DATABASE RESOURCES PRICING ABOUT US

{"id": "C9B215C2E990733679984F0C6E86DB20EA1ED143683D79CFE88293360577ED49", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition. Information about security vulnerabilities affecting WebSphere Application Server has been published in security bulletins (CVE-2016-0359, CVE-2016-0377, CVE-2016-0385, CVE-2016-1181, CVE-2016-1182, CVE-2016-2960, CVE-2016-3485, CVE-2016-3092,CVE-2016-5986, CVE-2016-5983).\n\n## Vulnerability Details\n\nConsult the security bulletin \n\n * [Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>)\n * [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)\n * [Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www.ibm.com/support/docview.wss?uid=swg21980645>)\n * [Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>)\n * [Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)](<http://www.ibm.com/support/docview.wss?uid=swg21982588>)\n * [Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)](<http://www.ibm.com/support/docview.wss?uid=swg21984796>)\n * [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21988339>)\n * [Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www.ibm.com/support/docview.wss?uid=swg21987864>)\n * [Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n * [Security Bulletin: Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>)\n * [Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server Liberty Profile (CVE-2016-3042)](<http://www-01.ibm.com/support/docview.wss?uid=swg21986716>)\n * [Security Bulletin: Open Redirect vulnerability in WebSphere Application Server Liberty (CVE-2016-3040)](<http://www-01.ibm.com/support/docview.wss?uid=swg21986715>)\n * [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>) \n\nfor vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n * * WebSphere Process Server V7.x\n * WebSphere Dynamic Process Edition V7.x\n * WebSphere Lombardi Edition V7.2.0.x\n * IBM Business Process Manager V7.5.0.0 through V7.5.1.2\n * IBM Business Process Manager V8.0 through V8.0.1.3\n * IBM Business Process Manager V8.5.0 through V8.5.0.2\n * IBM Business Process Manager V8.5.5\n * IBM Business Process Manager V8.5.6 through V8.5.6.0 cumulative fix 2\n * IBM Business Process Manager V8.5.7 through V8.5.7.0 cumulative fix 1\n \n \n_For__ earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2018-06-15T07:05:56", "modified": "2018-06-15T07:05:56", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.8}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.9, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 8.2, "baseSeverity": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 4.2}, "href": "https://www.ibm.com/support/pages/node/283509", "reporter": "IBM", "references": [], "cvelist": ["CVE-2016-0359", "CVE-2016-0377", "CVE-2016-0378", "CVE-2016-0385", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2960", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5983", "CVE-2016-5986"], "immutableFields": [], "lastseen": "2023-02-21T01:54:01", "viewCount": 6, "enchantments": {"score": {"value": 0.2, "vector": "NONE"}, "dependencies": {"references": [{"type": "aix", "idList": ["JAVA_JULY2016_ADVISORY.ASC"]}, {"type": "amazon", "idList": ["ALAS-2016-736"]}, {"type": "atlassian", "idList": ["ATLASSIAN:BSERV-8977", "ATLASSIAN:JRA-61885", "ATLASSIAN:JRASERVER-61885", "JRASERVER-61885"]}, {"type": "centos", "idList": ["CESA-2016:2599"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2016-0684", "CPAI-2016-0765", "CPAI-2016-0959", "CPAI-2017-1082"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:1DFE9585B9C1AAABE38F2402F4352EFD"]}, {"type": "cve", "idList": ["CVE-2016-0359", "CVE-2016-0377", "CVE-2016-0378", "CVE-2016-0385", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2960", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5983", "CVE-2016-5986", "CVE-2017-1000394"]}, {"type": "debian", "idList": ["DEBIAN:DLA-528-1:BE307", "DEBIAN:DLA-528-1:C8771", "DEBIAN:DLA-529-1:758C3", "DEBIAN:DLA-529-1:DC84D", "DEBIAN:DSA-3609-1:174EB", "DEBIAN:DSA-3611-1:6D627", "DEBIAN:DSA-3611-1:F53EF", "DEBIAN:DSA-3614-1:2E149", "DEBIAN:DSA-3614-1:AC7F6"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2016-3092", "DEBIANCVE:CVE-2016-3485"]}, {"type": "f5", "idList": ["F5:K04403302", "F5:K40444230", "F5:K82392041", "SOL04403302", "SOL40444230", "SOL82392041"]}, {"type": "fedora", "idList": ["FEDORA:44AA5603A529", "FEDORA:4B961604A720", "FEDORA:77E4F6087EA4", "FEDORA:8830E6049DEB", "FEDORA:CF0AC608B5E3"]}, {"type": "freebsd", "idList": ["61B8C359-4AAB-11E6-A7BD-14DAE9D210B8", "CBCEEB49-3BC7-11E6-8E82-002590263BF5"]}, {"type": "gentoo", "idList": ["GLSA-201610-08", "GLSA-201701-43", "GLSA-201705-09", "GLSA-202107-39"]}, {"type": "github", "idList": ["GHSA-5GGR-MPGW-3MGX", "GHSA-7JW3-5Q4W-89QG", "GHSA-F7F6-XRWC-9C57", "GHSA-FVM3-CFVJ-GXQQ"]}, {"type": "ibm", "idList": ["0103A083EFE13BB0A09409F189EB554977F5A87C2021E473616564E5346F1AEC", "044AFEE40BF36BB3EE75709DF1CC1873FA73A33D95D8EC711E22E4A2F6E2FCF7", "04C68A4154F53DB70F6CF2A187509A3F1147E665A6C89FADCEBAB6E7F5E3009D", "05227436D6C2C968E5B8F7343C547A73BF034D9B798F660B84940312BDE80634", "0562A7C622FB9090483ADF1A395792B176E6127F2DE0622FB9F6EA76874B54B8", "056512202CC33AB21C4152EEC32EF3EE392ADAE1B891BC9D77AE9BD58B84F8D1", "0681C227FE92A8AB5C0594A63C254BCA7CA821D8AB7BAEB8A33FF0D16BFE06D6", "0960290DF2FC619258731B7569ADA60DF596825AA7CBEE2BCC35BBF743BA7F06", "09BBCE38EAE9D107F69E0518B79009FF4B4681DB3AF2D690D7F43B62E348CBD6", "0C2BB43DF89AB651EB4868C14225E174A83EBF22C74E30A0801125F7BAB5FEA4", "0C4F91C9AA7E146EDA1AA877B92C4C590E445AC7D2AC0E60ECCE4BA77A47F0EB", "0CD3C55D23EF6A3854413D6B77B0308F73405F8CB242F8337158678FAB58DBC5", "0D1B0467224C58C889D09464233F111C95A3EF770F8A898B11321AA3D7A63B1A", "0D1C36977F87457401FD07B583A57B1C63E792D6E7A9F4B3DBEC8BE07E73EBF0", "0DF637B3284998466CF9C2A812E445BBD165260B4415CB473400F55711361A99", "0F73246124CA58D05064BB5D07082DCA6F2A1D48630CAAC82BCFFB4A71F45CA7", "104BE807C8577FF816DF414B5A588FABB581711BB54758F6F49C7CAC17CD68BE", "106B2580EB58A91741EB732CD8D15C57A8F6683069307CD600388D271E20B4BA", "10A1C628C399C86E24C9D6A9B3952A5B25FBBB7072A52C80458F472DD864A956", "10D01D812FA46A22B4D9C913390B89D005A090D6D56BE96CC6191E4A5C237C1D", "120F89D786DAFCEA904CDFDE3CC03CC57195A6BA2C76C63F6B4A814C241B114B", "121AD16C8E6DC137F59BC7099DCBB94073B1DAF243EA01F065B73DC33C59F7CD", "12780044E1A62D25F913723FBCBD5B926E91CC9AC8CA8FAA1DCE18D02D152689", "13A0372B23AE8A4E68139CD880DEBEEBDC7987A59621CA5160456B358686AF73", "1412C7A622720AE3AAED86A8033FB65D1A62025D8DFBE215BA2F9A3FAA23D685", "1415F7F81FABE5FE357FDDCFC4CCBA37DA38729E3CE569D09188222ED976317F", "14ACAB8CA0189B997A86AF4FDEDE80610DE9EAB9AC94A882276C8C1D630E0243", "154959AD312743D0405AEAA761D472891EC4AB0DB42D62DF98414A64862177AA", "1552258BC602B501CB144C17FE55DEC12CEDE82B9F4351E9E4F47BE8C7003BA9", "15D0115CEF4171E92D8BA93E2ED17B82EEC2AFF6C764062CEE615ACC92A0F1AF", "17AD7BAA4B4B92B376991EA6E2FDE807376B44743890E9D9B34CC80855CC7FB1", "17CFEAC94B4793725551806C0FC1BBB368CF42F298F302943B1FEA14FE784E44", "1815BD265DEB0EE550962E1526DA1FE75BACA3823A20A4BCDA8ED078F9EC9C8D", "185C65AA20ADD09741AA859C490D06F40A2B734235A5F9667DC6F9321120A88D", "199CC92B290E5DA2C7A313FD51079E448761C8A62122CED83F84BC1C90E57D9C", "19CECBBC386892426CB8B069CAE677FA3816DC31F39D1E03ED5A62A648E1FC6E", "1A977E1D46AE4CB4B7068DB341125931FAD75C28D6703503973FFF9BE917887F", "1B077A4AA9474860B8C1C4046C2CC3C59145EF1904B5734CEC041210D8E1A9CE", "1B1D31107C76BD72BEF3EFC38D4EBED8FC72D557E47C37F6E39CB86E59CB9ECB", "1B5DD9848C7D60F6C9D8417EA3EBB647E326EFAB4F90F5517AA7B314DC69D75B", "1BFF63EB8AF39056E08427B06D34E43B32E43FBCC74FB2A85F32E708984FD60F", "1C91228402FD4D08EB7E1AA14F8781AE3740873F231FE4E80B592727066F0935", "1D7A9620014C4105B221C6CDF92C1FEE1B525AEE56A16CA716E6FAE637E873E0", "1DC6DF9F0F2C271FB37612B6B6BA7D59992F40C6F3209CD828D769FB2BDD0B42", "1DEC7FD30C92434624557BDD1128B37921411BD17E6CDC7FBA2302EF3CDB8DDF", "1EFCA96ED0F43F520BAAE2D9F621BE24624ABB18463E2EA095AD85756ECFD96B", "1F6C768E9144B3AD91973658F2AD3CE25A0C465D2A02F312DA2F905BA7A29F2E", "204F556EAB03A8680F9F7907025B104B7B92CBF17CD6A81D04D5552CBA6FD19C", "20CC9AA6D99CEF7EE73606665A628362756FABF0BB022191D0C2A784D35A19F1", "21C98DE98E9374C4CF11A15D5C86502E772ED8CD0C2E42213CE01503AAB9766C", "225BA36154E74070AF69A361EED7215084E8AB26B6C1580AE066C11B200C07AB", "237BBBA9548654864D2FE412BB3C8101EFD132E51D2D0A5101F8435F2DA56C43", "23F8C1E67922626C0589CA86ED9B40D441D494E8B56CD8FF4A2EF76F18E6861F", "24154670B8CC3EB03C11F4CFFCD12D680AF81E5BF7B5E295FE2642969C84E9B2", "256D69C6A8C49FA921BFF6BD50DAECC1F4BFD09962DC3AA698602171A4AF9305", "279DF7F5F123A843588622F2CFFF648DF475F6C7BD44DA56FA3B20CF984A9786", "27B8E9FC98BA91ABC2C10006CF43B0739BDA7A3213E6F5DEF3851A7D59959B97", "27F3AB99CB8DA67B28332908992A1F40E20B80601A6A912EA451692BFFE79DDE", "286378C830B748E29DFAEAB7AC19693EE4565D1CAB6189EAA20A975B835DFAD6", "29036B6FEB00571E2FBC00E867150134E5DF9C08AD44F9670B7C8B0109F99570", "2950460C2C0A65D952633F4BF7735E02651D6DDFC3EA5BA07E9DE1E2C618E938", "2A0289568A16E75438F062DD5447BEE8F462BCBB11E9154045B8CB577F2DD29B", "2AAB5BE58C0CB4743B376C4C058728AA514820228044A3F692F589C517749A2D", "2C21B781F95E3A4AE2DC4BE5B94F2879A18765E7411E6026B5B8843D38E43B85", "2CCC0082C741DDB5DC34B25ECB013C676FA97F07AF06FE2F7165FEE41D61E833", "2DC101A5E18A0AA20E5D65C4D90AB61EDC059D48B748C97B8F0B5E701BF2ED5F", "2DD38E427DB50FDA5C4D07F52BDC62BA35206BA44BC185595E39ACAE88DD41C5", "2E5C896ED71A7C63BA6B6E389880C03978BFA04CC2678267E26B3E7321AF2F55", "2E9BC1AFBA9F34E20E313BA5B8B5B6C1AEEC0E8F6EC0B353125AA17460789A62", "2F3DF4D2282B24EF0BC7D474141631F99685FDF82AA0F53876C8181F0CCAE559", "2F60B959AE26E6E12B6D46DCEF806CD64408E1E3D5FA1F8B1FD9290C293E11CF", "303C91E2CFE56293B63DAF25ED4EBDD8AABCFC531AD6545BF591206AC7A73FFF", "324C3A5C08D06378229F5834017A7D422F8EA19DC545B4ED1C4E4AB6290D022D", "32EB8BE682985EED6CDB1D2FE6AAA4C3E1F475A6C6763236F416CF5D1908DDD8", "343CB43E86112BC022B2CC5438929BE64F8F79637308BB26F995E85814CF881B", "344AA196E9BA42E66F06309E1030B565184E95CF7E855E7F9747C728B4CDF0A8", "352ED7C655303F942271C987E60E2A8EBE2D5119B7874AA215EC3C5E75DE5571", "35774A12657731256610BEB1ACB2AE99C105060354AA560F82DED28AE65A8B24", "35F30449FF5A9B7862DFFD13F9925E357A9EFCE7C3D117AFB152F8F9CD892EB2", "366FA55EE0B09B40AABB041DB433F5E49FC0E42F7988440387EBE3EED9DBAE91", "36B9584E17AA5AF2507B4055D315F6471C0FAEB4DA5E11B3981F0D14B6267101", "36EAF631AD2195D87F303F82AFF5E7B7CFA7545A0A6B18A6E83CF844C469D54D", "37F40800D3418C50FFCD2A39357D854385B61852A824657B5C6B84F6EADDC390", "3807634CE4F716938A9C964BADF32046049F08DE0F20E027C1152B93AF6316FC", "38D9B6A3F68CBED96349A3BFF2E84864F41372713050A661A21E0A1C496F18F5", "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "3A7D02F876961EE1920B984D5A9926B0409E64F8073E179077D1AD4DC6C80C35", "3BD924AB1914D06D60F032CE4061B3FB0D5473ECAA7B3D99C2DF77F4E5E7546B", "3C2B8784ABB03ABEF1412D29758F7128B41B8CE8ED5563C81FD9B0D761CF3193", "3C2B8EE555C2C7BA9B1DCF116F58AD2E78578E1C58F07EEE1ABD05220173B0B4", "3C630E87CC8A98E980FC5838CF94096C676B99FA65014F79A0F1057053EEB9E0", "3CFF13ADA1D4912594BB3AC9D0D9ACB17881A208B1AD8998A1E8BD64DD6C5268", "3D32F9B38D46DF89EF7AEC91E44C48557AF1A0BE8B9EBD7772ADE328CB0FB68E", "3D8540513E9389E52505EF4CCF99C1FC5DC8928BFA49128170D48087D1264725", "3D991095580B76B158F7A831309B54854B2A9D4E0F2DF32D4B451D7EEA77D411", "3DFE6203DB59955492FEFDC3D6D48EBB07936D0F880BA3893D07DEEAC6EC7CD2", "3E3AF8AC7BA63076BEE8FFB670B3A3F27E0903C83526E54496E50EB2DF74B875", "3F717878AA040EDAD8CB844C86E752D8C4D36133520C6E446279F923E229DE73", "3FDC0101985ADD7D5774F255D78C573813EE11684088944BAF72283AB319514E", "40143F0DA50617F5EA31C30CAE6F6341059E3F031BCE0BC7DBD9F120A3C1F432", "4072C39942198FA288CA301A6C2F9213A715552B7A9DD1177F87322136D13270", "40AF05CBD3BBA604933F6C61D164EE39373BD16E9C951A8CF9EE0D2970B196AB", "411DE209066A00259E38D292C22264C2EDA3B961B523920D589433F42FB534BC", "41A2B080355DFAE7EADFECB4D5D6C7105784D83B969140D731128E3E9EDA0757", "43195EA4EE376F09F69147695272C390DC1C902D2303F5AF6A10BBCB312C6324", "43A6AB12EA2CF36465A8EA1AF578A0F7235298877A542981F53FF6ECF8555E96", "43EA7D9D017D774D32A0D197F345A2CCB9AC632F5A3F17E7D34A94C65782172D", "448B36431D70C2FF876FBEC8D7CD3B51B5042A64B4AF7EEA7903D392CD01A757", "462CCAEFE39DE4B8C89C00328CBC9CA234F0066E30424E0C8AE6BA1EF9AA8903", "48C632E9633C29E25E2E603EA59758933E754D6593F3D9C97533C76D3FB464BD", "48D3B4387F7AC4CDEEBF0466727DBF16D28B07565644815B406D3C32B0AAD85F", "494EAC6DED2AE35E21EE2CDDCCEF3D9DC2E0A6224046209E48AE5CA445191511", "498E2E2E02BBD7E3CFEF1107109D9E779EB3D6CBF7CFB90DB2F30E432B32CDDA", "49A2DAABF329D1D36825AC08ADE5E57BAB0D059CD2E00944D0E0DC45D4DF7BEF", "4A79091D287A34BA15193EFEEBEE7A6FA4A057FC165C69F6432AF6A12275881A", "4B7EBAB09AB01A6A2993819DB2589A79B0751770B2E5A63287320AA02BEF3420", "4BBE38BD4C14663137CB5AC368F3844C03C1649121351CF9395210280F00AC37", "4C024257AD7E9C83441C93605D5C5B18187F8CC456447E80E7EB40E8D951306D", "4C3E9BA47DD2FADD1D2F72920168275F04EE75E47AE79D74B1E9E7D48E8C5ADE", "4C800D760232A012AE25AED7F8AFCFF9E3EF3D9D48D3614E764CC6588F221519", "4C81DB2D277BBB0E77AD563F80391527A2F6332652C81AE9734B9DFA21A1B434", "4E0CF71A698515A29D0ACA1BB71EC6A8B109B50F539EF3517671ABF65450A55C", "4E0E20EECC4387F5D8B07A8F5216717E614BDA714A2BBCCCE14643EB4E1BD3BA", "4E66ADF44C98149BB101F649EA179DF62F537E176AB809CDC86D7723BC74CC93", "5019479659D0077F96B144E8D40CE6E5ED7D6877091F61AF30306198EED03644", "5049E0390F7FB17FC4FB6FCDA949E23241366872E7987B7D22194E73DA48367A", "50500E677EF1A8A0E4B31CB7C07CC70EF5A3A981D8BCBE998194BD5C84E27A2C", "50F17354A0A89B52C1E061D02F78509C6F34AF2860DC46D6DFC82469E2AB6C29", "512BFBD27951911F89AD11C6124C5FBF6F0B5D9AC25185530EACC6604EC91242", "52A676371E671BABC3878599D45BA5E8A4AA71778619EAB5DAC852632CD3B941", "5309EC5EFB560C0EDAE9A1301EB479F223E61CEBC27B18D2F0F892C7B4171037", "533C7CB721CB7B762F46BF3C10C1394D3D00EAF22F42393BF571F84CAEB3DB9A", "539F44BE69BF7CADFD6736BAA24EE34EB7B81AA4BB30D865E326CDF1571A1343", "53C5D0378DD2F23947F42E54846A8F839F777754BB281BB0CD45684E4D1828A0", "5460DD3431086CDC97405F33BD85C80E50D7B76867766E523D3593B7AC137796", "54E8763435E71FA193D259B04F663DE2890070E91EA2A9E50CB345DAE1960792", "55DACA18AFE52B9657ED6763ECD6310E15A2B6AF470F5EA9C7BA6E971FD15B5B", "55F628252DAF650CC58C2642D1B82D06D90F25555C9C9B3A72808CD2B411DDA0", "5902A41E6B193100253C43987CCC82D3DCB47681EEACDC1CD8E3887329ED5E19", "5974D2AEC0C77B8ED87F1B975C9A98C554188897BEB5FCA57ADF4D71016AA380", "5B164B5283CE345D83E42FB6A83D722DC3D3EA9F2B2498137E455222E43AC8EE", "5BB47F0FF7CF6CFCB37955BB1E55353E2082BADAA6B2A5F407DEF9E2ACFEAFDF", "5BECF2C1BF399E515F1300DFFAFB41F31FFD0A804F8FA910C42EA050B600048E", "5C152B4A839095A837C1241374AB44F70D93203A632EC12E321A761B67A29146", "5D232E30AB5C93919EF580AFBE6D2ECEA897D47EF039A381A71CB4D189990CFC", "5D4F062A535B083DCAFE40C555463FDC20B044731A77B663E5157BF58509D9D9", "5D5511FB05FC37444DAD215E7692D2A296E9AEECC91702B6E9BD1D11BCFE5407", "5DA2F018499FC3B4EED2FE3B5ABE4582AAF867BC56B13E51DBDC838C5E23CA3B", "5DAC43403A6D99FD575B46543303C4AE9DDB38B3F55FBF172BDEA1936A1DF2A2", "5E18DDFEF42C9E454FD2B7F4F9F8E06973E1051692FB5605975B9AA96CB79617", "5F1C54B57D0A77FF4E91066E586EAC8DD7852F7155D4BFA26079447E3784C0BC", "5FABE639BDC6F4D3FFA84BB3C180F3988861FB68860970DA005D1411C72626D3", "6097D8015AFBEEA139CD04B0695213519AE407C70058F9CA2120CAD2E9367C6A", "615BC7F4DA333436381CA36075C21AE3168D8916C6701C65D498F26F92A209DA", "62439DA1685C8834EE8D742776B2A816E2F759488A37A2E67FAF819FB474771F", "637F608901EF8B9FD34455682320A8EBC1B665D4F6B5C7F53F3E57AE66C9AAAA", "63F3E08E51FAEA55521F5ABD3CD04927C13CBB1DBA8387931598DC1D099B4DA0", "648F5894D68EF123F96579E1BDB353B8EFBF458C06EE0C234B06A0EB216FA759", "65DC12D6E8E0D53E6ED0AF1F356647C749F500509AAE6E4435FC95F00517F01C", "66015684C1166B9AFC7A09E01337D5D9FE20EF8B62A13053D95EA5EAE5B3DB9B", "6783B22FC7B5C201041B367FBAAFA922D76322A15B0B12E6BDDB1EA7EA8FF3A6", "6788F1A96B921298C14A54FC3FE4C33EEAAC34E9DBECAF0ED22B8662EF114B62", "6858032AD0022691AF88FEDCEF29BB4CEA50172EAD995CAB6463B91C16637C1C", "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "68F01B55EF58AD9B7473DCE2A6939C225701FBB1F26E297D4ACE9E4AAA6A40A0", "691466DAEE06683E49687F1AD61B1DE274EE44CA9F6E86B9BF8D7D76D6346999", "6AB5B24B612744A794E7F28CC88F04C811F4BB9710FE31917EFCB65EDDDF7C9A", "6B8A6AB134864FAA55484C24121B90CF9CF3AF19AF46B8BB96B2D7E5879F766E", "6BD8A28B17576E05E0B974C262EB42ADF09E98ACEB21D1D8CF08B3D64F137C36", "6BE368724ED113848AB27424E7D716324E101FACB4F19347A213CFE87A4DD673", "6BFA62BC112FABFA05C6C5C47562FC2C7D3EECB9F385BFCD8A861FE181F02933", "6C7EF094F5ADC8D9F28ABF3F2EB18A600C9A1FFD5B394603509AB166F1A6FEE3", "6CEF08A1A5A2589C6B108019F507F85264A6994B29790BC8B95F25B7959C7A69", "6D303B9B759D915E602235C41DDCD79F0FAC32B1E335F7E9AAD35C7C07956DE8", "6E6275F5111F3859D9B1CFE078026F5DE9321B46B7C8C9680A49C524BEC1D4AF", "6E7A3C64E37B87C4037809B239C42618DCAC7FE4717376C883D27E1F986FD68A", "6F2C088BF5D78FB804760981ACFE38C9CC104BC5F9390812E5D324682512AD45", "6F6FF23449572925FB1BCBDF3BC78A4879227959A3FDB4961404A9923DFE33EE", "6F9B3E5D97FDBB41059AA8C4DDC3F8C6E337642756FF537C16A61C7599D523B9", "70472019A55AC76C93332FCBAC3EA57D29A90BBAD49B238AC6B93852D83FB05E", "70DC2A30E72FE178C160BDBD013AC7631F1DE502FB35203760983EF33612E2E9", "71A473993D401FAFDA20A063C958EB3785E06B0F2833BBEB5FA0B1E2E3123139", "72F388362AF41C5685D24932E9104E4D10F2F34B4CB1D6A825C5735F1D4D2178", "73D8DE3359B8A7D986493D15802F799CF86136D0CE2E8F2B30F608A126D41D1D", "73F295E4CA98A62DC32C3F4805623BBE6C4CCCD3F58645888D4CF9A556BEE309", "778A8DA732AEB0BA940EEDCF62963DA570CAEE6B4632E80356BBA4427AACFF08", "778D5DFC07927E0976A1EE0D444F4B2AF071C29E58642C35B6240F099747720E", "781FF913946834B24E9A339648FC3C0A6ECBC1CFFB7FD556917120A6373D7BF1", "78482413CF72F85CD54D339AEE85873826C441E5C963845D366542CE62201709", "78A1E29D83FF1CF22926BFAF7A0A9A7746FF45C42CE2A05529E13ECEC5593ACF", "78CFFC4D2D270C24EEDC9DA3C157BE051A6915432AF4FACB8946F44274B08376", "7996A5B21090888A5E92985E9AA52C1DFFD5B468A73A1B32557A0A11DFBE0724", "7B6A0EC4B0BDE7D3CCC734AA346757CF04E0ACCB853B4076CEA5505A64B850B6", "7CE7B6121A220F746D7E7350024168EE4728D2E161FBFDE7CB9C7634F35AF8B0", "7D9A5F2991077AA9574FC57673D25FBF554D22D590E6151ED3F7D8BBBA3D434A", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "7E2F62106B895325A750D4AC20BF018E0EF2AE3D85B9685ADBC3048C8D7487CA", "7EE8FDEB8465940794EA3BE354C2B6719D58873E839D88BDB681B31475E4F231", "7F9570EDBA71822CFDECD9AF40AA1788B78E79EC4965BDA1BD0FA671F21BD826", "8155B091E8A9E365D7BF4DC2FC7DA1113C991153BF54EDFFC2BCC3322D0D6281", "82D72845B48E29F382E3CB32198A7458539BFAEC832BAC6D7B23609003A86C76", "83ACE9827AAA221AAEBB8FF39A79EDF0106D1E765567F4841188EA8392A197BB", "8507F09D9C972FE2BA2DDBEEBB0792D301F19FDCED202AABDA3B64AF53687671", "866777BF268D916B6BA35BD063954CE8C7C39BF5BAB0B6500CA88367EC9CCC1F", "87319000F2B5718CA8299326C25D525A5823E683BAA1D88EDFF67FDA89964C14", "8731F85B75BA77CC3784CD784E98484D53CD189EA60F1F57A3A4EE351FF62B39", "878A7F1E0FF112F9D41BDDBCB8A73E60A52C1121774FB6ACB182B9D0EBB13176", "87DBCA06130E4415C6861235A0CC97C51C4FBCD9A59FD4DB400429A7BA90D957", "87F9F17A2139C18ED1651C78BD6B6B9871F86AF41FBCB2650D11DD7F64C74352", "88F727F191CFFC37044A03CB83B1BC4AD832285EA66FE76EABF1CD38612CA6F6", "890D61B029BF12CA21C507C976B26ED9B4D3E4727839305DD5C53CF9467814DB", "89C90B70834FF0A7F6BD8AFBB87CFCADAE5A6543FDB3C22A96B4C08D3EE5B144", "89DB5E8721D6F1743F1DF2F50E0B0D24B666DB0E1D75FD07B6A831AE422211CF", "8A242C548ADF3E615FE6BA32C7E6F5B2DB8B1FA250ABF2329DC20A0FB32D3700", "8A400BB6A99E8B90EEAFDEAC498275CFF269AF50ED449DD7602246B8F3C6CA90", "8AE26EB963FE83AA165961284EF44A0145D4CC5C0159DF6247A18316A677E075", "8AECCBE0CD244EF2C1818D4560A2112EBDDE17CF922BC7869D4367156735AD72", "8AFDCAE89AED9D1573EB511B1BB0BC02E4FDA3F4A8E6C9E02934A6732955352C", "8B18AC83E9E55630F38BCC093FBA60F73823FEA190D70997BF3519D3B71A4DD8", "8B5E55715CB43CFD48BB9D471BB81630C46627FBD2947452B93068127B46D7ED", "8B8F474EAF8B4CA6EB6778674D0867DB42A06132F3C37EB84839E20E4F45E880", "8C18F8030274549454D17409D64C54EA8977ABB97F47F0C1BDD38AD8DF66DD50", "90B70E1993214101D9CBFD4EE28BC40E7D32800F9FA576E86104883F6EABE144", "920897F36E3860E5BECC58A31CEF9AD54CB65B84D6246F4EEE6D0AF20918E25A", "930FC3DBD61B7E8555AF191AB7E1E95834FBDFDFC85B66000C95954661FFE18D", "93A6214180EB19A62AD0960CB98101D6E89161ACFE11D971FA2AB345DF973E5F", "9506AEC7589C76B9F470DEAF3BDD3D3E55A36F37EAEABAF1E5E1AA416B13E81B", "95BBCF20718984EC471409C411B796E9F3D5A5F86BD0C8E3A33D9A3E2823A644", "96F7970728800B0EA1F359155E0D440D3914E976DFC09CEAD452C7D7EA6BE61B", "98B52684620C38BF0E896CC96D582D7BF5766FACACE403B25AF2E7387EDEDE1F", "9AA2F24EEF3E370354B1D2715ECE7A9C557079E3EF67FC1181F0FBB993B2B7F0", "9B3B55B32968C55E20626DD8C4FD2B5C8B0E847DE167EFDC40A0B80D7134DDEA", "9C1AA7899A19BB900DF77B5F4EFB2E495346A3556FC8A26E17E8EA20FA912324", "9C9974897D9032CCE40784D8D39546999D4563EDB691A9F8F85E7C125665ACFD", "9CC98367A213309185EDA7DC75FCDBBA5D5754142F33E0C8ED1B454D10CF416E", "9D9F8496AA1AAAE7CF135E4A6F86B7D8F86173A0E558AD93AA10046F0ACAAE6D", "9E2A151E55224A968A391D8341D89CDE7F5E957ECD11BD856F5CA5D348DE17C8", "9E3B1F6158EF5703EF54F7C3064A7EB99BF9523B8A6CCF05475346791179C879", "9ED959A552F1F1135D021720BFEF601A33E4FF298A735DCF0648EF0558E731A9", "A0925EEB2D6265DE705572AB2EF6D7849A556C450D7D8361064E8B71A86B0189", "A09274BA1A31537EA391724E8C52797113E094AE9E4EAA66FB5A50D995921587", "A0ECE071B650D8F5EC02E601175D0E3683680641E4438CAB1D935DEB21EBDD49", "A10A81FCA123ABD51C6EDC335DDB49CE3FC626C9476125C2CC265D2F157F0C97", "A1FFF99F4806257518CB3CE41BF94BAFDDE3EA56F512BBBD8B3CE1F45216F6B6", "A20DD20D95C60578C655644D1A8A4C9E587B5A7916261AE7A525E0C7B766C3AC", "A414E053344BF15A7174D8401C17399BA46B86AB3D086A3702B8A51CFC512A71", "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "A4FDFC527D8A765D6247DDB806EE98612DA0FE7BCB4E133A742D7FA9A06E39DC", "A8C4FAE86EAE65D0C1F3A30200BC3B099B396436A3DF948A48B8B78AEF01300E", "A94F458BD760BBB3130CB482E88C0783802EC97ACD89A0EC09E9E065B5160F95", "AAE50909D8058934D5CCB989B4CEA17B72CABD2BC4CF08576581EC909FE087A7", "AC94B80CCBC2EB56618366A30B69B9EE44D076505868D027EF028C829EF45AA3", "B0435D245CEA6490D5CFD38D5F0BF6DEE8017B36FA413D190293E5EB84544630", "B0549540072FC1BB0D803052330E32E656605B46C7EDC1BE259FE2273831E00B", "B092A6E897951ECC10739C027B685833C755CC077686979313AFCEFA2A8170D2", "B0A606101370774E5FB3E4409A17D910B4B5997971AC7B7045727379D355B696", "B3070CDC89694B6DDDE4CAF9B2A72605C462E75ECCFD37293A6ADF63D52940D9", "B314C20BF91C600149F279A906C6EBEE84E73ADFE2036985C9D6023680EB2CA8", "B34A726A1AFF5A68AE72A224974D9923E1366B92AF2487CD076BA0E00E7E7A02", "B36E9A87D26819F1000CEFC942D54F874FD41DD569BBFF95F4C0A213C8333D83", "B37880F51576751375FE7D9EBE05F55C5D38BE8567056EF4ABA103092A7E8CF9", "B480569E9EAAF60928F07D6B15EF8300E13C83515E1DC170316E4A43855FB862", "B4997BBD202D81055BD057D6162B0197578FF3830B26E9887179AA51B953191B", "B4ACC50FB3EFBFCDCC381ED7E344E2F40C781747A414909444C31FECCA264613", "B4BA991763253D738BCAA9AB61AE50E1AA4C20D6F3366D5551C3051C29FEADB2", "B5983E7776B85F8B471BF41894D79B06B277D9375223AEB0B2B7060D59865A92", "B82866290921228BFC81DE31AF54D89557244B1EB83E71B60A296FF19825B6A5", "B9410A108CEB6D3C9DFE0C1617FB34D181E021D243C3FB7F5DB35969D7C4CE52", "BA00D2D757BAAC274D87A18224BEBB9CAB187A87A5111B7900F36CE8500DC305", "BA641051633E4D947A94268037F8B8865B6EE865868B44CAAC2ACF192C454E89", "BAC0ECD094048AB5764245E3813A4B3FD7B15C38CF78917E44082B74A378C2E8", "BBCF8E5459CEEE66A7E358287F0CCB2262D6336887AD34679527A9A0255313FE", "BD6AE1C01578D2358D9720998260BF5FCA8B53021F548065995F3783AB704E64", "BE40ACF27D8AE17579CFB2450280D344E32F14B5AFCC639EDB71C9D294778D10", "BE6E8380C13D1103EE23BA2477B40F90E44B32F9B46BF16533F8DB60DB918AA5", "C023DA0932CBC18A5075A9625E1AC5FAB3AFEB2685AE9EF354626E6093143ECA", "C12C8B0EAC618346259B62C6CDEF5D39AB0CD8882D93DEEA0B2EE564869BA18D", "C17CD2FEC5C4669A655AB19088977165D150865519E162C106A71DCA3D3F1BB6", "C24D4FCC97FD95E90382A4216040099F16203ABF61AF30281EF1C2E136253A42", "C270008C47088F4AB45570D101436BB116E08F304CC36AF51E0823C68AFCAAE8", "C2E10ADF77A56455CF7E5C548186FF7DB9049A2B642D6328AB4E9D70C0CAC558", "C4867E2A9AFB41997764998CA71B3E6F45BC2041558CE9EF5DC4280DE0468C0F", "C5DFD6DDF0D044C736F3F1427CBB14FC5CF33A1F5084FA65609536B85A5FB9AF", "C619392EFE2BDC3F1E7757ABC0AD1E8DC26DA6184FA865960384F0245294CC0A", "C6D3893A0A2AD210850BB8F4A26AB7C73EF4360C454D9EEA1A69850B46587C9E", "C6D76168198B9EF24D77F1D04BA06E30D33B0C7D71C8457114E69E1A43BB68AD", "C9594147E388237928595F1CF759F8EC355015BE6AC29A030A2FA3207D9B6DE4", "C9CE53FA0A41DFF7D5C243A1491314045D48EEB2A9EE26EE24957E92ACA8E16B", "CA49B7C63554D1CAFF30E7D6E04025376352C07DA4ECB985E5EC9931DC2968BF", "CAC8ED34222D34B14BFA3287FD19465EB8AFCF00CE3336A526593AC6DCD0075C", "CC3E66DE002526817DB1EA3478AAD281461401FF26FE54A7665592396B2D0136", "CD1AEA82D347BCF45C817F297F91F17B63798AE3055B653759D8342B9405F1E0", "CD8271F1E3A620207AA3EAC35F944E1453EFEBC4728A88B9C3D9D0DA7F511F56", "CDDC46C0D603CEB978B368D94374CD03AA55B9B8393D14F518AD8D2F3626262D", "CE3EB460B9647ACCA093825A27E5BECCC421E5D4A48BE26AB3F174E9509AEE7D", "CFA0180DD2A0984F2190B115DE539BE5DFCD9394BE8E092097730884E400A5E4", "D0423281F181B1E92869B5BC9FF74F864D924BA505452A3822D73132BA4D21DA", "D247F5ACEA9EB5FBB260F234DB32171318B69EDF593FF0A9176ABE088685F443", "D2872F04FB8EC396CE4179770EFDA288DCB0E60B7B97D1F4DF50053C34DE7C06", "D2E48469AB3A6F2B1FEAEFDF00F68B8BC2F210C7E3BBABA5556DFDE4C6DB7ECD", "D4CCDF937AED62F58C315DDD3A3FFBEB98C64C89E417C833C328D04DB0E21B70", "D566ACF05DFD29C86C42838C45117DF273CC3F6461A6B738BBB6F0D31C47B1C0", "D5DD24C882DBB1D9A7CA1FF6A2B5E71A2110BD5524772EF5C4D134F94002AC84", "D5EE3EC14E7ED1E552E08E1001CECA43D603E6701AEAE8DAC86B2CBB34B5F3BF", "D75C787D719F6B509B47AAA92C0EBBE969DDCD2CD7BAA1800C224FD759790609", "D81266EEF9A30224B03C1D4084FE2FB22F1A32AE3AEF1D43DC3CA53C8F5BCAA6", "D82E18DF27396DEC92C4727BDCC6BD3DD0D6F0F3B56EA9055906BDE22958F30B", "D9D73C9BCACF49201B1BEF05079A9FA03696ABA65DE00BEFAA3522C5956D8E68", "D9F3546932BD432766323A6E9A562D656E3EAC77AAB6EE3AAADFF6008E59BC30", "D9FD3FAD1E0107E81F28CB6CD738F1EB1F88FAA491F7CC9C3B09D25D564A16BE", "DA3FB1DFD46F13CF48674C50B5BDD37A67A33400524CD87A16AE20E667E35BA5", "DB04090859F8679BAF60915BCA68B7576553855F24A191D2D85B46CAFBAFFBAB", "DB68C8666C18AFC83A85EECDD8ABEF0A5F62BEEA4C9766E31EBEA828ED452BB7", "DBD29332B6E297F25422EB8C28791AE3DD704B7B9FDB714ACE7016CEEC63D122", "DBEEBEA67BF53D06F2B67D1EC250BC6DC481E7E1D95538F33DA149848FB8D480", "DBF3688DBA798444F3C298FA2AC7CFA893F49EE4F4F4469F192EA874C9A777D6", "DBFDA759395DD0AC7E179D05997E87AB15AB4D48C40F4A4663CE4C860E9BCA2B", "DC6C232E86993B4A9A02C52EE0791383ECC1D513CF816EB9910C1BEDC86A039E", "DD688D91FA0AAA1059ED8DE6DB189452283A58A45A0366C2E9ACA779B91EAF49", "DEAFA2DB54593AA80919E191E6F6089E8FC07DD6414224DF7420DF6F55DF4BC8", "E12AC4164A95297C0432973D30F603FA386B4210C32C90DA21EC4D23B1C17983", "E18D7E9D3ADD32A2717C5CBC25225C1C6EAA0474A66F22464249443F17754608", "E19B380C2BF0F26DFDCBADD37C1B7D4A13ED463E7B4B4ECE7EEEC8895D5690CB", "E3BD856982B27C3FE93EC13A76D5806B5BB18B95DD328F70706B73BE68D790ED", "E41DB3BE42FBB098E24A8665578CAC1A1B7E8557F404FB6F24D4B6F961A9D4B3", "E600E0C30FA57438BAA328F6729F104613C088264EDBAF41A037C964282DC8A6", "E6941D2C78AB15CBFDEE44862F78BC64B8666D55E6564FAFE4207AE63A7F1350", "E70120C165876F69BFB2C09908AC0EB9592A96A4EE7DF139E3FEA8B8E849302E", "E709674FBABF3ACF153296465B387FAF06F18F887BD2A7754503B905294A1BED", "E7294E71F8AE85B73601527840426B879922690C9A0C464F224265C06A594345", "E7347F69EEBAD10850121686C24AD0948018817D4B771C4CEE337A734ED383CD", "E8502415402D8DEE3757A91FDF5FC83A369265B0F5E2AE2A7246A3FC800EEE8B", "E8EEB32757FCFDA746B60EBA71D8922DF48CC00375BF0160ABE189EB75238BD7", "E95C513C81DFA803C5A853C9D2DFFDF741B2BF08BBE6DAABA2EE0C2BDE4DDDC2", "EA4BC9A6E1BC28B39AE0C360DA599139777EC05EDFDC5120E91AC3051300D3E7", "EB29912BA3125220228A3E0ECE64F9A835E8E7C353B5EDF3F1E3E9C50AA8FC18", "EB3D28BC172F69387FACE4175489E3530181A4DEEE32D8B8B4183C88E5EBC89A", "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "EC6546AD78069F580D23481B6CD3653D1F6E41477D121A426EF95CE1079F0A14", "EC68A07B2C3DAE1C815890F259C28E42A77D5A3444423C6A6324A3D881B16265", "EC9C4942DC6B13EB8A7D2C5ED6757C645B967E343E6EFF8AEBCB6CB67C0FF535", "EDCF2E68ACD973727361751379D03614E328717BE15786687654550AC960EF96", "EE3BB1E1A3F14F2353E482F019C19EA6B369F0E209D85152E7F0187DBBA44B38", "F2A538AF2ED1CAABCF5F0891DB02363ECADA659FE7F2989D3CCD7668E4585622", "F377EB02DAEA61BF9CA5FA8E0CC0F3E1F167BF16C536210BB423500CBF3E31FC", "F4B686A2FC89EE4E34E6E541C4CAE723235017E1AB5323D2E4FB5831F7D1599D", "F4C7AEAFB7E21EAB08B7FEC3E23EA02DD8B1C69791CB079F71E17ACBBBA26E72", "F4C8146FB10A44EAB37C806FB96F9E421080AE5CCA233C45EB9849A6ECADB0A2", "F4EFF02429AD4384CA34D223887849DF7B877D5977A34EE9E2677775B01FE19D", "F5BAF336C0FFA1A9715652B899383A9C6D730D8ADE9E07CAD68C90971C7F8249", "F5D5AAF38F45575DCEBF7AD5E9B3D25AA8678ED2972A091BF0082B881BDC74A4", "F6F81EC2A93E77E4D599C827E29E48EFC512C7EB406ED8ADA47D239D81A82F3B", "F7297DEE78789012F7802C00A7D437B06424929237D39542808A1D9905687922", "F734098BAEDF5AFE2E1212CF38FFBC1027F1C32267CEE354FA41C1474C6526AB", "F75D58C0267A449CAD114159AF9A13F3D3BEAEAE57224CA266830BE31F9583B7", "F775CB7FDFF7FE8D917CBED07EA98427F88ED764F9B29FECEAB1C5D83B3CE8B6", "F79F1906EA54AB2D37EF20E76EBAEA53E4E25BB3996B08D6FED860ECE70287DA", "F936FE55F38C08867ADBDA8E6F3802EAC3CA57726D86C3FDB2C0BC8583619B6F", "F9A935F07F0C2592550406829A333AA17FFA9DE5B312BF55A008E03FEAC4C43E", "F9C7ACF2002F6F3FDF193E4C427570D3991980C9A65D31E141CF3787E2A33C07", "F9D2DFEE8BFC9D37D4534CFD4561FDC5E9E00D0E64A6A785BB6931ACEFD5394F", "FB60355B6CF5CA4E3D9A93696E60907CED58B5F39B8C42390AB3184786F3B132", "FCDE037DAB880EAB81EB1E606586B130B29C6D1FFE94F82FA3DEEC0CD62E087F", "FE0F3BE502D0937B71FD0BD03677E2596BA97C09552BD47B66FEF5FD33DA20CB", "FFD387B2CAD7DE98A80325F850ACB6A96E2DFB99E7C223B835403F5BA65F6887", "FFF1402575E7BE1F32E231DF470BEDA94544D3C346FFE024F98E6A628264A23E"]}, {"type": "ics", "idList": ["ICSMA-20-184-01"]}, {"type": "jvn", "idList": ["JVN:03188560", "JVN:65044642", "JVN:89379547"]}, {"type": "kaspersky", "idList": ["KLA10849"]}, {"type": "mageia", "idList": ["MGASA-2016-0244", "MGASA-2016-0260"]}, {"type": "myhack58", "idList": ["MYHACK58:62201787046"]}, {"type": "nessus", "idList": ["700015.PRM", "700016.PRM", "700700.PASL", "9449.PRM", "9590.PRM", "9701.PRM", "9714.PRM", "9720.PRM", "9722.PRM", "9880.PRM", "9881.PRM", "9904.PRM", "9905.PRM", "9941.PRM", "ACTIVEMQ_5_15_5.NASL", "AIX_JAVA_JULY2016_ADVISORY.NASL", "ALA_ALAS-2016-736.NASL", "CENTOS_RHSA-2016-2599.NASL", "DEBIAN_DLA-528.NASL", "DEBIAN_DLA-529.NASL", "DEBIAN_DSA-3609.NASL", "DEBIAN_DSA-3611.NASL", "DEBIAN_DSA-3614.NASL", "DOMINO_SWG21992835.NASL", "EULEROS_SA-2016-1054.NASL", "FEDORA_2016-0A4DCCDD23.NASL", "FEDORA_2016-21BD6A33AF.NASL", "FEDORA_2016-2B0C16FD82.NASL", "FEDORA_2016-D717FDCF74.NASL", "FEDORA_2016-F4A443888B.NASL", "FREEBSD_PKG_61B8C3594AAB11E6A7BD14DAE9D210B8.NASL", "FREEBSD_PKG_CBCEEB493BC711E68E82002590263BF5.NASL", "GENTOO_GLSA-201610-08.NASL", "GENTOO_GLSA-201701-43.NASL", "GENTOO_GLSA-201705-09.NASL", "GENTOO_GLSA-202107-39.NASL", "GLASSFISH_CPU_OCT_2017.NASL", "IBM_JAVA_2016_07_19.NASL", "MYSQL_ENTERPRISE_MONITOR_3_3_3_1199.NASL", "OPENSUSE-2016-1056.NASL", "OPENSUSE-2016-944.NASL", "OPENSUSE-2016-976.NASL", "OPENSUSE-2016-977.NASL", "OPENSUSE-2016-978.NASL", "OPENSUSE-2016-982.NASL", "ORACLELINUX_ELSA-2016-2599.NASL", "ORACLE_BI_PUBLISHER_JUL_2017_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_APR_2017_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL", "ORACLE_HTTP_SERVER_CPU_JAN_2018.NASL", "ORACLE_JAVA_CPU_JUL_2016.NASL", "ORACLE_JAVA_CPU_JUL_2016_UNIX.NASL", "ORACLE_JROCKIT_CPU_JUL_2016.NASL", "ORACLE_WEBCENTER_PORTAL_CPU_JAN_2018.NBIN", "ORACLE_WEBCENTER_SITES_APR_2018_CPU.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2017.NASL", "REDHAT-RHSA-2016-2069.NASL", "REDHAT-RHSA-2016-2072.NASL", "REDHAT-RHSA-2016-2599.NASL", "REDHAT-RHSA-2016-2807.NASL", "REDHAT-RHSA-2017-0455.NASL", "REDHAT-RHSA-2017-0456.NASL", "SL_20161103_TOMCAT_ON_SL7_X.NASL", "SUN_JAVA_WEB_SERVER_7_0_27.NASL", "SUSE_SU-2016-1997-1.NASL", "SUSE_SU-2016-2012-1.NASL", "SUSE_SU-2016-2261-1.NASL", "SUSE_SU-2016-2286-1.NASL", "SUSE_SU-2016-2347-1.NASL", "SUSE_SU-2016-2348-1.NASL", "SUSE_SU-2016-2430-1.NASL", "SUSE_SU-2016-2726-1.NASL", "TOMCAT_7_0_70.NASL", "UBUNTU_USN-3024-1.NASL", "UBUNTU_USN-3027-1.NASL", "WEBSPHERE_16_0_0_2.NASL", "WEBSPHERE_16_0_0_3.NASL", "WEBSPHERE_281439.NASL", "WEBSPHERE_547999.NASL", "WEBSPHERE_711865.NASL", "WEBSPHERE_8_5_5_10.NASL", "WEBSPHERE_9_0_0_2.