Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBME8EEB32757FCFDA746B60EBA71D8922DF48CC00375BF0160ABE189EB75238BD7
HistoryDec 17, 2019 - 10:47 p.m.

Security Bulletin: Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-5983, CVE-2016-2923, CVE-2016-3092)

2019-12-1722:47:42
www.ibm.com
6

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON

Summary

IBM WebSphere Application Server is shipped as a component of IBM Control Center. Multiple vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2016-5983**
DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
**** CVEID: CVE-2016-2923**
DESCRIPTION:** IBM WebSphere Application Server Liberty using JAX-RS API could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-3092**
DESCRIPTION:** Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

IBM Control Center 6.1.0.0 through 6.1.0.1 iFix01
IBM Control Center 6.0.0.0 through 6.0.0.1 iFix07
IBM Sterling Control Center 5.4.2 through 5.4.2.1 iFix09

Remediation/Fixes

Product

| VRMF|Fix|How to acquire fix
—|—|—|—
IBM Control Center| 6.1.0.1| iFix02| Fix Central - 6.1.0.1
IBM Control Center| 6.0.0.1| iFix08| Fix Central - 6.0.0.1
Sterling Control Center| 5.4.2.1| iFix10| Fix Central - 5.4.2.1

Workarounds and Mitigations

None.

Related

ibm 115
cve 4
openvas 17
checkpoint_advisories 2
prion 3
nessus 18
osv 4
redhat 5
veracode 2
jvn 1
github 1
atlassian 4
debian 6
f5 2
tomcat 3
myhack58 1
fedora 3
ubuntu 1
freebsd 2
ubuntucve 1
amazon 1
mageia 1
debiancve 1
redhatcve 1
ibm
ibm
Security Bulletin: IBM Systems Director Storage Control is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983)
2018-06-18 01:34:56
Security Bulletin: IBM Flex System Manager (FSM) is affected by multiple IBM Websphere Application Server (WAS) vulnerabilities (CVE-2016-3092, CVE-2016-5986, CVE-2016-5983 )
2018-06-18 01:34:17
Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-5983)
2018-06-17 15:29:26
cve
cve
CVE-2016-5983
2016-10-05 10:59:00
CVE-2016-2923
2016-07-07 14:59:00
CVE-2016-3092
2016-07-04 22:59:00
openvas
openvas
IBM Websphere Application Server Code Execution vulnerability (Oct 2016)
2016-10-13 00:00:00
Debian Security Advisory DSA 3611-1 (libcommons-fileupload-java - security update)
2016-07-07 00:00:00
Ubuntu: Security Advisory (USN-3027-1)
2016-07-07 00:00:00
checkpoint_advisories
checkpoint_advisories
IBM WebSphere WASPostParam cookie Untrusted Java Deserialization (CVE-2016-5983)
2016-10-30 00:00:00
Apache Commons FileUpload Denial Of Service (CVE-2016-3092)
2016-07-31 00:00:00
prion
prion
Design/Logic Flaw
2016-07-07 14:59:00
Code injection
2016-10-05 10:59:00
Design/Logic Flaw
2016-07-04 22:59:00
nessus
nessus
Debian DLA-528-1 : libcommons-fileupload-java security update
2016-06-27 00:00:00
Fedora 23 : 1:tomcat (2016-0a4dccdd23)
2016-09-02 00:00:00
RHEL 6 : jboss-ec2-eap (RHSA-2016:2072)
2016-10-18 00:00:00
osv
osv
tomcat7 - security update
2016-06-26 00:00:00
libcommons-fileupload-java - security update
2016-06-26 00:00:00
High severity vulnerability that affects commons-fileupload:commons-fileupload
2018-12-21 17:47:47
redhat
redhat
(RHSA-2016:2072) Moderate: jboss-ec2-eap security and enhancement update for EAP 6.4.11
2016-10-17 18:55:44
(RHSA-2016:2068) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 6
2016-10-17 18:09:14
(RHSA-2016:2069) Moderate: Red Hat JBoss Enterprise Application Platform 6.4.11 update on RHEL 7
2016-10-17 18:09:27
veracode
veracode
Denial Of Service (DoS)
2017-04-04 03:24:03
Denial Of Service (DoS)
2019-01-15 09:13:41
jvn
jvn
JVN#89379547: Apache Commons FileUpload vulnerable to denial-of-service (DoS)
2016-06-30 00:00:00
github
github
High severity vulnerability that affects commons-fileupload:commons-fileupload
2018-12-21 17:47:47
atlassian
atlassian
Upgrade Tomcat to 8.0.36 or later
2016-07-14 14:22:05
Upgrade Tomcat to 8.0.36 or later
2016-07-14 14:22:05
Upgrade Tomcat to 8.0.36 or later
2016-07-14 14:22:05
debian
debian
[SECURITY] [DLA 529-1] tomcat7 security update
2016-06-26 18:59:17
[SECURITY] [DSA 3611-1] libcommons-fileupload-java security update
2016-06-30 08:44:01
[SECURITY] [DLA 528-1] libcommons-fileupload-java security update
2016-06-26 18:54:37
f5
f5
SOL82392041 - Apache Commons FileUpload vulnerability CVE-2016-3092
2016-07-19 00:00:00
K82392041 : Apache Commons FileUpload vulnerability CVE-2016-3092
2016-07-19 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 9.0.0.M8
2016-06-13 00:00:00
Fixed in Apache Tomcat 8.5.3 and 8.0.36
2016-06-13 00:00:00
Fixed in Apache Tomcat 7.0.70
2016-06-20 00:00:00
myhack58
myhack58
Apache Commons Fileupload 1.3.1 DOS(CVE-2016-3092)-vulnerability warning-the black bar safety net
2017-06-15 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: tomcat-8.0.36-2.fc24
2016-09-01 17:01:05
[SECURITY] Fedora 25 Update: tomcat-8.0.36-2.fc25
2016-09-01 13:43:39
[SECURITY] Fedora 23 Update: tomcat-8.0.36-2.fc23
2016-09-01 18:56:38
ubuntu
ubuntu
Tomcat vulnerability
2016-07-06 00:00:00
freebsd
freebsd
Apache Commons FileUpload -- denial of service
2016-06-21 00:00:00
Apache Commons FileUpload -- denial of service (DoS) vulnerability
2016-06-20 00:00:00
ubuntucve
ubuntucve
CVE-2016-3092
2016-06-23 00:00:00
amazon
amazon
Medium: tomcat7, tomcat8
2016-08-17 13:30:00
mageia
mageia
Updated tomcat/apache-commons-fileupload packages fix security vulnerability
2016-07-27 00:16:28
debiancve
debiancve
CVE-2016-3092
2016-07-04 22:59:00
redhatcve
redhatcve
CVE-2017-1000394
2017-11-21 11:20:50

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

JSON
Related for E8EEB32757FCFDA746B60EBA71D8922DF48CC00375BF0160ABE189EB75238BD7
ibm115cve4openvas17checkpoint_advisories2prion3nessus18osv4redhat5veracode2jvn1github1atlassian4debian6f52tomcat3myhack581fedora3ubuntu1freebsd2ubuntucve1amazon1mageia1debiancve1redhatcve1