IBMC9A06C4BC1ACE55A17C7DD2D9DD98AA6FDEE59C9586CAFC2375754D88139C6F2Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427)
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
Summary
Information about a security vulnerability that affects IBM Java SDK, IBM WebSphere Application Server, and bundling products of IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition has been published in a security bulletin.
These issues were also addressed by IBM WebSphere Application Server, IBM Business Process Manager and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
Additionally, these issues were also addressed by IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise.
Vulnerability Details
IBM WebSphere Application Server, IBM Tivoli System Automation Application Manager, and IBM Business Process Manager are shipped as components of IBM Cloud Orchestrator and Cloud Orchestrator Enterprise Edition. Additionally, the IBM Tivoli Monitoring and SmartCloud Cost Management are also shipped with IBM Cloud Orchestrator Enterprise Edition.
CVEID: CVE-2016-3426** *DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2016-3427** *DESCRIPTION: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Affected Products and Versions
Principal Product and Version(s)
| Supporting Product and Version
—|—
IBM Cloud Orchestrator version 2.5, 2.5.0.1, V2.5.0.2| IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7
IBM Business Process Manager Standard V8.5.6
IBM Tivoli System Automation Application Manager 4.1
IBM Cloud Orchestrator version 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3| IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7
IBM Business Process Manager Standard V8.5.5 through 8.5.6
IBM Tivoli System Automation Application Manager 4.1
IBM Cloud Orchestrator version 2.3, 2.3.0.1| IBM WebSphere Application Server V8.0.1 through V8.0.0.11
IBM Business Process Manager V 8.5, 8.5.6
IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2| IBM Business Process Manager Standard 8.5.6
IBM Tivoli System Automation Application Manager 4.1
IBM SmartCloud Cost Management 2.1.0.5
IBM Tivoli Monitoring 6.3.0.2
IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3| IBM Business Process Manager Standard 8.5.6
IBM Tivoli System Automation Application Manager 4.1
IBM SmartCloud Cost Management 2.1.0.4
IBM Tivoli Monitoring 6.3.0.2
IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from
Interim Fix1 through Interim Fix 9| IBM Business Process Manager Standard 8.5
IBM SmartCloud Cost Management V2.1.0.3
IBM Tivoli Monitoring V6.3.0.1
Remediation/Fixes
These issues were addressed by IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise through the bundled products IBM WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
Additionally, these issues were also addressed by IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise.
Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator:
| Product and Version(s) | **Remediation/First Fix ** |
|---|---|
| IBM Cloud Orchestrator V2.5, 2.5.0.1, V2.5.0.2 | _Upgrade to IBM Cloud Orchestrator Fix Pack 2 (2.5.0.2) for 2.5 _ |
| http://www-01.ibm.com/support/docview.wss?uid=swg27045667 |
After upgrade to IBM Cloud Orchestrator 2.5.0.2 you need to install the corresponding APAR from WebSphere Application Server. Follow the instructions on this link: http://www.ibm.com/support/docview.wss?uid=swg21982223.
IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2 v2.4.0.3| Contact _IBM Support _
For all releases of V2.4, fix will be made available in V2.4.0.4.
If you are running IBM Cloud Orchestrator Enterprise Edition V2.4 through 2.4.0,3, install the corresponding APAR from WebSphere Application Server. Follow the instructions on this link: http://www.ibm.com/support/docview.wss?uid=swg21982223
IBM SmartCloud Orchestrator version V2.3, V2.3.0.1| Contact _IBM Support _
Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, and Business Process Manager that are shipped with IBM Cloud Orchestrator.
| Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
IBM Business Process Manager V 8.5, 8.5.6| Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016).
Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator Enterprise Edition:
| Principal Product and Version | Remediation/First Fix |
|---|---|
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | _Apply IBM Cloud Orchestrator Enterprise Fix Pack 2 (2.5.0.2) for 2.5 _ |
| http://www-01.ibm.com/support/docview.wss?uid=swg27045667 | |
| IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | Contact _IBM Support _ |
| For all releases of V2.4, fix will be made available in V2.4.0.4. | |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim fix1 through Interim Fix 9 | Contact _IBM Support _ |
Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, Business Process Manager, SmartCloud Cost Management, and Tivoli Monitoring, which are shipped with IBM Cloud Orchestrator Enterprise Edition:
| Principal Product and Version(s) | Affected Supporting Product and Version | Remediation/First Fix/ Affected Supporting Product Security Bulletin |
|---|---|---|
| IBM Cloud Orchestrator Enterprise V2.5, v2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.3 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7 | Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) |
| IBM Tivoli System Automation Application Manager V4.1 | Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427) | |
| IBM Business Process Manager V 8.5, 8.5.6 | Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016) | |
| SmartCloud Cost Management V2.1.0.4 and V2.1.0.5 | for CVE-2015-7575 SmartCloud Cost Management is shipped as component of IBM Cloud Orchestrator Enterprise Edition | |
| IBM Tivoli Monitoring V6.3.0.1 | _ Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254)_ | |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim fix1 through Interim Fix 9 | IBM WebSphere Application Server V8.0.1 through V8.0.0.11 |
| Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
IBM Business Process Manager V 8.5, 8.5.6| Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016).
SmartCloud Cost Management V2.1.0.3| for CVE-2015-7575 SmartCloud Cost Management is shipped as component of IBM Cloud Orchestrator Enterprise Edition
IBM Tivoli Monitoring V6.3.0.1| _ Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254)_
Related
9 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
10 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C