0.0.8:
-- OR
For V7.0.0.0 through 7.0.0.31:
-- OR
Workaround(s): Do not use the optional mod_dav module.
Mitigation(s): None
**CVE ID:** CVE-2013-6747 (PI09443)
**DESCRIPTION:** IBM HTTP Server may be vulnerable to a denial of service, caused by an error in the GSKit component. By initiating an SSL/TLS connection using a malformed certificate chain, a remote attacker could exploit this vulnerability to cause the server process to hang or crash.
**CVSS:**
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
**AFFECTED VERSIONS:** This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and all products that bundle WebSphere Application Server:
· Version 8.5
· Version 8
· Version 7
**Remediation/Workaround/Mitigation:** Please refer to the WebSphere Application Server Security bulletin for CVE-2013-6747 for remediation information.
**CVE ID:** CVE-2014-0891 (PI09786)
**DESCRIPTION:** The Proxy and ODR servers of the IBM WebSphere Application Server could allow a network attacker to obtain sensitive information caused by improper handling of requests.
**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91286 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing this APAR PI09786, as noted below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.1:
For V8.0.0.0 through 8.0.0.8:
For V7.0.0.0 through 7.0.0.31:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2014-0896 (PI10134)
**DESCRIPTION:** IBM WebSphere Application Server Liberty Profile could allow a network attacker to obtain sensitive information caused by improper handling of requests. The attacker could exploit this vulnerability to obtain sensitive information.
**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91326 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Liberty Profile Version is affected:
**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical
**Fix:** Apply a Fix Pack or PTF containing this APAR PI10134, as noted below:
For IBM WebSphere Application Server Liberty Profile
For V8.5.0.0 through 8.5.5.1:
Workaround(s): None
Mitigation(s): None
**CVE ID:** CVE-2014-0050 (PI12648, PI12926 and PI13162)
**DESCRIPTION:** Apache Commons FileUpload used by IBM WebSphere Application Server may be vulnerable to a denial of service.
**CVSS:**
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90987 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
**VERSIONS AFFECTED:** This problem affects the following versions of the WebSphere Application Server:
· Version 8.5 Full Profile and Liberty Profile
· Version 8
· Version 7
· Version 6.1
This problem also affects the following versions of WebSphere Extended Deployment Compute Grid:
· Version 8 on WebSphere Application Server Version 7 or Version 8
· Version 6.1 on WebSphere Application Server Version 7
**REMEDIATION/Workaround/Mitigation:** Please refer to the WebSphere Application Server Security bulletin for CVE-2014-0050 for information.
**IBM SDK:** Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 8.5.5.2: http://www.ibm.com/support/docview.wss?&uid=swg21663938