Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427)

2018-06-17 22:33:08
www.ibm.com

9 High

CVSS3
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

10 High

CVSS2
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

Summary

Information about a security vulnerability that affects IBM Java SDK, IBM WebSphere Application Server, and bundling products of IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition has been published in a security bulletin.

These issues were also addressed by IBM WebSphere Application Server, IBM Business Process Manager and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
Additionally, these issues were also addressed by IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise.

Vulnerability Details

IBM WebSphere Application Server, IBM Tivoli System Automation Application Manager, and IBM Business Process Manager are shipped as components of IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition. Additionally, IBM Tivoli Monitoring and SmartCloud Cost Management are shipped with IBM Cloud Orchestrator Enterprise Edition.

CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2016-3427
DESCRIPTION: An unspecified vulnerability related to the JMX component has complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

| Principal Product and Version(s) | Supporting Product and Version |
|---|---|
| IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7; IBM Business Process Manager Standard V8.5.6; IBM Tivoli System Automation Application Manager 4.1 |
| IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7; IBM Business Process Manager Standard V8.5.5 through 8.5.6; IBM Tivoli System Automation Application Manager 4.1 |
| IBM Cloud Orchestrator V2.3, V2.3.0.1 | IBM WebSphere Application Server V8.0.1 through V8.0.0.11; IBM Business Process Manager V8.5, 8.5.6 |
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | IBM Business Process Manager Standard 8.5.6; IBM Tivoli System Automation Application Manager 4.1; IBM SmartCloud Cost Management 2.1.0.5; IBM Tivoli Monitoring 6.3.0.2 |
| IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | IBM Business Process Manager Standard 8.5.6; IBM Tivoli System Automation Application Manager 4.1; IBM SmartCloud Cost Management 2.1.0.4; IBM Tivoli Monitoring 6.3.0.2 |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9 | IBM Business Process Manager Standard 8.5; IBM SmartCloud Cost Management V2.1.0.3; IBM Tivoli Monitoring V6.3.0.1 |

Remediation/Fixes

These issues were addressed through the bundled products IBM WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise.
Additionally, these issues were also addressed by IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise.

Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator:

| Product and Version(s) | Remediation/First Fix |
|---|---|
| IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2 | Upgrade to IBM Cloud Orchestrator Fix Pack 2 (2.5.0.2) for 2.5: http://www-01.ibm.com/support/docview.wss?uid=swg27045667. After upgrading to IBM Cloud Orchestrator 2.5.0.2, install the corresponding APAR from WebSphere Application Server; follow the instructions at http://www.ibm.com/support/docview.wss?uid=swg21982223. |
| IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | Contact IBM Support. For all releases of V2.4, the fix will be made available in V2.4.0.4. If you are running IBM Cloud Orchestrator Enterprise Edition V2.4 through 2.4.0.3, install the corresponding APAR from WebSphere Application Server; follow the instructions at http://www.ibm.com/support/docview.wss?uid=swg21982223. |
| IBM SmartCloud Orchestrator V2.3, V2.3.0.1 | Contact IBM Support. |

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, and Business Process Manager that are shipped with IBM Cloud Orchestrator.

| Principal Product and Version(s) | Affected Supporting Product and Version | Remediation/First Fix / Affected Supporting Product Security Bulletin |
|---|---|---|
| IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.3 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7 | Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) |
| | IBM Tivoli System Automation Application Manager 4.1 | Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427) |
| | IBM Business Process Manager V8.5.5 through 8.5.6 | Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016) |
| IBM Cloud Orchestrator V2.3, V2.3.0.1 | IBM WebSphere Application Server V8.0.1 through V8.0.0.11 | Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) |
| | IBM Business Process Manager V8.5, 8.5.6 | Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016) |

Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator Enterprise Edition:

| Principal Product and Version | Remediation/First Fix |
|---|---|
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | Apply IBM Cloud Orchestrator Enterprise Fix Pack 2 (2.5.0.2) for 2.5: http://www-01.ibm.com/support/docview.wss?uid=swg27045667 |
| IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3 | Contact IBM Support. For all releases of V2.4, the fix will be made available in V2.4.0.4. |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9 | Contact IBM Support. |

Refer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server, Tivoli System Automation Application Manager, Business Process Manager, SmartCloud Cost Management, and Tivoli Monitoring, which are shipped with IBM Cloud Orchestrator Enterprise Edition:

| Principal Product and Version(s) | Affected Supporting Product and Version | Remediation/First Fix / Affected Supporting Product Security Bulletin |
|---|---|---|
| IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.3 | IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7 | Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) |
| | IBM Tivoli System Automation Application Manager V4.1 | Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427) |
| | IBM Business Process Manager V8.5, 8.5.6 | Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016) |
| | SmartCloud Cost Management V2.1.0.4 and V2.1.0.5 | For CVE-2015-7575, SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise Edition |
| | IBM Tivoli Monitoring V6.3.0.1 | Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254) |
| IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9 | IBM WebSphere Application Server V8.0.1 through V8.0.0.11 | Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427) |
| | IBM Business Process Manager V8.5, 8.5.6 | Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016) |
| | SmartCloud Cost Management V2.1.0.3 | For CVE-2015-7575, SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise Edition |
| | IBM Tivoli Monitoring V6.3.0.1 | Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254) |