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108384", "OPENVAS:1361412562310120725", "OPENVAS:1361412562310703609", "OPENVAS:1361412562310703611", "OPENVAS:1361412562310703614", "OPENVAS:1361412562310807853", "OPENVAS:1361412562310808197", "OPENVAS:1361412562310808523", "OPENVAS:1361412562310808530", "OPENVAS:1361412562310808538", "OPENVAS:1361412562310808618", "OPENVAS:1361412562310808621", "OPENVAS:1361412562310808651", "OPENVAS:1361412562310808677", "OPENVAS:1361412562310809211", "OPENVAS:1361412562310809213", "OPENVAS:1361412562310809339", "OPENVAS:1361412562310809340", "OPENVAS:1361412562310809349", "OPENVAS:1361412562310809478", "OPENVAS:1361412562310810747", "OPENVAS:1361412562310810748", "OPENVAS:1361412562310811250", "OPENVAS:1361412562310842823", "OPENVAS:1361412562310842824", "OPENVAS:1361412562310851379", "OPENVAS:1361412562310851380", "OPENVAS:1361412562310851381", "OPENVAS:1361412562310851384", "OPENVAS:1361412562310871701", "OPENVAS:1361412562310871961", "OPENVAS:1361412562311220161054", "OPENVAS:703609", "OPENVAS:703611", "OPENVAS:703614"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2017", "ORACLE:CPUAPR2018", "ORACLE:CPUAPR2019", "ORACLE:CPUAPR2020", "ORACLE:CPUJAN2017", "ORACLE:CPUJAN2018", "ORACLE:CPUJAN2019", "ORACLE:CPUJAN2020", "ORACLE:CPUJUL2016", "ORACLE:CPUJUL2017", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2020", "ORACLE:CPUOCT2016", "ORACLE:CPUOCT2017", "ORACLE:CPUOCT2018"]}, {"type": "oraclelinux", "idList": ["ELSA-2016-2599", "ELSA-2017-2247"]}, {"type": "osv", "idList": ["OSV:DLA-528-1", "OSV:DLA-529-1", "OSV:DSA-3609-1", "OSV:DSA-3611-1", "OSV:DSA-3614-1", "OSV:GHSA-5GGR-MPGW-3MGX", "OSV:GHSA-7JW3-5Q4W-89QG", "OSV:GHSA-F7F6-XRWC-9C57", "OSV:GHSA-FVM3-CFVJ-GXQQ"]}, {"type": "redhat", "idList": ["RHSA-2016:2068", "RHSA-2016:2069", "RHSA-2016:2070", "RHSA-2016:2071", "RHSA-2016:2072", "RHSA-2016:2599", "RHSA-2016:2807", "RHSA-2016:2808", "RHSA-2017:0455", "RHSA-2017:0456", "RHSA-2017:0457"]}, {"type": "redhatcve", "idList": ["RH:CVE-2016-1181", "RH:CVE-2016-1182", "RH:CVE-2016-3485", "RH:CVE-2017-1000394"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2016:2050-1", "OPENSUSE-SU-2016:2051-1", "OPENSUSE-SU-2016:2052-1", "OPENSUSE-SU-2016:2058-1", "SUSE-SU-2016:1997-1", "SUSE-SU-2016:2012-1", "SUSE-SU-2016:2261-1", "SUSE-SU-2016:2286-1", "SUSE-SU-2016:2347-1", "SUSE-SU-2016:2348-1", "SUSE-SU-2016:2726-1", "SUSE-SU-2017:1660-1"]}, {"type": "symantec", "idList": ["SMNTC-91068"]}, {"type": "tomcat", "idList": ["TOMCAT:0771E17F0F0733FEFCB0AD32B094C50F", "TOMCAT:3433D97DD68E3E4EE81DAC140FD2AF8F", "TOMCAT:7E8B1837DB1B24489FB7CEAE24C18E30"]}, {"type": "ubuntu", "idList": ["USN-3024-1", "USN-3027-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2016-1181", "UB:CVE-2016-1182", "UB:CVE-2016-3092", "UB:CVE-2016-3485"]}]}, "affected_software": {"major_version": [{"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 8}, {"name": "ibm business process manager advanced", "version": 7}, {"name": "ibm business process manager advanced", "version": 7}, {"name": "ibm business process manager advanced", "version": 7}, {"name": "ibm business process manager advanced", "version": 7}, {"name": "ibm business process manager advanced", "version": 7}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 8}, {"name": "ibm business process manager express", "version": 7}, {"name": "ibm business process manager express", "version": 7}, {"name": "ibm business process manager express", "version": 7}, {"name": "ibm business process manager express", "version": 7}, {"name": "ibm business process manager express", "version": 7}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 8}, {"name": "ibm business process manager standard", "version": 7}, {"name": "ibm business process manager standard", "version": 7}, {"name": "ibm business process manager standard", "version": 7}, {"name": "ibm business process manager standard", "version": 7}, {"name": "ibm business process manager standard", "version": 7}, {"name": "websphere lombardi edition", "version": 7}, {"name": "websphere lombardi edition", "version": 7}, {"name": "websphere lombardi edition", "version": 7}, {"name": "websphere lombardi edition", "version": 7}, {"name": "websphere lombardi edition", "version": 7}, {"name": "websphere lombardi edition", "version": 7}, {"name": "websphere process server", "version": 7}, {"name": "websphere process server", "version": 7}, {"name": "websphere process server", "version": 7}, {"name": "websphere process server", "version": 7}, {"name": "websphere process server", "version": 7}, {"name": "websphere process server", "version": 7}, {"name": "websphere dynamic process edition", "version": 7}, {"name": "websphere dynamic process edition", "version": 7}, {"name": "websphere dynamic process edition", "version": 7}, {"name": "websphere dynamic process edition", "version": 7}, {"name": "websphere dynamic process edition", "version": 7}, {"name": "websphere dynamic process edition", "version": 7}]}, "epss": [{"cve": "CVE-2016-0359", "epss": "0.001950000", "percentile": "0.555680000", "modified": "2023-03-20"}, {"cve": "CVE-2016-0377", "epss": "0.001120000", "percentile": "0.429780000", "modified": "2023-03-20"}, {"cve": "CVE-2016-0378", "epss": "0.001620000", "percentile": "0.510860000", "modified": "2023-03-20"}, {"cve": "CVE-2016-0385", "epss": "0.000940000", "percentile": "0.384210000", "modified": "2023-03-20"}, {"cve": "CVE-2016-1181", "epss": "0.022080000", "percentile": "0.876900000", "modified": "2023-03-20"}, {"cve": "CVE-2016-1182", "epss": "0.334130000", "percentile": "0.963540000", "modified": "2023-03-20"}, {"cve": "CVE-2016-2960", "epss": "0.018820000", "percentile": "0.865950000", "modified": "2023-03-20"}, {"cve": "CVE-2016-3040", "epss": "0.000700000", "percentile": "0.285530000", "modified": "2023-03-20"}, {"cve": "CVE-2016-3042", "epss": "0.000750000", "percentile": "0.301800000", "modified": "2023-03-20"}, {"cve": "CVE-2016-3092", "epss": "0.013670000", "percentile": "0.841760000", "modified": "2023-03-20"}, {"cve": "CVE-2016-3485", "epss": "0.000890000", "percentile": "0.362390000", "modified": "2023-03-20"}, {"cve": "CVE-2016-5983", "epss": "0.015140000", "percentile": "0.849450000", "modified": "2023-03-20"}, {"cve": "CVE-2016-5986", "epss": "0.001370000", "percentile": "0.474720000", "modified": "2023-03-20"}], "vulnersScore": 0.2}, "_state": {"score": 1684017862, "dependencies": 1676944595, "affected_software_major_version": 1677394894, "epss": 1679361349}, "_internal": {"score_hash": "99a13c743168dea163a3323c73859112"}, "affectedSoftware": [{"version": "8.5.7", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.5.6", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.5.5", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.5.0.2", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.5.0.1", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.5", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.0.1.3", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.0.1.2", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.0.1.1", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.0.1", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.0", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "7.5.1.2", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "7.5.1.1", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "7.5.1", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "7.5.0.1", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "7.5", "operator": "eq", "name": "ibm business process manager advanced"}, {"version": "8.5.7", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.5.6", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.5.5", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.5.0.2", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.5.0.1", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.5", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.0.1.3", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.0.1.2", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.0.1.1", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.0.1", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.0", "operator": "eq", "name": "ibm business process manager express"}, {"version": "7.5.1.2", "operator": "eq", "name": "ibm business process manager express"}, {"version": "7.5.1.1", "operator": "eq", "name": "ibm business process manager express"}, {"version": "7.5.1", "operator": "eq", "name": "ibm business process manager express"}, {"version": "7.5.0.1", "operator": "eq", "name": "ibm business process manager express"}, {"version": "7.5", "operator": "eq", "name": "ibm business process manager express"}, {"version": "8.5.7", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.5.6", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.5.5", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.5.0.2", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.5.0.1", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.5", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.0.1.3", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.0.1.2", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.0.1.1", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.0.1", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "8.0", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "7.5.1.2", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "7.5.1.1", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "7.5.1", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "7.5.0.1", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "7.5", "operator": "eq", "name": "ibm business process manager standard"}, {"version": "7.2.0.5", "operator": "eq", "name": "websphere lombardi edition"}, {"version": "7.2.0.4", "operator": "eq", "name": "websphere lombardi edition"}, {"version": "7.2.0.3", "operator": "eq", "name": "websphere lombardi edition"}, {"version": "7.2.0.2", "operator": "eq", "name": "websphere lombardi edition"}, {"version": "7.2.0.1", "operator": "eq", "name": "websphere lombardi edition"}, {"version": "7.2", "operator": "eq", "name": "websphere lombardi edition"}, {"version": "7.0.0.5", "operator": "eq", "name": "websphere process server"}, {"version": "7.0.0.4", "operator": "eq", "name": "websphere process server"}, {"version": "7.0.0.3", "operator": "eq", "name": "websphere process server"}, {"version": "7.0.0.2", "operator": "eq", "name": "websphere process server"}, {"version": "7.0.0.1", "operator": "eq", "name": "websphere process server"}, {"version": "7.0", "operator": "eq", "name": "websphere process server"}, {"version": "7.0.1.1", "operator": "eq", "name": "websphere dynamic process edition"}, {"version": "7.0.1", "operator": "eq", "name": "websphere dynamic process edition"}, {"version": "7.0.0.3", "operator": "eq", "name": "websphere dynamic process edition"}, {"version": "7.0.0.2", "operator": "eq", "name": "websphere dynamic process edition"}, {"version": "7.0.0.1", "operator": "eq", "name": "websphere dynamic process edition"}, {"version": "7.0", "operator": "eq", "name": "websphere dynamic process edition"}]}

{"ibm": [{"lastseen": "2023-02-21T05:56:27", "description": "## Summary\n\nThere is a potential bypass security restriction vulnerability in IBM WebSphere Application Server. This will only occur in environments that have the webcontainer custom property HttpSessionIdReuse enabled. There is a potential denial of service with IBM WebSphere Application Server when using SIP services. IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting in OpenID Connect clients caused by improper validation of input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. There is an Information Disclosure Vulnerability in IBM WebSphere Application Server Liberty. Apache Commons Fileupload vulnerability affects WebSphere Application Server. There is a potential information disclosure in WebSphere Application Server.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-2960_](<https://vulners.com/cve/CVE-2016-2960>)** \nDESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113805_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113805>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-3042_](<https://vulners.com/cve/CVE-2016-3042>)** \nDESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v3.2.\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java v3.3-20160912-1729 or higher, you must re-stage or re-push your application. To check which version of the Liberty for Java runtime your Bluemix application is using, navigate to the \"Files\" menu item for your application through the Bluemix UI. In the \"logs\" directory, check the \"staging_task.log\". \n \nYou can also find this file through the command-line Cloud Foundry client by running the following command: \n \n**cf files &lt;appname&gt; logs/staging_task.log** \n \nYou can see \n \n\\-----&gt; Liberty Buildpack Version: _________ \n \nTo re-stage your application using the command-line Cloud Foundry client, use the following command: \n \n**cf restage &lt;appname&gt;** \n \nTo re-push your application using the command-line Cloud Foundry client, use the following command: \n \n**cf push &lt;appname&gt;**\n\n## Workarounds and Mitigations\n\nnone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:15", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-3092", "CVE-2016-5986"], "modified": "2018-06-15T07:06:15", "id": "78CFFC4D2D270C24EEDC9DA3C157BE051A6915432AF4FACB8946F44274B08376", "href": "https://www.ibm.com/support/pages/node/551895", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:56:28", "description": "## Summary\n\nIBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting in OpenID Connect clients caused by improper validation of input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. There is an Information Disclosure Vulnerability in IBM WebSphere Application Server Liberty. Apache Commons Fileupload vulnerability affects WebSphere Application Server. There is a potential information disclosure in WebSphere Application Server. There are multiple vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in July 2016. These may affect some configurations of Liberty for Java for IBM Bluemix. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-3042_](<https://vulners.com/cve/CVE-2016-3042>)** \nDESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n\n## Affected Products and Versions\n\nAll vulnerabilities affect the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0\n * Version 8.5 and 8.5.5 Full Profile and Liberty \n\n## Remediation/Fixes\n\nTo **patch an existing service instance** refer to the IBM WebSphere Application Server bulletins: \n[Security Bulletin: Open Redirect vulnerability in WebSphere Application Server Liberty (CVE-2016-3040)](<http://www.ibm.com/support/docview.wss?uid=swg21986715>) \n \n[Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server Liberty Profile (CVE-2016-3042)](<http://www.ibm.com/support/docview.wss?uid=swg21986716>) \n \n[Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)](<http://www.ibm.com/support/docview.wss?uid=swg21981529>)** ** \n \n[Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www.ibm.com/support/docview.wss?uid=swg21987864>) \n \n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21988339>) \n \nWhen **creating a new service instance**, the following maintenance must be manually applied to an IBM WebSphere Application Server Version 8.5.5 and IBM WebSphere Application Server Version 9.0: \n \n[Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986) ](<http://www.ibm.com/support/docview.wss?uid=swg21990056>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:14", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-15T07:06:14", "id": "C09F3B9F4DBF9D0B77B16FD94B3CE34CB06275924A75E85EBBA3F1FD3FFBD2BC", "href": "https://www.ibm.com/support/pages/node/551461", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:56:23", "description": "## Summary\n\nIBM WebSphere Application Server patterns are shipped as a component of IBM PureApplication System. Information about security vulnerabilities affecting IBM WebSphere Application Server has been published in security bulletins (CVE-2016-0377, CVE-2016-0385, CVE-2016-2960, CVE-2016-0718, CVE-2016-3092, CVE-2016-5986, CVE-2016-5983, CVE-2016-3485). \n\n## Vulnerability Details\n\nConsult the security bulletin \n\n\n[\u00b7 Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www.ibm.com/support/docview.wss?uid=swg21980645>)\n\n[\u00b7 Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)](<http://www.ibm.com/support/docview.wss?uid=swg21982588>)\n\n[\u00b7 Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)](<http://www.ibm.com/support/docview.wss?uid=swg21984796>)\n\n[\u00b7 Security Bulletin: Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server (CVE-2016-0718)](<http://www.ibm.com/support/docview.wss?uid=swg21988026>)\n\n[\u00b7 Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www.ibm.com/support/docview.wss?uid=swg21987864>)\n\n[\u00b7 Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[\u00b7 Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www.ibm.com/support/docview.wss?uid=swg21990060>)\n\n[\u00b7 Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affect WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21988339>)\n\nfor vulnerability details and information about fixes. \n\n \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:20", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM PureApplication System", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-0718", "CVE-2016-2960", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-15T07:06:20", "id": "7E2F62106B895325A750D4AC20BF018E0EF2AE3D85B9685ADBC3048C8D7487CA", "href": "https://www.ibm.com/support/pages/node/553679", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T17:45:55", "description": "## Summary\n\nIBM WebSphere Application Server Liberty vulnerabilities have been disclosed by IBM WebSphere Application Server Liberty . IBM WebSphere Application Server Liberty is used by IBM Worklight and IBM MobileFirst Platform Foundation. IBM Worklight and IBM MobileFirst Platform Foundation have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n \n \n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-2960_](<https://vulners.com/cve/CVE-2016-2960>)** \nDESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113805_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113805>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-3042_](<https://vulners.com/cve/CVE-2016-3042>)** \nDESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM MobileFirst Foundation 8.0 \nIBM MobileFirst Platform Foundation Version 7.1.0.0\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nIBM MobileFirst Foundation| 8.0| \n| Download the latest iFix for [_IBM MobileFirst Platform Foundation on FixCentral_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/IBM+MobileFirst+Platform+Foundation&release=8.0.0.0&platform=All&function=aparId&apars=PI70459>)._(this link will be valid when this version's fix becomes available_) \nIBM MobileFirst Foundation| 7.1| [PI70459](<http://www-01.ibm.com/support/docview.wss?crawler=1&uid=swg1PI70459>)| Download the latest iFix for [_IBM MobileFirst Platform Foundation on FixCentral_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/IBM+MobileFirst+Platform+Foundation&release=7.1.0.0&platform=All&function=aparId&apars=PI70459>) \n**Mobile Foundation service on Bluemix**** customers**: The service is already updated with these fixes. There are different actions that need to happen based on whether you are a new or existing Mobile Foundation service on Bluemix customer: \n\n * **New **_Mobile Foundation service on Bluemix_ _customers _**\\- ****_No additional action is required._**** **New Mobile Foundation instances with have these fixes by default.\n * **Existing **_Mobile Foundation service on Bluemix_** **_customers_ \\- You will need to recreate your instance from the Mobile Foundation service in order to pick up these fixes.\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.0}, "published": "2018-06-17T22:33:15", "type": "ibm", "title": "Security Bulletin: Multiple Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Worklight and IBM MobileFirst Platform Foundation", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3040", "CVE-2016-3042"], "modified": "2018-06-17T22:33:15", "id": "18DDEF8D82EE6BC9831B6AD65C21F882936F1419DDA241588628E4CDFA5196A8", "href": "https://www.ibm.com/support/pages/node/599247", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2022-06-28T22:07:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Integrated Portal. \nIBM Tivoli Integrated Portal is in turn shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management. \nInformation about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nTivoli Usage and Accounting Management V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Tivoli Integrated Portal. Tivoli Integrated Portal is shipped with IBM SmartCloud Cost Management and IBM Tivoli Usage Accounting Manager. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 | [Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-3485, CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990905>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) \n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) \n[Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nTivoli Usage and Accounting Management V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n12 December 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSNHG7\",\"label\":\"Tivoli Usage and Accounting Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"2.1.0.0;2.1.0.1;7.3.0.4\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Tivoli Integrated Portal shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management (CVE-2016-0385)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-17T22:33:14", "id": "B314C20BF91C600149F279A906C6EBEE84E73ADFE2036985C9D6023680EB2CA8", "href": "https://www.ibm.com/support/pages/node/619347", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2022-06-28T22:07:15", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Integrated Portal. \nIBM Tivoli Integrated Portal is in turn shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management. \nInformation about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \n \nTivoli Usage and Accounting Management V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Tivoli Integrated Portal. Tivoli Integrated Portal is shipped with IBM SmartCloud Cost Management and IBM Tivoli Usage Accounting Manager. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 | [](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) \n[Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-3485, CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990905>) \n \n \nPotential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986) \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nTivoli Usage and Accounting Management V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n21 December 2016: Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSNHG7\",\"label\":\"Tivoli Usage and Accounting Manager\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"2.1.0.0;2.1.0.1;7.3.0.4\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in Tivoli Integrated Portal shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management (CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-17T22:33:14", "id": "5049E0390F7FB17FC4FB6FCDA949E23241366872E7987B7D22194E73DA48367A", "href": "https://www.ibm.com/support/pages/node/619349", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:56:00", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Tivoli Integrated Portal. \nIBM Tivoli Integrated Portal is in turn shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management. \nInformation about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \n \nTivoli Usage and Accounting Management V7.3.0.0, V7.3.0.1, V7.3.0.2, V7.3.0.3, V7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n \n## Remediation/Fixes\n\nRefer to the following security bulletin for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Tivoli Integrated Portal. Tivoli Integrated Portal is shipped with IBM SmartCloud Cost Management and IBM Tivoli Usage Accounting Manager. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM SmartCloud Cost Management V2.1.0.1| Tivoli Integrated Portal V2.2.0.7 \n \nIBM WebSphere Application Server 7.0.0.19 | [Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-3485, CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990905>) \n \n \n[Security Bulletin: Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) \n \n \nIBM SmartCloud Cost Management V2.1.0| Tivoli Integrated Portal V2.2.0.1 \n \nIBM WebSphere Application Server 7.0.0.19 \nTivoli Usage and Accounting Management 7.3.0.0, 7.3.0.1, 7.3.0.2, 7.3.0.3, 7.3.0.4| Tivoli Integrated Portal 2.2.0.0 \n \nIBM WebSphere Application Server 7.0.0.11 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:18", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM SmartCloud Cost Management and Tivoli Usage and Accounting Management (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-17T22:33:18", "id": "BAC0ECD094048AB5764245E3813A4B3FD7B15C38CF78917E44082B74A378C2E8", "href": "https://www.ibm.com/support/pages/node/619357", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:45:24", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) v7.0.x is shipped as a component of Tivoli Integrated Portal (TIP v2.1 and v2.2). The version of eWAS has been affected by multiple security vulnerabilities, as described below.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5 \n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.17\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version \n\n2.1.0 - 2.1.0.5\n\n2.2.0 - 2.2.0.17\n\n| embedded Websphere Application Server version 7.0.x| [PI66074: SHIP JAVA 6 SR16 FP30 FOR WSAS V70.0.X](<http://www-01.ibm.com/support/docview.wss?uid=swg24042558>) \n \n[PI65218:Denial of service in the Apache Commons FileUpload used by the Administrative Console](<http://www-01.ibm.com/support/docview.wss?uid=swg24042528>) \n \n[PI56917:Security Integrity ifix to enable secure flag on CSRFToken cookie](<http://www-01.ibm.com/support/docview.wss?uid=swg24042624>) \n \n[PI60026: Bypass security restrictions in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg24042636>) \n \n[PI67093: Potential information disclosure in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires either eWAS 7.0.0.31 or higher installed. \n \nTIP does not support upgrading Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 must be applied which will upgrade eWAS to 7.0.0.31 and above. Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin. \n\n## Workarounds and Mitigations\n\nPlease refer to WAS iFix as described above\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:29:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-3485, CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-17T15:29:00", "id": "F081AA9E389DA8704A0ED815A4AEB867FF005489C1596C9B9CD8696FCA6AB63C", "href": "https://www.ibm.com/support/pages/node/552425", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:45:23", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) v7.0.x is shipped as a component of Tivoli Common Reporting (TCR v2.1 and v2.1.1). The version of eWAS has been affected by multiple security vulnerabilities, as described below.\n\n## Affected Products and Versions\n\nTivoli Common Reporting 2.1 \n\nTivoli Common Reporting 2.1.1\n\n## Remediation/Fixes\n\nTCR Version\n\n| Bundling bulletin \n---|--- \n2.1| <http://www-01.ibm.com/support/docview.wss?uid=swg21990905> \n2.1.1| <http://www-01.ibm.com/support/docview.wss?uid=swg21990905> \n \n## ", "cvss3": {}, "published": "2018-06-17T15:29:03", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Common Reporting (CVE-2016-3485, CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-17T15:29:03", "id": "EB5D8C6E2448BC74380F4101662EE13D053367E89D5119DB578AEA896E494A4C", "href": "https://www.ibm.com/support/pages/node/552321", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:39:19", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple vulnerabilities have been addressed.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3042_](<https://vulners.com/cve/CVE-2016-3042>)** \nDESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Control Center 6.1.0.0 through 6.1.0.1 iFix01 \nIBM Control Center 6.0.0.0 through 6.0.0.1 iFix07 \nIBM Control Center 5.4.2.0 through 5.4.2.1 iFix09 \n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nIBM Control Center| 6.1.0.1| iFix02 or later| [_Fix Central - 6.1.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.1.0.1&platform=All&function=all>) \nIBM Control Center| 6.0.0.1| iFix08 or later| [_Fix Central - 6.0.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nSterling Control Center| 5.4.2.1| iFix10 or later| [_Fix Central - 5.4.2.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-3042, CVE-2016-3040, CVE-2016-5986, CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-5986"], "modified": "2019-12-17T22:47:42", "id": "FFD387B2CAD7DE98A80325F850ACB6A96E2DFB99E7C223B835403F5BA65F6887", "href": "https://www.ibm.com/support/pages/node/291979", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:46:20", "description": "## Summary\n\nMultiple security vulnerabilities exist in IBM WebSphere Application Server Liberty that affect Tivoli Storage Manager (IBM Spectrum Protect) Operations Center.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n** ** \n**CVEID:** [_CVE-2016-3042_](<https://vulners.com/cve/CVE-2016-3042>)** \nDESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\n## Affected Products and Versions\n\nThe following versions of Tivoli Storage Manager (IBM Spectrum Protect) Operations Center are affected: \n\n * 7.1.0.000 through 7.1.7.000\n * 6.4.1.000 through 6.4.2.400\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Remediation/First Fix** \n---|---|--- \nOperations Center| 7.1| 7.1.7.100 - [_ALL Operating Systems_](<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/7.1.7.100/>) \nOperations Center| 6.4| 6.4.2.500 - [ALL Operating Systems](<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/patches/opcenter/6.4.2.500/>) (see **NOTE **below) \n \n**NOTE:** \nFor Operations Center that is running on IBM\u00ae AIX\u00ae, you must first install [Operations Center 6.4.2.000](<ftp://ftp.software.ibm.com/storage/tivoli-storage-management/maintenance/opcenter/6.4.2.000/>) and then upgrade to Operations Center 6.4.2.500 \n \nYou should verify applying this fix does not cause any compatibility issues \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:32:06", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities in IBM WebSphere Application Server Liberty affect Tivoli Storage Manager (IBM Spectrum Protect) Operations Center (CVE-2016-0378, CVE-2016-3040, CVE-2016-3042, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-3042", "CVE-2016-5986"], "modified": "2018-06-17T15:32:06", "id": "5FABE639BDC6F4D3FFA84BB3C180F3988861FB68860970DA005D1411C72626D3", "href": "https://www.ibm.com/support/pages/node/287157", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:45:17", "description": "## Summary\n\nWebsphere Application Server - Liberty profile is shipped as a component of IBM Operations Analytics - Log Analysis. Information about a cross-site scripting vulnerability affecting Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Fix details \n---|---|--- \nIBM Operations Analytics - Log Analysis version 1.3.1, 1.3.2, 1.3.3, 1.3.3.1 and 1.3.5| Websphere Application Server 8.5.5.6 - Liberty Profile| Fix available in fix central - [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BOperations%2BAnalytics&amp;product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Log+Analysis&amp;release=1.3.5&amp;platform=All&amp;function=fixId&amp;fixids=1.3.5-TIV-IOALA-IF001-IV90770&amp;includeRequisites=1&amp;includeSupersedes=0&amp;downloadMethod=http&amp;source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BOperations%2BAnalytics&product=ibm/Tivoli/IBM+SmartCloud+Analytics+-+Log+Analysis&release=1.3.5&platform=All&function=fixId&fixids=1.3.5-TIV-IOALA-IF001-IV90770&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n \n \nPlease note: \n1) DO NOT install WAS 8.5.5.9 or later fix packs as they are NOT supported by Log Analysis 1.3.x \n\n## Workarounds and Mitigations\n\nPlease refer to the interim fix from WAS available in fix central, link provided above\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:31:11", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with IBM Operations Analytics - Log Analysis (CVE-2016-0378, CVE-2016-3040, CVE-2016-5986, CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T15:31:11", "id": "044AFEE40BF36BB3EE75709DF1CC1873FA73A33D95D8EC711E22E4A2F6E2FCF7", "href": "https://www.ibm.com/support/pages/node/557305", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:29", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in security bulletins\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)** \n****DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\nPlease consult the security bulletin [Bypass security restrictions in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) for vulnerability details and information about fixes.\n\n \n\n\n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>)** \n****DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\nPlease consult the security bulletin [Information Disclosure in IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes.\n\n \n\n\n**CVEID:** [_CVE-2016-2960_](<https://vulners.com/cve/CVE-2016-2960>)** \n****DESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113805_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113805>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\nPlease consult the security bulletin [Potential denial of service with SIP Services ](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>) for vulnerability details and information about fixes.\n\n \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \n****DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>)\n\nPlease consult the security bulletin [Apache Commons FileUpload Vulnerability affects WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:12", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-0385, CVE-2016-0377, CVE-2016-2960, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3092"], "modified": "2018-06-15T07:06:12", "id": "256D69C6A8C49FA921BFF6BD50DAECC1F4BFD09962DC3AA698602171A4AF9305", "href": "https://www.ibm.com/support/pages/node/550551", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:56:27", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)_](<http://www.ibm.com/support/docview.wss?uid=swg21987864>) \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)_](<http://www.ibm.com/support/docview.wss?uid=swg21980645>) \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)_](<http://www.ibm.com/support/docview.wss?uid=swg21982588>) \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)_](<http://www.ibm.com/support/docview.wss?uid=swg21984796>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:14", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-2960)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3092"], "modified": "2018-06-15T07:06:14", "id": "43EA7D9D017D774D32A0D197F345A2CCB9AC632F5A3F17E7D34A94C65782172D", "href": "https://www.ibm.com/support/pages/node/551309", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:39:14", "description": "## Summary\n\nWebSphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting WebSphere Application Server have been published in security bulletins. \n\n## Vulnerability Details\n\nRefer to the security bulletins listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, \n\nPredictive Customer Intelligence 1.0.1, \n\nPredictive Customer Intelligence 1.1, \n\nPredictive Customer Intelligence 1.1.1\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| WebSphere Application Server 8.5.5| [_Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>)\n\n[_Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>)\n\n \n \n[_Potential denial of service with SIP Services (CVE-2016-2960)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>)\n\n[_Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) \n \nPredictive Customer Intelligence 1.1 and 1.1.1| WebSphere Application Server 8.5.5.6| [_Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>)\n\n[_Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>)\n\n \n \n[_Potential denial of service with SIP Services (CVE-2016-2960)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>) \n \n[_Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-0385, CVE-2016-0377, CVE-2016-2960, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3092"], "modified": "2020-02-11T21:31:00", "id": "82D72845B48E29F382E3CB32198A7458539BFAEC832BAC6D7B23609003A86C76", "href": "https://www.ibm.com/support/pages/node/551393", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:45:23", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [PI65218:Denial of service in the Apache Commons FileUpload used by the Administrative Console](<http://www-01.ibm.com/support/docview.wss?uid=swg24042528>) \n \n[PI56917:Security Integrity ifix to enable secure flag on CSRFToken cookie](<http://www-01.ibm.com/support/docview.wss?uid=swg24042624>) \n \n[PI60026: Bypass security restrictions in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg24042636>) \n \n[PI67093: Potential information disclosure in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:29:04", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-5986"], "modified": "2018-06-17T15:29:04", "id": "747FEECC07DAC55AFB648FD70182F8973D8D7E1568BF68438A356BA5AD3C9D80", "href": "https://www.ibm.com/support/pages/node/552457", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T17:45:52", "description": "## Summary\n\nThere is a security vulnerability in WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager that is shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise. \nAdditionally, the vulnerability affects Jazz\u2122 for Service Management and IBM Tivoli Monitoring, which are shipped with Cloud Orchestrator Enterprise. