Mar 06, 2019 - 8:55 p.m.

Security Bulletin: Potential Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2018-1901)

2019-03-06 20:55:02
www.ibm.com

EPSS: 0.002 (Percentile: 58.7%)

Summary

There is a timing window during which a privilege escalation vulnerability could exist in WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2018-1901
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to temporarily gain elevated privileges on the system, caused by an incorrect cached value being used.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/152530> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

  • Liberty
  • Version 9.0
  • Version 8.5

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical.

For WebSphere Application Server Liberty:

· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH02811
--OR--
· Apply Fix Pack 18.0.0.4 or later.

For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:

For V9.0.0.0 through 9.0.0.9:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH02811
--OR--
· Apply Fix Pack 9.0.0.10 or later.

For V8.5.0.0 through 8.5.5.14:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH02811
--OR--
· Apply Fix Pack 8.5.5.15 or later.
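
The fix levels above can be turned into an inventory triage check. The following is an added example, not IBM code: the function names, status strings and sample inventory rows are constructed for illustration, and it assumes every Liberty level below 18.0.0.4 is affected because the bulletin gives no lower bound for Liberty.

```python
import re
from typing import Iterable, Tuple

INTERIM_FIX = "PH02811"  # interim fix named in the bulletin

# (edition, first affected level, first fixed fix pack), from the bulletin.
# Entries for one edition are ordered newest stream first.
# Assumption: the bulletin gives no lower bound for Liberty, so every
# Liberty level below 18.0.0.4 is treated as affected.
RANGES = [
    ("liberty", (0, 0, 0, 0), (18, 0, 0, 4)),
    ("traditional", (9, 0, 0, 0), (9, 0, 0, 10)),
    ("traditional", (8, 5, 0, 0), (8, 5, 5, 15)),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse 'V.R.M.F' into ints so that 9.0.0.10 sorts above 9.0.0.9."""
    if not re.fullmatch(r"[0-9]+(\.[0-9]+){3}", text.strip()):
        raise ValueError(f"not a V.R.M.F version: {text!r}")
    return tuple(int(part) for part in text.strip().split("."))


def triage(edition: str, version: str, ifixes: Iterable[str] = ()) -> str:
    """Return 'fixed', 'ifix-applied', 'vulnerable' or 'not-listed'."""
    level = parse_version(version)
    applied = {fix.strip().upper() for fix in ifixes}
    for name, first_affected, first_fixed in RANGES:
        if name != edition.strip().lower() or level < first_affected:
            continue
        if level >= first_fixed:
            return "fixed"
        # The interim fix has fix pack prerequisites that the bulletin
        # does not list, so this status only records that it is present.
        return "ifix-applied" if INTERIM_FIX in applied else "vulnerable"
    return "not-listed"


if __name__ == "__main__":
    # Constructed inventory rows: (host, edition, version, installed ifixes)
    inventory = [
        ("app01", "traditional", "9.0.0.9", []),
        ("app02", "traditional", "8.5.5.14", ["PH02811"]),
        ("app03", "liberty", "18.0.0.4", []),
    ]
    for host, edition, version, ifixes in inventory:
        print(host, version, triage(edition, version, ifixes))
```

Hypervisor Edition hosts use the "traditional" ranges, since the bulletin groups the two together.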
