Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.2

Published: 2018-06-15 06:59:56
Source: www.ibm.com

CVSS2 score: 8.5 High (AV:N/AC:M/Au:S/C:C/I:C/A:C)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: SINGLE
  • Confidentiality Impact: COMPLETE
  • Integrity Impact: COMPLETE
  • Availability Impact: COMPLETE

Summary

Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.2

Vulnerability Details

**CVE ID:** CVE-2013-4039 (PM84760)

**DESCRIPTION:** WebSphere Application Server for Compute Grid could allow a remote attacker to obtain sensitive information and exploit this vulnerability to gain unauthorized access to jobs.

**CVSS:**
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/86175 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following Versions are affected:

  • Version 8.5 of WebSphere Application Server for Compute Grid

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack containing this APAR PM84760, as noted below:

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

**Workaround(s):** None
**Mitigation(s):** None
**CVE ID:** CVE-2013-6725 (PM98132)

**DESCRIPTION:** IBM WebSphere Application Server may be vulnerable to cross-site scripting, caused by improper validation of input in the Administrative Console. A remote attacker with Administrative authority could exploit this vulnerability using a specially crafted URL to inject script into a victim’s Web browser within the security context of the hosting Web site.

**CVSS:**
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89280 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing this APAR PM98132, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.7:

  • Apply Fix Pack 8 (8.0.0.8), or later.

For V7.0.0.0 through 7.0.0.29:

  • Apply Fix Pack 31 (7.0.0.31), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2013-6325 (PM99450 and PI08267)

**DESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service, caused by improper handling of requests by a web services endpoint. By passing a specially-crafted request, a remote attacker could exploit this vulnerability to consume available resources.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88906 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing APAR PM99450 for IBM WebSphere Application Server Full Profile or APAR PI08267 for IBM WebSphere Application Server Liberty Profile, as noted below:

For IBM WebSphere Application Server Full Profile or Liberty Profile

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.7:

  • Apply Fix Pack 8 (8.0.0.8), or later.

For V7.0.0.0 through 7.0.0.29:

  • Apply Fix Pack 31 (7.0.0.31), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2013-6323 (PI04777 and PI04880)

**DESCRIPTION:** The Administration Console of IBM WebSphere Application Server and IBM WebSphere Application Server Virtual Edition may be vulnerable to cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability to create a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked.

**CVSS:**
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88903 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF for WebSphere Application Server as noted below:

For IBM WebSphere Application Server (PI04777)

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

For V7.0.0.0 through 7.0.0.29:

  • Apply Fix Pack 33 (7.0.0.33), or later.

For IBM WebSphere Virtual Enterprise (PI04880)

For V7.0.0.0 through 7.0.0.4:

  • Apply Fix Pack 5 (7.0.0.5), or later.

**Workaround(s):** None
**Mitigation(s):** None

**Acknowledgement:** Thanks to Michael Hoffman for reporting this vulnerability to IBM.

**CVE ID:** CVE-2013-6329 (PI05309)

**DESCRIPTION:** Potential denial of service in SSL handshake processing with IBM HTTP Server.

**CVSS:**
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/88939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

**AFFECTED VERSIONS:** This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:

  • Version 8.5
  • Version 8
  • Version 7
  • Version 6.1

**REMEDIATION:** Please refer to the WebSphere Application Server Security Bulletin for CVE-2013-6349 for remediation information and workaround information.


**CVE ID:** CVE-2014-0823 (PI05324)

**DESCRIPTION:** IBM WebSphere Application Server Full Profile and IBM WebSphere Application Server Liberty Profile could allow a remote attacker to view files within an application by sending a specially-crafted URL.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90498 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5 Full and Liberty
  • Version 8

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing this APAR PI05324, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.1 Full Profile or Liberty Profile:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2013-6738 (PI05661)

**DESCRIPTION:** IBM WebSphere Application Server OAuth is vulnerable to cross-site scripting, caused by improper validation of user supplied input. A remote attacker could exploit this vulnerability to create a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89854 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5 Full Profile and Liberty Profile
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing this APAR PI05661, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

For V7.0.0.0 through 7.0.0.31:

  • Apply Fix Pack 33 (7.0.0.33), or later.

**Workaround(s):** None.
**Mitigation(s):** None.
**CVE ID:** CVE-2014-0857 (PI07808)

**DESCRIPTION:** IBM WebSphere Application Server Administrative Console could allow a network attacker to obtain sensitive information caused by improper handling of requests and exploit this vulnerability to gain unauthorized access to the Server.

**CVSS:**
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing APAR PI07808 for IBM WebSphere Application Server as noted below:

For IBM WebSphere Application Server Full Profile

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2014-0859 (PI08892)

**DESCRIPTION:** IBM WebSphere Application Server using the web server plugin that is configured to retry failed POST requests may be vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the Application Server to crash.

**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90879 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5 Full and Liberty
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing this APAR PI08892, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.1 Full Profile and Liberty Profile:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

For V7.0.0.0 through 7.0.0.31:

  • Apply Fix Pack 33 (7.0.0.33), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2013-6438 (PI09345)

**DESCRIPTION:** IBM HTTP Server may be vulnerable to a buffer overflow in the optional mod_dav module when using mod_dav addons. A remote attacker could overflow a buffer and cause a denial of service.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90878 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

**AFFECTED VERSIONS:** This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and bundling products:

  • Version 8.5
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack, PTF or Interim Fix containing APAR PI09345, as noted below:

For affected IBM HTTP Server for WebSphere Application Server:

For V8.5.0.0 through 8.5.5.1 Full Profile:

  -- OR

  • Apply Fix Pack 8.5.5.2 or later.

For V8.0.0.0 through 8.0.0.8:

  -- OR

  • Apply Fix Pack 8.0.0.9 or later.

For V7.0.0.0 through 7.0.0.31:

  -- OR

  • Apply Fix Pack 7.0.0.33 or later.

**Workaround(s):** Do not use the optional mod_dav module.
**Mitigation(s):** None

**CVE ID:** CVE-2013-6747 (PI09443)

**DESCRIPTION:** IBM HTTP Server may be vulnerable to a denial of service, caused by an error in the GSKit component. By initiating an SSL/TLS connection using a malformed certificate chain, a remote attacker could exploit this vulnerability to cause the server process to hang or crash.

**CVSS:**
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/89863 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

**AFFECTED VERSIONS:** This problem affects the IBM HTTP Server component in all editions of WebSphere Application Server and all products that bundle WebSphere Application Server:

  • Version 8.5
  • Version 8
  • Version 7

**Remediation/Workaround/Mitigation:** Please refer to the WebSphere Application Server Security Bulletin for CVE-2013-6747 for remediation information.

**CVE ID:** CVE-2014-0891 (PI09786)

**DESCRIPTION:** The Proxy and ODR servers of the IBM WebSphere Application Server could allow a network attacker to obtain sensitive information caused by improper handling of requests.

**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91286 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing this APAR PI09786, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

For V8.0.0.0 through 8.0.0.8:

  • Apply Fix Pack 9 (8.0.0.9), or later.

For V7.0.0.0 through 7.0.0.31:

  • Apply Fix Pack 33 (7.0.0.33), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2014-0896 (PI10134)

**DESCRIPTION:** IBM WebSphere Application Server Liberty Profile could allow a network attacker to obtain sensitive information caused by improper handling of requests. The attacker could exploit this vulnerability to obtain sensitive information.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91326 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Liberty Profile Version is affected:

  • Version 8.5

**REMEDIATION:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
**Fix:** Apply a Fix Pack or PTF containing this APAR PI10134, as noted below:

For IBM WebSphere Application Server Liberty Profile

For V8.5.0.0 through 8.5.5.1:

  • Apply Fix Pack 2 (8.5.5.2), or later.

**Workaround(s):** None
**Mitigation(s):** None

**CVE ID:** CVE-2014-0050 (PI12648, PI12926 and PI13162)

**DESCRIPTION:** Apache Commons FileUpload used by IBM WebSphere Application Server may be vulnerable to a denial of service.

**CVSS:**
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90987 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**VERSIONS AFFECTED:** This problem affects the following versions of the WebSphere Application Server:

  • Version 8.5 Full Profile and Liberty Profile
  • Version 8
  • Version 7
  • Version 6.1

This problem also affects the following versions of WebSphere Extended Deployment Compute Grid:

  • Version 8 on WebSphere Application Server Version 7 or Version 8
  • Version 6.1 on WebSphere Application Server Version 7

**REMEDIATION/Workaround/Mitigation:** Please refer to the WebSphere Application Server Security Bulletin for CVE-2014-0050 for information.


**IBM SDK:** Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 8.5.5.2:
http://www.ibm.com/support/docview.wss?&uid=swg21663938
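The fix-level ranges above are the practical content of this bulletin: for each CVE, an installed WebSphere Application Server level is either inside a stated affected range, at or past the fix pack that closes it, or in a release stream the entry does not name. The following script is an added example, not IBM's code and not part of the bulletin; it transcribes the WebSphere Application Server ranges listed above into a table and checks installed levels against them. The Compute Grid, Virtual Enterprise and IBM HTTP Server entries are left out because they name other products or defer to other bulletins, and the host inventory is constructed sample input, not real systems. The point it makes beyond the text is that fix-level comparison must be numeric per component: as plain strings, "8.5.5.10" sorts before "8.5.5.2" and would be misreported as unpatched.

```python
"""Check installed WebSphere Application Server levels against this bulletin.

Added example, not IBM's code. FIX_TABLE transcribes the "For Vx.y.z.w through
..." ranges and "Apply Fix Pack ..." levels from the bulletin's WebSphere
Application Server entries. SAMPLE_INVENTORY is constructed sample input.
"""
from typing import Dict, List, NamedTuple, Tuple

Version = Tuple[int, int, int, int]


class FixRange(NamedTuple):
    first_affected: str   # e.g. "8.5.0.0"
    last_affected: str    # e.g. "8.5.5.1"
    first_fixed: str      # e.g. "8.5.5.2" ("or later" in the bulletin)


def parse_version(text: str) -> Version:
    """'8.5.5.10' -> (8, 5, 5, 10). Integer tuples compare correctly where
    plain strings do not ('8.5.5.10' < '8.5.5.2' as text)."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 4:
        raise ValueError(f"unexpected version format: {text!r}")
    parts += [0] * (4 - len(parts))
    return (parts[0], parts[1], parts[2], parts[3])


# Ranges exactly as stated in the bulletin; several CVEs share the same ones.
R85 = FixRange("8.5.0.0", "8.5.5.1", "8.5.5.2")
R80_TO_7 = FixRange("8.0.0.0", "8.0.0.7", "8.0.0.8")
R80_TO_8 = FixRange("8.0.0.0", "8.0.0.8", "8.0.0.9")
R70_29_TO_31 = FixRange("7.0.0.0", "7.0.0.29", "7.0.0.31")
R70_29_TO_33 = FixRange("7.0.0.0", "7.0.0.29", "7.0.0.33")
R70_31_TO_33 = FixRange("7.0.0.0", "7.0.0.31", "7.0.0.33")

# CVE -> (APAR(s) from the bulletin, affected ranges with the closing fix pack)
FIX_TABLE: Dict[str, Tuple[str, List[FixRange]]] = {
    "CVE-2013-6725": ("PM98132", [R85, R80_TO_7, R70_29_TO_31]),
    "CVE-2013-6325": ("PM99450/PI08267", [R85, R80_TO_7, R70_29_TO_31]),
    "CVE-2013-6323": ("PI04777", [R85, R80_TO_8, R70_29_TO_33]),
    "CVE-2014-0823": ("PI05324", [R85, R80_TO_8]),
    "CVE-2013-6738": ("PI05661", [R85, R80_TO_8, R70_31_TO_33]),
    "CVE-2014-0857": ("PI07808", [R85, R80_TO_8]),
    "CVE-2014-0859": ("PI08892", [R85, R80_TO_8, R70_31_TO_33]),
    "CVE-2014-0891": ("PI09786", [R85, R80_TO_8, R70_31_TO_33]),
    "CVE-2014-0896": ("PI10134", [R85]),
}


def status_for(cve: str, installed: str) -> str:
    """Classify one installed level against one CVE's ranges:
    'affected'       inside a stated affected range
    'fixed'          at or above the fix pack for that release stream
    'check-bulletin' in the stream, but between last affected and first fixed
    'not-listed'     release stream not named for this CVE in the bulletin"""
    v = parse_version(installed)
    _, ranges = FIX_TABLE[cve]
    for r in ranges:
        lo, hi, fixed = (parse_version(x) for x in r)
        if v[:2] != lo[:2]:          # different release stream (8.5 / 8.0 / 7.0)
            continue
        if lo <= v <= hi:
            return "affected"
        if v >= fixed:
            return "fixed"
        return "check-bulletin"
    return "not-listed"


def needs_update(installed: str) -> List[str]:
    """CVEs from this bulletin still open at the given installed level."""
    return sorted(c for c in FIX_TABLE if status_for(c, installed) == "affected")


def report(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Host name -> open CVEs, for a host -> installed level mapping."""
    return {host: needs_update(level) for host, level in inventory.items()}


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = {
    "app01": "8.5.5.1",    # last affected level of the 8.5 stream
    "app02": "8.5.5.10",   # later than 8.5.5.2, although it sorts before it as text
    "app03": "8.0.0.8",    # closes PM98132 but is still inside PI04777's range
    "legacy": "7.0.0.31",  # fixed for some CVEs, open or unclear for others
}

if __name__ == "__main__":
    for host, open_cves in report(SAMPLE_INVENTORY).items():
        level = SAMPLE_INVENTORY[host]
        print(f"{host:8} {level:9} open: {', '.join(open_cves) or 'none'}")
```

Running the script prints one line per sample host with the CVEs whose affected range still contains that level. The "check-bulletin" status exists because the bulletin's ranges are not contiguous with their fix packs in every stream (for example 7.0.0.0 through 7.0.0.29 closed by 7.0.0.31), so a level in that gap should be verified against the individual bulletin rather than assumed either way.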