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| \n\n**Affected Supporting Product and Version** \n---|--- \n \nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2 | \n\n * WebSphere Application Server V8.5.5 through V8.5.5.7 \n * IBM Business Process Manager Standard V8.5.5 - V8.5.6.2 \n * IBM Tivoli System Automation Application Manager 4.1 \n \nIBM Cloud Orchestrator V2.4, V2.4.01, V2.4.0.2,V2.4.0.3, 2.4.0.4 | \n\n * WebSphere Application Server V8.5.0.1 through V8.5.5.7 \n * IBM Business Process Manager Standard V8.5.0.1 \n * IBM Tivoli System Automation Application Manager 4.1 \n \nIBM Cloud Orchestrator V2.3, V2.3.0.1 | \n\n * IBM WebSphere Application Server V8.0, V8.0.11 \n * IBM Business Process Manager Standard V8.5.0.1 \n \nIBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2 | \n\n * WebSphere Application Server V8.5.5 through V8.5.5.7 \n * IBM Business Process Manager Standard V8.5.5 - V8.5.6.2 \n * IBM Tivoli System Automation Application Manager 4.1\n * IBM Tivoli Monitoring 6.3.0.2\n * Jazz\u2122 for Service Management V1.1.0.1 \n \nIBM Cloud Orchestrator Enterprise V2.4, V2.4.01, V2.4.0.2,V2.4.0.3 | \n\n * WebSphere Application Server V8.5.0.1 through V8.5.5.7 \n * IBM Business Process Manager Standard V8.5.0.1\n * IBM Tivoli System Automation Application Manager 4.1\n * IBM Tivoli Monitoring 6.3.0.2\n * Jazz\u2122 for Service Management V1.1.0.1 \n \nIBM Cloud Orchestrator Enterprise V2.3, V2.3.0.1 | \n\n * IBM WebSphere Application Server V8.0, V8.0.11 \n * IBM Business Process Manager Standard V8.5.0.1\n * IBM Tivoli Monitoring V6.3.0.1 \n * Jazz\u2122 for Service Management V1.1.0.1 \n \n## Remediation/Fixes\n\nThese issues were addressed by IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise through the bundled products IBM WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. \nAdditionally, these issues were also addressed by Jazz\u2122 for Service Management and IBM Tivoli Monitoring that are shipped with IBM Cloud Orchestrator Enterprise. \n\nFix delivery details for IBM Cloud Orchestrator and Cloud Orchestrator Enterprise:\n\n**Product**| **VRMF**| **Remediation/First Fix** \n---|---|--- \nIBM Cloud Orchestrator and Cloud Orchestrator Enterprise| V2.5, V2.5.0.1, V2.5.0.2| For 2.5 versions, upgrade to Fix Pack 3 (2.5.0.3) of IBM Cloud Orchestrator. \n \n[_http://www-01.ibm.com/support/docview.wss?uid=swg27045667_](<http://www-01.ibm.com/support/docview.wss?uid=swg27045667>) \nV2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4 | Apply Interim Fix or apply WebSphere Application Server Fix Pack 11 (8.5.5.11) or later. \nSee [Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>). \nFor IBM Cloud Orchestrator Self-service user interface, do the following steps: \n \n1\\. On the Central Server 2, change your directory to /opt/ibm/ccs/scui/lib and take a backup of \"org.apache.commons.fileupload_&lt;Build number&gt;.jar\" \n**Note: **Append the backed up file name with either the word \"old\" or \"backup\". For example, \n\"org.apache.commons.fileupload_1.2.2.v20111214-1400.jar_OLD\" \n \n2\\. Stop the Self-service user interface \n \n3\\. Upgrade the package to [Commons-Fileupload 1.3.2 or later](<http://commons.apache.org/proper/commons-fileupload/>) \n \n4\\. Start the Self-service user interface \n \nFor managing services manually, see [IBM Cloud Orchestrator Knowledge Center](<https://www.ibm.com/support/knowledgecenter/en/SS4KMC_2.4.0.4/com.ibm.sco.doc_2.4/c_managing_ico_services_manually.html>). \nV2.3, V2.3.0.1 | Contact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator. \n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2| \n\nWebSphere Application Server V8.5.5 through V8.5.5.7 | \n\n[Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) \n \nIBM Business Process Manager Standard V8.5.5 - V8.5.6.2 | \n\n[Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>) \n \nIBM Tivoli System Automation Application Manager 4.1 | \n\n[Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990172>) \nIBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4| \n\nWebSphere Application Server V8.5.0.1 through V8.5.5.7 | \n[ Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) \n \nIBM Business Process Manager Standard V8.5.0.1 | \n\n[Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>) \n \nIBM Tivoli System Automation Application Manager 4.1 | \n\n[Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990172>) \nIBM Cloud Orchestrator V2.3, V2.3.0.1 | \n\nIBM WebSphere Application Server V8.0, V8.0.11 \nIBM Business Process Manager Standard V8.5.0.1 | \n\nContact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server, IBM Business Process Manager, IBM Tivoli System Automation Application Manager, IBM Tivoli Monitoring, and Jazz\u2122 for Service Management, which are shipped with IBM Cloud Orchestrator Enterprise Edition. **Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator Enterprise Edition V2.5, V2.5.0.1, V2.5.0.2| \n\nWebSphere Application Server V8.5.5 through V8.5.5.7 \n * | \n\n[Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) \n \nIBM Business Process Manager Standard V8.5.5 - V8.5.6.2 | \n\n[Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>) \n \nIBM Tivoli System Automation Application Manager 4.1 | \n\n[Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990172>) \n \nIBM Tivoli Monitoring 6.3.0.2 | \n\n[Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990451>) \n \nJazz\u2122 for Service Management V1.1.0.1 | \n\n[Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990923>) \nIBM Cloud Orchestrator Enterprise Edition V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4| \n\nWebSphere Application Server V8.5.0.1 through V8.5.5.7 | \n\n[Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) \n \nIBM Business Process Manager Standard V8.5.0.1 | \n\n[Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Business Process Manager, WebSphere Process Server, WebSphere Dynamic Process Edition, and WebSphere Lombardi Edition](<http://www-01.ibm.com/support/docview.wss?uid=swg21986205>) \n \nIBM Tivoli System Automation Application Manager 4.1 | \n\n[Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990172>) \n \nIBM Tivoli Monitoring 6.3.0.1 | \n\n[Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990451>) \n \nJazz\u2122 for Service Management V1.1.0.1 | \n\n[Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990923>) \nIBM Cloud Orchestrator Enterprise Edition V2.3, V2.3.0.1| \n\nIBM WebSphere Application Server V8.0, V8.0.11 \nIBM Business Process Manager Standard V8.5.0.1 \nIBM Tivoli Monitoring V6.3.0.1 \nJazz\u2122 for Service Management V1.1.0.1 | \n\nContact [_IBM Support_](<https://www-947.ibm.com/support/servicerequest/newServiceRequest.action>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T22:33:30", "type": "ibm", "title": "Security Bulletin: Vulnerability affects WebSphere Application Server shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise (CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385", "CVE-2016-3092", "CVE-2016-5986"], "modified": "2018-06-17T22:33:30", "id": "54C6E83D4BDF6E6ADF5B194C223DC376C2D47C0CBD58899CB58072104014F60E", "href": "https://www.ibm.com/support/pages/node/609291", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:45:24", "description": "## Summary\n\nThe following security issues have been identified in WebSphere Application Server included as part of IBM Tivoli Monitoring (ITM) portal server. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0359](<https://vulners.com/cve/CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111929> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [CVE-2016-0377](<https://vulners.com/cve/CVE-2016-0377>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112238> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n \n**CVEID:** [CVE-2016-3598](<https://vulners.com/cve/CVE-2016-3598>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Libraries component has high confidentiality impact, high integrity impact, and high availability impact. \nCVSS Base Score: 9.6 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115269> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-3511](<https://vulners.com/cve/CVE-2016-3511>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE related to the Deployment component has high confidentiality impact, high integrity impact, and high availability impact. \nCVSS Base Score: 7.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115275> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-3485](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115273> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n \n \n**CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 - Tivoli Enterprise Portal Server (TEPS) all CVEs above. \n \nIBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 - Tivoli Enterprise Portal Server (TEPS) all CVE's above. \n \nIBM Tivoli Monitoring versions 6.2.2 through 6.2.2 FP9 - Tivoli Enterprise Portal Server (TEPS) CVE-2016-3092 only.\n\n## Remediation/Fixes\n\n**\n\n## _Portal Server-_\n\n**embedded WebSphere Application Server \n \n\n\n**_Fix_**| **_VMRF_**| **_Remediation/First Fix_** \n---|---|--- \n6.X.X-TIV-ITM_EWAS_ALL-8.00.12.01| 6.3.0.x| <http://www.ibm.com/support/docview.wss?uid=swg24042745> \nContains a patch for the embedded WebSphere Application Server (eWAS) 8.0 Fix Pack 12 plus Interim Fix Block 1. \nTechnote| 6.2.3.x| <http://www.ibm.com/support/docview.wss?uid=swg21633722> \nContains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.23. The link gives instructions to install** **eWAS 7.0 Fix Pack 41 (7.0.0.41) and Interim Fix block 1 (or later). \nTechnote| 6.2.2.x| <http://www.ibm.com/support/docview.wss?uid=swg21509238> \nContains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.22. The link gives instructions are to install** **eWAS 6.1 Fix Pack 47 (6.1.0.47) and Interim Fix block 5 (or later) \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.6, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-17T15:28:48", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-0377", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-3511", "CVE-2016-3598"], "modified": "2018-06-17T15:28:48", "id": "3DAB255772B5C0465CD2A50FC27BF93D482025FE8D7247F3C147E19AC9F9AFD2", "href": "https://www.ibm.com/support/pages/node/551783", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T05:45:21", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Network Manager IP Edition. Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in security bulletins. \n\n\n## Vulnerability Details\n\nConsult the security bulletins:[](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) \n[ **Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)** ** \n[**Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n[**Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) \nfor vulnerabilities details and information about fixes.\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as a component \n---|--- \nTivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x which includes IBM WebSphere version 7.0.0.x \nTivoli Network Manager 4.1| Bundled the TIP version 2.2.0.x which includes IBM WebSphere version 7.0.0.x. \nTivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x which includes IBM WebSphere version 7.0.0.x. \nTivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires to install IBM Websphere Application Server Version 8.5.5.5 or later version separately. Users are recommended to apply IBM WebSphere version 8.5.5.5 Security Interim Fixes. \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:29:12", "type": "ibm", "title": "Security Bulletin:Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Network Manager IP Edition (CVE-2016-5986, CVE-2016-5983, CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T15:29:12", "id": "F377EB02DAEA61BF9CA5FA8E0CC0F3E1F167BF16C536210BB423500CBF3E31FC", "href": "https://www.ibm.com/support/pages/node/553031", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:17", "description": "## Summary\n\nThe vulnerabilities could allow a remote attacker to conduct phishing attacks or obtain sensitive information, or allow cross-site scripting in OpenID Connect clients.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3040_](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114636_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114636>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n \n**CVEID:** [_CVE-2016-3042_](<https://vulners.com/cve/CVE-2016-3042>)** \nDESCRIPTION:** IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting in OpenID Connect clients. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114638_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114638>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Monitoring 8.1.2 and 8.1.3 \n\nIBM Application Diagnostics 8.1.2 and 8.1.3\n\nIBM Application Performance Management 8.1.2 and 8.1.3\n\nIBM Application Performance Management Advanced 8.1.2 and 8.1.3\n\nIBM Performance Management on Cloud \n\n## Remediation/Fixes\n\n_Product_\n\n| _Product_ \n_VRMF_| _Remediation_ \n---|---|--- \nIBM Monitoring \n\nIBM Application Diagnostics\n\nIBM Application Performance Management\n\nIBM Application Performance Management Advanced\n\n| _8.1.3_ \n \n_ _ \n_ _| The vulnerabilities can be remediated by applying the following patches: \n\n * Apply the IBM Performance Management 8.1.3.0 Interim Fix 07 patch to the Performance Management server. The patch is available from Fix Central: \n[https://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003073](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003073>)\n * Apply the Hybrid Gateway for IBM Performance Management 8.1.3.0 Interim Fix 04 patch to the Hybrid Gateway. The patch is available from Fix Central: \n[_https://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003074_](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003074>) \nIBM Monitoring \n\nIBM Application Diagnostics\n\nIBM Application Performance Management\n\nIBM Application Performance Management Advanced\n\n| _8.1.2_| The vulnerabilities can be remediated by applying the following patches: \n\n * Apply the IBM Performance Management 8.1.2.0 Interim Fix 35 patch to the Performance Management server. The patch is available from Fix Central: \n[https://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003145](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003145>)\n * Apply the Hybrid Gateway for IBM Performance Management 8.1.2.0 Interim Fix 36 patch to the Hybrid Gateway. The patch is available from Fix Central: \n[https://www-01.ibm.com/support/docview.wss?rs=0&amp;uid=isg400003146](<https://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400003146>) \nIBM Application Performance Management on Cloud| _N/A_| The vulnerabilities can be remediated by applying the following patch: \n\n * Apply the Hybrid Gateway for IBM Performance Management 8.1.3.1 Interim Fix 01 patch to the Hybrid Gateway. The patch is available from Fix Central: [https://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&amp;uid=isg400001355](<https://dbluewas1.pok.ibm.com/support/docview.wss?rs=0&uid=isg400001355>) \n \n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.0}, "published": "2018-06-17T15:30:50", "type": "ibm", "title": "Security Bulletin: vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Performance Management products", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-3042"], "modified": "2018-06-17T15:30:50", "id": "6B3BDC894EE7CA33F3B9CB458BD6A344B2297ED7FB9E3CFE456D71D4F046955A", "href": "https://www.ibm.com/support/pages/node/556531", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:23", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM WebSphere Application Server that is used by IBM Tealeaf Customer Experience. \nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 that is used by IBM Tealeaf Customer Experience. These issues were disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Tealeaf Customer Experience 9.0.2\n\n## Remediation/Fixes\n\nIBM Tealeaf Customer Experience\n\n| \n\n9.0.2A \n\n| [`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=``9.0.2.5249_9.0.2A_IBMTealeaf_CXUpgrade_FixPack4`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.2.5249_9.0.2A_IBMTealeaf_CXUpgrade_FixPack4>) \n---|---|--- \n \nIBM Tealeaf Customer Experience \n\n| \n\n9.0.2 \n\n| [`https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=``9.0.2.1254_IBMTealeaf_CXUpgrade_FixPack4`](<https://www.ibm.com/support/entry/portal/search_results?sn=spe&filter=keywords:ibmsupportfixcentralsearch&q=9.0.2.1254_IBMTealeaf_CXUpgrade_FixPack4>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T20:06:28", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3485", "CVE-2016-5986"], "modified": "2018-06-16T20:06:28", "id": "8AFDCAE89AED9D1573EB511B1BB0BC02E4FDA3F4A8E6C9E02934A6732955352C", "href": "https://www.ibm.com/support/pages/node/285673", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:56:21", "description": "## Summary\n\nIBM WebSphere Application Server Liberty is shipped as a component of IBM PureApplication System. Information about security vulnerabilities affecting IBM WebSphere Application Server Liberty have been published in security bulletins (CVE-2016-0378, CVE-2016-3040, CVE-2016-3042).\n\n## Vulnerability Details\n\nConsult the security bulletin \n\n\n[\u00b7 _Security Bulletin: Information Vulnerability Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>)\n\n[\u00b7 _Security Bulletin: Open Redirect vulnerability in WebSphere Application Server Liberty (CVE-2016-3040) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21986715>)\n\n[\u00b7 _Security Bulletin: Cross-site scripting vulnerability in WebSphere Application Server Liberty (CVE-2016-3042) _](<http://www-01.ibm.com/support/docview.wss?uid=swg21986716>)\n\n \nfor vulnerability details and information about fixes. \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| This vulnerability affects IBM WebSphere Application Server Liberty. \n \n_For_ _earlier unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## ", "cvss3": {"exploitabilityScore": 2.3, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 6.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 4.0}, "published": "2018-06-15T07:06:27", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM PureApplication System", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.9, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-3042"], "modified": "2018-06-15T07:06:27", "id": "4E66ADF44C98149BB101F649EA179DF62F537E176AB809CDC86D7723BC74CC93", "href": "https://www.ibm.com/support/pages/node/555465", "cvss": {"score": 4.9, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:N"}}, {"lastseen": "2023-02-21T05:56:32", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Support Assistant Team Server. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>) \n** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \n \n**CVSS Base Score:** 6.1 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111929> for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector:** (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \n** \n**DESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \n \n**CVSS Base Score:** 3.7 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \n**CVSS Environmental Score*:** Undefined \n**CVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \n** \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \n \n**CVSS Base Score:** 3.7 \n**CVSS Temporal Score:** See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \n**CVSS Environmental Score*:** Undefined** \nCVSS Vector:** (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Support Assistant Team Server: 5.0.0 - 5.0.2.2\n\n## Remediation/Fixes\n\nThe recommended solution is to install the new IBM Support Assistant Team Server 5.0.2.3:[**_http://www-01.ibm.com/software/support/isa/teamserver.html_**](<http://www-01.ibm.com/software/support/isa/teamserver.html>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:04", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Support Assistant Team Server (CVE-2016-0359, CVE-2016-0378, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-0378", "CVE-2016-5986"], "modified": "2018-06-15T07:06:04", "id": "DC6C232E86993B4A9A02C52EE0791383ECC1D513CF816EB9910C1BEDC86A039E", "href": "https://www.ibm.com/support/pages/node/548589", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:53:51", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae WebSphere Application Server Liberty 8.5.5.8. These issues were disclosed as part of the IBM Liberty updates in IBM WebSphere Application Server Liberty 16.0.0.3.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n- \n**CVEID:** [CVE-2016-3040](<https://vulners.com/cve/CVE-2016-3040>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary websites. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114636> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N) \n- \n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nThe vulnerabilities affect users of IBM MQ Light 1.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.3 on all platforms\n\n## Remediation/Fixes\n\nThis issue has been addressed by IBM MQ Light 1.0.6 \n \nDownload and install the latest MQ Light Server appropriate for your platform: [_https://developer.ibm.com/messaging/mq-light/_](<https://developer.ibm.com/messaging/mq-light/>). \n \nThe following link describes how to re-use the data from your existing installation: \n[_http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm _](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>).\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-15T07:06:53", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect IBM MQ Light (CVE-2016-5986, CVE-2016-3040, CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-5986"], "modified": "2018-06-15T07:06:53", "id": "5DA2F018499FC3B4EED2FE3B5ABE4582AAF867BC56B13E51DBDC838C5E23CA3B", "href": "https://www.ibm.com/support/pages/node/288917", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:38:47", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) Liberty profile is shipped as a component of IBM InfoSphere BigInsights Console. Information about a security vulnerabilities affecting WAS Liberty profile has been published in security bulletins. \n\n## Vulnerability Details\n\nPlease consult security bulletins for vulnerability details and information about fixes. \n \n[**Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) \n[**Open Redirect vulnerability in WebSphere Application Server Liberty (CVE-2016-3040)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21986715>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>) \n[**Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM InfoSphere BigInsights 2.x \n\nIBM InfoSphere BigInsights 3.x \n\n| IBM WebSphere Application Server Version 8.5 Liberty profile \n \n## Remediation/Fixes\n\n**_Fix:_**\n\n 1. Stop all BigInsights Services\n 2. Apply [_Fix Pack 16.0.0.3_](<http://www.ibm.com/support/docview.wss?uid=swg24042657>)\n 3. Start all BigInsights Services\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2020-07-18T23:34:36", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server (WAS) Liberty profile shipped with IBM InfoSphere BigInsights (CVE-2016-5986, CVE-2016-3040, CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3040", "CVE-2016-5986"], "modified": "2020-07-18T23:34:36", "id": "DB04090859F8679BAF60915BCA68B7576553855F24A191D2D85B46CAFBAFFBAB", "href": "https://www.ibm.com/support/pages/node/552865", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T06:15:21", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is used by Power Hardware Management Console (HMC). HMC has addressed the applicable CVEs\n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>) \n**DESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \nCVEID: [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>) \n**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \nCVEID: [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nPower HMC V7.7.9.0 \nPower HMC V8.8.2.0 \nPower HMC V8.8.3.0 \nPower HMC V8.8.4.0 \nPower HMC V8.8.5.0\n\n## Remediation/Fixes\n\nThe following fixes are available on IBM Fix Central at: <http://www-933.ibm.com/support/fixcentral/>\n\nProduct\n\n| \n\nVRMF\n\n| \n\nAPAR\n\n| \n\nRemediation/Fix \n \n---|---|---|--- \n \nPower HMC\n\n| \n\nV7.7.9.0 SP3\n\n| \n\nMB04044\n\n| \n\n[MH01659](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMC&release=V7R7.9.0&platform=All>) \n \nPower HMC\n\n| \n\nV8.8.2.0 SP3\n\n| \n\nMB03978\n\n| \n\n[MH01583](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMC&release=V8R8.2.0&platform=All>) \n \nPower HMC\n\n| \n\nV8.8.3.0 SP2\n\n| \n\nMB04048\n\n| \n\n[MH01661](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMC&release=V8R8.3.0&platform=All>) \n \nPower HMC\n\n| \n\nV8.8.4.0 SP2\n\n| \n\nMB04049\n\n| \n\n[MH01665](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMC&release=V8R8.4.0&platform=All>) \n \nPower HMC\n\n| \n\nV8.8.5.0 SP1\n\n| \n\nMB04051\n\n| \n\n[MH01663](<https://www-945.ibm.com/support/fixcentral/main/selectFixes?parent=powersysmgmntcouncil&product=ibm~hmc~9100HMC&release=V8R8.5.0&platform=All>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2021-09-23T01:31:39", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM WebSphere Application Server affect Power Hardware Management Console (\u202aCVE-2016-0378\u202c, \u202aCVE-2016-3092\u202c and \u202aCVE-2016-5986\u202c)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3092", "CVE-2016-5986"], "modified": "2021-09-23T01:31:39", "id": "2A0289568A16E75438F062DD5447BEE8F462BCBB11E9154045B8CB577F2DD29B", "href": "https://www.ibm.com/support/pages/node/667645", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:50:41", "description": "## Summary\n\nThere are vulnerabilities in IBM\u00ae WebSphere Application Server Liberty shipped with IBM Security Directory Suite. Those issues were disclosed as part of the IBM WebSphere Application Server Liberty updates and it includes all vulnerabilities details.\n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>) \nDESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \nCVEID: [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \nDESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \nCVEID: [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \nDESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Security Directory Suite 8.0 and 8.0.1 which consumes IBM WebSphere Application Server Liberty 8.5.5\n\n## Remediation/Fixes\n\nRecent release contains IBM WebSphere Application Server Liberty 16.0.0.4 which has fix for all above vulnerabilities. \n\n**Product**\n\n| **Remediation** \n---|--- \nIBM Security Directory Suite 8.0| _Contact IBM Support_ \nIBM Security Directory Suite 8.0.1| [IBM Security Directory Suite 8.0.1.2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FIBM+Security+Directory+Suite&fixids=8.0.1.2-ISS-ISDS_20170607-0918.pkg&function=fixId&parent=IBM%20Security>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:58:56", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM\u00ae WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-16T21:58:56", "id": "F24B112BBE3CAF70D3670CF507447BF00710A6E0550400417450D66CDE852B96", "href": "https://www.ibm.com/support/pages/node/558753", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:43:00", "description": "## Summary\n\nIBM i Integrated Web Application Server version 8.5 is affected by multiple security vulnerabilities. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-2960_](<https://vulners.com/cve/CVE-2016-2960>) \n**DESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113805_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113805>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>) \n**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n\n**CVEID:** [_CVE-2016-1546_](<https://vulners.com/cve/CVE-2016-1546>) \n**DESCRIPTION:** Apache HTTP Server is vulnerable to a denial of service, caused by the failure to limit the number of simultaneous stream workers for a single HTTP/2 connection when mod_http2 is enabled. A remote attacker could exploit this vulnerability using modified flow-control windows, to cause a denial of service. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114793_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114793>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n \n \n\n\n**CVEID:** [_CVE-2016-4979_](<https://vulners.com/cve/CVE-2016-4979>) \n**DESCRIPTION:** Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the improper validation of X509 client certificate when experimental module for the HTTP/2 protocol is used to access a resource. An attacker could exploit this vulnerability to allow a third party to access resources on the web server without providing proper credentials and obtain sensitive information. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114720_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114720>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)\n\n \n \n \n\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nRelease 6.1, 7.1, 7.2 and 7.3 of IBM i are affected. \n\n## Remediation/Fixes\n\nThe issue can be fixed by applying a PTF to IBM i. \n \nReleases 6.1, 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed. \n \n**Release 6.1 \u2013 SI62166** \n**Release 7.1 \u2013 SI62167 &amp; SI62590** \n**Release 7.2 \u2013 SI62168** \n**Release 7.3 \u2013 SI62169** \n \n**_Important note: _**_IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-18T14:26:38", "type": "ibm", "title": "Security Bulletin: IBM i Integrated Web Application Server version 8.5 is affected by multiple vulnerabilities.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0385", "CVE-2016-1546", "CVE-2016-2960", "CVE-2016-3092", "CVE-2016-4979", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2019-12-18T14:26:38", "id": "52B4D9D8F0C35A8ED4BF1E8C6B7007F0F22DE6776296FCD8048C0DB7F18162CD", "href": "https://www.ibm.com/support/pages/node/667557", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:45:24", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Network Manager IP Edition. \nInformation about security vulnerabilities affecting IBM WebSphere Application Server have been published in security bulletins. \n\n## Vulnerability Details\n\nConsult the security bulletins: \n[_Potential denial of service with SIP Services (CVE-2016-2960)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>) \n[_Potential bypass security in WebSphere Applicaiton Server(_](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>)[_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)) \n[_Open Source Apache Tomcat , Commons FileUpload Vulnerabilities affects WebSphere App Server_](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>)[_(CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)_)_ \nfor vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nIBM Tivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.1| Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x.. \nIBM Tivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires to install IBM Websphere Application Server Version 8.5.5.5 or later version separately. Users are recommended to apply IBM WebSphere version 8.5.5.5 Security Interim Fixes.. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:28:47", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Network Manager IP Edition (CVE-2016-2960, CVE-2016-0385, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3092"], "modified": "2018-06-17T15:28:47", "id": "27B8E9FC98BA91ABC2C10006CF43B0739BDA7A3213E6F5DEF3851A7D59959B97", "href": "https://www.ibm.com/support/pages/node/551537", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-06-24T06:00:53", "description": "## Summary\n\nThere are multiple vulnerabilities in WebSphere Liberty Profile that is used in IBM License Metric Tool v9 and IBM BigFix Inventory v9\n\n## Vulnerability Details\n\n**CVEID: **[**CVE-2016-0359**](<https://vulners.com/cve/CVE-2016-0359>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111929> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID: **[**CVE-2016-0385**](<https://vulners.com/cve/CVE-2016-0385>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112359> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: **[**CVE-2016-2960**](<https://vulners.com/cve/CVE-2016-2960>) \n**DESCRIPTION: **IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113805> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID: **[**CVE-2016-5986**](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID: **[**CVE-2015-7417**](<https://vulners.com/cve/CVE-2015-7417>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/107575> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)\n\n## Affected Products and Versions\n\n**IBM License Metric Tool v9** \n**IBM BigFix Inventory v9**\n\n## Remediation/Fixes\n\nUpgrade to version 9.2.6 or later using the following procedure: \n\n * In IBM Endpoint Manager console, expand **IBM BigFix Inventory **or** IBM License Reporting (ILMT)** node under **Sites** node in the tree panel.\n * Click **Fixlets and Tasks** node. **Fixlets and Tasks** panel will be displayed on the right.\n * In the **Fixlets and Tasks** panel locate _Upgrade to the newest version of IBM BigFix Inventory 9.x _or _Upgrade to the newest version IBM License Metric Tool 9.x_ fixlet and run it against the computer that hosts your server.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerabilities has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-7417", "CVE-2016-0359", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-5986"], "modified": "2022-08-19T21:04:31", "id": "0103A083EFE13BB0A09409F189EB554977F5A87C2021E473616564E5346F1AEC", "href": "https://www.ibm.com/support/pages/node/286217", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:46:56", "description": "## Summary\n\nSecurity vulnerabilities have been identified in IBM Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console, IBM Watson Content Analytics, IBM Content Analytics, and OmniFind Enterprise Edition. Not all vulnerabilites affect all products and versions.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n\n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n \n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nTo see which vulnerabilities apply to your product and version, see the applicable row in the following table. \n\n**Affected Product**\n\n| **Affected Versions**| **Applicable Vulnerabilities** \n---|---|--- \nWatson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, 11.0.1.0| CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485 \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485 \nIBM Watson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, 11.0.1.0 | CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485 \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.2| CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485 \nWatson Content Analytics| 3.5.0.0 - 3.5.0.3| CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485 \nIBM Content Analytics| 3.0.0.0 - 3.0.0.6| CVE-2016-3092 \nCVE-2016-3485 \nIBM OmniFind Enterprise Edition| 9.1.0.0 - 9.1.0.5| CVE-2016-3092 \nIBM Content Analytics| 2.2.0.0 - 2.2.0.3| CVE-2016-3092 \n \n## Remediation/Fixes\n\nFor information about fixes, see the applicable row in the following table. The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>. \n \n\n\n**Affected Product**| **Affected Versions**| **Vulnerability**| **Fix** \n---|---|---|--- \nWatson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485| Upgrade to Watson Explorer Analytical Components Version 11.0.2. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042893>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nIBM Watson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, 11.0.1 | CVE-2016-3092 \nCVE-2016-0359 \nCVE-2016-3485| Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042892>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-3092| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002** or later.\n 3. To install the fix, see <http://www.ibm.com/support/docview.wss?uid=swg21996334>. \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-3485** **| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)). \nIf you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps. \n 2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 7 package for your edition (Enterprise or Advanced) and operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-&lt;Edition&gt;Analytical-&lt;OS&gt;[32|31]-7SR9FP60 ** or later. For example, 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux-7SR9FP60 and 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux32-7SR9FP60.\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700618>).\n 4. Rename `$ES_INSTALL_ROOT/lib/activation.jar` \nto `activation.jar.orig` \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-0359** **| **Important:** Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002** or later and extract the contents of the fix into a temporary directory.\n 3. Stop Watson Explorer Analytical Components.\n 4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.\n 5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.\n 6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT\n 7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n * **Note**: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.\n* Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,**wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar**,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n\n * The new classpath replaces: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n* After saving the changes, restart Watson Explorer Analytical Components. \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0 - 10.0.0.2| CVE-2016-3092| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039429>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-&lt;edition&gt;FoundationalAAC-IF002** or later.\n 3. To install the fix, see <http://www.ibm.com/support/docview.wss?uid=swg21996334>. \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0 - 10.0.0.2| CVE-2016-3485 \n** **| \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039429>)). \nIf you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit and 64-bit packages of IBM Java Runtime, Version 7 for your edition (Enterprise or Advanced) and your operating system from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): **10.0.0.2-WS-WatsonExplorer-AEFoundationallAAC-&lt;OS&gt;[32]-7SR9FP60 **or later. For example, 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-Linux-7SR9FP60 and 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-Linux32-7SR9FP60.\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700620>).\n 4. Rename `$ES_INSTALL_ROOT/lib/activation.jar` \nto `activation.jar.orig` \nIBM Watson Explorer Foundational Components Annotation Administration Console| 10.0 - 10.0.0.2| CVE-2016-0359 \n** **| **Important:** Perform these steps as a Watson Explorer Annotation Administration Console administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<www.ibm.com/support/docview.wss?uid=swg24039429>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-&lt;edition&gt;FoundationalAAC-IF002** or later and extract the contents of the fix into a temporary directory.\n 3. Stop Watson Explorer Annotation Administration Console.\n 4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.\n 5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.\n 6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT\n 7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n * **Note**: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.\n* Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,**wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar**,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n\n * The new classpath replaces: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n* After saving the changes, restart Annotation Administration Console. \nWatson Content Analytics| 3.5.0.0 - 3.5.0.3| CVE-2016-3092 \nCVE-2016-3485 \nCVE-2016-0359| Upgrade to Watson Content Analytics Version 3.5.0.4. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042836>). For information about upgrading, see the [upgrade procedures](<https://www.ibm.com/support/knowledgecenter/SS5RWK_3.5.0/com.ibm.discovery.es.in.doc/iiysiupover.htm>). \nIBM Content Analytics| 3.0.0.0 - 3.0.0.6| CVE-2016-3092| \n\n 1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24040579>)).\n 2. Download the package from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.0.0.6&platform=All&function=all>): interim fix **3.0.0.6-WT-ICA-IF002**.\n 3. To install the fix, see <http://www.ibm.com/support/docview.wss?uid=swg21996334>. \nIBM Content Analytics| 3.0.0.0 - 3.0.0.6| CVE-2016-3485 \n** **| \n\n 1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24040579>)). \nIf you upgrade to Version 3.0.0.6 after you configure IBM Java Runtime, your changes are lost and you must repeat the steps.\n 2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from [Fix Central](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/IBM+Cognos+Content+Analytics&release=3.0.0.6&platform=All&function=all>): interim fix **3.0.0.6-WT-ICA-&lt;OS&gt;[32|31]-6SR16FP35 ** or later. For example, 3.0.0.6-WT-ICA-Linux-6SR16FP35 and 3.0.0.6-WT-ICA-Linux32-6SR16FP35.\n 3. To apply the fix, follow the steps in [Updating IBM Java Runtime](<http://www.ibm.com/support/docview.wss?uid=swg21700622>).\n 4. Rename `$ES_INSTALL_ROOT/lib/activation.jar` \nto `activation.jar.orig` \nIBM OmniFind Enterprise Edition| 9.1 - 9.1.0.5| CVE-2016-3092| Contact [IBM Support](<http://www.ibm.com/support/entry/portal/product/watson_group/watson_explorer>). \nIBM Content Analytics| 2.2 - 2.2.0.3| CVE-2016-3092| Contact [IBM Support](<http://www.ibm.com/support/entry/portal/product/watson_group/watson_explorer>). \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T13:07:24", "type": "ibm", "title": "Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components, Watson Explorer Annotation Administration Console, Watson Content Analytics, IBM Content Analytics, and OmniFind Enterprise Edition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-3092", "CVE-2016-3485"], "modified": "2018-06-17T13:07:24", "id": "7683273D853201795DC98B316DD2C8B7DB84C63DD2868C0F87D00A09760EDC9B", "href": "https://www.ibm.com/support/pages/node/551191", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:52:35", "description": "## Summary\n\nMultiple vulnerabilities have been identified in the IBM Websphere Application Server (WAS) that is embedded in IBM FSM. This update addresses these issues.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM and all affected remote Common Agent Services (CAS) endpoints using the instructions referenced in this table. \n \n \n\n\nProduct| VRMF| \n\nAPAR | Remediation \n---|---|---|--- \nFlex System Manager| 1.3.4.0| \n\nIT17940 | This WAS update is packaged with a Java Update, therefore follow the instructions for installing the Java Update to address these vulnerabilities. \nNavigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote \n[803813703](<http://www-01.ibm.com/support/docview.wss?uid=nas76d4ae564397c85a5862580a30078290b>) for instructions on installing this update for FSM version 1.3.4 and Agents. \nFlex System Manager| 1.3.3.0| \n\nIT17940\n\n| This WAS update is packaged with a Java Update, therefore follow the instructions for installing the Java Update to address these vulnerabilities. \nNavigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote \n[803813703](<http://www-01.ibm.com/support/docview.wss?uid=nas76d4ae564397c85a5862580a30078290b>) for instructions on installing updates for FSM version 1.3.3 and Agents. \nFlex System Manager| 1.3.2.0 \n1.3.2.1| \n\nIT17940\n\n| This WAS update is packaged with a Java Update, therefore follow the instructions for installing the Java Update to address these vulnerabilities. \nNavigate to the [_Support Portal_](<https://www.ibm.com/support/entry/portal/support/>)_ _and search for technote \n[803813703](<http://www-01.ibm.com/support/docview.wss?uid=nas76d4ae564397c85a5862580a30078290b>) for instructions on installing updates for FSM version 1.3.2 and Agents. \n \n \nFor all VRMF not listed in this table IBM recommends upgrading to a fixed, supported version/release of the product. \n\n\nYou should verify applying this fix does not cause any compatibility issues. The fix disables older encrypted protocols by default.\n\nIBM recommends that you review your entire environment to identify other areas where you have enabled weak encryption and take appropriate mitigation and remediation actions.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:34:17", "type": "ibm", "title": "Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 )", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3092", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-18T01:34:17", "id": "06C8D02C038247F15E4D79EC7F9664B27635450E908F240B3E0213DF1114F10D", "href": "https://www.ibm.com/support/pages/node/630101", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T21:52:24", "description": "## Summary\n\nThere are multiple vulnerabilities identified in IBM Websphere Application Server (WAS) that is embedded in IBM Systems Director Storage Control. This update addresses these issues. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>) \n**DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nFrom the IBM Systems Director command line enter **smcli lsver** to determine the level of IBM Systems Director installed. \n\n**Affected Product and Version(s)**| **Product and Version shipped as a component** \n---|--- \nIBM System Director Storage Control 4.2.6| IBM Systems Director 6.3.5 \nIBM System Director Storage Control 4.2.7| IBM Systems Director 6.3.6 \nIBM System Director Storage Control 4.2.8| IBM Systems Director 6.3.7 \n \n## Remediation/Fixes\n\n**WARNING:** Before installing the fix for this issue, you must install the fix described in Technote [**_760294347_**](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>) or [**_793147997_**](<http://www-01.ibm.com/support/docview.wss?uid=nas75cc6d09c7c17de078625803b0056876b>) found in the [_Support Portal_](<https://www-947.ibm.com/support/entry/portal/support/>). \n \nAfter installing the fix listed in [**_760294347_**](<http://www-01.ibm.com/support/docview.wss?uid=nas73635202929791fbe86257ef20035f6b7>), or [**_793147997_**](<http://www-01.ibm.com/support/docview.wss?uid=nas75cc6d09c7c17de078625803b0056876b>) resolve this issue by following the instructions in Technote [**804133974**](<http://www-01.ibm.com/support/docview.wss?uid=nas77b4dfae046510ab5862580a6004ff0ca>) which is also found in the [**_Support Portal_**](<https://www-947.ibm.com/support/entry/portal/support/>). \n \nIBM Systems Director Storage Control versions pre-4.2.6 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-18T01:34:56", "type": "ibm", "title": "Security Bulletin: IBM Systems Director Storage Control is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3092", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-18T01:34:56", "id": "E9CDC7558DA989941146B3A84A11854BD9E2194AC94082893AAD204FB055A96A", "href": "https://www.ibm.com/support/pages/node/630559", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:25", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component IBM Tivoli Network Manager IP Edition. Information about a security vulnerability affecting WAS has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult following security bulletins in WebSphere Application Server for vulnerability details and information about fixes. \n\n * [Potential cross-site scripting in the Admin Console for WebSphere Application Serve (CVE-2016-8934)](<http://www-01.ibm.com/support/docview.wss?uid=swg21992315>)\n * [Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n * [There is a potential information disclosure in WebSphere Application Server using malformed SOAP requests on WebSphere Application Server.](<http://www-01.ibm.com/support/docview.wss?uid=swg21991469>)\n * [Certificates will need to be converted to use SHA256withRSA in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21959568>)\n * [Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597)](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>)\n * [Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>)\n * [Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387)](<http://www-01.ibm.com/support/docview.wss?uid=swg21988019>)\n * [Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>)\n * [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)\n * [ ](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)[Potential denial of service with SIP Services (CVE-2016-2960)](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>)\n * [Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>)\n * [HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>)\n * [Potential security vulnerability in IBM WebSphere Application Server if FIPS 140-2 is enabled](<http://www-01.ibm.com/support/docview.wss?uid=swg21979231>)\n * [Multiple Denial of Service vulnerabilities with Expat may affect IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) \n \n======================================\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nIBM Tivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.1| Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x.. \nIBM Tivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires to install IBM Websphere Application Server Version 8.5.5.5 or later version separately. Users are recommended to apply IBM WebSphere version 8.5.5.5 Security Interim Fixes.. \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-17T15:32:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Network Manager IP Edition", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-0385", "CVE-2016-2960", "CVE-2016-3092", "CVE-2016-3485", "CVE-2016-5387", "CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5986", "CVE-2016-8934"], "modified": "2018-06-17T15:32:37", "id": "3DFE6203DB59955492FEFDC3D6D48EBB07936D0F880BA3893D07DEEAC6EC7CD2", "href": "https://www.ibm.com/support/pages/node/287501", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:26", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) \n \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:47", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-0359, CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:47", "id": "8AECCBE0CD244EF2C1818D4560A2112EBDDE17CF922BC7869D4367156735AD72", "href": "https://www.ibm.com/support/pages/node/285283", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:32", "description": "## Summary\n\nVulnerability in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092) \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\n \nWebSphere Service Registry and Repository V8.5 \nWebSphere Service Registry and Repository V8.0 \n \nFor unsupported versions IBM recommends upgrading to a fixed, supported version of the product \n\n## Remediation/Fixes\n\nTo remediate CVE-2016-1181, CVE-2016-1182 and CVE-2016-3092 you need to apply fixes for both IBM WebSphere Application Server and IBM WebSphere Service Registry and Repository. \n \nFor** WebSphere Application Server** updates refer to this bulletin regarding CVE-2016-1181 and CVE-2016-1182 \n[Security Bulletin: Vulnerability in Apache Commons affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \nFor CVE-2016-3092, please refer to this to this bulletin: \n[Security Bulletin: Apache Commons FileUpload Vulnerability affects WebSphere Application Server (CVE-2016-3092)](<http://www.ibm.com/support/docview.wss?uid=swg21987864>) \n \nFor **WebSphere Service Registry and Repository**, all three vulnerabilities have been fixed under APARs **IV87422 **and **IV87429** \n \nFixes containing IV87422 and IV87429 have been published and are available from Fix Central. \n \n**For WSRR V8.5**\n\n * Apply [**V8.5.6.0_IV79085_IV87422_IV87429_****IV89477**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.5.6.0-WS-WSRR-MultiOS-IFIV79085_IV87422_IV87429_IV89477>)** \n**\n**For WSRR V8.0**\n\n * Apply [](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.0.0.3-WS-WSRR-MultiOS-IFIV65487_IV79085>)[**V8.0.0.3_IV65487_IV79085_IV87422_IV87429_****IV89477**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/WebSphere+Service+Registry+and+Repository&function=fixId&fixids=8.0.0.3-WS-WSRR-MultiOS-IFIV65487_IV79085_IV87422_IV87429_IV89477>)** \n**\nIBM recommends that you review your entire environment to identify vulnerable releases of the open-source Apache Commons Collections and take appropriate mitigation and remediation actions. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:03", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts and Apache Commons FileUpload affects IBM WebSphere Service Registry and Repository (CVE-2016-1181, CVE-2016-1182, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182", "CVE-2016-3092"], "modified": "2018-06-15T07:06:03", "id": "55C6EB16408836E84C4255320770BC4F60934779CE325008D25B4951C20115C1", "href": "https://www.ibm.com/support/pages/node/548483", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:25", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Integrated Portal and eWAS has been affected by multiple security vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0359_](<https://vulners.com/cve/CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nTivoli Integrated Portal version 2.1.0 - 2.1.0.5 \n\nTivoli Integrated Portal version 2.2.0.0 - 2.2.0.17\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nTivoli Integrated Portal version \n\n2.1.0 - 2.1.0.5\n\n2.2.0 - 2.2.0.17\n\n| embedded Websphere Application Server version 7.0| [Security Bulletin: HTTP Response Splitting in WebSphere Application Server (CVE-2016-0359)](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) \n \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \nThe Websphere security bulletin above provides a link to the required iFix to remediate the vulnerability. However, the iFix requires either eWAS 7.0.0.33 or higher installed. \nTIP does not support upgrading Websphere fixpack independently. TIP 2.2.0.15 or TIP 2.2.0.17 must be applied which will upgrade eWAS to 7.0.0.33 and above. Once TIP FP has been applied, the Websphere iFix can be applied as described in the Websphere bulletin. \n\n## Workarounds and Mitigations\n\nPlease refer to WAS iFix as described above\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:47", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2016-0359, CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:47", "id": "F936FE55F38C08867ADBDA8E6F3802EAC3CA57726D86C3FDB2C0BC8583619B6F", "href": "https://www.ibm.com/support/pages/node/285285", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-06-28T22:13:46", "description": "## Summary\n\nThe IBM Emptoris Strategic Supply Management Suite and IBM Emptoris Services Procurement products are affected by multiple security vulnerabilities that exist in IBM SDK Java Technology Edition and IBM WebSphere Application Server. The security bulletin includes issues disclosed as part of the IBM Java SDK updates in October 2016 and includes the following additional vulnerabilities: \n1\\. Potential HTTP response splitting vulnerability in IBM WebSphere Application Server \n2\\. Apache Struts vulnerabilities affect WebSphere Application Server Administration Console \n3\\. Potential information disclosure in WebSphere Application Server \n4\\. Potential code execution vulnerability in WebSphere Application Server. \n5\\. Potential information disclosure in WebSphere Application Server using malformed SOAP requests.\n\n## Vulnerability Details\n\n \nThis bulletin covers all applicable Java SE CVE's published by Oracle as part of their October 2016 Critical Patch Update which affects IBM SDK, Java Technology Edition. There are other advisories included in the IBM Java SDK and IBM WebSphere Application Server bulletins, but IBM Emptoris products are not vulnerable to them. Additionally, this bulletin covers other security vulnerabilities reported on WebSphere Application Server. \n \n**CVEID:** [_CVE-2016-0359_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0359>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. \nCVSS Base Score: 6.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111929_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111929>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-1181_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [_CVE-2016-5986_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5983_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-5597_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5597>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/118071_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/118071>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2016-9736_](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9736>)** \nDESCRIPTION:** IBM WebSphere Application Server using malformed SOAP requests could allow a remote attacker to obtain sensitive information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/119780_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/119780>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Emptoris Contract Management 9.5 through 10.1.2 \nIBM Emptoris Program Management 10.0.0 through 10.1.2 \nIBM Emptoris Sourcing 10.0.0 through 10.1.2 \nIBM Emptoris Spend Analysis 10.0.0 through 10.1.2 \nIBM Emptoris Supplier Lifecycle Management 9.5 through 10.1.2 \nIBM Emptoris Strategic Supply Management 10.0.0 through 10.1.2 \nIBM Emptoris Services Procurement 10.0.0\n\n## Remediation/Fixes\n\nInterim fixes have been issued for the IBM WebSphere Application Server (WAS) which will apply the needed fixes on WebSphere and also upgrade the IBM Java Development Kit to a version which is not susceptible to these vulnerabilities. \n \nCustomers running any of the IBM Emptoris products listed above should apply the interim fix to all IBM WebSphere Application Server installations that are used to run IBM Emptoris applications. See the references section for specific Java and WebSphere Security bulletins. \n \n \n\n\n**IBM Emptoris Product Version**| **IBM WebSphere Version**| **Interim Fix** \n---|---|--- \nIBM Emptoris Suite \n9.5.0.0 through 9.5.0.6 \n9.5.1.0 through 9.5.1.3 \n \n \n \nIBM Emptoris Services Procurement \n10.0.0.0 through 10.0.0.5| 8.0.0.0 through 8.0.0.12| Option 1: Follow Steps 1 through 6 below in the order specified: \n \nStep 1. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI58918_](<http://www.ibm.com/support/docview.wss?uid=swg24042445>) \n \nStep 2. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI64303_](<http://www.ibm.com/support/docview.wss?uid=swg24042468>) \n \nStep 3. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI67093_](<http://www.ibm.com/support/docview.wss?uid=swg24042752>) \n \nStep 4. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI70737_](<http://www.ibm.com/support/docview.wss?uid=swg24042908>) \n \nStep 5. Apply Interim Fix[_ PI71257_](<http://www.ibm.com/support/docview.wss?uid=swg24042977>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 35 \n \nStep 6. Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI66557_](<http://www.ibm.com/support/docview.wss?uid=swg24043105>) \n. \n \n\\--OR-- \n \nOption 2: \nApply Fix Pack 8.0.0.13 or later (targeted availability 20 February 2017) \n(Ensure IBM Java SDK shipped is applied with the upgrade) \n \nIBM Emptoris Suite \n10.0.0.0 through 10.0.0.3 \n10.0.1.0 through 10.0.1.5 \n10.0.2.0 through 10.0.2.12 \n10.0.3| 8.5.0.0 through 8.5.5.10| Option 1: Follow Steps 1 through 6 below in the order specified: \n \nStep 1. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI58918_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042445>) \n \nStep 2. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI64303_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) \n \nStep 3. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI67093_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) \n \nStep 4. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI70737 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n \nStep 5. Upgrade to WebSphere Application Server Traditional Fix Pack 8.5.5.1 or later then apply Interim Fix [_PI71255_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042968>): Will upgrade you to IBM SDK, Java Technology Edition, Version 6R1 Service Refresh 8 Fix Pack 35 \n \nStep 6. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI66557_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043105>) \n. \n \n\\--OR-- \n \nOption 2: \nApply Fix Pack 8.5.5.11 or later. (targeted availability 20 February 2017) \n(Ensure IBM Java SDK shipped is applied with the upgrade) \nIBM Emptoris Suite \n10.0.4 \n10.1.0.0 through 10.1.0.7 \n10.1.1.0 through 10.1.1.5 \n10.1.2| 8.5.5.0 through 8.5.5.10| Option 1: Follow Steps 1 through 6 below in the order specified: \n \nStep 1. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI58918_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042445>) \n \nStep 2. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI64303_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) \n \nStep 3. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI67093_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) \n \nStep 4. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI70737 _](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) \n \nStep 5. Upgrade to WebSphere Application Server Traditional Fix Pack 8.5.5.2 or later then apply Interim Fix [_PI71253_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042957>): Will upgrade you to IBM SDK, Java Technology Edition, Version 7R1 Service Refresh 3 Fix Pack 60 \n \nStep 6. Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI66557_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043105>) \n. \n \n\\--OR-- \n \nOption 2: \nApply Fix Pack 8.5.5.11 or later. (targeted availability 20 February 2017) \n(Ensure IBM Java SDK shipped is applied with the upgrade) \n \n## Workarounds and Mitigations\n\nNone\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n[WebSphere Security Bulletin: HTTP Response Splitting in WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21982526>)\n\n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>)\n\n[Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983).](<http://www.ibm.com/support/docview.wss?uid=swg21990060>)\n\n[Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server October 2016 CPU (CVE-2016-5573, CVE-2016-5597)](<http://www.ibm.com/support/docview.wss?uid=swg21993440>)\n\n \n[_IBM Java SDK Security Bulletin_](<http://www.ibm.com/support/docview.wss?uid=swg21985393>) \n \n[Security Bulletin: Potential Information Disclosure in WebSphere Application Server (CVE-2016-9736)](<http://www.ibm.com/support/docview.wss?uid=swg21991469>)\n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n17 Jan 2017 - Original version published\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. \"Affected Products and Versions\" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.\n\n[{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\"Not Applicable\",\"Platform\":[{\"code\":\"PF025\",\"label\":\"Platform Independent\"}],\"Version\":\"Version Independent\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ89\",\"label\":\"Emptoris Contract Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRER\",\"label\":\"Emptoris Program Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR6U\",\"label\":\"Emptoris Services Procurement\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYR8W\",\"label\":\"Emptoris Sourcing\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQAR\",\"label\":\"Emptoris Spend Analysis\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYQ72\",\"label\":\"Emptoris Strategic Supply Management\"},\"Business Unit\":{\"code\":\"BU059\",\"label\":\"IBM Software w\\/o TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}},{\"Product\":{\"code\":\"SSYRC7\",\"label\":\"Emptoris Supplier Lifecycle Management\"},\"Business Unit\":{\"code\":\"BU055\",\"label\":\"Cognitive Applications\"},\"Component\":\" \",\"Platform\":[{\"code\":\"\",\"label\":\"\"}],\"Version\":\"\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB02\",\"label\":\"AI Applications\"}}]", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.3, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 6.0}, "published": "2018-06-16T20:07:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK and IBM WebSphere Application Server affect IBM Emptoris Strategic Supply Management and IBM Emptoris Services Procurement", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0359", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-5573", "CVE-2016-5597", "CVE-2016-5983", "CVE-2016-5986", "CVE-2016-9736"], "modified": "2018-06-16T20:07:17", "id": "A09274BA1A31537EA391724E8C52797113E094AE9E4EAA66FB5A50D995921587", "href": "https://www.ibm.com/support/pages/node/288965", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:05:07", "description": "## Summary\n\nTwo vulnerabilities have been found in WAS Liberty, which is shipped in IBM Transforation Extender Advanced and IBM Standards Processing Engine. \n \nIBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \n \nIBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Standards Processing Engine version 8.5.1.2 (common component 2.0.1.2) and IBM Transformation Extender Advanced releases prior to version 9.0.0.4.\n\n## Remediation/Fixes\n\nFixes posted to Fix Central. \n \n\n\nProduct| Version| Fix \n---|---|--- \nIBM Standards Processing Engine | Common component 2.0.1.3| [https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&amp;product=ibm/Other+software/Standards+Processing+Engine&amp;release=2.0.1.3&amp;platform=All&amp;function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Standards+Processing+Engine&release=2.0.1.3&platform=All&function=all>) \nIBM Transformation Extender Advanced | 9.0.0.4| [https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&amp;product=ibm/Other+software/Standards+Processing+Engine&amp;release=9.0.0.4&amp;platform=All&amp;function=all](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Standards+Processing+Engine&release=9.0.0.4&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2022-05-15T12:11:44", "type": "ibm", "title": "Security Bulletin: Two vulnerabilities in WAS Liberty affect IBM Transformation Extender Advanced and IBM Standards Processing Engine (CVE-2016-0378 and CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 5.0, "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-5986"], "modified": "2022-05-15T12:11:44", "id": "15D0115CEF4171E92D8BA93E2ED17B82EEC2AFF6C764062CEE615ACC92A0F1AF", "href": "https://www.ibm.com/support/pages/node/290317", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2022-01-04T21:53:18", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Service Registry and Repository. Information about security vulnerabilities affecting WebSphere Application Server have been published in two security bulletins.\n\n## Vulnerability Details\n\nPlease consult the security bulletins [Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)](<http://www.ibm.com/support/docview.wss?uid=swg21980645>) and [Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)](<http://www.ibm.com/support/docview.wss?uid=swg21982588>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrinciple Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nWebSphere Service Registry and Repository V8.5| WebSphere Application Server Network Deployment V8.5.5 \nWebSphere Service Registry and Repository V8.0| WebSphere Application Server Network Deployment V8.0 \nWebSphere Service Registry and Repository V7.5| WebSphere Application Server Network Deployment V7.0 \n \n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n## Important Note\n\nIBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<http://www.ibm.com/systems/z/solutions/security_subintegrity.html>). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n## Change History\n\n23 September 2016: Original version published \n\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nAccording to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES \"\"AS IS\"\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.\n\n## Internal Use Only\n\nTHIS DOCUMENT IS FOR PSIRT PRODUCT RECORDS #81505, #81708\n\n[{\"Product\":{\"code\":\"SSWLGF\",\"label\":\"WebSphere Service Registry and Repository\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"Security\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF035\",\"label\":\"z\\/OS\"}],\"Version\":\"8.5;8.0;7.5\",\"Edition\":\"All Editions\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}}]", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 1.4}, "published": "2018-06-15T07:06:13", "type": "ibm", "title": "Multiple vulnerabilities have been identified in WebSphere Application Server shipped with WebSphere Service Registry and Repository (CVE-2016-0377, CVE-2016-0385)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385"], "modified": "2018-06-15T07:06:13", "id": "73D8DE3359B8A7D986493D15802F799CF86136D0CE2E8F2B30F608A126D41D1D", "href": "https://www.ibm.com/support/pages/node/552137", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:50:40", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security/Tivoli Directory Server. Information about a security vulnerabilities affecting IBM Websphere Application Server has been published in security bulletins.\n\n## Vulnerability Details\n\nPlease see following security bulletins for vulnerabilities details: \n[Code execution vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) (CVE-2016-5983) and \n[Potential Information Disclosure vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) (CVE-2016-5986).\n\n## Affected Products and Versions\n\nAffected Product and Version(s)\n\n| Product and Version shipped as a component \n---|--- \nIBM Security Directory Server Version 6.4| IBM WebSphere Application Server Version 8.5.5.9 \nIBM Security Directory Server Version 6.3.1 and \nTivoli Directory Server Version 6.3| IBM WebSphere Application Server Version 7.0.0.41 \n \n## Remediation/Fixes\n\nApply WebSphere Application Server Interim Fix [_PI70737_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>) for Vulnerability - (CVE-2016-5983) and [_PI67093_](<http://www-01.ibm.com/support/docview.wss?uid=swg24042752>) for Vulnerability -(CVE-2016-5986). \nAfter the above we can refer to SDS [recommended fixes](<http://www.ibm.com/support/docview.wss?uid=swg27009778>) . \nNote: 8.5.5.11 has already included both the vulnerabilty fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:58:56", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in IBM Websphere Application Server shipped with IBM Security/Tivoli Directory Server (CVE-2016-5983 and CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-16T21:58:56", "id": "BA00D2D757BAAC274D87A18224BEBB9CAB187A87A5111B7900F36CE8500DC305", "href": "https://www.ibm.com/support/pages/node/558755", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:33", "description": "## Summary\n\nSecurity vulnerabilities have been identified in IBM Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console, and IBM Watson Content Analytics.\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\n \n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nTo see which vulnerabilities apply to your product and version, see the applicable row in the following table. \n\n**Affected Product**\n\n| **Affected Versions**| **Applicable Vulnerabilities** \n---|---|--- \nWatson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983 \nWatson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983 \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983 \nWatson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983 \nWatson Content Analytics| 3.5.0.4| CVE-2016-5983 \nWatson Content Analytics| 3.5.0.0 - 3.5.0.3| CVE-2016-5986 \nCVE-2016-5983 \n \n## Remediation/Fixes\n\nFor information about fixes, see the applicable row in the following table. The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at <http://www.ibm.com/support/fixcentral/>. \n \n\n\n**Affected Product**| **Affected Versions**| **Vulnerability**| **Fix** \n---|---|---|--- \nWatson Explorer Analytical Components| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983| Upgrade to Watson Explorer Analytical Components Version 11.0.2. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042893>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nWatson Explorer Foundational Components Annotation Administration Console| 11.0.0.0 - 11.0.0.3, 11.0.1| CVE-2016-5986 \nCVE-2016-5983| Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042892>). For information about upgrading, see the [upgrade procedures](<http://www.ibm.com/support/docview.wss?uid=swg27049072>). \nWatson Explorer Analytical Components| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983| **Important:** Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<http://www.ibm.com/support/docview.wss?uid=swg24039430>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002** or later and extract the contents of the fix into a temporary directory.\n 3. Stop Watson Explorer Analytical Components.\n 4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.\n 5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.\n 6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT\n 7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n * **Note**: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.\n* Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,**wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar**,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n\n * The new classpath replaces: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n* After saving the changes, restart Watson Explorer Analytical Components. \nWatson Explorer Foundational Components Annotation Administration Console| 10.0.0.0 - 10.0.0.2| CVE-2016-5986 \nCVE-2016-5983| **Important:** Perform these steps as a Watson Explorer Annotation Administration Console administrative user, typically esadmin. \n\n 1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack [download document](<www.ibm.com/support/docview.wss?uid=swg24039429>)).\n 2. Download the package from [Fix Central](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Watson%2BGroup&product=ibm/Information+Management/InfoSphere+Data+Explorer&release=10.0.0.2&platform=All&function=all#Others>): interim fix **10.0.0.2-WS-WatsonExplorer-&lt;edition&gt;FoundationalAAC-IF002** or later and extract the contents of the fix into a temporary directory.\n 3. Stop Watson Explorer Annotation Administration Console.\n 4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.\n 5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.\n 6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT\n 7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n * **Note**: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.\n* Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,**wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar**,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n\n * The new classpath replaces: \nclasspath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar\n* After saving the changes, restart Annotation Administration Console. \nWatson Content Analytics| 3.5.0.4| CVE-2016-5983| **Important:** Perform these steps as a Watson Content Analytics administrative user, typically esadmin. \n\n 1. Download 16.0.0.3-WS-WLP-IFPI62375 from <http://www.ibm.com/support/docview.wss?uid=swg24042712> and extract the contents of the fix into a temporary directory.\n 2. Stop Watson Content Analytics.\n 3. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp\n 4. Restart Watson Content Analytics. \nWatson Content Analytics| 3.5.0.0 - 3.5.0.3| CVE-2016-5986| Upgrade to Watson Content Analytics Version 3.5.0.4. For information about this version, and links to the software and release notes, see the [download document](<http://www.ibm.com/support/docview.wss?uid=swg24042836>). For information about upgrading, see the [upgrade procedures](<https://www.ibm.com/support/knowledgecenter/SS5RWK_3.5.0/com.ibm.discovery.es.in.doc/iiysiupover.htm>). \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T13:07:33", "type": "ibm", "title": "Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components, Watson Explorer Annotation Administration Console, and Watson Content Analytics", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T13:07:33", "id": "F9C7ACF2002F6F3FDF193E4C427570D3991980C9A65D31E141CF3787E2A33C07", "href": "https://www.ibm.com/support/pages/node/287719", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:42:16", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM Websphere Application Server has been published in a Security Bulletin.\n\n## Vulnerability Details\n\nConsult the Security Bulletin [Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes. \n\nConsult the Security Bulletin [Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nAffected Products and versions\n\n| Affected Components \n---|--- \nISAM ESSO 8.2, 8.2.1, 8.2.2| IBM Websphere Application Server 7.0, 8.5.0 \n \n## Remediation/Fixes\n\nNone\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-25T05:54:54", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities have been identified in IBM Websphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-25T05:54:54", "id": "36EAF631AD2195D87F303F82AFF5E7B7CFA7545A0A6B18A6E83CF844C469D54D", "href": "https://www.ibm.com/support/pages/node/553731", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:39:16", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting Websphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletins listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, 1.0.1, 1.1, 1.1.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is shipped with Predictive Customer Intelligence. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [_Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [_Security Bulletin: Potential Information Disclosure vulnerability in WebSphere Application Server (CVE-2016-5986)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>)\n\n[_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) \n \n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in Websphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-5983, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983", "CVE-2016-5986"], "modified": "2020-02-11T21:31:00", "id": "5E18DDFEF42C9E454FD2B7F4F9F8E06973E1051692FB5605975B9AA96CB79617", "href": "https://www.ibm.com/support/pages/node/553823", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:20", "description": "## Summary\n\nIBM Websphere Application Server is shipped as a component of IBM Security Access Manager for Enterprise Single Sign-On. Information about a security vulnerability affecting IBM Websphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Information Disclosure in IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes. \nConsult the security bulletin [Bypass security restrictions in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Security Access Manager for Enterprise Single Sign-On 8.2, 8.2.1, 8.2.2| IBM Websphere Application Server 7.0, 8.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T21:45:42", "type": "ibm", "title": "Security Bulletin: : A security vulnerability has been identified in IBM Websphere Application Server shipped with IBM Security Access Manager for Enterprise Single Sign-On (CVE-2016-0377, CVE-2016-0385)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0377", "CVE-2016-0385"], "modified": "2018-06-16T21:45:42", "id": "93A6214180EB19A62AD0960CB98101D6E89161ACFE11D971FA2AB345DF973E5F", "href": "https://www.ibm.com/support/pages/node/550191", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:46:18", "description": "## Summary\n\nSecurity vulnerabilities exist in IBM WebSphere Application Server that affect Tivoli Storage Manager for Virtual Environments (IBM Spectrum Protect for Virtual Environments): Data Protection for VMware.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5986_](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116556_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116556>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nThe following levels of IBM Tivoli Storage Manger for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments) are affected: \n\n * 7.1.0.0 through 7.1.6.3\n * 6.4.0.0 through 6.4.3.4\n * 6.3.0.0 through 6.3.2.7\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager for VE: Data Protection for VMware Release_**\n\n| **_First Fixing VRMF Level_**| **_Client_** \n**_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n7.1| 7.1.6.4| Linux \nWindows| [**http://www.ibm.com/support/docview.wss?uid=swg24042520**](<http://www-01.ibm.com/support/docview.wss?uid=swg24042520>)** ** \n6.4| 6.4.3.5| Linux \nWindows| [**http://www.ibm.com/support/docview.wss?uid=swg24041370**](<http://www.ibm.com/support/docview.wss?uid=swg24041370>) \n6.3| 6.3.2.8| Linux \nWindows| [**http://www.ibm.com/support/docview.wss?uid=swg24037601**](<http://www.ibm.com/support/docview.wss?uid=swg24037601>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:32:38", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in IBM WebSphere Application Server affect Tivoli Storage Manager (IBM Spectrum Protect) for Virtual Environments: Data Protection for VMware (CVE-2016-5986, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3092", "CVE-2016-5986"], "modified": "2018-06-17T15:32:38", "id": "8C18F8030274549454D17409D64C54EA8977ABB97F47F0C1BDD38AD8DF66DD50", "href": "https://www.ibm.com/support/pages/node/287517", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:06", "description": "## Summary\n\nIBM WebSphere Application Server Liberty Profile as embedded in TADDM is potentially vulnerable to a denial of service caused by an error in the Apache Commons FileUpload component. \nIt is also potentially vulnerable to a remote attack where the attacker could obtain sensitive information as a consequence of improperly handled responses under certain circumstances. \n\n\n## Vulnerability Details\n\n**CVEID**: [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION**: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID**: [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>) \n**DESCRIPTION**: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nTADDM 7.3.0.1-7.3.0.3\n\n## Remediation/Fixes\n\nThere is an eFix prepared on top of TADDM 7.3.0 FixPack 3 \n\n**Fix**| **VRMF**| **APAR**| **How to acquire fix** \n---|---|---|--- \nefix_wlp8558_PI67093_PI65853_FP320160323.zip| 7.3.0.3| None| [_Download eFix_](<ftp://ftp.ecurep.ibm.com/fromibm/tivoli/efix_wlp8558_PI67093_PI65853_FP320160323.zip>) \n \nPlease get familiar with eFix readme in etc/&lt;efix_name&gt;_readme.txt \nNote that the eFix requires manual deletion of the external/wlp directory. \n\n## Workarounds and Mitigations\n\nThe solution is to patch the embedded WebSphere Application Server Liberty Profile 8.5.5.8 with WebSphere patch P167093 and PI65853[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042465>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-17T15:35:11", "type": "ibm", "title": "Security Bulletin: IBM WebSphere Application Server Liberty Profile vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2016-3092, CVE-2016-5986)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3092", "CVE-2016-5986"], "modified": "2018-06-17T15:35:11", "id": "DB68C8666C18AFC83A85EECDD8ABEF0A5F62BEEA4C9766E31EBEA828ED452BB7", "href": "https://www.ibm.com/support/pages/node/291623", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T05:56:30", "description": "## Summary\n\nApache Struts vulnerabilities affect WebSphere Application Server and WebSphere Application Server Hypervisor Edition Administration Console. There is a potential denial of service with IBM WebSphere Application Server when using SIP services. There are several vulnerabilities that may affect IBM HTTP Server that is used by WebSphere Application Server. There is a vulnerability that allows redirecting of HTTP traffic with CGI applications that may affect IBM HTTP Server (IHS). This vulnerability is known as \"HTTPOXY\". There is an Information Disclosure Vulnerability in IBM WebSphere Application Server. There is a potential bypass security restriction vulnerability in IBM WebSphere Application Server. This will only occur in environments that have the webcontainer custom property HttpSessionIdReuse enabled. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [_CVE-2016-2960_](<https://vulners.com/cve/CVE-2016-2960>)** \nDESCRIPTION:** IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113805_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113805>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2012-0876_](<https://vulners.com/cve/CVE-2012-0876>)** \nDESCRIPTION:** Expat is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73868_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73868>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) \n\n**CVEID:** [_CVE-2012-1148_](<https://vulners.com/cve/CVE-2012-1148>)** \nDESCRIPTION:** Expat is vulnerable to a denial of service, caused by a memory leak in poolGrow when handling XML data. A remote attacker could exploit this vulnerability to cause the application using the vulnerable XML parsing library to crash. \nCVSS Base Score: 5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73867_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73867>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n**CVEID:** [_CVE-2016-4472_](<https://vulners.com/cve/CVE-2016-4472>)** \nDESCRIPTION:** Expat XML parser is vulnerable to a denial of service, caused by the removal by compilers with certain optimization settings. By using a specially-crafted XML data, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114683_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114683>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n \n \n**CVEID:** [_CVE-2016-0718_](<https://vulners.com/cve/CVE-2016-0718>)** \nDESCRIPTION:** Expat XML parser is vulnerable to a denial of service, caused by an out-of-bounds read within XML parser. By using a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113408_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113408>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [_CVE-2016-5387_](<https://vulners.com/cve/CVE-2016-5387>)** \nDESCRIPTION:** Apache HTTP Server could allow a remote attacker to redirect HTTP traffic of CGI application, caused by the lack of protection of untrusted client data in the HTTP_PROXY environment variable. By using a specially-crafted Proxy header in a HTTP request, a remote attacker could exploit this vulnerability to redirect outbound HTTP traffic to arbitrary proxy server, also known as the \"HTTPOXY\" vulnerability. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115090_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115090>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n \n**CVEID:** [_CVE-2016-0385_](<https://vulners.com/cve/CVE-2016-0385>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data. \nCVSS Base Score: 3.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112359_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112359>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nAll vulnerabilities affect the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0\n * Version 8.5 and 8.5.5 Full Profile and Liberty \n\n## Remediation/Fixes\n\nTo **patch an existing service instance** refer to the IBM WebSphere Application Server bulletins: \n[**Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)**](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n[**Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)**](<http://www.ibm.com/support/docview.wss?uid=swg21984796>) \n \n[**Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387)**](<http://www.ibm.com/support/docview.wss?uid=swg21988019>)** ** \n \n[**Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377) **](<http://www.ibm.com/support/docview.wss?uid=swg21980645>) \n \n[**Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)**](<http://www.ibm.com/support/docview.wss?uid=swg21982588>) \n \nWhen **creating a new service instance**, the following maintenance must be manually applied to an IBM WebSphere Application Server Version 9.0: \n[**Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)**](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n[**Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)**](<http://www.ibm.com/support/docview.wss?uid=swg21984796>) \n \n[**Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387)**](<http://www.ibm.com/support/docview.wss?uid=swg21988019>)** ** \n \n \nWhen **creating a new service instance**, the following maintenance must be manually applied to an IBM WebSphere Application Server Version 8.5.5 to 16.0.0.2 Liberty: \n[**Security Bulletin: Potential denial of service with SIP Services (CVE-2016-2960)**](<http://www.ibm.com/support/docview.wss?uid=swg21984796>) \n \n[](<http://www.ibm.com/support/docview.wss?uid=swg21982588>)[**Security Bulletin: Redirect HTTP traffic vulnerability may affect IBM HTTP Server (CVE-2016-5387)**](<http://www.ibm.com/support/docview.wss?uid=swg21988019>)** ** \n \n[**Security Bulletin: Bypass security restrictions in WebSphere Application Server (CVE-2016-0385)**](<http://www.ibm.com/support/docview.wss?uid=swg21982588>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:05", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-0876", "CVE-2012-1148", "CVE-2016-0377", "CVE-2016-0385", "CVE-2016-0718", "CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2960", "CVE-2016-4472", "CVE-2016-5387"], "modified": "2018-06-15T07:06:05", "id": "867D9ECEAB40B111EE25A99AD07419623F566D5212284F0A2C5C9E2D13C72DF2", "href": "https://www.ibm.com/support/pages/node/549243", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:19", "description": "## Summary\n\nMultiple vulnerabilities have been identified in Struts that is embedded in the IBM FSM. This bulletin addresses these vulnerabilities.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFlex System Manager 1.3.4.0 \nFlex System Manager 1.3.3.0 \nFlex System Manager 1.3.2.1 \nFlex System Manager 1.3.2.0\n\n## Remediation/Fixes\n\nIBM recommends updating the FSM using the instructions referenced in this table. \n \n**WARNING:** If an early version (fix downloaded before 4/19/2017) of the fix listed below was installed, the brand information on the FSM login screen will be displayed as \"IBM Systems Director\". This branding issue will not cause any functional FSM issues. The correct FSM branding can be restored by downloading the current version of the fix (Release Date of the fix listed in table is 4/26/2017 or later), reinstalling the current version of the fix and restarting the FSM. \n \n\n\nProduct | \n\nVRMF | \n\nRemediation \n---|---|--- \n \nFlex System Manager | \n\n1.3.4.0 | Install [fsmfix1.3.4.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.4.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFlex System Manager | \n\n1.3.3.0 | Install [fsmfix1.3.3.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.3.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFlex System Manager | \n\n1.3.2.1 \n1.3.2.0 | Install [fsmfix1.3.2.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811](<https://www.ibm.com/support/fixcentral/systemx/selectFixes?product=ibm%2Fsystemx%2F8731&fixids=fsmfix1.3.2.0_IT19321_IT19679_IT19695_IT19698_IT19709_IT19811&function=fixId&parent=Flex%20System%20Manager%20NodeFlex%20System%20Manager>) \n \nFor all VRMF not listed in this table, IBM recommends upgrading to a fixed and supported version/release of the product. \n \nFor a complete list of FSM security bulletins refer to this technote: [http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&amp;myns=purflex&amp;mync=E&amp;cm_sp=purflex-_-NULL-_-E](<http://www-01.ibm.com/support/docview.wss?uid=nas7797054ebc3d9857486258027006ce4a0&myns=purflex&mync=E&cm_sp=purflex-_-NULL-_-E>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-18T01:35:37", "type": "ibm", "title": "Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple Struts vulnerabilities (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-18T01:35:37", "id": "3C630E87CC8A98E980FC5838CF94096C676B99FA65014F79A0F1057053EEB9E0", "href": "https://www.ibm.com/support/pages/node/630955", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:10", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Integrated Information Core. Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<www.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server v7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T22:28:33", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Integrated Information Core (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T22:28:33", "id": "EA4BC9A6E1BC28B39AE0C360DA599139777EC05EDFDC5120E91AC3051300D3E7", "href": "https://www.ibm.com/support/pages/node/284009", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:27", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting eWAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:25:58", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:25:58", "id": "F9A935F07F0C2592550406829A333AA17FFA9DE5B312BF55A008E03FEAC4C43E", "href": "https://www.ibm.com/support/pages/node/284185", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:59", "description": "## Summary\n\nApache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. This vulnerability also affects other products. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Content Collector for Microsoft SharePoint v3.0 \nIBM Content Collector for Microsoft SharePoint v4.0 \nIBM Content Collector for Microsoft SharePoint v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for Microsoft SharePoint| 3.0| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Microsoft SharePoint| 4.0| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for Microsoft SharePoint| 4.0.1| Use IBM Content Collector for Microsoft SharePoint 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:48", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerability in IBM Content Collector for Microsoft SharePoint", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:48", "id": "D75C787D719F6B509B47AAA92C0EBBE969DDCD2CD7BAA1800C224FD759790609", "href": "https://www.ibm.com/support/pages/node/292421", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:30", "description": "## Summary\n\nApache Struts vulnerabilities affect FastBack for Workstations Central Administration Console.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFastBack for Workstations Central Administration Console v6.3 \n\n## Remediation/Fixes\n\nThe fix for FastBack for Workstations CAC 6.3 will be to apply the WAS interim fix pack PI64303 to the version of WAS included with the Tivoli Integrated Portal. \nIn order to obtain the PI64303 fix refer to the WAS security bulletin: \n<http://www-01.ibm.com/support/docview.wss?uid=swg21985995> \nClick on the link for v7.0.0.0 through v7.0.0.41 interim fix pack PI64303. Click the HTTPS download link for 7.0.0.33-WS-WAS-IFPI64303. \nThere will be a Readme.txt file and a 7.0.0.33-ws-was-ifpi64303.pak file. \n \nTo apply, do the following: \n1\\. If not already at the CAC 6.3.1.1 version upgrade to this version. \n2\\. Stop the Tivoli Service: Tivoli Intergrated Portal - V2.2_TIPProfile_Port_16310 \n3\\. Using the Update Installer application (update.exe) found in the Tivoli Intergrated Portal installation directory \n(default location: C:\\IBM\\Tivoli\\Tipv2_fbws\\WebSphereUpdateInstallerV7) apply the .pak file downloaded earlier \n4\\. Restart the Tivoli Service or reboot the machine \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T15:26:53", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affects FastBack for Workstations Central Administration Console (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:26:53", "id": "BE523D88E9070A2DC41C20554C070BC6A203CA40E3C999CC7B9D52C82AF77DEF", "href": "https://www.ibm.com/support/pages/node/547735", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:48:03", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Records Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\n \nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nIBM Records Manager 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \nIBM Records Manager 8.5.0.6| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \nIBM Records Manager 8.5.0.7| IBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Records Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:17", "id": "D9F3546932BD432766323A6E9A562D656E3EAC77AAB6EE3AAADFF6008E59BC30", "href": "https://www.ibm.com/support/pages/node/284115", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:03", "description": "## Summary\n\nApache Struts vulnerabilities affect WebSphere Application Server and WebSphere Application Server Hypervisor Edition Administration Console. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nThe following Versions of WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition may be affected: \n\n * Version 9.0\n * Version 8.5 and 8.5.5 Full Profile \n * Version 8.0 \n * Version 7.0 \n\n## Remediation/Fixes\n\n**For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition:** \n \n**For V9.0.0.0**\n\n * Apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038969>)\n\\-- OR \n * Apply Fix Pack 1 (9.0.0.1), or later.\n** \nFor V8.5.0.0 through 8.5.5.9:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038969>)\n\\-- OR \n * Apply Fix Pack 10 (8.5.5.10), or later.\n** \nFor V8.0.0.0 through 8.0.0.12:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24038969>)\n\\-- OR \n * Apply Fix Pack 13 (8.0.0.13), or later.\n** \nFor V7.0.0.0 through 7.0.0.41:**\n\n * Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI64303](<http://www-01.ibm.com/support/docview.wss?uid=swg24042468>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24041257>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039898>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24039403>)\n\\-- OR \n * Apply Fix Pack 43 (7.0.0.43), or later. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:55", "id": "CD1AEA82D347BCF45C817F297F91F17B63798AE3055B653759D8342B9405F1E0", "href": "https://www.ibm.com/support/pages/node/283179", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:34", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Workload Deployer. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerabilities in Apache Struts afftects IBM WebSphere Application Server _](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Workload Deployer 3.1.0.7| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:06:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts has been identified in IBM WebSphere Application Server shipped with IBM Workload Deployer (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:02", "id": "12780044E1A62D25F913723FBCBD5B926E91CC9AC8CA8FAA1DCE18D02D152689", "href": "https://www.ibm.com/support/pages/node/547901", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-24T06:00:52", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Intelligent Operations Center. Information about security vulnerabilities affecting IBM WebSphere Application Server have been identified and published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<www.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Products and Versions** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.6| IBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Operations for Water V1.0, V1.5, V1.6 \nIBM Intelligent Operations for Transportation V1.0, V1.5, V1.6 \nIBM Intelligent City Planning and Operations V1.5, V1.6 \nIBM Intelligent Operations Center V5.1| IBM Intelligent Operations Center for Emergency Management V5.1 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<www.ibm.com/support/docview.wss?uid=swg21985995>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Intelligent Operations Center and related products (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-08-19T21:04:31", "id": "F5D5AAF38F45575DCEBF7AD5E9B3D25AA8678ED2972A091BF0082B881BDC74A4", "href": "https://www.ibm.com/support/pages/node/284011", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T05:57:53", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nSmartCloud Control Desk 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nSmartCloud Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-09-22T03:02:31", "id": "23F8C1E67922626C0589CA86ED9B40D441D494E8B56CD8FF4A2EF76F18E6861F", "href": "https://www.ibm.com/support/pages/node/284963", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-24T06:09:02", "description": "## Summary\n\nStruts v2 vulnerabilities affet IBM Spectrum Control and Tivoli Storage Productivity Center. IBM Spectrum Control and Tivoli Storage Productivity Center have addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n\n## Affected Products and Versions\n\n \nIBM Spectrum Control 5.2.8 through 5.2.10.1 \nTivoli Storage Productivity Center 5.2.0 through 5.2.7.1 \nTivoli Storage Productivity Center 5.1.0 through 5.1.1.10 \n \nThe versions listed above apply to all licensed offerings of IBM Spectrum Control and Tivoli Storage Productivity Center, including IBM SmartCloud Virtual Storage Center Storage Analytics Engine.\n\n## Remediation/Fixes\n\n**Note:** It is always recommended to have a current backup before applying any update procedure. \n \nApply the IBM Spectrum Control or Tivoli Storage Productivity Center fix maintenance as soon as practicable. (See [_Latest Downloads_](<http://www.ibm.com/support/docview.wss?uid=swg21320822>).) \n\n\n**Affected Version**| **APAR**| **Fixed Version**| **Availability** \n---|---|---|--- \n5.2.x| IT16542 | 5.2.11| August 2016 \n5.1.1.x| IT16542| 5.1.1.12| October 2016 \n \n \n\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2022-02-22T19:50:07", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Spectrum Control (formerly Tivoli Storage Productivity Center) CVE-2016-1181, CVE-2016-1182", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2022-02-22T19:50:07", "id": "29036B6FEB00571E2FBC00E867150134E5DF9C08AD44F9670B7C8B0109F99570", "href": "https://www.ibm.com/support/pages/node/549139", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:47:40", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nAffected IBM WebSphere Application Server versions are listed in the security bulletin.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:26", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:26", "id": "A38279E551792BA29F1FA34034CD64E94266819C4862EDC7B206E7A748D269FD", "href": "https://www.ibm.com/support/pages/node/547525", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Security Key Lifecycle Manager (SKLM) v2.5 on distributed platforms | WebSphere Application Server v8.5.5 \n \nIBM Security Key Lifecycle Manager (SKLM) v2.6 on distributed platforms | WebSphere Application Server v8.5.5.7 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:44:41", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:44:41", "id": "9E3B1F6158EF5703EF54F7C3064A7EB99BF9523B8A6CCF05475346791179C879", "href": "https://www.ibm.com/support/pages/node/547477", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:52:18", "description": "## Summary\n\nStruts vulnerabilities affect ISD Server. ISD Server has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nFrom the IBM System Director command line enter smcli lsver to determine the level of IBM System Director installed. \n \nIBM Systems Director: \n\n\n * 6.1.0.0\n * 6.1.0.1\n * 6.1.0.2\n * 6.1.0.3\n * 6.1.1.1\n * 6.1.1.2\n * 6.1.1.3\n * 6.1.2.0\n * 6.1.2.1\n * 6.1.2.2\n * 6.1.2.3\n * 6.2.0.0\n * 6.2.0.1\n * 6.2.0.2\n * 6.2.1.0\n * 6.2.1.0\n * 6.2.1.1\n * 6.2.1.2\n * 6.3.0.0 \n * 6.3.1.0 \n * 6.3.1.1 \n * 6.3.2.0 \n * 6.3.2.1 \n * 6.3.2.2 \n * 6.3.3.0 \n * 6.3.3.1 \n * 6.3.5.0 \n * 6.3.6.0\n * 6.3.7.0\n\n## Remediation/Fixes\n\nIBM Systems Director version pre 6.3.5 are unsupported and will not be fixed. IBM recommends upgrading to a fixed, supported version of the product. \n\nFollow the instructions mentioned in Technote [811735241](<http://www-01.ibm.com/support/docview.wss?uid=nas74ca280436f7c28b1862580f1005aa33d>)[](<http://www-01.ibm.com/support/docview.wss?uid=nas72cf7b7fb4cdb924b862580a40000b3be>) to apply the fix for releases:\n\n * 6.3.5.0\n * 6.3.6.0\n * 6.3.7.0\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-18T01:35:34", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts affect IBM Systems Director (ISD) Server (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-18T01:35:34", "id": "1D6C51DC7D1DD9D1A9F07B9737CE12B7F8F933D3089EBCB68A0BBCF75680D250", "href": "https://www.ibm.com/support/pages/node/630929", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:01", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:05:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:57", "id": "4C800D760232A012AE25AED7F8AFCFF9E3EF3D9D48D3614E764CC6588F221519", "href": "https://www.ibm.com/support/pages/node/284105", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:51:14", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Security Policy Manager. Information about security vulnerabilities affecting IBM WebSphere Application Server have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nProduct Version\n\n| WebSphere version \n---|--- \nTivoli Security Policy Manager 7.1| WebSphere Application Server 7.0 \nWebSphere Application Server 8.0 \nTivoli Security Policy Manager 7.0| WebSphere Application Server 7.0 \n \n## Remediation/Fixes\n\nIBM Tivoli Security Policy Manager (TSPM) is affected through IBM WebSphere Application Server. If you are running TSPM with one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin ([Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:46:38", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:46:38", "id": "6F2C088BF5D78FB804760981ACFE38C9CC104BC5F9390812E5D324682512AD45", "href": "https://www.ibm.com/support/pages/node/552249", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:23", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Partner Gateway. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) \n\n| Product and Version shipped as a component \n---|--- \nWebSphere Partner Gateway Advanced/Enterprise Edition 6.2.1.4| WebSphere Application Server 7.0 \nWebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T20:02:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Partner Gateway Advanced/Enterprise Edition (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:02:09", "id": "AAE50909D8058934D5CCB989B4CEA17B72CABD2BC4CF08576581EC909FE087A7", "href": "https://www.ibm.com/support/pages/node/284941", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:39:08", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability affects only the server component.\n\n**Versions 7.1.x.x:**\n\nNot affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile, 8.0, 7.0| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CQ server host. No ClearQuest-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-04T16:40:40", "id": "A4FDFC527D8A765D6247DDB806EE98612DA0FE7BCB4E133A742D7FA9A06E39DC", "href": "https://www.ibm.com/support/pages/node/284305", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:45:02", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Security Guardium. IBM Security Guardium has addressed the following vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium **\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Guardium | 10.0 - 10.5 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium | 10.0 - 10.5 | \n\nhttp://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%20Security&amp;product=ibm/Information+Management/InfoSphere+Guardium&amp;release=10.0&amp;platform=All&amp;function=fixId&amp;fixids=SqlGuard_10.0p600_GPU_Nov-2018-V10.6&amp;includeSupersedes=0&amp;source=fc \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-12-13T20:35:01", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Guardium (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-12-13T20:35:01", "id": "F5BAF336C0FFA1A9715652B899383A9C6D730D8ADE9E07CAD68C90971C7F8249", "href": "https://www.ibm.com/support/pages/node/741659", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:51:13", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Security Identity Manager. IBM Security Identity Manager has addressed the applicable CVEs. \n \nThese issues were also addressed by IBM WebSphere Application Server, which is shipped with IBM Security Identity Manager. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n \nIBM Security Identity Manager version 6.0 \n\n\n## Remediation/Fixes\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Security Identity Manager version 6.0| Apply fixes from Identity Manager and WebSphere Application Server \n \nIBM Security Identity Manager (ISIM) [6.0.0-ISS-SIM-FP0015](<https://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FTivoli%2FTivoli+Identity+Manager&fixids=6.0.0-ISS-SIM-FP0015&source=SAR&function=fixId&parent=IBM%20Security>) \n \n \nIBM Websphere Application Server 7.0, 8.0, 8.5 and 8.5.5 - [Vulnerabilities in Apache Struts affects IBM WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:47:37", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Security Identity Manager ( CVE-2016-1181 CVE-2016-1182 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:47:37", "id": "C24D4FCC97FD95E90382A4216040099F16203ABF61AF30281EF1C2E136253A42", "href": "https://www.ibm.com/support/pages/node/555339", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:48:01", "description": "## Summary\n\nSecurity vulnerabilitiy exists in IBM FileNet Content Manager and IBM Content Foundation in Apache Struts.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L) \n\n\n## Affected Products and Versions\n\nFileNet Content Manager 5.2.0 \nIBM Content Foundation 5.2.0 \n \nNote: this vulnerability is **_not_** applicable to FileNet Content Manager 5.2.1 or IBM Content Foundation 5.2.1\n\n## Remediation/Fixes\n\nInstall one of the fixes listed below to resolve the Apache Struts security vulnerability. \n \n\n\n**Product**| **VRMF**| **APAR**| **Remediation/First Fix** \n---|---|---|--- \nFileNet Content Manager| 5.2.0| [PJ44282](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44282>)| [5.2.0.5-P8CPE-IF001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.0.5&platform=All&function=all>) \\- Available 9/20/2016 \nIBM Content Foundation| 5.2.0| [PJ44282](<http://www.ibm.com/support/docview.wss?uid=swg1PJ44282>)| [5.2.0.5-P8CPE-IF001](<https://www.ibm.com/support/fixcentral/swg/selectFixes?parent=FileNet+Product+Family&product=ibm/Information+Management/FileNet+Content+Engine&release=5.2.0.5&platform=All&function=all>) \\- Available 9/20/2016 \n \nIn the above table, the APAR links will provide more information about the fix. \nThe links in the Remediation column will take you to the location within IBM Fix Central where you can download the particular fix you need. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:24", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects FileNet Content Manager and IBM Content Foundation (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:24", "id": "691466DAEE06683E49687F1AD61B1DE274EE44CA9F6E86B9BF8D7D76D6346999", "href": "https://www.ibm.com/support/pages/node/285013", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-10-01T01:54:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: [CVE-2016-1181](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181>) \nDESCRIPTION: Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \nCVEID: [CVE-2016-1182](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1182>) \nDESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n \nIBM License Metric Tool 7.2.2 \nIBM Tivoli Asset Discovery for Distributed 7.2.2| WebSphere Application Server 7 \n \n \nWebSphere Application Server 6.1 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n| WebSphere Application Server 7.0 \n| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.2.2 \nIBM Tivoli Asset Discovery for Distributed 7.2.2| WebSphere Application Server 6.1| Please contact support for any potential fixes. \n \n## Workarounds and Mitigations\n\n**N/A**\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.2.2;7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool and IBM Tivoli Asset Discovery for Distributed (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2021-04-26T21:17:25", "id": "1815BD265DEB0EE550962E1526DA1FE75BACA3823A20A4BCDA8ED078F9EC9C8D", "href": "https://www.ibm.com/support/pages/node/550369", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:50", "description": "## Summary\n\nApache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Content Collector for File Systems v3.0 \nIBM Content Collector for File Systems v4.0 \nIBM Content Collector for File Systems v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nIBM Content Collector for File Systems| 3.0| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for File Systems| 4.0| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nIBM Content Collector for File Systems| 4.0.1| Use IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:47", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerabilities in IBM Content Collector for File Systems", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:47", "id": "286378C830B748E29DFAEAB7AC19693EE4565D1CAB6189EAA20A975B835DFAD6", "href": "https://www.ibm.com/support/pages/node/292427", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:44", "description": "## Summary\n\nIBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\n\\- FTM for CPS v2.1.1.0, v2.1.1.1, v2.1.1.2, v2.1.1.3\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nFTM for Corporate Payment Services| 2.1.1.0, \n2.1.1.1, \n2.1.1.2, \n2.1.1.3| PI66509| Apply [2.1.1-FTM-CPS-MP-fp0004](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=2.1.1-FTM-CPS-MP-fp0004&includeSupersedes=0&source=fc>) or later \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:03:06", "type": "ibm", "title": "Security Bulletin: IBM Financial Transaction Manager for Corporate Payment Services open source Apache Struts Vulnerabilities (CVE-2016-1181 CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:03:06", "id": "C9D56908C5941D51F8B700D0AEB133B65A72D4A5D3A7FAA2D989A477B71C954D", "href": "https://www.ibm.com/support/pages/node/548021", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:35", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21985995_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:25:57", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T15:25:57", "id": "65DC12D6E8E0D53E6ED0AF1F356647C749F500509AAE6E4435FC95F00517F01C", "href": "https://www.ibm.com/support/pages/node/284137", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:48:03", "description": "## Summary\n\n \nIBM WebSphere Application Server is shipped as a component of IBM Content Manager Records Enabler. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n\n## Vulnerability Details\n\n \nPlease consult the security bulletin [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \n \nIBM Content Manager Records Enabler 8.5, 8.5.0.1, 8.5.0.2, 8.5.0.3, 8.5.0.4, 8.5.0.5 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41 \n \nIBM Content Manager Records Enabler 8.5.0.6 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 \n \nIBM Content Manager Records Enabler 8.5.0.7 | \n\nIBM WebSphere Application Server V7.0.0.0 through 7.0.0.41, V8.0.0.0 through 8.0.0.12, V8.5.0.0 through 8.5.5.9 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:16:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Content Manager Records Enabler (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:16:17", "id": "FFF1402575E7BE1F32E231DF470BEDA94544D3C346FFE024F98E6A628264A23E", "href": "https://www.ibm.com/support/pages/node/284113", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:50:12", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Remediation/Fixes\n\nIBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway are affected through IBM WebSphere Application Server. If you use one of the affected versions of WebSphere, update your IBM WebSphere Application Server with the appropriate Interim Fix based on information in the WebSphere security bulletin, ([Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>).\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T21:49:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities have been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T21:49:00", "id": "E3BD856982B27C3FE93EC13A76D5806B5BB18B95DD328F70706B73BE68D790ED", "href": "https://www.ibm.com/support/pages/node/287829", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:54", "description": "## Summary\n\nStruts v2 vulnerabilities affect IBM Enterprise Records has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nIBM Enterprise Records v5.2.0 - 5.2.0.3\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation_ \n---|---|--- \nIBM Enterprise Records| 5.2.0 - 5.2.0.3| Use IBM Enterprise Records 5.2.0 Fix Pack 4 Interim Fix 2 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:55", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Struts v2 affect IBM Enterprise Records", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:55", "id": "C6D76168198B9EF24D77F1D04BA06E30D33B0C7D71C8457114E69E1A43BB68AD", "href": "https://www.ibm.com/support/pages/node/294473", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:36", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5, 9.0| [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:00", "id": "3CFF13ADA1D4912594BB3AC9D0D9ACB17881A208B1AD8998A1E8BD64DD6C5268", "href": "https://www.ibm.com/support/pages/node/547521", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:34", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin [_Vulnerabilities in Apache Struts afftects IBM WebSphere Application Server _](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes. \n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.0, 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {}, "published": "2018-06-15T07:06:02", "type": "ibm", "title": "Security Bulletin: Vulnerabilities in Apache Struts has been identified in IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:02", "id": "C9594147E388237928595F1CF759F8EC355015BE6AC29A030A2FA3207D9B6DE4", "href": "https://www.ibm.com/support/pages/node/547903", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:38:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Predictive Customer Intelligence. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPredictive Customer Intelligence 1.0| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.0.1| WebSphere Application Server 8.5.5 ND \nPredictive Customer Intelligence 1.1| WebSphere Application Server 8.5.5.6 ND \nPredictive Customer Intelligence 1.1.1| WebSphere Application Server 8.5.5.6 ND \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| WebSphere Application Server 8.5.5| [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \nPredictive Customer Intelligence 1.1 and 1.1.1| WebSphere Application Server 8.5.5.6| [_Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-02-11T21:31:00", "id": "C270008C47088F4AB45570D101436BB116E08F304CC36AF51E0823C68AFCAAE8", "href": "https://www.ibm.com/support/pages/node/284795", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:22", "description": "## Summary\n\nWebSphere Application Server is/are shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server have been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is/are shipped with Financial Transaction Manager. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nFinancial Transaction Manager for MP v2.0| WebSphere Application Server 7.0| [_Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) \nFinancial Transaction Manager for MP v2.1| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0| WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:02:01", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-16T20:02:01", "id": "F2A538AF2ED1CAABCF5F0891DB02363ECADA659FE7F2989D3CCD7668E4585622", "href": "https://www.ibm.com/support/pages/node/284149", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:41:39", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability affects only the CCRC WAN server component. \n**Versions 7.1.x.x:**\n\n \nNot affected.\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile, 8.0, 7.0| [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www.ibm.com/support/docview.wss?uid=swg21985995>) \n \n**ClearCase Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearCase (CVE-2016-1181, CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-10T08:34:12", "id": "2DD38E427DB50FDA5C4D07F52BDC62BA35206BA44BC185595E39ACAE88DD41C5", "href": "https://www.ibm.com/support/pages/node/284237", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:09", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Business Monitor. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \n\nIBM Business Monitor V8.0.1.3\n\nIBM Business Monitor V7.5.1.2\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:59", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:05:59", "id": "9CC98367A213309185EDA7DC75FCDBBA5D5754142F33E0C8ED1B454D10CF416E", "href": "https://www.ibm.com/support/pages/node/284535", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:48", "description": "## Summary\n\nApache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. This vulnerability also affects other products. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n## Affected Products and Versions\n\nContent Collector for IBM Connections v3.0 \nContent Collector for IBM Connections v4.0 \nContent Collector for IBM Connections v4.0.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRM**| **Remediation** \n---|---|--- \nContent Collector for IBM Connections| 3.0| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nContent Collector for IBM Connections| 4.0| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \nContent Collector for IBM Connections| 4.0.1| Use Content Collector for IBM Connections 4.0.1.5 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.5-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>) \n \nFollow the steps in the readme file in the 4.0.1.5 interim fix 001 to install the interim fix applicable to your version. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T12:17:48", "type": "ibm", "title": "Security Bulletin: OpenSource Apache Struts vulnerability in Content Collector for IBM Connections", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T12:17:48", "id": "6AB5B24B612744A794E7F28CC88F04C811F4BB9710FE31917EFCB65EDDDF7C9A", "href": "https://www.ibm.com/support/pages/node/292413", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:50:11", "description": "## Summary\n\nThere are multiple security vulnerabilities in various components fixed in the IBM Security Privileged Identity Manager Virtual Appliance\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-5958](<https://vulners.com/cve/CVE-2016-5958>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116135> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2016-5966](<https://vulners.com/cve/CVE-2016-5966>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager Virtual Appliance could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict Transport Security. An attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116177> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2016-5988](<https://vulners.com/cve/CVE-2016-5988>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager Virtual Appliance could disclose sensitive information in generated error messages that would be available to an authenticated user. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116558> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-5990](<https://vulners.com/cve/CVE-2016-5990>)** \nDESCRIPTION:** IBM Security Privileged Identity Manager Virtual Appliance allows an authenicated user to upload malicious files that would be automatically executed by the server. \nCVSS Base Score: 6.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116561> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L) \n \n**CVEID:** [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-3092](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114336> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n \n**CVEID:** [CVE-2016-5597](<https://vulners.com/cve/CVE-2016-5597>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component could allow a remote attacker to obtain sensitive information resulting in a high confidentiality impact using unknown attack vectors. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/118071> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nIBM Security Privileged Identity Manager 2.0.2 and 2.1\n\n## Remediation/Fixes\n\nProduct\n\n| Remediation/First Fix \n---|--- \nISPIM 2.0.2| [2.0.2 ISPIM Interim Fix 9](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Privileged+Identity+Manager&release=2.0.2&platform=Linux&function=fixId&fixids=2.0.2-ISS-ISPIM-VA-IF0009&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nISPIM 2.1| Available via Passport Advantage \n_Passport Advantage is a secure Web site that requires an account ID and password. It makes all of the component and platform images associated with a product available for download._ \n \n_You can locate images on the Passport Advantage Online Web site by using the part number as the search query. For example, to locate the IBM Security Privileged Identity Manager version 2.1 use CNFX7ML as the search query _\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2018-06-16T21:49:17", "type": "ibm", "title": "Security Bulletin: Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-3092", "CVE-2016-5597", "CVE-2016-5958", "CVE-2016-5966", "CVE-2016-5983", "CVE-2016-5986", "CVE-2016-5988", "CVE-2016-5990"], "modified": "2018-06-16T21:49:17", "id": "B4ACC50FB3EFBFCDCC381ED7E344E2F40C781747A414909444C31FECCA264613", "href": "https://www.ibm.com/support/pages/node/288687", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:39:20", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple vulnerabilities have been addressed.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n** ** \n**CVEID:** [_CVE-2016-2923_](<https://vulners.com/cve/CVE-2016-2923>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty using JAX-RS API could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113354_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113354>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [_CVE-2016-3092_](<https://vulners.com/cve/CVE-2016-3092>)** \nDESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114336_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114336>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nIBM Control Center 6.1.0.0 through 6.1.0.1 iFix01 \nIBM Control Center 6.0.0.0 through 6.0.0.1 iFix07 \nIBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix09\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **Fix**| **How to acquire fix** \n---|---|---|--- \nIBM Control Center| 6.1.0.1| iFix02| [_Fix Central - 6.1.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.1.0.1&platform=All&function=all>) \nIBM Control Center| 6.0.0.1| iFix08| [_Fix Central - 6.0.0.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=6.0.0.1&platform=All&function=all>) \nSterling Control Center| 5.4.2.1| iFix10| [_Fix Central - 5.4.2.1_](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/Sterling+Control+Center&release=5.4.2.1&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 3.6}, "published": "2019-12-17T22:47:42", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center \n(CVE-2016-5983, CVE-2016-2923, CVE-2016-3092)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-2923", "CVE-2016-3092", "CVE-2016-5983"], "modified": "2019-12-17T22:47:42", "id": "E8EEB32757FCFDA746B60EBA71D8922DF48CC00375BF0160ABE189EB75238BD7", "href": "https://www.ibm.com/support/pages/node/287363", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:46:19", "description": "## Summary\n\nThe following security issues have been identified in WebSphere Application Server included as part of IBM Tivoli Monitoring (ITM) portal server. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-5983](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116468> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>) \n**DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n**CVEID:** [CVE-2016-0306](<https://vulners.com/cve/CVE-2016-0306>)** \nDESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/111423> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 - Tivoli Enterprise Portal Server (TEPS) all CVEs above. \n \nIBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 - Tivoli Enterprise Portal Server (TEPS) all CVE's above except CVE-2016-0306.\n\n## Remediation/Fixes\n\n**Portal Server-****embedded WebSphere Application Server** \n \n\n\n**_Fix_**| **_VMRF_**| **_Remediation/First Fix_** \n---|---|--- \n6.X.X-TIV-ITM_EWAS_ALL_8.00.12.02| 6.3.0| <http://www.ibm.com/support/docview.wss?uid=swg24043156> \nContains a patch for the embedded WebSphere Application Server (eWAS) 8.0 Fix Pack 12 plus Interim Fix Block 2. \neWAS-7.00.00.41.02| 6.2.3| <http://www.ibm.com/support/docview.wss?uid=swg21633722> \nContains information about installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.2.3. The link gives instructions to install** **eWAS 7.0 Fix Pack 41 (7.0.0.41) and Interim Fix block 2 (or later). \n \nYou should verify applying this fix does not cause any compatibility issues. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:32:10", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0306", "CVE-2016-5983", "CVE-2016-5986"], "modified": "2018-06-17T15:32:10", "id": "04C68A4154F53DB70F6CF2A187509A3F1147E665A6C89FADCEBAB6E7F5E3009D", "href": "https://www.ibm.com/support/pages/node/287357", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:27", "description": "## Summary\n\nMultiple security vulnerabilities have been reported for Apache Struts that is used by IBM Business Process Manager and WebSphere Lombardi Edition.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-1181](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113852> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [CVE-2016-1182](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113853> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n \n**CVEID:** [CVE-2015-0899](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) \n\n## Affected Products and Versions\n\n * * WebSphere Lombardi Edition V7.2.0.0 - V7.2.0.5\n * IBM Business Process Manager all editions V7.5.0.0 - V7.5.1.2\n * IBM Business Process Manager all editions V8.0.0.0 - V8.0.1.3\n * IBM Business Process Manager all editions V8.5.0.0 - V8.5.7.0 prior to cumulative fix 2016.09\n\n## Remediation/Fixes\n\nInstall IBM Business Process Manager interim fix JR56285 as appropriate for your current IBM Business Process Manager or WebSphere Lombardi Edition version. \n\n\n * [_IBM Business Process Manager Advanced_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Advanced&release=All&platform=All&function=aparId&apars=JR56285>)\n * [IBM Business Process Manager Standard](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Standard&release=All&platform=All&function=aparId&apars=JR56285>)\n * [IBM Business Process Manager Express](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/IBM+Business+Process+Manager+Express&release=All&platform=All&function=aparId&apars=JR56285>)\n \nAs WebSphere Lombardi Edition and IBM Business Process Manager V7.5 are out of general support, customers with a support extension contract can contact IBM support to request the fix for download. \n \nIBM Business Process Manager and WebSphere Lombardi Edition build upon IBM WebSphere Application Server that also uses Apache Struts. Refer to the [Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) for details on fixes for WebSphere Application Server. \nIBM Business Process Manager V8.5.7.0 cumulative fix 2016.09 includes IBM WebSphere Application Server V8.5.5.10, thus does not require additional fixes for this vulnerability. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:06:16", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities in Apache Struts might affect IBM Business Process Manager and WebSphere Lombardi Edition (CVE-2016-1181, CVE-2016-1182, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-15T07:06:16", "id": "107B029DD56A2199A3A87E51461350D452A0422C3E3D25CE9E1B91F71C36131B", "href": "https://www.ibm.com/support/pages/node/552311", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:33", "description": "## Summary\n\nIBM C\u00faram Social Program Management uses the Apache Struts Library. Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator; or Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance; or Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \n_CVSS Base Score: 4.8 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/113853__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L_) \n \n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \n_CVSS Base Score: 8.1 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/113852__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H_) \n \n**CVEID:** [_CVE-2015-0899_](<https://vulners.com/cve/CVE-2015-0899>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products. \n_CVSS Base Score: 4.3 \nCVSS Temporal Score: See _[__https://exchange.xforce.ibmcloud.com/vulnerabilities/101770__](<https://exchange.xforce.ibmcloud.com/vulnerabilities/101770>)_ for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)_\n\n## Affected Products and Versions\n\nIBM C\u00faram Social Program Management 7.0.0.0 - 7.0.1.0 \nIBM C\u00faram Social Program Management 6.2.0.0 - 6.2.0.5 \nIBM C\u00faram Social Program Management 6.1.0.0 - 6.1.1.5 \nIBM C\u00faram Social Program Management 6.0.5.0 - 6.0.5.10\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| _Remediation/First Fix_ \n---|---|--- \nIBM C\u00faram Social Program Management| 7.0| Visit IBM Fix Central and upgrade to [_7.0.1.1_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=7.0.1.0&platform=All&function=all>) or a subsequent 7.0.1 release \nIBM C\u00faram Social Program Management| 6.2| Visit IBM Fix Central and upgrade to [_6.2.0.6_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.2.0.0&platform=All&function=all>) or a subsequent 6.2.0 release \nIBM C\u00faram Social Program Management| 6.1| Visit IBM Fix Central and upgrade to [_6.1.1.6_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.1.1.0&platform=All&function=all>) or a subsequent 6.1.1 release \nIBM C\u00faram Social Program Management| 6.0.5| Visit IBM Fix Central and upgrade to [_6.0.5.10 iFix2_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Smarter%20Cities&product=ibm/Other+software/Curam+Social+Program+Management&release=6.0.5.10&platform=All&function=all>) or a subsequent 6.0.5 release \n \n## Workarounds and Mitigations\n\nFor information on all other versions please contact C\u00faram Customer Support.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-17T13:09:41", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM C\u00faram Social Program Management (CVE-2016-1182, CVE-2016-1181, CVE-2015-0899)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-06-17T13:09:41", "id": "B4BA991763253D738BCAA9AB61AE50E1AA4C20D6F3366D5551C3051C29FEADB2", "href": "https://www.ibm.com/support/pages/node/296843", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:59", "description": "## Summary\n\nThere is an information disclosure vulnerability in IBM WebSphere Application Server Liberty for any users of the JAX-RS API. Apache Struts vulnerabilities affect WebSphere Application Server Administration Console. \n\n## Vulnerability Details\n\nPlease consult the security bulletins for vulnerability details and information about fixes: \n\n\n * [**Security Bulletin: Information disclosure in WebSphere Application Server Liberty (CVE-2016-2923)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21983700>)\n * * [**Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>)\n[](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995#com.dblue.docview.dwAnswers.textfield.addQuestion>)\n\n## Affected Products and Versions\n\nThese vulnerabilities affect the following versions and releases of IBM WebSphere Application Server that IBM WebSphere Application Server Patterns supports \n\n * Version 8.0\n * Version 8.5.5 Full Profile and Liberty\n * Version 9.0\n\n## Remediation/Fixes\n\nTo patch an existing PureApplication Virtual System Instance, apply the patch using the PureApplication Maintainence fix process. \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-15T07:05:58", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Applciation Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182", "CVE-2016-2923"], "modified": "2018-06-15T07:05:58", "id": "6858032AD0022691AF88FEDCEF29BB4CEA50172EAD995CAB6463B91C16637C1C", "href": "https://www.ibm.com/support/pages/node/284161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:23", "description": "## Summary\n\nThere is an Information Disclosure Vulnerability in IBM WebSphere Application Server Liberty used by IBM MessageSight\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM MessageSight 1.1 \u2013 2.0\n\n## Remediation/Fixes\n\n_Product_\n\n| \n_VRMF_| \n_APAR_| \n_Remediation/First Fix_ \n---|---|---|--- \n_IBM MessageSight_| _1.1_| _IT18037_| [**_1.1.0.1-IBM-IMA-IFIT18037_**](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EOther%2Bsoftware&product=ibm/Other+software/MessageSight&release=All&platform=All&function=fixId&fixids=1.1.0.1-IBM-IMA-IFIT18037&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc>) \n \n_IBM MessageSight_| \n_1.2_| _IT18037_| [**_1.2.0.3-IBM-IMA-IFIT18037_**](<http://www.ibm.com/support/docview.wss?uid=swg21994569>) \n_IBM MessageSight_| _2.0_| _IT18037_| [**_2.0.0.1-IBM-IMA-IFIT18037_**](<http://www.ibm.com/support/docview.wss?uid=swg21994568>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T15:31:46", "type": "ibm", "title": "Security Bulletin: Information Disclosure in IBM MessageSight (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-17T15:31:46", "id": "70472019A55AC76C93332FCBAC3EA57D29A90BBAD49B238AC6B93852D83FB05E", "href": "https://www.ibm.com/support/pages/node/286681", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:46:11", "description": "## Summary\n\nIBM WebSphere Application Server Liberty is shipped as a component of IBM Tivoli Netcool Impact. There is an Information Disclosure Vulnerability in IBM WebSphere Application Server Liberty. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n\nPlease consult the [Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)](<http://www.ibm.com/support/docview.wss?uid=swg21981529>) also.\n\n## Affected Products and Versions\n\n \nIBM Tivoli Netcool Impact 7.1\n\n## Remediation/Fixes\n\n \n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nIBM Tivoli Netcool Impact | _7.1.0.8_| _None_| [IBM Tivoli Netcool Impact 7.1.0 FP08](<http://www.ibm.com/support/docview.wss?uid=swg24042885>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T15:32:55", "type": "ibm", "title": "Security Bulletin: IBM Tivoli Netcool Impact affected by Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-17T15:32:55", "id": "6E7A3C64E37B87C4037809B239C42618DCAC7FE4717376C883D27E1F986FD68A", "href": "https://www.ibm.com/support/pages/node/288541", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:52:39", "description": "## Summary\n\nIBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \n\n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>) \nDESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240?cm_mc_uid=52774617790314815526535&cm_mc_sid_50200000=1481639919>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAlgo One Core 5.0.0 \n\n## Remediation/Fixes\n\nPatch Number\n\n| Download URL \n---|--- \nAlgo One Core 510-153| [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&amp;product=ibm/Information+Management/Algo+One&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=5.1.0.0-Algo-One-AlgoCore-if0153:0&amp;includeSupersedes=0&amp;source=fc&amp;login=true](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.1.0.0-Algo-One-AlgoCore-if0153:0&includeSupersedes=0&source=fc&login=true>) \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T22:47:46", "type": "ibm", "title": "Security Bulletin: Vulnerability in Stack trace may be thrown if no default error page was set up and exception occurred IBM Algorithmics AlgoCore", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-15T22:47:46", "id": "DD688D91FA0AAA1059ED8DE6DB189452283A58A45A0366C2E9ACA779B91EAF49", "href": "https://www.ibm.com/support/pages/node/287625", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:49:20", "description": "## Summary\n\nMultiple security vulnerabilities have been fixed in IBM Security Identity Manager.\n\n## Vulnerability Details\n\n \n**CVEID:** [CVE-2016-5986](<https://vulners.com/cve/CVE-2016-5986>)** \nDESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/116556> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n \n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n \n**CVEID:** [CVE-2017-1194](<https://vulners.com/cve/CVE-2017-1194>)** \nDESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/123669> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) \n \n**CVEID:** [CVE-2017-1405](<https://vulners.com/cve/CVE-2017-1405>)** \nDESCRIPTION:** IBM Security Identity Manager Virtual Appliance processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code. \nCVSS Base Score: 4.4 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/127392> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N) \n \n**CVEID:** [CVE-2018-1453](<https://vulners.com/cve/CVE-2018-1453>)** \nDESCRIPTION:** IBM Security Identity Manager Virtual Appliance allows an authenticated attacker to upload or transfer files of dangerous types that can be automatically processed within the environment. \nCVSS Base Score: 8.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140055> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) \n \n \n\n\n## Affected Products and Versions\n\n \nIBM Security Identity Manager 7.0 and 7.0.1\n\n## Remediation/Fixes\n\n \n\n\n**Product Version**| **WebSphere version** \n---|--- \nISIM 7.0| Contact support \nISIM 7.0.1| [7.0.1-ISS-SIM-FP0009 ](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/Tivoli+Identity+Manager&release=7.0.1&platform=All&function=fixId&fixids=7.0.1-ISS-SIM-FP0009&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-16T22:05:39", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities have been fixed in IBM Security Identity Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378", "CVE-2016-5986", "CVE-2017-1194", "CVE-2017-1405", "CVE-2018-1453"], "modified": "2018-06-16T22:05:39", "id": "F4C7AEAFB7E21EAB08B7FEC3E23EA02DD8B1C69791CB079F71E17ACBBBA26E72", "href": "https://www.ibm.com/support/pages/node/304563", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:45:21", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21990060_](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:29:26", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:29:26", "id": "237BBBA9548654864D2FE412BB3C8101EFD132E51D2D0A5101F8435F2DA56C43", "href": "https://www.ibm.com/support/pages/node/553867", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:55", "description": "## Summary\n\nA code execution vulnerability has been discovered in IBM Cognos Business Intelligence installed by IBM Tivoli Common Reporting (TCR). TCR is included in IBM Jazz for Service Management (JazzSM). IBM has addressed the applicable CVE.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-5983_](<https://vulners.com/cve/CVE-2016-5983>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/116468_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/116468>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nTivoli Common Reporting 3.1 \n\nTivoli Common Reporting 3.1.0.1\n\nTivoli Common Reporting 3.1.0.2\n\nTivoli Common Reporting 3.1.2\n\nTivoli Common Reporting 3.1.2.1\n\nTivoli Common Reporting 3.1.3\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix for versions listed as soon as practical. \n \n \n\n\n**Tivoli Common reporting release**| **Remediation ** \n---|--- \n3.1.0.0 through 3.1.2| [Download 10.2-BA-CBI-&lt;OS&gt;64-IF0022](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n[Install 10.2-BA-CBI-&lt;OS&gt;64-IF0022](<http://www-01.ibm.com/support/docview.wss?uid=swg21967299>) \n3.1.2.1| [Download 10.2.1.1-BA-CBI-&lt;OS&gt;64-IF0018](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n[Install 10.2.1.1-BA-CBI-&lt;OS&gt;64-IF0018](<http://www-01.ibm.com/support/docview.wss?uid=swg21967299>) \n3.1.3| [Download 10.2.2-BA-CBI-&lt;OS&gt;64-IF0014](<http://www-01.ibm.com/support/docview.wss?uid=swg24043288>) \n[Install 10.2.2-BA-CBI-&lt;OS&gt;64-IF0014](<https://www.ibm.com/support/knowledgecenter/SSEKCU_1.1.3.0/com.ibm.psc.doc/tcr_original/ttcr_cognos_out_tcr.html>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:37:48", "type": "ibm", "title": "Security Bulletin: IBM Jazz for Service Management (Jazz SM) is affected by a code execution vulnerability in IBM Tivoli Common Reporting (TCR) (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:37:48", "id": "7D9A5F2991077AA9574FC57673D25FBF554D22D590E6151ED3F7D8BBBA3D434A", "href": "https://www.ibm.com/support/pages/node/294785", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:46:31", "description": "## Summary\n\nIBM Tivoli Storage Manager FastBack Reporting requires the dependent product IBM WebSphere Application Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)._](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Storage Manager Fastback 6.1.0 through 6.1.12.1| IBM WebSphere Application Server 8.5.0.1 Full Profile \nIBM Tivoli Storage Manager Fastback 6.1.12.2 through 6.1.12.4| IBM WebSphere Application Server 8.5.5.4 Full Profile \nNote : WAS needs 8.5.5.8 as the minimal level for fixing the vulnerability, Please upgrade to WAS 8.5.5.8 to apply the fix. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:31:32", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server affecting IBM Tivoli Storage Manager FastBack Reporting (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T15:31:32", "id": "B480569E9EAAF60928F07D6B15EF8300E13C83515E1DC170316E4A43855FB862", "href": "https://www.ibm.com/support/pages/node/286181", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:56:25", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nConsult the security bulletin: [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nIBM Business Monitor V8.5.5, V8.5.6 and V8.5.7 \nIBM Business Monitor V8.0.1.3 \nIBM Business Monitor V7.5.1.2 \n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:17", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-15T07:06:17", "id": "95D35E61A150C874B7D72B4FC3E221BBD460380DC67B596F8578BB0BE5B6DD01", "href": "https://www.ibm.com/support/pages/node/552823", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:48:39", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Rational Asset Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\n**Version **\n\n| **Status** \n---|--- \nIBM Rational Asset Manager \nV7.5.2, V7.5.1, V7.5| Affected \n \n## Remediation/Fixes\n\nPlease consult the security bulletin [Security Bulletin: Code execution vulnerability in WebSphere Application Server (CVE-2016-5983)](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) for vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 7.5, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T05:16:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational Asset Manager (CVE-2016-5983)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5983"], "modified": "2018-06-17T05:16:22", "id": "213CEE268FCEE3A0445A4848726479C5F86515B98D1F34B418FA107E77219997", "href": "https://www.ibm.com/support/pages/node/552737", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:52:39", "description": "## Summary\n\nIBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. Liberty is bundled/embedded with Algo One ARA in Algo One versions 5.0 and 5.1. IBM Algo One Algo Risk Application has addressed the applicable CVEs.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM Algo One ARA Versions 5.0, 5.1\n\n## Remediation/Fixes\n\n**Product**\n\n| **Version**| **Remediation/First Fix ** \n---|---|--- \nAlgo One ARA| 5.0.0 - iFix 500-344| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&amp;product=ibm/Information+Management/Algo+One&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=5.0.0.5006-17-Algo-One-ARA-if0344:0&amp;includeSupersedes=0&amp;source=fc&amp;login=true_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.0.0.5006-17-Algo-One-ARA-if0344:0&includeSupersedes=0&source=fc&login=true>) \nAlgo One ARA| 5.1.0 - iFix 510-138| [_http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&amp;product=ibm/Information+Management/Algo+One&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=5.1.0.1-3-Algo-One-ARA-if0138:0&amp;includeSupersedes=0&amp;source=fc&amp;login=true_](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+One&release=All&platform=All&function=fixId&fixids=5.1.0.1-3-Algo-One-ARA-if0138:0&includeSupersedes=0&source=fc&login=true>) \n \n## Workarounds and Mitigations\n\nNONE\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T22:48:14", "type": "ibm", "title": "Security Bulletin: Vulnerabilites in IBM Algorithmics Algo One Algo Risk Application (ARA) Stack trace may be thrown if no default error page was set up and exception occurred", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-15T22:48:14", "id": "5974D2AEC0C77B8ED87F1B975C9A98C554188897BEB5FCA57ADF4D71016AA380", "href": "https://www.ibm.com/support/pages/node/290183", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-13T01:33:44", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| \n\n**WebSphere Version** \n \n---|--- \n \nTSPM 7.1\n\n| \n\nWAS v7.0 \n \nRTSS 7.1\n\n| \n\nWAS v7.0, v8.0 \n \n**Note: **TSPM is comprised of TSPM and Runtime Security Services (RTSS)\n\n## ", "cvss3": {}, "published": "2018-07-23T06:08:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182, CVE-2012-1007)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-23T06:08:09", "id": "A49F8E92510CDD96D8127764BC310529CF44A60596DB14352FF329575652A707", "href": "https://www.ibm.com/support/pages/node/717511", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-03T17:44:29", "description": "## Summary\n\nWebSphere Liberty Profile is shipped as a component of IBM License Metric Tool v9 and IBM BigFix Inventory v9. \nInformation about a security vulnerability affecting WebSphere Liberty Profile has been published in a security bulletin.\n\n## Vulnerability Details\n\nCVEID: [CVE-2016-3485](<https://vulners.com/cve/CVE-2016-3485>) \nDESCRIPTION: An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/115273> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM License Metric Tool 9 \nIBM BigFix Inventory 9| WebSphere Liberty Profile 8.5.5 \n \n## Remediation/Fixes\n\nUpgrade to version 9.2.5 or later: \n\n * In IBM Endpoint Manager console, expand **IBM License Reporting** or **IBM BigFix Inventory** node under **Sites** node in the tree panel. \n * Click **Fixlets and Tasks** node. **Fixlets and Tasks** panel will be displayed on the right. \n * In the **Fixlets and Tasks** panel locate _Upgrade to the newest version of License Metric Tool 9.x_ or _Upgrade to the newest version of IBM BigFix Inventory 9.x_ fixlet and run it against the computer that hosts your IBM License Metric Tool or IBM BigFix Inventory server.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-08-19T23:26:06", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2022-08-19T23:26:06", "id": "4A79091D287A34BA15193EFEEBEE7A6FA4A057FC165C69F6432AF6A12275881A", "href": "https://www.ibm.com/support/pages/node/551777", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:56:32", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Version 8 and earlier releases that is used by IBM MQ Light. \n \nThis issue was disclosed as part of the IBM Java SDK updates in July 2016. \n \nIBM MQ Light 1.0.6 has addressed the applicable CVE.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nThe vulnerability affects users of IBM MQ Light 1.0, 1.0.0.1, 1.0.0.2, 1.0.2, 1.0.3 on all platforms\n\n## Remediation/Fixes\n\nThis issue has been addressed by IBM MQ Light 1.0.6 \n \nDownload and install the latest MQ Light Server appropriate for your platform: [_https://developer.ibm.com/messaging/mq-light/_](<https://developer.ibm.com/messaging/mq-light/>). \n \nThe following link describes how to re-use the data from your existing installation: \n[_http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm _](<http://www.ibm.com/support/knowledgecenter/SSBJCR_1.0.0/com.ibm.mq.koa.doc/tmql_data.htm>). \n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T07:06:04", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM MQ Light (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-15T07:06:04", "id": "142ED7ABF5F6D2324D9B1EBA713398CF0E3454303A4FD693F65CCEFC77C08760", "href": "https://www.ibm.com/support/pages/node/548835", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:46:18", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae Runtime Environment Java\u2122 Technology Edition that is used by IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect\u2122 for Virtual Environments). These issues were disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nThe following levels of IBM Tivoli Storage Manger for Virtual Environments: Data Protection for VMware (IBM Spectrum Protect for Virtual Environments) are affected on the Windows platform: \n\n * 7.1.0.0 through 7.1.6.3\n * 6.4.0.0 through 6.4.3.4\n * 6.3.0.0 through 6.3.2.7\n\n## Remediation/Fixes\n\n**_Tivoli Storage Manager for VE: Data Protection for VMware Release_**\n\n| **_First Fixing VRMF Level_**| **_Client_** \n**_Platform_**| **_Link to Fix / Fix Availability Target_** \n---|---|---|--- \n7.1| 7.1.6.4| Windows| [**http://www.ibm.com/support/docview.wss?uid=swg24042520**](<http://www-01.ibm.com/support/docview.wss?uid=swg24042520>)** ** \n6.4| 6.4.3.5| Windows| [**http://www.ibm.com/support/docview.wss?uid=swg24041370**](<http://www.ibm.com/support/docview.wss?uid=swg24041370>) \n6.3| 6.3.2.8| Windows| [**http://www.ibm.com/support/docview.wss?uid=swg24037601**](<http://www.ibm.com/support/docview.wss?uid=swg24037601>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T15:32:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilites in IBM Java Runtime affect IBM Tivoli Storage Manager for Virtual Environments: Data Protection for VMware on Windows (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T15:32:38", "id": "5019479659D0077F96B144E8D40CE6E5ED7D6877091F61AF30306198EED03644", "href": "https://www.ibm.com/support/pages/node/287515", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:48:41", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and Version 8. These issues were disclosed as part of the IBM Java SDK updates in July 2016. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nRational Performance Tester versions 8.3, 8.5, 8.6, 8.7 and 9.0.\n\n## Remediation/Fixes\n\nUpgrading to version 9.0.1 is strongly recommended. \n \n\n\n**_Product_**| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRPT Workbench| 9.0| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc>) \nRPT Agent| 9.0| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRPT| 8.7 - 8.7.x| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRPT| 8.6 - 8.6.x| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRPT| 8.5 - 8.5.x| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRPT| 8.3 -8.3.x| None| Download[ ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=9.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T05:16:38", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect Rational Performance Tester (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T05:16:38", "id": "B3A30BFE1DDB23AB963424D18F7BD02A5D835B3CE088D631F825F5F3631E10F3", "href": "https://www.ibm.com/support/pages/node/553831", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:51:57", "description": "## Summary\n\nA vulnerability in IBM\u00ae Runtime Environment Java\u2122 Version 6.0, 7.0, 7.1, and 8.0 that is used by IBM SPSS Statistics. This issue was disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM SPSS Statistics 21.0.0.2 \n\nIBM SPSS Statistics 22.0.0.2\n\nIBM SPSS Statistics 23.0.0.3\n\nIBM SPSS Statistics 24.0.0.1\n\n## Remediation/Fixes\n\nProduct\n\n| VRMF| APAR| Remediation/First Fix \n---|---|---|--- \nIBM SPSS Statistics| 21.0.0.2| [_PI73706_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI73706>)| Install 21.0.0.2-IF011 \u2013 [_aix64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-AIX-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_linux32_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-Linux8632-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_linux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-Linux8664-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_solaris64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-Solaris-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win32_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-WIN32-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-WIN64-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_zlinux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=21.0.0.2&platform=All&function=fixId&fixids=21.0-IM-S21STAT-zLinux-FP002-IF011&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM SPSS Statistics| 22.0.0.2| [_PI73706_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI73706>)| Install 22.0.0.2-IF012 - [_aix64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-AIX-FP002-IF012&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_linux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-Linux8664-FP002-IF012&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_solaris64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-Solaris-FP002-IF012&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win32_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-WIN32-FP002-IF012&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-WIN64-FP002-IF012&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_zlinux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=22.0.0.2&platform=All&function=fixId&fixids=22.0-IM-S22STAT-zLinux-FP002-IF012&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM SPSS Statistics| 23.0.0.3| [_PI73706_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI73706>)| Install 23.0.0.3-IF005 - [_aix64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-AIX-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_linux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-Linux8664-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_macosx_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=Mac+OSX&function=fixId&fixids=23.0-IM-S23STAT-MACOS-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_plinux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-pLinux-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_solaris64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-Solaris-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win32_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-WIN32-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-WIN64-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_zlinux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=23.0.0.3&platform=All&function=fixId&fixids=23.0-IM-S23STAT-zLinux-FP003-IF005&includeRequisites=1&includeSupersedes=0&downloadMethod=http>) \nIBM SPSS Statistics| 24.0.0.1| [_PI73706_](<https://www.ibm.com/support/entdocview.wss?uid=swg1PI73706>)| Install 24.0.0.1-IF002 - [_aix64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=All&function=fixId&fixids=24.0-IM-S24STAT-AIX-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_linux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=All&function=fixId&fixids=24.0-IM-S24STAT-Linux8664-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_macosx_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=Mac+OSX&function=fixId&fixids=24.0-IM-S24STAT-MACOS-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_plinux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=All&function=fixId&fixids=24.0-IM-S24STAT-pLinux-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win32_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=All&function=fixId&fixids=24.0-IM-S24STAT-WIN32-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_win64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=All&function=fixId&fixids=24.0-IM-S24STAT-WIN64-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>), [_zlinux64_](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=SPSS&product=ibm/Information+Management/SPSS+Statistics&release=24.0.0.1&platform=All&function=fixId&fixids=24.0-IM-S24STAT-zLinux-FP001-IF002&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)_ _ \nFor IBM SPSS Statistics 20.0 IBM recommends upgrading to a fixed, supported version of the product. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T13:44:45", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java Runtime affects IBM SPSS Statistics (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-16T13:44:45", "id": "D82E18DF27396DEC92C4727BDCC6BD3DD0D6F0F3B56EA9055906BDE22958F30B", "href": "https://www.ibm.com/support/pages/node/287529", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T21:34:27", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about multiple security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager.\n\nPrincipal Product and Version(s)\n\n| \n\nAffected Supporting Product and Version\n\n| \n\nAffected Supporting Product Security Bulletin \n \n---|---|--- \n \nIBM Tivoli System Automation Application Manager 4.1\n\n| \n\nWebSphere Application Server 8.5\n\n| \n\n[Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2023-01-17T17:35:00", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2014-0114, CVE-2012-1007, CVE-2016-1182, CVE-2016-1181)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2023-01-17T17:35:00", "id": "39D4A3024CD82E0AB1412C8F0B7DE6C9C896CC59E99FBAB7A5A61175586A3211", "href": "https://www.ibm.com/support/pages/node/719303", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:44:29", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly properly restrict the Validator configuration bin ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional using the optional UDDI.ear. \n\n * Version 9.0\n * Version 8.5\n * Version 8.0\n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI97162 if you are using the optional UDDI.ear for each named product as soon as practical. \n \n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:** \n**For V9.0.0.0 through 9.0.0.8:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044995>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.9 or later. \n \n**For V8.5.0.0 through 8.5.5.13:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI9716](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) 2[](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042908>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.14 or later. \n\n**For V8.0.0.0 through 8.0.0.15:** \n\u00b7 Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>)\n\n**For V7.0.0.0 through 7.0.0.45:** \n\u00b7 Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix [PI97162](<http://www-01.ibm.com/support/docview.wss?uid=swg24044993>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24043596>)\n\n \n \n_WebSphere Application Server V7 and V8 are no longer in full support; IBM recommends upgrading to a fixed, supported version/release/platform of the product. _\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2019-02-19T17:50:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2019-02-19T17:50:01", "id": "615E4369D0B07E7BA358AF447BD05A3ACC0720A255109ADB57E2A2080DB3607A", "href": "https://www.ibm.com/support/pages/node/711865", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-13T09:35:19", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www.ibm.com/support/docview.wss?uid=swg22016214>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0 \nIBM Case Manager 5.3.1 \nIBM Case Manager 5.3.2 \nIBM Case Manager 5.3.3 | IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \nIBM WebSphere Application Server 9.0 \n \n## ", "cvss3": {}, "published": "2018-07-10T22:09:09", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2014-0114, CVE-2016-1181, CVE-2016-1182, CVE-2012-1007)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-07-10T22:09:09", "id": "68E7DB3D7E398B2706226213F9B1A94ACD374A065EE9538BCE2CF140B065CB08", "href": "https://www.ibm.com/support/pages/node/713521", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T21:45:32", "description": "## Summary\n\nVulnerabilities exist in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI. These only exist if you have deployed the optional UDDI application. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2014-0114_](<https://vulners.com/cve/CVE-2014-0114>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to restrict the setting of Class Loader attributes. An attacker could exploit this vulnerability using the class parameter of an ActionForm object to manipulate the ClassLoader and execute arbitrary code on the system. \nCVSS Base Score: 7.5 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/92889_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/92889>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)\n\n**CVEID:** [_CVE-2012-1007_](<https://vulners.com/cve/CVE-2012-1007>) \n**DESCRIPTION:** Apache Struts is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the upload-submit.do, processSimple.do and struts-cookbook/processDyna.do scripts. A remote attacker could exploit this vulnerability using the name or message parameter in a specially-crafted URL to execute script in a victim''s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim''s cookie-based authentication credentials. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/73052_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/73052>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)\n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the failure to properly properly restrict the Validator configuration bin ActionServlet.java. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version | Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3 | Websphere Application Server Full Profile 8.5.5 | \n\n# [Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-11-28T11:00:02", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Struts and Apache Commons that is used by WebSphere Application Server UDDI shipped with Jazz for Service Management", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1007", "CVE-2014-0114", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2018-11-28T11:00:02", "id": "88E396C29AABC664ACC3D5B0A3797EDDA0587772D5D9F452A2E356E7CC5BCD5D", "href": "https://www.ibm.com/support/pages/node/741907", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:42", "description": "## Summary\n\nMultiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060)\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-1181_](<https://vulners.com/cve/CVE-2016-1181>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by the failure to protect against unintended remote operations against components on server memory by the ActionForm instance. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113852_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113852>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n**CVEID:** [_CVE-2016-1182_](<https://vulners.com/cve/CVE-2016-1182>)** \nDESCRIPTION:** Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages. \nCVSS Base Score: 4.8 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/113853_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/113853>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)\n\n \n**CVEID:** [_CVE-2016-3060_](<https://vulners.com/cve/CVE-2016-3060>)** \nDESCRIPTION:** IBM Payments Director could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could exploit this vulnerability to hijack the victim's click actions and possibly launch further attacks against the victim. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/114896_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/114896>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n \n**CVEID:** [_CVE-2016-5920_](<https://vulners.com/cve/CVE-2016-5920>)** \nDESCRIPTION:** IBM Financial Transaction Manager for ACH Services for Multi-Platform is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. \nCVSS Base Score: 5.4 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115704_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115704>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) \n\n\n## Affected Products and Versions\n\n\\- FTM for ACH v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14, 3.0.1.0 \n\n\\- FTM for Check v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14, 3.0.1.0\n\n\\- FTM for CPS v3.0.0.0, v3.0.0.1, v3.0.0.2, v3.0.0.3, v3.0.0.4, v3.0.0.5, v3.0.0.6, v3.0.0.7, v3.0.0.8, v3.0.0.9, v3.0.0.10, 3.0.0.11, 3.0.0.12, 3.0.0.13, 3.0.0.14\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _APAR_| _Remediation/First Fix_ \n---|---|---|--- \nFTM for ACH Services| 3.0.0.0 through 3.0.0.14| PI67537| Apply [3.0.0-FTM-ACH-MP-fp0015](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0-FTM-ACH-MP-fp0015&includeSupersedes=0>) or later. \nFTM for Check Services| 3.0.0.0 through 3.0.0.14| PI64063| Apply [3.0.0-FTM-Check-MP-fp0015](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0-FTM-Check-MP-fp0015&includeSupersedes=0>) or later. \nFTM for CPS Services| 3.0.0.0 through 3.0.0.14| PI64064| Apply [3.0.0-FTM-CPS-MP-fp0015](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.0-FTM-CPS-MP-fp0015&includeSupersedes=0>) or later. \nFTM for ACH Services| 3.0.1.0| PI67537| Apply [3.0.1.0-FTM-ACH-MP-iFix0002](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.1.0-FTM-ACH-MP-iFix0002&includeSupersedes=0>) or later. \nFTM for Check Services| 3.0.1.0| PI64063| Apply [3.0.1.0-FTM-Check-MP-iFix0002](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.1.0-FTM-Check-MP-iFix0002&includeSupersedes=0>) or later. \nFTM for CPS Services| 3.0.1.0| PI64064| Apply [3.0.1.0-FTM-CPS-MP-iFix0002](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=Financial%2BOperations&product=ibm/Other+software/Financial+Transaction+Manager&release=All&platform=All&function=fixId&fixids=3.0.1.0-FTM-CPS-MP-iFix0002&includeSupersedes=0>) or later. \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2018-06-16T20:03:39", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Financial Transaction Manager for ACH Services, Check Services, Corporate Payment Services (CVE-2016-5920, CVE-2016-1181, CVE-2016-1182, CVE-2016-3060)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-1181", "CVE-2016-1182", "CVE-2016-3060", "CVE-2016-5920"], "modified": "2018-06-16T20:03:39", "id": "8585A81D2C6357431DB37ADDF4189DBBFAC913BE555A9B6483BF16E8E8705C85", "href": "https://www.ibm.com/support/pages/node/549731", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:52:43", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Partner Gateway. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Information Disclosure in IBM WebSphere Application Server in the Admin Console](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s) \n\n| Product and Version shipped as a component \n---|--- \nWebSphere Partner Gateway Advanced/Enterprise Edition 6.2.1 through 6.2.1.4| WebSphere Application Server 7.0 \nWebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-16T20:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Partner Gateway Advanced/Enterprise Edition(CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-16T20:04:31", "id": "5F1C54B57D0A77FF4E91066E586EAC8DD7852F7155D4BFA26079447E3784C0BC", "href": "https://www.ibm.com/support/pages/node/552163", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:45:26", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21980645_](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:28:03", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-17T15:28:03", "id": "D9D73C9BCACF49201B1BEF05079A9FA03696ABA65DE00BEFAA3522C5956D8E68", "href": "https://www.ibm.com/support/pages/node/550157", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:47:33", "description": "## Summary\n\nIBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>) \n**DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM eDiscovery Manager Version 2.2.2\n\n## Workarounds and Mitigations\n\nUpgrade to minimal fix pack levels as required OR apply Fix pack for WebSphere Application Server as mentioned in WebSphere Application Server security bulletin. \n \n<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T12:17:10", "type": "ibm", "title": "Security Bulletin:Secure Console cookie, cookie has been set without the secure flag in IBM eDiscovery Manager", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-17T12:17:10", "id": "1B5DD9848C7D60F6C9D8417EA3EBB647E326EFAB4F90F5517AA7B314DC69D75B", "href": "https://www.ibm.com/support/pages/node/553969", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:47:38", "description": "## Summary\n\n \n \nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T12:16:57", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-17T12:16:57", "id": "5BB47F0FF7CF6CFCB37955BB1E55353E2082BADAA6B2A5F407DEF9E2ACFEAFDF", "href": "https://www.ibm.com/support/pages/node/551291", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-06-24T05:57:51", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Aviation, Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nSmartCloud Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nSmartCloud Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2022-09-22T03:02:31", "id": "CC3E66DE002526817DB1EA3478AAD281461401FF26FE54A7665592396B2D0136", "href": "https://www.ibm.com/support/pages/node/549773", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:45:28", "description": "## Summary\n\nEmbedded Websphere Application Server (eWAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting eWAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 7.4.0 GA and FP| embedded Websphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T15:28:01", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in embedded IBM WebSphere Application Server shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-17T15:28:01", "id": "89C90B70834FF0A7F6BD8AFBB87CFCADAE5A6543FDB3C22A96B4C08D3EE5B144", "href": "https://www.ibm.com/support/pages/node/550091", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:43:48", "description": "## Summary\n\nIBM WebSphere Application Server v7.0 is shipped as a component of IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server v7.0 \n \n## Remediation/Fixes\n\nConsult the security bulletin: [Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details and information about fixes. \n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T22:28:34", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-17T22:28:34", "id": "EB3D28BC172F69387FACE4175489E3530181A4DEEE32D8B8B4183C88E5EBC89A", "href": "https://www.ibm.com/support/pages/node/550829", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:51:17", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin,[ Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Federated Identity Manager 6.2.1 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.1| IBM WebSphere Application Server 7.0 \nIBM Tivoli Federated Identity Manager 6.2.2 \nIBM Tivoli Federated Identity Manager Business Gateway 6.2.2| IBM WebSphere Application Server 7.0, 8.0, 8.5 \n \n## Remediation/Fixes\n\nIBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway are affected through IBM WebSphere Application Server. If you use one of the affected versions of WebSphere, update your IBM WebSphere Application Server SDK with the appropriate Interim Fix based on information in the WebSphere security bulletin [Security Bulletin: Information Disclosure in IBM WebSphere Application Server (CVE-2016-0377)](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>).** **\n\n## Workarounds and Mitigations\n\nNone. \n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T21:46:00", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2018-06-16T21:46:00", "id": "43195EA4EE376F09F69147695272C390DC1C902D2303F5AF6A10BBCB312C6324", "href": "https://www.ibm.com/support/pages/node/550971", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-05-08T18:13:08", "description": "## Summary\n\nA vulnerability with an improper setting in a secure console cookie in WebSphere Application Server bundled with IBM Jazz Team Server based Applications affects multiple products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), and Rational Rhapsody Design Manager (Rhapsody DM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0377_](<https://vulners.com/cve/CVE-2016-0377>)** \nDESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie. \nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112238_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112238>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 3.0.1.6 - 6.0.2 \n \nRational Quality Manager 3.0.1.6 \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.2 \n \nRational Team Concert 3.0.1.6 \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.2 \n \nRational DOORS Next Generation 4.0 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.2 \n \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.2 \n \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.2\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of WAS with the available versions of the products, and also support some previous versions of WAS, in addition to the bundled version. For a remediation follow the WAS security bulletin appropriately: \n\n\n 1. Review the [_Security Bulletin:__ Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)_](<http://www.ibm.com/support/docview.wss?uid=swg21980645>) for vulnerability details. \n\n 2. Check the version of WAS, if any, that your deployment is actually using, and compare it against the list of affected versions in the WAS security bulletin. \n\n 3. Review the **Remediation/Fixes** section in the[](<http://www-01.ibm.com/support/docview.wss?uid=swg21672316>) [_Security Bulletin: Information Disclosure in IBM WebSphere Application Server in the Admin Console (CVE-2016-0377)_](<http://www.ibm.com/support/docview.wss?uid=swg21980645>) for a solution for the WAS version that your deployment is using. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "baseScore": 4.3, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Vulnerability in WebSphere Application Server affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-0377)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.0, "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0377"], "modified": "2021-04-28T18:35:50", "id": "185C65AA20ADD09741AA859C490D06F40A2B734235A5F9667DC6F9321120A88D", "href": "https://www.ibm.com/support/pages/node/552209", "cvss": {"score": 4.0, "vector": "AV:N/AC:L/Au:S/C:P/I:N/A:N"}}, {"lastseen": "2023-02-27T21:50:37", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Security Key Lifecycle Manager (SKLM). Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nAffected Product(s) | Version(s) | WebSphere Application Server Version \n---|---|--- \nIBM Security Key Lifecycle Manager | 4.0 | 9.0.5 \nIBM Security Key Lifecycle Manager | 3.0.1 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 3.0 | 9.0.0.5 \nIBM Security Key Lifecycle Manager | 2.7 | 9.0.0.1 \n \n## Remediation/Fixes\n\nPlease consult the following bulletins: \n\n[Security Bulletin: Potential vulnerability in WebSphere Application Server (CVE-2015-0899)](<https://www.ibm.com/support/pages/security-bulletin-potential-vulnerability-websphere-application-server-cve-2015-0899> \"Security Bulletin: Potential vulnerability in WebSphere Application Server \\(CVE-2015-0899\\)\" ) \n[Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114](<https://www.ibm.com/support/pages/security-bulletin-classloader-manipulation-vulnerability-ibm-websphere-application-server-cve-2014-0114> \"Security Bulletin: Classloader Manipulation Vulnerability in IBM WebSphere Application Server CVE-2014-0114\" ) \n[Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)](<https://www.ibm.com/support/pages/security-bulletin-vulnerabilities-apache-struts-affects-ibm-websphere-application-server-cve-2016-1181-and-cve-2016-1182> \"Security Bulletin: Vulnerabilities in Apache Struts affects IBM WebSphere Application Server \\(CVE-2016-1181 and CVE-2016-1182\\)\" )\n\nfor vulnerability details and information about fixes.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "NONE", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 8.2, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 4.2}, "published": "2020-09-26T18:24:35", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Security Key Lifecycle Manager (SKLM) (CVE-2015-0899, CVE-2014-0114, CVE-2016-1181 and CVE-2016-1182)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2014-0114", "CVE-2015-0899", "CVE-2016-1181", "CVE-2016-1182"], "modified": "2020-09-26T18:24:35", "id": "EB488D986A623E81C07D5F38DFFA754649938084B72DDAA698DEA6B41BB73C49", "href": "https://www.ibm.com/support/pages/node/6338461", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T21:47:46", "description": "## Summary\n\nIBM B2B Advanced Communications has addressed the stack trace display issue when no default error page was set up.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>) \n**DESCRIPTION:** IBM B2B Advanced Communications could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/112240> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM B2B Advanced Communications 1.0.0.0 - 1.0.0.6_1\n\n## Remediation/Fixes\n\nApply IBM B2B Advanced Communications 1.0.0.6_2 available on [_Fix Central_ ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%2Bsoftware&product=ibm/Other+software/Sterling+B2B+Integrator&release=All&platform=All&function=all>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-09-20T18:10:01", "type": "ibm", "title": "Security Bulletin: Stack Trace Vulnerability Affects IBM B2B Advanced Communication (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-09-20T18:10:01", "id": "2AAB5BE58C0CB4743B376C4C058728AA514820228044A3F692F589C517749A2D", "href": "https://www.ibm.com/support/pages/node/732325", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:51:56", "description": "## Summary\n\nIBM\u00ae WebSphere\u2122 Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nIBM SPSS Analytic Server 2.0.0.0 \nIBM SPSS Analytic Server 2.1.0.0 \nIBM SPSS Analytic Server 3.0.0.0 \nIBM SPSS Analytic Server 3.0.1.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the appropriate interim fix. \n \n\n\n_Product_| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nSPSS Analytic Server| _2.0.0.0_| [_http://www-01.ibm.com/support/docview.wss?uid=swg24043229_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043229>) \nSPSS Analytic Server| 2.1.0.0| [_http://www-01.ibm.com/support/docview.wss?uid=swg24043229_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043229>) \nSPSS Analytic Server| _3.0.0.0_| [_http://www-01.ibm.com/support/docview.wss?uid=swg24043229_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043229>) \nSPSS Analytic Server| _3.0.1.0_| [_http://www-01.ibm.com/support/docview.wss?uid=swg24043229_](<http://www-01.ibm.com/support/docview.wss?uid=swg24043229>) \n \nYou should verify applying this fix does not cause any compatibility issue in your environment. \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T13:45:01", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM\u00ae WebSphere\u2122 Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-16T13:45:01", "id": "E18D7E9D3ADD32A2717C5CBC25225C1C6EAA0474A66F22464249443F17754608", "href": "https://www.ibm.com/support/pages/node/289165", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-09-23T19:07:30", "description": "## Summary\n\nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty caused by improper handling of exceptions (CVE-2016-0378). IBM WebSphere Application Server Liberty is included as part of the Base OS used by our service images.. Please read the details for remediation below.\n\n## Vulnerability Details\n\n** CVEID: **[CVE-2016-0378](<https://vulners.com/cve/CVE-2016-0378>) \n** DESCRIPTION: **IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base score: 3.7 \nCVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/112240](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score. \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)\n\n## Affected Products and Versions\n\nAffected Product(s)| Version(s) \n---|--- \nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.0.0 - 4.6.3 \n \n \n \n \n\n\n \n\n\n## Remediation/Fixes\n\nIBM strongly recommends addressing the vulnerability now by upgrading. \n\n**Product(s)**| **Version(s) \n**| **Remediation/Fix/Instructions** \n---|---|--- \nIBM Watson Speech Services Cartridge for IBM Cloud Pak for Data| 4.6.4| The fix in 4.6.4 applies to all versions listed (4.0.0-4.6.3). Version 4.6.4 can be downloaded and installed from: ** \n<https://www.ibm.com/docs/en/cloud-paks/cp-data/4.6.x?topic=installing> \n** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2023-03-30T15:17:08", "type": "ibm", "title": "Security Bulletin: IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2023-03-30T15:17:08", "id": "36E7C71EE514D628ABEBE98655D18943D38870E6D577F2EA3518BF54BE79A732", "href": "https://www.ibm.com/support/pages/node/6967241", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:54:22", "description": "## Summary\n\nThere is an Information Disclosure Vulnerability in IBM WebSphere Application Server Liberty. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Liberty\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR [PI54459 ](<http://www-01.ibm.com/support/docview.wss?uid=swg24042758>)for each named product as soon as practical. ** \n** \n**For WebSphere Application Server Liberty: ** \n**For Liberty:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI54459](<http://www-01.ibm.com/support/docview.wss?uid=swg24042758>)\n\n\\--OR-- \n\u00b7 Apply Liberty Fix Pack 16.0.0.3 or later**. \n**\n\n## Workarounds and Mitigations\n\nCreate a custom error page.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T07:05:30", "type": "ibm", "title": "Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-15T07:05:30", "id": "A0925EEB2D6265DE705572AB2EF6D7849A556C450D7D8361064E8B71A86B0189", "href": "https://www.ibm.com/support/pages/node/276605", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:53:32", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) Liberty profile is shipped as a component of IBM Streams. Information about a security vulnerabilities affecting WAS Liberty profile has been published in a security bulletin. \n \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n \n\n\n## Affected Products and Versions\n\n * * IBM Streams Version 4.2.0.0\n * IBM InfoSphere Streams Version 4.1.1.1 and earlier\n * IBM InfoSphere Streams Version 4.0.1.2 and earlier\n * IBM InfoSphere Streams Version 3.2.1.5 and earlier\n * IBM InfoSphere Streams Version 3.1.0.7 and earlier\n * IBM InfoSphere Streams Version 3.0.0.5 and earlier \n \n\n\n## Remediation/Fixes\n\n \nNOTE: Fix Packs are available on IBM Fix Central. \n\n\n * **Version 4.2.0:**\n * Apply [4.2.0 Fix Pack 2 (4.2.0.1) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.2.0.0&platform=All&function=all>)\n * **Version 4.1.1:**\n * Contact IBM Technical Support.\n * **Version 4.0.1:**\n * Apply [4.0.1 Fix Pack 3 (4.0.1.3) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.0.1.0&platform=All&function=all>)\n * **Version 3.2.1:**\n * Apply [3.2.1 Fix Pack 6 (3.2.1.6) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=3.2.1.0&platform=All&function=all>)\n * **Version 3.1.0:**\n * Contact IBM Technical Support.\n * **Version 3.0.0:**\n * Contact IBM Technical Support.\n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T13:44:07", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-16T13:44:07", "id": "49FFE0ABDE204A7E9F1841F7F559919ABCAF9937FAD0DB6345CFB4D041BD27B8", "href": "https://www.ibm.com/support/pages/node/556227", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T01:50:03", "description": "## Summary\n\nThere is a potential information disclosure in WebSphere Liberty Profile, shipped as a component of IBM Secutity Identity Governance and Intelligence.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nIBM Security Identity Governance and Intelligence 5.2.1 Virtual Appliance\n\n## Remediation/Fixes\n\nProduct Name \n\n| VRMF | APAR| Remediation/Fix \n---|---|---|--- \nIBM Security Identity Governance and Intelligence| 5.2.1| None| [ ](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.0.0&platform=Linux&function=all>)[ ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.1.0&platform=Linux&function=all>)[5.2.1.5-ISS-SIGI-IF0006](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Identity+Governance&release=5.2.1.0&platform=Linux&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T21:50:15", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM Secutity Identity Governance and Intelligence (CVE-2016-0378 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2018-06-16T21:50:15", "id": "2F60B959AE26E6E12B6D46DCEF806CD64408E1E3D5FA1F8B1FD9290C293E11CF", "href": "https://www.ibm.com/support/pages/node/291225", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-05-08T18:13:12", "description": "## Summary\n\nInformation disclosure vulnerability in WebSphere Application Server Liberty bundled with IBM Jazz Team Server based Applications affects multiple products: Collaborative Lifecycle Management (CLM), Rational DOORS Next Generation (RDNG), Rational Engineering Lifecycle Manager (RELM), Rational Team Concert (RTC), Rational Quality Manager (RQM), Rational Software Architect (RSA DM), and Rational Rhapsody Design Manager (Rhapsody DM).\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0378_](<https://vulners.com/cve/CVE-2016-0378>)** \nDESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/112240_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/112240>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N) \n\n## Affected Products and Versions\n\nRational Collaborative Lifecycle Management 4.0 - 6.0.2 \n \nRational Quality Manager 4.0 - 4.0.7 \nRational Quality Manager 5.0 - 5.0.2 \nRational Quality Manager 6.0 - 6.0.2 \n \nRational Team Concert 4.0 - 4.0.7 \nRational Team Concert 5.0 - 5.0.2 \nRational Team Concert 6.0 - 6.0.2 \n \nRational DOORS Next Generation 4.0.1 - 4.0.7 \nRational DOORS Next Generation 5.0 - 5.0.2 \nRational DOORS Next Generation 6.0 - 6.0.2 \n \nRational Engineering Lifecycle Manager 4.0.3 - 4.0.7 \nRational Engineering Lifecycle Manager 5.0 - 5.0.2 \nRational Engineering Lifecycle Manager 6.0 - 6.0.2 \n \nRational Rhapsody Design Manager 4.0 - 4.0.7 \nRational Rhapsody Design Manager 5.0 - 5.0.2 \nRational Rhapsody Design Manager 6.0 - 6.0.2 \n \nRational Software Architect Design Manager 4.0 - 4.0.7 \nRational Software Architect Design Manager 5.0 - 5.0.2 \nRational Software Architect Design Manager 6.0 - 6.0.2\n\n## Remediation/Fixes\n\nThe IBM Jazz Team Server based Applications bundle different versions of WebSphere Application Server Liberty Profile with the available versions of the products, and in addition to the bundled version some previous versions of WAS Liberty are also supported. For a remediation follow the WAS Liberty security bulletin appropriately: \n\n\n 1. Review the [_Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)_](<http://www.ibm.com/support/docview.wss?uid=swg21981529>) for vulnerability details. \n\n 2. Check the version of WAS Liberty, if any, that your deployment is actually using, and compare it against the list of affected versions in the security bulletin. \n\n 3. Review the **Remediation/Fixes** section in the[](<http://www-01.ibm.com/support/docview.wss?uid=swg21672316>) [_Security Bulletin: Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378__)_](<http://www.ibm.com/support/docview.wss?uid=swg21981529>) for available fixes in the version that you are using.\n * When installing the fixed WAS Liberty package use &lt;JazzInstallLocation&gt;/server/liberty/wlp as the location of the WAS Liberty installation, where &lt;JazzInstallLocation&gt; is the root folder of your CLM installation \n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "baseScore": 3.7, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-28T18:35:50", "type": "ibm", "title": "Security Bulletin: Information disclosure vulnerability in WebSphere Application Server Liberty affects multiple IBM Rational products based on IBM Jazz technology (CVE-2016-0378)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "NONE", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0378"], "modified": "2021-04-28T18:35:50", "id": "BBCF8E5459CEEE66A7E358287F0CCB2262D6336887AD34679527A9A0255313FE", "href": "https://www.ibm.com/support/pages/node/553925", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2023-02-21T05:45:27", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5 \nNote that IBM Tivoli System Automation Application Manager 3.2.2, 3.2.1, and 3.2.0 are not affected. \n\n## Remediation/Fixes\n\nYou need to install the corresponding APAR from WebSphere Application Server. Please follow the instructions on this link: [_http://www-01.ibm.com/support/docview.wss?uid=swg21988339_](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>). Please see section \u201cAffected Products and Versions\u201d in this bulletin on details which fix of WebSphere Application Server applies to your version of IBM Tivoli System Automation Application Manager.\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {}, "published": "2018-06-17T15:27:47", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T15:27:47", "id": "B34A726A1AFF5A68AE72A224974D9923E1366B92AF2487CD076BA0E00E7E7A02", "href": "https://www.ibm.com/support/pages/node/549493", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:45:26", "description": "## Summary\n\nIBM Tivoli Storage Manager FastBack Reporting requires the dependent product IBM WebSphere Application Server. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [_Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)_](<http://www.ibm.com/support/docview.wss?uid=swg21988339>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Tivoli Storage Manager Fastback 6.1.0 through 6.1.12.1| IBM WebSphere Application Server 8.5.0.1 Full Profile \nIBM Tivoli Storage Manager Fastback 6.1.12.2 through 6.1.12.3| IBM WebSphere Application Server 8.5.5.4 Full Profile \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T15:28:06", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server affecting IBM Tivoli Storage Manager FastBack Reporting (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T15:28:06", "id": "1EFCA96ED0F43F520BAAE2D9F621BE24624ABB18463E2EA095AD85756ECFD96B", "href": "https://www.ibm.com/support/pages/node/550423", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T17:45:57", "description": "## Summary\n\nWebSphere Application Server is shipped as components of IBM Service Delivery Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \n****DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nIBM Service Delivery Manager version 7.2.1 through 7.2.4| IBM WebSphere Application Server version 7.0.0.0 through 7.0.0.27 \n \n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Service Delivery Manager version 7.2.1 through 7.2.4| IBM WebSphere Application Server version 7.0.0.0 through 7.0.0.27| Consult the security bulletin [_Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) for fix information. \n \n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T22:33:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Service Delivery Manager (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T22:33:13", "id": "5C152B4A839095A837C1241374AB44F70D93203A632EC12E321A761B67A29146", "href": "https://www.ibm.com/support/pages/node/609257", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:52:28", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae Runtime Environment Java\u2122 Versions 6 and 7 that are used by IBM Cognos Metrics Manager. This issue was disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n * * IBM Cognos Metrics Manager 10.2.2\n * IBM Cognos Metrics Manager 10.2.1\n * IBM Cognos Metrics Manager 10.2\n * IBM Cognos Metrics Manager 10.1.1\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the fix as soon as practical. As the fix is in a shared component across the Business Intelligence portfolio, applying the BI Interim Fix will resolve the issue. Note that the prerequisites named in the links are also satisfied by an IBM Cognos Metrics Manager install of the same version. \n\n \n| Version| Interim Fix \n---|---|--- \nIBM Cognos Metrics Manager| 10.2.2| [IBM Cognos Business Intelligence 10.2.2 Interim Fix 13](<http://www-01.ibm.com/support/docview.wss?uid=swg24042721>) \nIBM Cognos Metrics Manager| 10.2.1| [IBM Cognos Business Intelligence 10.2.1 Interim Fix 18](<http://www-01.ibm.com/support/docview.wss?uid=swg24042721>) \nIBM Cognos Metrics Manager| 10.2| [IBM Cognos Business Intelligence 10.2 Interim Fix 21](<http://www-01.ibm.com/support/docview.wss?uid=swg24042721>) \nIBM Cognos Metrics Manager| 10.1.1| [IBM Cognos Business Intelligence 10.1.1 Interim Fix 20](<http://www-01.ibm.com/support/docview.wss?uid=swg24042720>) \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T23:17:13", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM Java Runtime affects IBM Cognos Metrics Manager (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-15T23:17:13", "id": "9C1AA7899A19BB900DF77B5F4EFB2E495346A3556FC8A26E17E8EA20FA912324", "href": "https://www.ibm.com/support/pages/node/286645", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:39:04", "description": "## Summary\n\nMultiple security vulnerabilities exist in the IBM\u00ae Runtime Environment Java\u2122 Technology Edition 6.0.16.26 (and earlier) used by WebSphere Message Broker, and the IBM\u00ae Runtime Environment Java\u2122 Technology Edition 7.0.9.40 (and earlier) used by WebSphere Message Broker and IBM Integration Bus, and the IBM\u00ae Runtime Environment Java\u2122 Technology Edition 7.1.3.40 (and earlier) used by IBM Integration Bus. These issues were disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM Integration Bus V10, V9 \n\nWebSphere Message Broker V8\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nIBM Integration Bus| V10| IT16743 | The APAR is available in fix pack 10.0.0.7 \n<https://www-304.ibm.com/support/docview.wss?uid=swg24043068> \nIBM Integration Bus| V9| IT16743| The APAR is available in fix pack 9.0.0.7 \n<http://www-01.ibm.com/support/docview.wss?uid=swg24043227> \nWebSphere Message Broker | V8| IT16743| An interim fix is available from IBM Fix Central for all platforms \n[http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&amp;product=ibm/WebSphere/WebSphere+Message+Broker&amp;release=All&amp;platform=All&amp;function=aparId&amp;apars=IT16743](<http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Message+Broker&release=All&platform=All&function=aparId&apars=%20IT16743>) \n \nIf you are running with a fix pack earlier than 8.0.0.7 and do not have IT03599 applied then you must upgrade your fix pack level to 8.0.0.7 or higher, or request IT16735 via IBM support. \n \nAPAR IT16743 is targeted to be available in fix pack 8.0.0.9 \n \n_For unsupported versions of the product IBM recommends upgrading to a fixed, supported version/release/platform of the product._\n\n \nThe planned maintenance release dates for WebSphere Message Broker and IBM Integration Bus are available at : \n[http://www.ibm.com/support/docview.wss?uid=swg27006308 ](<http://www.ibm.com/support/docview.wss?uid=swg27006308>) \n\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-03-23T20:41:52", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java Runtime affect WebSphere Message Broker and IBM Integration Bus (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2020-03-23T20:41:52", "id": "2CCC0082C741DDB5DC34B25ECB013C676FA97F07AF06FE2F7165FEE41D61E833", "href": "https://www.ibm.com/support/pages/node/557179", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:48", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition that is used by IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. This issue was disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM OS Image for Red Hat Linux Systems 3.0.0.0 and earlier. \nIBM OS Image for AIX Systems 2.1.1.0 and earlier.\n\n## Remediation/Fixes\n\nVirtual machines deployed from IBM PureApplication Systems are affected. This includes RedHat Linux, AIX-based, and Windows-based deployments. The solution is to apply the following IBM PureApplication System fix to the deployed virtual machines. \n \nJava Update for Linux \n[_https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=Java_Update_Linux_Dec_2016-sys&amp;includeRequisites=1&amp;includeSupersedes=0_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_Linux_Dec_2016-sys&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n \nJava Update for Windows \n[_https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=Java_Update_Windows_Dec_2016-sys&amp;includeRequisites=1&amp;includeSupersedes=0_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_Windows_Dec_2016-sys&includeRequisites=1&includeSupersedes=0&downloadMethod=ddp>) \n \nJava Update for AIX \n[_https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=Java_Update_AIX_Dec_2016-sys&amp;includeRequisites=1&amp;includeSupersedes=0_](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=Java_Update_AIX_Dec_2016-sys&includeRequisites=1&includeSupersedes=0>) \n \n1\\. Import the fix into the Emergency Fix catalogue. \n2\\. For deployed instances, apply this emergency fix on the VM. \n3\\. Restart the deployed instance after the fix is applied.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T07:06:56", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM\u00ae Java\u2122 SDK affects IBM OS Images for Red Hat Linux Systems, AIX-based, and Windows-based deployments. (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-15T07:06:56", "id": "279DF7F5F123A843588622F2CFFF648DF475F6C7BD44DA56FA3B20CF984A9786", "href": "https://www.ibm.com/support/pages/node/289505", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:48:40", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 and Version 8. These issues were disclosed as part of the IBM Java SDK updates in July 2016. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nRational Service Tester versions 8.3, 8.5, 8.6, 8.7 and 9.0.\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nRST Workbench| 9.0| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java8SR3FP10&includeSupersedes=0&source=fc>) \nAgent| 9.0| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRST| 8.7 - 8.7.x| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRST| 8.6 - 8.6.x| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRST| 8.5 - 8.5.x| None| Download \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \nRST| 8.3 -8.3.x| None| Download[ ](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Performance+Tester&release=8.0.0.0&platform=All&function=fixId&fixids=Rational-RPT-JavaPatch-Java7SR8FP10&includeSupersedes=0&source=fc>) \n[`http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc`](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7ERational&product=ibm/Rational/Rational+Service+Tester+for+SOA+Quality&release=9.0.0&platform=All&function=fixId&fixids=Rational-RST-JavaPatch-Java7SR9FP50&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T05:16:39", "type": "ibm", "title": "Security Bulletin: : Multiple vulnerabilities in IBM Java SDK affect Rational Service Tester (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T05:16:39", "id": "E989638EA01DAE005E993A089CABDDA04583202E3AB1A5A1C7E9061356E64678", "href": "https://www.ibm.com/support/pages/node/553835", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:53:12", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 that is used by IBM InfoSphere Discovery. This issue was disclosed as part of the IBM Java SDK updates in July 2016. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM InfoSphere Discovery, IBM InfoSphere Discovery for Information Integration, and IBM InfoSphere Discovery for zOS, versions 4.1.1 and 4.5 on Windows, and version 4.6 running on all platforms \n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRMF_**| **_APAR_**| **_Remediation/First Fix_** \n---|---|---|--- \nAll InfoSphere Discovery products| 4.6| IT16577| \\--Apply [_IT16577_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/InfoSphere+Discovery&function=fixId&fixids=disc462_security_IT16577_*>) \nAll InfoSphere Discovery products| 4.5| IT16577| \\--Upgrade to [_Discovery 4.6.2.2_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/InfoSphere+Discovery&function=fixId&fixids=disc462_discovery_fp2*>) \n\\--Apply [_IT16577_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/InfoSphere+Discovery&function=fixId&fixids=disc462_security_IT16577_*>) \nAll InfoSphere Discovery products| 4.1.1| IT16577| \\--Upgrade to [_Discovery 4.6.2.2_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/InfoSphere+Discovery&function=fixId&fixids=disc462_discovery_fp2*>) \n\\--Apply [_IT16577_](<http://www.ibm.com/support/fixcentral/swg/quickorder?&product=ibm/Information+Management/InfoSphere+Discovery&function=fixId&fixids=disc462_security_IT16577_*>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T14:08:22", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affects IBM InfoSphere Discovery (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-16T14:08:22", "id": "1C3CC43F2390665767F4BF31CBD0410ED166608D5AA9753E90DCEAAB9BD2B8B1", "href": "https://www.ibm.com/support/pages/node/550083", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:39:38", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 9.0.0.x:**\n\nThis vulnerability only applies to the server component.\n\n**Versions 7.1.x.x, 8.0.0.x, 8.0.1.x,: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile| [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21988339>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2020-02-04T16:40:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2020-02-04T16:40:40", "id": "CAC8ED34222D34B14BFA3287FD19465EB8AFCF00CE3336A526593AC6DCD0075C", "href": "https://www.ibm.com/support/pages/node/554601", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:41:55", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component. \n**Versions 7.1.x.x, 8.0.0.x, 8.0.1.x,: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 9.0.0.x| IBM WebSphere Application Server versions 8.5.5 Full Profile, 8.5 Full Profile| [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www.ibm.com/support/docview.wss?uid=swg21988339>) \n \n**ClearCase Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n9.0.0.x| Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-07-10T08:34:12", "id": "B36E9A87D26819F1000CEFC942D54F874FD41DD569BBFF95F4C0A213C8333D83", "href": "https://www.ibm.com/support/pages/node/548959", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:56:29", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v 7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v 7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:06:13", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere \nApplication Server shipped with WebSphere Enterprise Service Bus (CVE-2016-3485 )", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-15T07:06:13", "id": "53C5D0378DD2F23947F42E54846A8F839F777754BB281BB0CD45684E4D1828A0", "href": "https://www.ibm.com/support/pages/node/551141", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:51:28", "description": "## Summary\n\nThere are multiple vulnerabilities in IBM\u00ae SDK Java\u2122 Technology Edition, Version 7 Service Refresh 9 Fix Pack 40 that is used by IBM B2B Advanced Communications. These issues were disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM Multi-Enterprise Integration Gateway 1.0 - 1.0.0.1 \n\nIBM B2B Advanced Communications 1.0.0.2 - 1.0.0.5\n\n## Remediation/Fixes\n\nThe recommended solution is to upgrade to the current release as soon as practical. Please see below for information about the fixes available. \n \n\n\n**_Fix*_**| **_VRMF_**| **_APAR_**| **_How to acquire fix_** \n---|---|---|--- \nFixpack 1.0.0.5_2| 1.0.0.1| None| IBM Fix Central &gt; [](<http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.1&platform=All&function=fixId&fixids=IBM_Multi-Enterprise_Integration_Gateway_V1.0.0.1_3_iFix_Media&includeSupersedes=0>)[](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Other%20software&product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.5&platform=All&function=all>)[_IBM_B2B_Advanced_Communications_V1.0.0.5_2_iFix_Media _](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm%7EOther%20software&product=ibm/Other+software/Multi-Enterprise+Integration+Gateway&release=1.0.0.5&platform=All&function=all>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T20:07:04", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM Java SDK affect IBM B2B Advanced Communications.", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-16T20:07:04", "id": "F4C8146FB10A44EAB37C806FB96F9E421080AE5CCA233C45EB9849A6ECADB0A2", "href": "https://www.ibm.com/support/pages/node/288189", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:47:59", "description": "## Summary\n\nVulnerability in IBM\u00ae SDK Java\u2122 Technology Edition, Version 6 &amp; 7 that is used by IBM Enterprise Content Management. These issues were disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n \nIBM Enterprise Content Management System Monitor v 5.1.0 \nIBM Enterprise Content Management System Monitor v 5.2.0\n\n## Remediation/Fixes\n\n**_Product_**\n\n| **_VRM_**| **_Remediation_** \n---|---|--- \n_IBM Enterprise Content Management System Monitor_| _5.1.0_| _Use _ECM SM 510-FP3-IF9 avaible at [__https://www-933.ibm.com/support/fixcentral/__](<https://www-933.ibm.com/support/fixcentral/>) \n_IBM Enterprise Content Management System Monitor_| _5.2.0_| _Use _ECM SM 5.2.0.4 avaible at [__https://www-933.ibm.com/support/fixcentral/__](<https://www-933.ibm.com/support/fixcentral/>) \n \n## Workarounds and Mitigations\n\nNA\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T12:17:29", "type": "ibm", "title": "Security Bulletin: Vulnerability in IBM Java SDK affect IBM Enterprise Content Management System Monitor (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T12:17:29", "id": "55F628252DAF650CC58C2642D1B82D06D90F25555C9C9B3A72808CD2B411DDA0", "href": "https://www.ibm.com/support/pages/node/286411", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T01:53:56", "description": "## Summary\n\nThere is a vulnerability in IBM\u00ae SDK Java\u2122 Technology Edition that is used by IBM Image Construction and Composition Tool. This issue was disclosed as part of the IBM Java SDK updates in July 2016.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nIBM Image Construction and Composition Tool v2.3.2.0 \nIBM Image Construction and Composition Tool v2.3.1.0 \n\n## Remediation/Fixes\n\nThe solution is to apply the following IBM Image Construction and Composition Tool version fixes. \n \nUpgrade the IBM Image Construction and Composition Tool to the following fix levels or higher: \n \n \n\u00b7 For IBM Image Construction and Composition Tool v2.3.2.0 \nIBM Image Construction and Composition Tool v2.3.2.0 Build 31 \n \n[__https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=ICCT_IM_Repository_2.3.2.0-31&amp;includeRequisites=1&amp;includeSupersedes=0__](<http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-31&includeRequisites=1&includeSupersedes=0>) \n \n[__http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=ICCT_efix_Repository_2.3.2.0-31&amp;includeRequisites=1&amp;includeSupersedes=0__](<http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.2.0-31&includeRequisites=1&includeSupersedes=0>) \n \n\u00b7 For IBM Image Construction and Composition Tool v2.3.1.0 \nIBM Image Construction and Composition Tool v2.3.1.0 Build 53 \n \n[__http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=ICCT_IM_Repository_2.3.1.0-53&amp;includeRequisites=1&amp;includeSupersedes=0__](<http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_IM_Repository_2.3.1.0-53&includeRequisites=1&includeSupersedes=0>)_ _ \n_ _ \n[__http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&amp;product=ibm/WebSphere/PureApplication+System&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=ICCT_efix_Repository_2.3.1.0-53&amp;includeRequisites=1&amp;includeSupersedes=0__](<http://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=PureSystems&product=ibm/WebSphere/PureApplication+System&release=All&platform=All&function=fixId&fixids=ICCT_efix_Repository_2.3.1.0-53&includeRequisites=1&includeSupersedes=0>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T07:06:56", "type": "ibm", "title": "Security Bulletin: A vulnerability in IBM\u00ae Java\u2122 SDK affects IBM Image Construction and Composition Tool. (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-15T07:06:56", "id": "F75D58C0267A449CAD114159AF9A13F3D3BEAEAE57224CA266830BE31F9583B7", "href": "https://www.ibm.com/support/pages/node/289499", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2022-10-01T01:54:48", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM License Metric Tool 7.5 and IBM Tivoli Asset Discovery for Distributed 7.5. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nProduct and Version(s) \n \n--- \nIBM License Metric Tool 7.5 \nIBM Tivoli Asset Discovery for Distributed 7.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server which is shipped with IBM License Metric Tool 7.5 and IBM Tivoli Asset Discovery for Distributed 7.5. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM License Metric Tool 7.5 \n \nIBM Tivoli Asset Discovery for Distributed 7.5| WebSphere Application Server 7.0| [Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) \n \n## Workarounds and Mitigations\n\nN/A\n\n## Get Notified about Future Security Bulletins\n\nSubscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this.\n\n### References \n\n[Complete CVSS v2 Guide](<http://www.first.org/cvss/v2/guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v2](<http://nvd.nist.gov/CVSS-v2-Calculator> \"Link resides outside of ibm.com\" )\n\n[Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> \"Link resides outside of ibm.com\" ) \n[On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> \"Link resides outside of ibm.com\" )\n\nOff \n\n## Related Information\n\n[IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) \n[IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>)\n\n*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.\n\n## Disclaimer\n\nReview the [IBM security bulletin disclaimer and definitions](<https://www.ibm.com/support/pages/node/6610583#disclaimer>) regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.\n\n[{\"Product\":{\"code\":\"SS8JFY\",\"label\":\"IBM License Metric Tool\"},\"Business Unit\":{\"code\":\"BU053\",\"label\":\"Cloud &amp; Data Platform\"},\"Component\":\"--\",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"},{\"code\":\"PF033\",\"label\":\"Windows\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB45\",\"label\":\"Automation\"}},{\"Product\":{\"code\":\"SSHT5T\",\"label\":\"Tivoli Asset Discovery for Distributed\"},\"Business Unit\":{\"code\":\"BU058\",\"label\":\"IBM Infrastructure w\\/TPS\"},\"Component\":\" \",\"Platform\":[{\"code\":\"PF002\",\"label\":\"AIX\"},{\"code\":\"PF033\",\"label\":\"Windows\"},{\"code\":\"PF010\",\"label\":\"HP-UX\"},{\"code\":\"PF016\",\"label\":\"Linux\"},{\"code\":\"PF027\",\"label\":\"Solaris\"}],\"Version\":\"7.5\",\"Edition\":\"\",\"Line of Business\":{\"code\":\"LOB26\",\"label\":\"Storage\"}}]", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2021-04-26T21:17:25", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM License Metric Tool 7.5 and IBM Tivoli Asset Discovery for Distributed 7.5 (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2021-04-26T21:17:25", "id": "13A0372B23AE8A4E68139CD880DEBEEBDC7987A59621CA5160456B358686AF73", "href": "https://www.ibm.com/support/pages/node/552977", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:45:28", "description": "## Summary\n\nIBM\u00ae SDK Java\u2122 Technology Edition integrated within WebSphere Application Server is shipped as a component of IBM Tivoli Network Manager IP Edition. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin[** Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n \n\n\nAffected Product and Version(s)| Product and Version shipped as a component \n---|--- \nIBM Tivoli Network Manager 3.8| Bundled the TIP version 1.1.1.x, IBM WebSphere version 6.1.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 5. \nIBM Tivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nIBM Tivoli Network Manager 4.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \nIBM Tivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x, IBM WebSphere version 7.0.0.x and the JRE from IBM SDK Java 2 Technology Edition Version 6. \n \n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-17T15:27:47", "type": "ibm", "title": "Security Bulletin:Multiple vulnerabilities in IBM Java SDK affect WebSphere Application Server shipped with IBM Tivoli Network Manager IP Edition July 2016 CPU (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-17T15:27:47", "id": "D0423281F181B1E92869B5BC9FF74F864D924BA505452A3822D73132BA4D21DA", "href": "https://www.ibm.com/support/pages/node/549631", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:56:25", "description": "## Summary\n\nThere are multiple vulnerabiltities in the IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in July 2016. \n\n## Vulnerability Details\n\nIf you run your own Java code using the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\" located in the \u201cReferences\u201d section for more information. \n \n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0 through 1.0.0.7 and 2.2.0.0 through 2.2.2.0\n\n## Remediation/Fixes\n\nPlease see the IBM Java SDK Security Bulletin for WebSphere Application Server to determine which WebSphere Application Server versions are affected. The interim fix 1.0.0.0-WS-WASPATTERNS-JDK-JULY16 can be used to apply the July SDK versions in a PureApplication Environment. \n\nDownload the interim fix [1.0.0.0-WS-WASPATTERNS-JDK-JULY16. ](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+Application+Server+Patterns&release=All&platform=All&function=fixId&fixids=1.0.0.0-WS-WASPATTERNS-JDK-JULY16+&includeSupersedes=0>)\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-15T07:06:17", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in IBM\u00ae Java SDK affects WebSphere Application Server July 2016 CPU (CVE-2016-3485) that is bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud.", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-15T07:06:17", "id": "4FA3ED002224D47C2E62F374D30A8FF283ECB81DCBD1F8589CEEAB63A0C535B2", "href": "https://www.ibm.com/support/pages/node/552805", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:51:13", "description": "## Summary\n\nAn unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact.\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>) \n**DESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\n** **IBM Security Guardium Data Redaction V2.5.1\n\n## Remediation/Fixes\n\n_Product_\n\n| _VRMF_| _Remediation/First Fix_ \n---|---|--- \nIBM Security Guardium Data Redaction | 2.5.1 | [http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BSecurity&amp;product=ibm/Information+Management/InfoSphere+Guardium&amp;release=All&amp;platform=All&amp;function=fixId&amp;fixids=Guardium_DataRedaction_2.5.1_SecurityUpdate_2016-11-01&amp;includeSupersedes=0&amp;source=fc](<http://www.ibm.com/support/fixcentral/swg/quickorder?parent=IBM%2BSecurity&product=ibm/Information+Management/InfoSphere+Guardium&release=All&platform=All&function=fixId&fixids=Guardium_DataRedaction_2.5.1_SecurityUpdate_2016-11-01&includeSupersedes=0&source=fc>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 1.4, "cvssV3": {"baseSeverity": "LOW", "confidentialityImpact": "NONE", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "baseScore": 2.9, "vectorString": "CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 1.4}, "published": "2018-06-16T21:47:13", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium Data Redaction is vulnerable to IBM SDK, Java Technology Edition Quarterly CPU - Jul 2016 - Includes Oracle Jul 2016 CPU (CVE-2016-3485)", "bulletinFamily": "software", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 2.1, "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "impactScore": 2.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3485"], "modified": "2018-06-16T21:47:13", "id": "80F2BB90E4A6D6AE5BFD741728B7B63ACB29588271F52E86637CCC34FEC93AC1", "href": "https://www.ibm.com/support/pages/node/554041", "cvss": {"score": 2.1, "vector": "AV:L/AC:L/Au:N/C:N/I:P/A:N"}}, {"lastseen": "2023-02-21T05:56:30", "description": "## Summary\n\nThere are multiple vulnerabilities in the IBM\u00ae SDK Java\u2122 Technology Edition that is shipped with IBM WebSphere Application Server. These issues were disclosed in the IBM Java SDK updates in July 2016. These may affect some configurations of Liberty for Java for IBM Bluemix.\n\n## Vulnerability Details\n\nIf you are using a different JRE than the IBM Java Runtime delivered with this product, you should evaluate your code to determine whether the complete list of vulnerabilities are applicable to your code. For a complete list of vulnerabilities please refer to the link for \u201cIBM Java SDK Security Bulletin\" located in the \u201cReferences\u201d section for more information. \n \n**CVEID:** [_CVE-2016-3485_](<https://vulners.com/cve/CVE-2016-3485>)** \nDESCRIPTION:** An unspecified vulnerability related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact. \nCVSS Base Score: 2.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/115273_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/115273>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nThis vulnerability affects all versions of Liberty for Java in IBM Bluemix up to and including v3.1.\n\n## Remediation/Fixes\n\nTo upgrade to Liberty for Java v3.2-20160822-2200 or higher, you must re-stage or re-push your application. To check which