Description
## Summary
IBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about security vulnerabilities affecting WAS has been published in security bulletins.
## Vulnerability Details
Refer to the security bulletin(s) listed in the Remediation/Fixes section.
## Affected Products and Versions
IBM Rational ClearQuest, ClearQuest CM Server component.
**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**
These vulnerabilities apply only to the CM Server component.
**Versions 7.1.x.x: Not affected.**
## Remediation/Fixes
Refer to the following security bulletins for vulnerability details and fix information for IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest.
| **Principal Product and Version(s)** | **Affected Supporting Product and Version** | **Affected Supporting Product Security Bulletin** |
|---|---|---|
| IBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x | IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0 | [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) |
| IBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x | IBM WebSphere Application Server 9.0, 8.5, 8.0 | [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) |
**ClearQuest versions 8.0.0.x, 8.0.1.x, 9.0.0.x: applying the fix**

1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script `bin/versionInfo.sh` (UNIX) or `bin\versionInfo.bat` (Windows). The output includes a section "IBM WebSphere Application Server"; make note of the version listed in that section.
2. Identify the latest available fix (per the bulletins listed above) for the version of WAS used by the CM server.
3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary.
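As an added example (not part of the IBM bulletin), the following POSIX shell script automates step 1 and the version check that step 2 implies: it pulls the WAS version out of the `Installed Product` block of `versionInfo.sh` output and compares it, as a dotted version, with a minimum fix level that the administrator takes from the linked WAS bulletin. The sample `versionInfo.sh` output is constructed, the field layout is assumed from the script's usual `Name`/`Version`/`ID` columns, and `MIN_FIX_LEVEL` is a placeholder, not a value from this bulletin.

```shell
#!/bin/sh
# Added example: parse versionInfo.sh output for the WAS version and compare it
# with a minimum fix level. Not IBM code; sample output below is constructed.

# Constructed sample of versionInfo.sh output (not captured from a real host).
# A second product block is included to show that only the WAS block is read.
SAMPLE_VERSIONINFO='Installed Product
--------------------------------------------------------------------------------
Name                  IBM HTTP Server
Version               8.5.5.2
ID                    IHS

Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server
Version               8.5.5.9
ID                    BASE
'

# Print the Version of the "IBM WebSphere Application Server" product block.
# Reads versionInfo output on stdin; the Name line switches matching on/off so
# versions of co-installed products (IHS, SDK) are ignored.
was_version() {
  awk '
    $1 == "Name" { in_was = ($0 ~ /IBM WebSphere Application Server/) }
    in_was && $1 == "Version" && NF == 2 { print $2; exit }
  '
}

# Compare two dotted versions numerically; prints -1, 0 or 1 for a<b, a=b, a>b.
# Missing trailing components count as 0, so 8.5.5 equals 8.5.5.0.
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, pa, "."); nb = split(b, pb, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? pa[i] + 0 : 0
      y = (i <= nb) ? pb[i] + 0 : 0
      if (x < y) { print -1; exit }
      if (x > y) { print 1; exit }
    }
    print 0
  }'
}

# Succeed (exit 0) when the installed version is at or above the minimum level.
was_at_fix_level() {
  inst=$1 min=$2
  [ "$(version_cmp "$inst" "$min")" -ge 0 ]
}

# On a real CM server you would run, from the profile directory:
#   bin/versionInfo.sh | was_version
# Here the constructed sample stands in for that output.
installed=$(printf '%s' "$SAMPLE_VERSIONINFO" | was_version)

# Placeholder: take the real minimum fix level from the WAS security bulletin.
MIN_FIX_LEVEL="${MIN_FIX_LEVEL:-8.5.5.0}"

if was_at_fix_level "$installed" "$MIN_FIX_LEVEL"; then
  echo "WAS $installed: at or above fix level $MIN_FIX_LEVEL"
else
  echo "WAS $installed: below fix level $MIN_FIX_LEVEL; apply the WAS fix on this host"
fi
```

Run it with `MIN_FIX_LEVEL` set to the level named in the relevant WAS bulletin; across a fleet of CM servers the same two functions can be fed the real `versionInfo.sh` output over SSH to list hosts still below the fix level.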
## Workarounds and Mitigations
None
Affected Software
Related
{"id": "EB5B40BFE11CF3025FE055F2C8D312BF5256AD62D977DC4C5DF07B8E0B5BC0A4", "vendorId": null, "type": "ibm", "bulletinFamily": "software", "title": "Security Bulletin: Security vulnerabilities have been identified in IBM WebSphere Application Server that is shipped with IBM Rational ClearQuest (CVE-2016-0360, CVE-2017-1151)", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearQuest. Information about security vulnerabilities affecting WAS have been published in security bulletins.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearQuest, ClearQuest CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\nThis vulnerability only applies to the server component.\n\n**Versions 7.1.x.x: Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS), which is shipped with IBM Rational ClearQuest. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0.| [](<https://www-01.ibm.com/support/docview.wss?uid=swg21997743>)[Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) \nIBM Rational ClearQuest, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5, 8.0.| [](<https://www-01.ibm.com/support/docview.wss?uid=swg21997743>)[Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n**ClearQuest Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x \n8.0.1.x \n9.0.0.x| \n\n 1. Determine the WAS version used by your CM server. Navigate to the CM profile directory (either the profile you specified when installing ClearQuest, or `<clearquest-home>/cqweb/cqwebprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CM server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CM server host. No ClearQuest-specific steps are necessary. 
\n \n## Workarounds and Mitigations\n\nNone\n\n## ", "published": "2020-02-04T16:40:40", "modified": "2020-02-04T16:40:40", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://www.ibm.com/support/pages/node/294367", "reporter": "IBM", "references": [], "cvelist": ["CVE-2016-0360", "CVE-2017-1151"], "immutableFields": [], "lastseen": "2023-02-21T01:39:09", "viewCount": 6, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2016-0360", "CVE-2017-1151"]}, {"type": "ibm", "idList": ["0082EF69136DDF52FD30A1AD87BA70E90CD302F865DB0A1399F55BFA017CDC49", "023421ED4D4DE1CE11FE9E522B8E3B8A8B0A15E6BE55BA553D7A8232A44DFF84", "058DDC2F33F50DAD4A23F7AD1136D68A3C420F854E4FC1399C8340811395D507", "0652F41D05CD120572DF6DD5C884CC6764A64E25C095F83A7BA314019036874F", "126537C1F8F0F30E3E1F51F743F09DF0CD7BE1FC4C806F6317B231F16161C1D7", "20A55E42E337FB65FD5A5C952D64105AF460AF02F0F9D2F936473CAA5A9FB7C7", "238C94A76C35B9E28D5EEC3382672C79D675E8074B52AC9B27881CAEDC44DA7D", "27C3A52871836133D5312CCDBC3812D323A3609FA0DC9142701333F1EA057227", 
"28D594CDC7AC4D58CD521E460CE5103A7C34B637D887E2835F3EB2025D7850CA", "36BA5A9CF6B059E5B55E9376E4E9E87769F2597E8D12EE0B8E70E1D709D9B1A2", "3E5F6D838B50632034BF7E67BCEB2D724189D53BF12F6055B9B362CCB99B9414", "4D438A3B2A5B98652ED5EFCAC7E346399FE5B15FB6EC9F7DFEA3A376D4BA2904", "4EBA50C07BC037765C73A48B2FDA84919C2AD90247E0A724ED8571079559C261", "50265EDE25BA65FCC20843B6501DB78AE1C7807F2BF5AD72A39FC8D805AF2A85", "5D232E30AB5C93919EF580AFBE6D2ECEA897D47EF039A381A71CB4D189990CFC", "6510B32415FB6056A2624FB07DE2B42CCFF5953DB4CE49F4C978EC09BA079B38", "7387456ACC07F9EBAAAF5AD5995B47629294A79264AE158FEE795E098E30CB66", "7CACEC65AE1B6A93658FC1036992E1D68660EBEBF809E8F5624C791B2264E7F9", "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "87884175ECFBA8D8BD94DBA880A65189EC36D2543381FC2CD73A1CCE91D03236", "8ED1793CA771BC0716D3207C034E4E856DBFA7BCA5969C297D05D82458D53725", "9BE435454DACB8768FC256EDFA7E257961D1A1C3EA69888A96357F49067B254C", "AA78017E77C6DE25EC48E196CEC49E926CC723505037966B91429F257DA144D2", "AA9DA667682DD6022644ED810DCC076C35747EE3DD59FA812A37A9D806EA881C", "AFCC8D64778E095307228BB2EFC0BA7EFE364EEFBCC328895796C30B8AE8C830", "B8E29C1A22B44FD5885063AA1EC199F8FACE7810C68C738CFE28848D0ECBC504", "C4E2D8C57E54799CB038AA5522DC01329EEA1DECA150D909511519365D0BBC4C", "C5589143DA30D86428255EFD2ADF121F96FF8D82C17B89DAF84BE0F7EC959B3C", "DCFBC967CAEFE6FF899B971BBA64A8091F1B74E3F469ADEA929AD9389A85883C", "EC05240EE77DDC84E58CE34E9DAA5BAA0AE07AC1B1E54421F5BD689DFB14DB26", "EF9F63F010095739C07233F9C717ADF8FF540A4F2057023CF95B9A0C3CE4240C", "FE28FDD1ABECE35D04E6C20DAF0FDDBD033B4E422F1A982B7583C25FF919F568"]}, {"type": "nessus", "idList": ["WEBSPHERE_9_0_0_4.NASL", "WEBSPHERE_MQ_SWG21983457.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811442"]}]}, "score": {"value": 1.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "cve", "idList": ["CVE-2017-1151"]}, {"type": "ibm", "idList": 
["87884175ECFBA8D8BD94DBA880A65189EC36D2543381FC2CD73A1CCE91D03236", "AA9DA667682DD6022644ED810DCC076C35747EE3DD59FA812A37A9D806EA881C"]}, {"type": "nessus", "idList": ["WEBSPHERE_MQ_SWG21983457.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310811442"]}, {"type": "symantec", "idList": ["SMNTC-111284"]}]}, "exploitation": null, "affected_software": {"major_version": [{"name": "rational clearquest", "version": 9}, {"name": "rational clearquest", "version": 9}, {"name": "rational clearquest", "version": 9}, {"name": "rational clearquest", "version": 9}, {"name": "rational clearquest", "version": 9}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational 
clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}, {"name": "rational clearquest", "version": 8}]}, "epss": [{"cve": "CVE-2016-0360", "epss": "0.004480000", "percentile": "0.710610000", "modified": "2023-03-18"}, {"cve": "CVE-2017-1151", "epss": "0.002860000", "percentile": "0.638760000", "modified": "2023-03-18"}], "vulnersScore": 1.0}, "_state": {"dependencies": 1676943753, "score": 1684013037, "affected_software_major_version": 1677355290, "epss": 1679174273}, "_internal": {"score_hash": "b803bade93e3515c77da7ba6107c2532"}, "affectedSoftware": [{"version": "9.0.0.4", "operator": "eq", "name": "rational clearquest"}, {"version": "9.0.0.3", "operator": "eq", "name": "rational clearquest"}, {"version": "9.0.0.2", "operator": "eq", "name": "rational clearquest"}, {"version": "9.0.0.1", "operator": "eq", "name": "rational clearquest"}, {"version": "9.0", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.9", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.8", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.7", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.6", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.5", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.4", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.3", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.2", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.14", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.13", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.12", "operator": "eq", "name": "rational clearquest"}, {"version": 
"8.0.1.11", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.10", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1.1", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.1", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.9", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.8", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.7", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.6", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.5", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.4", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.3", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.21", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.20", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.2", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.19", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.18", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.17", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.16", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.15", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.14", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.13", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.12", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.11", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.10", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0.0.1", "operator": "eq", "name": "rational clearquest"}, {"version": "8.0", "operator": "eq", "name": "rational clearquest"}]}
{"ibm": [{"lastseen": "2023-02-21T01:38:49", "description": "## Summary\n\nWebsphere Application Server is shipped with Predictive Customer Intelligence. Information about security vulnerabilities affecting Websphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletins [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) and [_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPredictive Customer Intelligence 1.0, 1.0.1, 1.1, 1.1.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server which is shipped with Predictive Customer Intelligence. 
\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nPredictive Customer Intelligence 1.0 and 1.0.1| Websphere Application Server 8.5.5| [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)\n\n[_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \nPredictive Customer Intelligence 1.1 and 1.1.1| Websphere Application Server 8.5.5.6| [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)\n\n[_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-02-11T21:31:00", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in Websphere Application Server shipped with Predictive Customer Intelligence (CVE-2016-0360, CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", 
"integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360", "CVE-2017-1151"], "modified": "2020-02-11T21:31:00", "id": "023421ED4D4DE1CE11FE9E522B8E3B8A8B0A15E6BE55BA553D7A8232A44DFF84", "href": "https://www.ibm.com/support/pages/node/294293", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:53", "description": "## Summary\n\nWebsphere Application Server is shipped with Tivoli Network Manager IP Edition. Information about security vulnerabilities affecting Websphere Application Server have been published in a security bulletin. \n\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\n_Product and versions :_ \nIBM Tivoli Network Manager 3.9.x \nIBM Tivoli Network Manager 4.1.1.x \nIBM Tivoli Network Manager 4.2.x\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Websphere Application Server bundled with Tivoli Network Manager IP Edition. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version** \n---|--- \nIBM Tivoli Network Manager 3.9| Bundled the TIP version 2.1.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.1.1| Bundled the TIP version 2.2.0.x which bundled IBM WebSphere version 7.0.0.x. \nIBM Tivoli Network Manager 4.2| IBM Tivoli Network Manager 4.2 requires to install IBM Websphere Application Server Version 8.5.5.5 or later version separately. Users are recommended to apply IBM WebSphere version 8.5.5.5 Security Interim Fixes.. 
\n \n * [](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)\n * [**Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)\n * [**Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)\n * [**Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Tivoli Integrated Portal (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)**](<http://www.ibm.com/support/docview.wss?uid=swg21998850>)\n * [**Multiple security vulnerabilities has been identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1121, CVE-2016-5983, CVE-2016-8919)**](<http://www.ibm.com/support/docview.wss?uid=swg21998805>)\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:37:55", "type": "ibm", "title": "Security Bulletin:Security vulnerabilities have been identified in Websphere Application Server embedded in Tivoli Integrated Portal shipped with Tivoli Network Manager IP Edition.", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "NONE", "availabilityImpact": "COMPLETE", "integrityImpact": "NONE", "baseScore": 7.8, "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": 
"NONE"}, "impactScore": 6.9, "acInsufInfo": true, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360", "CVE-2016-5983", "CVE-2016-8919", "CVE-2017-1121", "CVE-2017-1151"], "modified": "2018-06-17T15:37:55", "id": "5D232E30AB5C93919EF580AFBE6D2ECEA897D47EF039A381A71CB4D189990CFC", "href": "https://www.ibm.com/support/pages/node/295003", "cvss": {"score": 7.8, "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C"}}, {"lastseen": "2023-02-21T01:47:47", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.1.1 \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0| IBM WebSphere Application Server 7.0 \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:54", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2016-0360)", "bulletinFamily": 
"software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T12:17:54", "id": "8F79D2A58294872E907CD64EDEF102AC9A962D6A809E0F42914B355A2DC384F8", "href": "https://www.ibm.com/support/pages/node/294049", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:27", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin Potential security vulnerability in [_WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>). 
\n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 7.0.0.0 \nIBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: Potential security vulnerability with IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:12", "id": "9BE435454DACB8768FC256EDFA7E257961D1A1C3EA69888A96357F49067B254C", "href": "https://www.ibm.com/support/pages/node/294713", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:49:50", "description": "## Summary\n\nIBM 
WebSphere Application Server (WAS) is shipped as a component of IBM Tivoli Security Policy Manager (TSPM). Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin, [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nTSPM 7.0| WAS 7.0 \nTSPM 7.1| WAS 7.0 \nWAS 8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T21:51:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli Security Policy Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-16T21:51:14", "id": "87884175ECFBA8D8BD94DBA880A65189EC36D2543381FC2CD73A1CCE91D03236", 
"href": "https://www.ibm.com/support/pages/node/294889", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:56", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. \n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [_http://www-01.ibm.com/support/docview.wss?uid=swg21996748_](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:37:49", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T15:37:49", "id": "6510B32415FB6056A2624FB07DE2B42CCFF5953DB4CE49F4C978EC09BA079B38", "href": "https://www.ibm.com/support/pages/node/294801", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T17:45:50", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Cloud Orchestrator and Cloud Orchestrator Enterprise edition. 
\n \nInformation about a potential security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n \nIn addition, security vulnerability has been identified in Jazz for Service Management that is shipped with IBM Cloud Orchestrator Enterprise edition. \n \nInformation about \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. IBM Reference #: 1983457 \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| ** Supporting Product and Version** \n---|--- \nIBM Cloud Orchestrator V2.5| IBM Business Process Manager Standard V8.5.6 \nIBM Tivoli System Automation Application Manager V4.1 \nWebSphere Application Server V8.5.5 \nIBM Cloud Orchestrator V2.4 | IBM Business Process Manager Standard V8.5.5 \nIBM Tivoli System Automation Application Manager 4.1 \nWebSphere Application Server 8.5 \nIBM Cloud Orchestrator V2.3| IBM Business Process Manager Standard 8.5.0.1 \nIBM Tivoli System Automation Application Manager 4.1 \nWebSphere Application Server 8.0 \nIBM Cloud Orchestrator Enterprise V2.5, V2.4, V2.3| Jazz for Service Management 1.1.0.1 \n \n\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Cloud Orchestrator, and supporting products IBM Business Process Manager 
Standard and IBM Tivoli System Automation Application Manager. \n \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator V2.5, through V2.5.0.2| IBM Business Process Manager Standard 8.5.6 - 8.5.7 \n \nIBM Tivoli System Automation Application Manager 4.1 - 4.1.0.1 \n \nWebSphere Application Server 8.5.5| [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \nIBM Cloud Orchestrator V2.4, through V2.4.0.4| IBM Business Process Manager Standard 8.5.0.1 \n \nIBM Tivoli System Automation Application Manager 4.1 \n \nWebSphere Application Server 8.0 \n \n \nRefer to the following security bulletins for vulnerability details and information about fixes addressed by Jazz for Service Management which is additionally shipped with IBM Cloud Orchestrator Enterprise edition. 
\n \n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Cloud Orchestrator Enterprise V2.5, through V2.5.0.2| Jazz for Service Management 1.1.0.1| [Security Bulletin: Potential Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg22002464>) \nIBM Cloud Orchestrator Enterprise V2.4, through V2.4.0.4 \nIBM Cloud Orchestrator V2.3, V2.3.0.1 All editions | IBM Business Process Manager Standard 8.5.0.1 \n \nIBM Tivoli System Automation Application Manager 4.1 \n \nWebSphere Application Server 8.0 \n \nJazz for Service Management 1.1.0| Contact _IBM Support_ \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:33:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], 
"modified": "2018-06-17T22:33:31", "id": "AFCC8D64778E095307228BB2EFC0BA7EFE364EEFBCC328895796C30B8AE8C830", "href": "https://www.ibm.com/support/pages/node/609295", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:41:37", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Rational ClearCase. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Rational ClearCase, ClearCase Remote Client (CCRC) WAN server/CM Server component. \n\n**Versions 8.0.0.x, 8.0.1.x, 9.0.0.x:**\n\n \nThis vulnerability only applies to the CCRC WAN server component, and only for certain levels of WebSphere Application Server. \n**Versions 7.1.x.x : Not affected.**\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by IBM WebSphere Application Server (WAS) which is shipped with IBM Rational ClearCase. \n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nIBM Rational ClearCase, versions 8.0.0.x, 8.0.1.x, 9.0.0.x| IBM WebSphere Application Server 9.0, 8.5.5, 8.5, 8.0, and 7.0.| [](<https://www-01.ibm.com/support/docview.wss?uid=swg21997743>)[Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) \n \n\n\n**ClearCase Versions**\n\n| \n\n** Applying the fix** \n \n---|--- \n8.0.0.x, 8.0.1.x, 9.0.0.x| \n\n 1. Determine the WAS version used by your CCRC WAN server. 
Navigate to the CCRC profile directory (either the profile you specified when installing ClearCase, or `<ccase-home>/common/ccrcprofile`), then execute the script: `bin/versionInfo.sh `(UNIX) or `bin\\versionInfo.bat `(Windows). The output includes a section \"IBM WebSphere Application Server\". Make note of the version listed in this section.\n 2. Identify the latest available fix (per the bulletin listed above) for the version of WAS used for CCRC WAN server.\n 3. Apply the appropriate WebSphere Application Server fix directly to your CCRC WAN server host. No ClearCase-specific steps are necessary. \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-07-10T08:34:12", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Rational ClearCase (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-07-10T08:34:12", "id": "7CACEC65AE1B6A93658FC1036992E1D68660EBEBF809E8F5624C791B2264E7F9", "href": 
"https://www.ibm.com/support/pages/node/294115", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:44:59", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>), for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1 and V1.5.0.2| IBM WebSphere Application Server V7.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>)[](<http://www.ibm.com/support/docview.wss?uid=swg21992315>). 
Installation instructions for the fix are included in the readme file that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:28:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T22:28:40", "id": "AA78017E77C6DE25EC48E196CEC49E926CC723505037966B91429F257DA144D2", "href": "https://www.ibm.com/support/pages/node/293973", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:38:36", "description": "## Summary\n\nWebSphere MQ V9.0 libraries are shipped in IBM Integration Bus and hence IBM Integration Bus is vulnerable to IBM WebSphere MQ JMS client deserialization RCE vulnerability. 
\n \n\n\n## Vulnerability Details\n\n \n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \nPlease consult the security bulletin [IBM WebSphere MQ JMS client deserialization RCE vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=swg21983457>) for more details \n.\n\n## Affected Products and Versions\n\nIBM Integration Bus V10.0.0.0 to V10.0.0.9, and V9.0.0.0 to V9.0.0.8\n\n## Remediation/Fixes\n\n**Product**\n\n| **VRMF**| **APAR**| **Remediation/Fix** \n---|---|---|--- \nIBM Integration Bus| V10.0.0.0 to V10.0.0.9| IT21160 | The APAR is available in fix pack 10.0.0.10 \n<http://www-01.ibm.com/support/docview.wss?uid=swg24043943> \nIBM Integration Bus| V9.0.0.0 to V9.0.0.8| IT21160 | The APAR is available in fix pack 9.0.0.9 \n<http://www-01.ibm.com/support/docview.wss?uid=swg24043947> \n \n_Remediation for users of __ versions V9.0.0.7, V10.0.0.8__ and above:_ \nIf MQ JMS is used, then you are applicable to this vulnerability. To get around this vulnerability, the following steps are required \n1\\. Apply the fix for IBM Integration Bus APAR IT21160 \n2\\. 
Specify the whitelist classes as below \n \nmqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v <full qualified class names in comma separated form> \n \neg : mqsichangeproperties <INode> -e <IServer> -o ComIbmJVMManager -n jvmSystemProperty -v \\ \"-Dcom.ibm.mq.jms.allowlist=com.ibm.broker.class1,com.ibm.broker.class2,com.ibm.broker.classn\\\" \n \n_Remediation for users of versions prior to V10.0.0.8__ __and V9.0.0.7:_ \nYou will need to update MQ. Consult the security bulletin [IBM WebSphere MQ JMS client deserialization RCE vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=swg21983457>) for details. \n \n\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2020-03-23T20:41:52", "type": "ibm", "title": "Security Bulletin:IBM Integration Bus is affected by deserialization RCE vulnerability in IBM WebSphere JMS Client", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2020-03-23T20:41:52", "id": "0652F41D05CD120572DF6DD5C884CC6764A64E25C095F83A7BA314019036874F", "href": 
"https://www.ibm.com/support/pages/node/297039", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:34", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 7.0, 7.1, 7.1.1, 7.1.2, 8.5| WebSphere Application Server 7.0, 8.0, 8.5, 8.5.5,9.0| [_Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www.ibm.com/support/docview.wss?uid=swg21996748>) \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:09", "id": "7387456ACC07F9EBAAAF5AD5995B47629294A79264AE158FEE795E098E30CB66", "href": "https://www.ibm.com/support/pages/node/294019", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:51:18", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin \n[_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www.ibm.com/support/docview.wss?uid=swg21996748>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0| [_Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)_](<http://www.ibm.com/support/docview.wss?uid=swg21996748>) \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:08:58", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": 
"2018-06-16T20:08:58", "id": "50265EDE25BA65FCC20843B6501DB78AE1C7807F2BF5AD72A39FC8D805AF2A85", "href": "https://www.ibm.com/support/pages/node/294811", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:32", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of IBM Business Process Manager, WebSphere Process Server, and WebSphere Lombardi Edition. Information about a security vulnerability affecting IBM WebSphere Application Server Traditional have been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n\\- IBM Business Process Manager V7.5.0.0 through V7.5.1.2 \n\n\\- IBM Business Process Manager V8.0.0.0 through V8.0.1.3\n\n\\- IBM Business Process Manager V8.5.0.0 through V8.5.0.2\n\n\\- IBM Business Process Manager V8.5.5.0\n\n\\- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2\n\n\\- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.03\n\nNote that 8.5.7.0 Cumulative Fix 2017.03 cannot automatically install interim fixes for the base Application Server. 
It is important to follow the complete installation instructions and manually ensure that recommended security fixes are installed.\n\n \n_For__ earlier and unsupported versions of the products, IBM recommends upgrading to a fixed, supported version of the product._\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:10", "type": "ibm", "title": "Security Bulletin: A security vulnerability in WebSphere Application Server might affect IBM Business Process Manager (BPM), WebSphere Process Server (WPS) and WebSphere Lombardi Edition (WLE) (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:10", "id": "C5589143DA30D86428255EFD2ADF121F96FF8D82C17B89DAF84BE0F7EC959B3C", "href": "https://www.ibm.com/support/pages/node/294141", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:50", "description": "## Summary\n\nThere is a potential security vulnerability with the WebSphere Application Server MQ JCA Resource adapter. 
\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional: \n\n * Version 9.0 \n * Version 8.5 and Version 8.5.5\n * Version 8.0 \n * Version 7.0\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical. **After applying the Interim Fix or moving up to the fix pack level with fix, follow the ClassName allowlisting instructions in the Reference section****. **** \n** \n \n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition: ** \n** \nFor V9.0.0.0 through 9.0.0.2:** \n\u00b7 Upgrade to Fix Pack 9.0.0.1 or later and then apply Interim Fix [PI74874](<http://www-01.ibm.com/support/docview.wss?uid=swg24043423>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). 
[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.3 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) \n** \nFor V8.5.0.0 through 8.5.5.11:** \n\u00b7 Upgrade to Fix Pack Level 8.5.5.9 or later and then apply Interim Fix [PI74862](<http://www-01.ibm.com/support/docview.wss?uid=swg24043427>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.12 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) \n** \nFor V8.0.0.0 through 8.0.0.13:** \n\u00b7 Upgrade to Fix Pack 8.0.0.12 or later and then apply Interim Fix [PI74468](<http://www-01.ibm.com/support/docview.wss?uid=swg24043424>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). 
[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.14 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) \n** \nFor V7.0.0.0 through 7.0.0.41:** \n\u00b7 Upgrade to Fix Pack 7.0.0.41 and then apply Interim Fix [PI74468](<http://www-01.ibm.com/support/docview.wss?uid=swg24043424>) and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 7.0.0.43 or later and then follow instructions in reference section to apply [ClassName serialization allowlisting](<https://www.ibm.com/support/knowledgecenter/en/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>). [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)\n\n## Workarounds and Mitigations\n\nIBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. 
To ensure that messages come from recognized senders, a security mechanism, such as MQ's AMS (Advanced Message Security), can be used.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:06:53", "type": "ibm", "title": "Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:06:53", "id": "AD8E83B84BF33E4577A1D24CA6F2F237A0256DC3326C80B484D27451A6A17B82", "href": "https://www.ibm.com/support/pages/node/288853", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:56", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS has been affected by potential vulnerability \n\n## Vulnerability Details\n\nCVEID: [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** ** \n**DESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources 
which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:39:39", "type": "ibm", "title": "Security Bulletin: Potential Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, 
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-17T15:39:39", "id": "F69FE9789E75790A2606EEC4962F65D29A41EAB974BD13AE6241AFEF9E23156D", "href": "https://www.ibm.com/support/pages/node/559379", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:33", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult this Security Bulletin: \nPotential security vulnerability in WebSphere Application Server MQ JCA Resource adapter ([CVE-2016-0360](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>)) \n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Product and Versions** \n---|--- \nIBM Business Monitor V8.5.7 | WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.6| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.5| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.0.1.3| WebSphere Application Server V8.0 \nIBM Business Monitor V8.0| WebSphere Application Server V8.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server 
shipped with IBM Business Monitor (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:09", "id": "28D594CDC7AC4D58CD521E460CE5103A7C34B637D887E2835F3EB2025D7850CA", "href": "https://www.ibm.com/support/pages/node/293867", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:30", "description": "## Summary\n\nThere is a potential security vulnerability with the WebSphere Application Server MQ JCA Resource adapter. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>)** \nDESCRIPTION:** IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5.5 \n\n## Remediation/Fixes\n\nTo **patch an existing service instance** **or a new instance**, you must apply the following maintenance manually. 
Refer to the IBM WebSphere Application Server bulletin listed below: \n \n[**Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) \n\n\n## Workarounds and Mitigations\n\nIBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. To ensure that messages come from recognized senders, a security mechanism, such as MQ's AMS (Advanced Message Security), can be used.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: Potential security vulnerability in IBM WebSphere Application Server in Bluemix MQ JCA Resource adapter (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:12", "id": "44DE506953329B74EBC446F3472B7B0F72221881CBEDE9145D187CE5F0BE1B2C", "href": 
"https://www.ibm.com/support/pages/node/294977", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:54:18", "description": "## Summary\n\nA potential vulnerability exists within the JMSObjectMessage class, which IBM WebSphere MQ provides as part of its Java Message Service implementation.\n\n## Vulnerability Details\n\nJMS Object messages depend on Java Serialization for marshalling/unmarshalling of the message payload. Deserialization of untrusted data can lead to security flaws; a remote attacker could use this to execute arbitrary code with the permissions of the application that is using a JMS ObjectMessage. Applications that consume ObjectMessage type of messages can be vulnerable as they deserialize objects on ObjectMessage.getObject() calls. Applications which call toString() on a javax.jms.Message which has an underlying type of ObjectMessage can also be vulnerable, as this method performs deserialization. The MQ classes for JMS trace will call toString() on a javax.jms.Message object, and so are also vulnerable if the underlying type is an ObjectMessage. \n\n**CVEID:** [_CVE-2016-0360_](<https://vulners.com/cve/CVE-2016-0360>) \n**DESCRIPTION:** IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/111930_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/111930>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\n**_IBM MQ 9.0_**\n\nIBM MQ 9.0.0.0 only\n\n**_IBM WebSphere MQ 8.0_**\n\nIBM WebSphere MQ 8.0.0.0 through 8.0.0.5 maintenance levels\n\n**_IBM WebSphere MQ 7.5_**\n\nIBM WebSphere MQ 7.5.0.0 through 7.5.0.7 maintenance levels\n\n**_IBM WebSphere MQ 7.1_**\n\nIBM WebSphere MQ 7.1.0.0 through 7.1.0.8 maintenance levels\n\n**_IBM WebSphere MQ 7.0.1_**\n\nIBM WebSphere MQ 7.0.1.0 through 7.0.1.14 maintenance levels\n\n## Remediation/Fixes\n\n**_IBM MQ 9.0 (Long Term Support)_**\n\nApply 9.0.0.1 maintenance level when available. In the interim apply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=9.0.0.0-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n**_IBM MQ 9.0 (Continuous Delivery)_**\n\nSerialization allowlisting is available from IBM MQ 9.0.1. Upgrade to latest version of IBM MQ and follow instructions in the IBM Knowledge Center to apply [ClassName allowlisting in JMS ObjectMessage](<http://www.ibm.com/support/knowledgecenter/SSFKSJ_9.0.0/com.ibm.mq.dev.doc/q127290_.htm>).\n\n**_IBM WebSphere MQ 8.0_**\n\nApply [8.0.0.6](<http://www-01.ibm.com/support/docview.wss?uid=swg21995100>) maintenance level and follow instructions in the IBM Knowledge Center to apply [ClassName allowlisting in JMS ObjectMessage](<https://www.ibm.com/support/knowledgecenter/SSFKSJ_8.0.0/com.ibm.mq.dev.doc/q127290_.htm>).\n\n**_IBM WebSphere MQ 7.5_**\n\nApply Fixpack 7.5.0.8 when available. 
In the interim apply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=7.5.0.7-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n**_IBM WebSphere MQ 7.1_**\n\nApply Fixpack 7.1.0.9 when available. In the interim apply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=7.1.0.7-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n**_IBM WebSphere MQ 7.0.1_**\n\nApply patch for APAR [IT14385](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FWebSphere%2FWebSphere+MQ&fixids=7.0.1.14-WS-MQ-JavaVM-LAIT14385&source=dbluesearch&function=fixId&parent=ibm/WebSphere>) and follow instructions in the patch readme to apply serialization allowlisting.\n\n## Workarounds and Mitigations\n\nIBM WebSphere MQ supports Object Messages as part of the JMS specification, however ObjectMessage usage is discouraged. To mitigate this vulnerability, message types that do not contain this security flaw, such as JSON or XML, should be used. 
To ensure that messages come from recognised senders, a security mechanism, such as MQ's AMS (Advanced Message Security), can be used.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:05:39", "type": "ibm", "title": "Security Bulletin: IBM WebSphere MQ JMS client deserialization RCE vulnerability (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:05:39", "id": "AE2A68E4F8401A456362A564ED54B4CEAC0C39CE22C8CC2EE89E0E27D1E479C0", "href": "https://www.ibm.com/support/pages/node/279485", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:29", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in traditional WebSphere Application Server shipped with WebSphere Patterns. 
IBM Websphere MQ JMS client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath.\n\n## Vulnerability Details\n\nConsult the security bulletin: Security Bulletin: [Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<https://www-01.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5.5\n * Version 8.0 \n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:12", "id": 
"9AB12E3E5A1E352D1EDD0AC6C89B0F13E8D11390EC630593D74A0E54BE01423A", "href": "https://www.ibm.com/support/pages/node/294769", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:58", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:07:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Enterprise Service Bus (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2016-0360"], "modified": "2018-06-15T07:07:22", "id": "DCFBC967CAEFE6FF899B971BBA64A8091F1B74E3F469ADEA929AD9389A85883C", "href": "https://www.ibm.com/support/pages/node/557929", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-07T21:52:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>), for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Products and Versions** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.5.0.1, V1.5.0.2, V1.6, V1.6.0.1, V1.6.0.2, and V1.6.0.3| IBM WebSphere Application Server V7.0 \nIBM Intelligent City Planning and Operations V1.5, or later \nIBM Intelligent Operations Center for Emergency Management V1.6 \nIBM Intelligent Transportation V1.5.0, or later \nIBM Intelligent Water V1.5.0, or later \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www.ibm.com/support/docview.wss?uid=swg21996748>). 
Installation instructions for the fix are included in the readme file that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2022-08-19T21:04:31", "id": "4EBA50C07BC037765C73A48B2FDA84919C2AD90247E0A724ED8571079559C261", "href": "https://www.ibm.com/support/pages/node/293897", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:49:55", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset 
Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Potential security vulnerability in WebSphere Application Server MQ JCA Resource adapter (CVE-2016-0360)](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6 \nIBM Control Desk 7.6 \nMaximo for Aviation 7.6 \nMaximo for Life Sciences 7.6 \nMaximo for Transportation 7.6| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5 \nMaximo Asset Management Essentials 7.5 \nMaximo for Government 7.5 \nMaximo for Nuclear Power 7.5 \nMaximo for Transportation 7.5 \nMaximo for Life Sciences 7.5 \nMaximo for Oil and Gas 7.5 \nMaximo for Utilities 7.5 \nMaximo Adapter for Primavera 7.5 \nIBM Control Desk 7.5 \nTRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 9.0 \nIBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 8.5 Full Profile \nIBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 7.0 \nMaximo Asset Management 7.1 \nMaximo Asset Management Essentials 7.1 \nMaximo Asset Management for Energy Optimization 7.1 \nMaximo for Government 7.1 \nMaximo for Nuclear Power 7.1 \nMaximo for Transportation 7.1 \nMaximo for Life Sciences 7.1 \nMaximo for Oil and Gas 7.1 \nMaximo for Utilities 7.1 \nMaximo Adapter for Primavera 7.1| IBM WebSphere Application Server 7.0 \nTivoli Asset Management for IT 7.2 \nTivoli Service Request Manager 7.2 \nChange and 
Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \nIBM WebSphere Application Server 7.0 \n \n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2016-0360)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2022-09-22T03:02:31", "id": "0082EF69136DDF52FD30A1AD87BA70E90CD302F865DB0A1399F55BFA017CDC49", "href": "https://www.ibm.com/support/pages/node/557665", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:58", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of WebSphere Enterprise Service Bus. 
Information about the security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Privilege Escalation Vulnerability in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nWebSphere Enterprise Service Bus v7.0 and v7.5 \nWebSphere Enterprise Service Bus Registry Edition v7.0 and v7.5\n\n## ", "cvss3": {}, "published": "2018-06-15T07:07:22", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Enterprise Service Bus (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:22", "id": "3E5F6D838B50632034BF7E67BCEB2D724189D53BF12F6055B9B362CCB99B9414", "href": "https://www.ibm.com/support/pages/node/557931", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T05:54:38", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of OpenPages GRC Platform. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. 
\n\n## Vulnerability Details\n\nPlease consult the security bulletin [IBM WebSphere Application Server](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details.\n\n## Affected Products and Versions\n\n**Affected Product and Version(s)**\n\n| **Product and Version shipped as a component** \n---|--- \nOpenPages GRC Platform Standard Edition 7.3| IBM WebSphere Application Server 8.5.5.9 \nOpenPages GRC Platform Standard Edition 7.2| IBM WebSphere Application Server 8.5.5.5 \nOpenPages GRC Platform Standard Edition 7.1| IBM WebSphere Application Server 8.5.5.2 \nOpenPages GRC Platform Standard Edition 7.0| IBM WebSphere Application Server 8.5.5 \n \n## ", "cvss3": {}, "published": "2018-06-15T22:48:14", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with OpenPages GRC Platform (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T22:48:14", "id": "20A55E42E337FB65FD5A5C952D64105AF460AF02F0F9D2F936473CAA5A9FB7C7", "href": "https://www.ibm.com/support/pages/node/558041", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:56", "description": "## Summary\n\nWebSphere Application Server is shipped with IBM Tivoli System Automation Application Manager. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section.\n\n## Affected Products and Versions\n\nIBM Tivoli System Automation Application Manager 4.1.0.0 \u2013 4.1.0.1\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with IBM Tivoli System Automation Application Manager. 
\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nIBM Tivoli System Automation Application Manager 4.1| WebSphere Application Server 8.5| [_http://www-01.ibm.com/support/docview.wss?uid=swg21999293_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {}, "published": "2018-06-17T15:37:48", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T15:37:48", "id": "27C3A52871836133D5312CCDBC3812D323A3609FA0DC9142701333F1EA057227", "href": "https://www.ibm.com/support/pages/node/294799", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-02-21T01:45:00", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Integrated Information Core. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin, [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>), for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product** \n---|--- \nIBM Integrated Information Core V1.5, V1.5.0.1, and V1.5.0.2| IBM WebSphere Application Server \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T22:28:40", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Integrated Information Core (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T22:28:40", "id": "4D438A3B2A5B98652ED5EFCAC7E346399FE5B15FB6EC9F7DFEA3A376D4BA2904", "href": "https://www.ibm.com/support/pages/node/294573", "cvss": {"score": 6.8, "vector": 
"AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:31", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Business Monitor. \nInformation about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult this Security Bulletin : **Privilege Escalation Vulnerability in WebSphere Application Server** ([CVE-2017-1151](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)) \n\n## Affected Products and Versions\n\n**Principal Product and Versions**\n\n| **Affected Supporting Product and Versions** \n---|--- \nIBM Business Monitor V8.5.7| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.6| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.5.5| WebSphere Application Server V8.5.5 \nIBM Business Monitor V8.0.1.3 | WebSphere Application Server V8.0 \nIBM Business Monitor V8.0| WebSphere Application Server V8.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:10", "type": "ibm", "title": "Security Bulletin: \u00a0A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Business Monitor (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, 
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:10", "id": "FE28FDD1ABECE35D04E6C20DAF0FDDBD033B4E422F1A982B7583C25FF919F568", "href": "https://www.ibm.com/support/pages/node/294099", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:47:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM Case Manager. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Versions\n\n| Affected Supporting Product and Versions \n---|--- \nIBM Case Manager 5.2.0 \nIBM Case Manager 5.2.1 \nIBM Case Manager 5.3.0| IBM WebSphere Application Server 8.0 \nIBM WebSphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T12:17:55", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with IBM Case Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T12:17:55", "id": "238C94A76C35B9E28D5EEC3382672C79D675E8074B52AC9B27881CAEDC44DA7D", "href": "https://www.ibm.com/support/pages/node/294461", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:45:57", "description": "## Summary\n\nWebsphere Application Server (WAS) is shipped as a component of Tivoli Netcool/OMNIbus WebGUI. Information about a security vulnerability affecting WAS has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nWebGUI 8.1.0 GA and FP| Websphere Application Server 8.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:37:43", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server 
shipped with Tivoli Netcool/OMNIbus WebGUI (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-17T15:37:43", "id": "B8E29C1A22B44FD5885063AA1EC199F8FACE7810C68C738CFE28848D0ECBC504", "href": "https://www.ibm.com/support/pages/node/294545", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:28", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of IBM PureApplication System. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [_Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>). 
\n \nThe WebSphere fixes can be installed using the IBM PureApplication System\u2019s Installation Manager Repository feature.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version \n---|--- \nPureApplication System versions 2.1, and 2.2| IBM WebSphere Application Server 8.0.0.0 \nIBM WebSphere Application Server 8.5.0.0 \nIBM WebSphere Application Server 8.5.5.0 \nIBM WebSphere Application Server 9.0.0.0 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:12", "type": "ibm", "title": "Security Bulletin: Privilege escalation vulnerability with IBM WebSphere Application Server shipped with IBM PureApplication System (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:12", "id": "8ED1793CA771BC0716D3207C034E4E856DBFA7BCA5969C297D05D82458D53725", "href": "https://www.ibm.com/support/pages/node/294725", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:32", "description": "## Summary\n\nWebSphere Application Server is shipped as a 
component of IBM Business Process Manager (BPM). Information about a security vulnerability affecting IBM WebSphere Application Server Traditional has been published in a security bulletin. \n \nThe affected component is only present if optional support for OpenID Connect has been configured.\n\n## Vulnerability Details\n\nPlease consult the [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<https://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n\\- IBM Business Process Manager V8.0.0.0 through V8.0.1.3 \n\n\\- IBM Business Process Manager V8.5.0.0 through V8.5.0.2\n\n\\- IBM Business Process Manager V8.5.5.0\n\n\\- IBM Business Process Manager V8.5.6.0 through V8.5.6.0 CF2\n\n\\- IBM Business Process Manager V8.5.7.0 through V8.5.7.0 Cumulative Fix 2017.03\n\nNote that 8.5.7.0 Cumulative Fix 2017.03 cannot automatically install interim fixes for the base Application Server. 
It is important to follow the complete installation instructions and to manually ensure that recommended security fixes are installed.\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:10", "type": "ibm", "title": "Security Bulletin: A security vulnerability in WebSphere Application Server might affect IBM Business Process Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:10", "id": "C4E2D8C57E54799CB038AA5522DC01329EEA1DECA150D909511519365D0BBC4C", "href": "https://www.ibm.com/support/pages/node/294135", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:49:48", "description": "## Summary\n\nIBM WebSphere Application Server (WAS) is shipped as a component of IBM Security Identity Manager (ISIM). 
Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nPlease consult the security bulletin [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes. \n\n## Affected Products and Versions\n\n**Product Version**\n\n| **WebSphere version** \n---|--- \nISIM 6.0| WAS v7.0, v8.5, v8.5.5 \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T22:07:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in\u00a0IBM Websphere Application Server\u00a0shipped with\u00a0IBM Security Identity Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-16T22:07:11", "id": "AA9DA667682DD6022644ED810DCC076C35747EE3DD59FA812A37A9D806EA881C", "href": "https://www.ibm.com/support/pages/node/571535", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, 
{"lastseen": "2023-02-21T01:51:16", "description": "## Summary\n\nWebSphere Application Server is shipped with Financial Transaction Manager. Information about security vulnerabilities affecting WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nRefer to the security bulletin \n[_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www.ibm.com/support/docview.wss?uid=swg21999293>)\n\n## Affected Products and Versions\n\n**Principal Product and Version(s)**\n\n| **Affected Supporting Product and Version** \n---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0 \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server, which is shipped with Financial Transaction Manager. 
\n \n\n\n**Principal Product and Version(s)**| **Affected Supporting Product and Version**| **Affected Supporting Product Security Bulletin** \n---|---|--- \nFinancial Transaction Manager for MP v2.0.0.0 through 2.0.0.5| WebSphere Application Server 7.0| [_Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) \nFinancial Transaction Manager for MP v2.1.0.0 through 2.1.0.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v2.1.1.0 through 2.1.1.4| WebSphere Application Server 8.0 \nFinancial Transaction Manager for MP v3.0.0.0 through 3.0.0.6| WebSphere Application Server 8.5.5 \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-16T20:08:58", "type": "ibm", "title": "Security Bulletin: Security vulnerabilities have been identified in WebSphere Application Server shipped with Financial Transaction Manager (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-16T20:08:58", "id": 
"058DDC2F33F50DAD4A23F7AD1136D68A3C420F854E4FC1399C8340811395D507", "href": "https://www.ibm.com/support/pages/node/294819", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:29", "description": "## Summary\n\nA vulnerability has been reported in WebSphere Application Server traditional that, when the OpenID Connect (OIDC) Trust Association Interceptor (TAI) is used, allows a privilege escalation not intended by the administrator. \nThis vulnerability does not affect WebSphere Application Server Liberty. \n \nFor the latest information, refer to the following document (in English). \nSecurity Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151) \nhttp://www.ibm.com/support/docview.wss?uid=swg21999293\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1151_](<https://vulners.com/cve/CVE-2017-1151>)** \nDESCRIPTION:** IBM WebSphere Application Server configured with the OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122292_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122292>) for the current score. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of WebSphere Application Server: \nVersion 9.0 \nVersion 8.5 \nVersion 8.0 \n\n## Remediation/Fixes\n\nAs a solution, it is recommended to apply the interim fix, Fix Pack or PTF containing APAR PI74857. \n \n**Note 1:** In a cluster configuration, the interim fix must be applied to each cluster member. \n \n**Note 2:** When applying interim fix module APAR PI74857, if your version is v8.0.0.12 or earlier, or v8.5.5.9 or earlier, [PI57465](<http://www-01.ibm.com/support/docview.wss?uid=swg24042452>) must be applied together with it as a prerequisite. \n(For v8.5.5.10 or later and for v9, PI57465 is already included and does not need to be applied.) \nPI57465: OIDC: Remove session cookie after logout ENABLEMENT FIXES \n<http://www-01.ibm.com/support/docview.wss?uid=swg24042452> \n \n**WebSphere Application Server traditional and Hypervisor Edition:**\n\n**Version**| **Action** \n---|--- \nV9.0.0.0 to V9.0.0.3| \n\n * Apply interim fix module APAR [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>).\n**\\-- OR --**\n\n * Update to Fix Pack 9.0.0.4 or later.\nNote: Fix Pack 9.0.0.4 is scheduled for release on June 23, 2017 (as of 2017/03/21). \nV8.5.0.3 to V8.5.5.11| \n\n * Update to Fix Pack 8.5.5.3 or later, as required by the interim fix, and apply interim fix module APAR [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>).\n**\\-- OR --**\n\n * Update to Fix Pack 8.5.5.12 or later.\nNote: Fix Pack 8.5.5.12 is scheduled for release on August 4, 2017 (as of 2017/03/21). \nV8.0.0.10 to V8.0.0.13| \n\n * Update to Fix Pack 8.0.0.10 or later, as required by the interim fix, and apply interim fix module APAR [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>).\n**\\-- OR --**\n\n * Update to Fix Pack 8.0.0.14 or later.\nNote: Fix Pack 8.0.0.14 is scheduled for release on October 16, 2017 (as of 2017/03/21). \n \n## Workarounds and Mitigations\n\nIf the value of the global security custom property \"com.ibm.websphere.security.InvokeTAIbeforeSSO\" contains the OIDC TAI class name \"com.ibm.ws.security.oidc.client.RelyingParty\", remove that value. \n \nThis property can be changed from the administrative console: Global security > Custom properties. \nWhen InvokeTAIbeforeSSO is not enabled for the OIDC TAI class, the user login timeout becomes the LTPA token timeout value. \n \nFor details on changing custom properties, refer to the following Knowledge Center topic. \n \nDeleting existing custom properties in a global security configuration or security domain configuration \n<https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_custprop_del.html>\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:11", "type": "ibm", "title": "Security Bulletin: Privilege escalation vulnerability in traditional WebSphere Application Server (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", 
"confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:11", "id": "A0F1D691A598C5E1F797B1E1D411F088FA56A3C79C6DE77F020B5D040678C45B", "href": "https://www.ibm.com/support/pages/node/294215", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:44:50", "description": "## Summary\n\nWebsphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM), and WAS has been affected by a privilege escalation vulnerability. \n\n\n## Vulnerability Details\n\nCVEID: CVE-2017-1151 \nDESCRIPTION: IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. 
\nCVSS Base Score: 8.1 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/122292> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nJazz for Service Management version 1.1.0 - 1.1.3\n\n## Remediation/Fixes\n\nPrincipal Product and Version(s)\n\n| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nJazz for Service Management version 1.1.0 - 1.1.3| Websphere Application Server Full Profile 8.5.5| [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## Workarounds and Mitigations\n\nPlease refer to WAS iFix\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-17T15:39:39", "type": "ibm", "title": "Security Bulletin: Privilege Escalation Vulnerability identified in Websphere Application Server shipped with Jazz for Service Management (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": 
["CVE-2017-1151"], "modified": "2018-06-17T15:39:39", "id": "8CA02EF42F5013CB0697B9E5AC09B6EE56FB242D567CFCD579D0D9302A025F7F", "href": "https://www.ibm.com/support/pages/node/559369", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:36", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in WebSphere Application Server traditional when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. \n\n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1151_](<https://vulners.com/cve/CVE-2017-1151>)** \nDESCRIPTION:** IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122292_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122292>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional: \nVersion 9.0 \nVersion 8.5 \nVersion 8.0 \n\n## Remediation/Fixes\n\nThe recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI74857 for each named product as soon as practical. **NOTE: **If you are operating in a cluster, the interim fix must be applied to each cluster member. 
** \n** \n**For WebSphere Application Server traditional and WebSphere Application Server Hypervisor edition: ** \n** \nFor V9.0.0.0 through 9.0.0.3:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI74857 ](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 9.0.0.4 or later. \n** \nFor V8.5.5.3 through 8.5.5.11:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.5.5.12 or later. \n** \nFor V8.0.0.10 through 8.0.0.13:** \n\u00b7 Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI74857](<http://www-01.ibm.com/support/docview.wss?uid=swg24043444>) [](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042712>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24042513>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041604>)[](<http://www-01.ibm.com/support/docview.wss?uid=swg24041394>) \n\\--OR-- \n\u00b7 Apply Fix Pack 8.0.0.14 or later. 
\n** \n****REMINDER: **If you are operating in a cluster, the interim fix must be applied to each cluster member. \n\n## Workarounds and Mitigations\n\nChange the value for the com.ibm.websphere.security.InvokeTAIbeforeSSO custom property to not include the OIDC TAI class name: com.ibm.ws.security.oidc.client.RelyingParty. This property can be updated from the Administrative Console > Global Security > Custom Properties panel. When InvokeTAIbeforeSSO is not enabled for the OIDC TAI class, the timeout for the user login will be that of the LTPA token. \n \nFor more information about changing custom properties please refer to the knowledge center: <https://www.ibm.com/support/knowledgecenter/SSAW57_9.0.0/com.ibm.websphere.nd.multiplatform.doc/ae/tsec_custprop_del.html>\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:05", "type": "ibm", "title": "Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:05", "id": 
"73DBAAF76446700805D453AE802FCD87DBA6C6B1E9B33DE8A099FC433EBDFE3D", "href": "https://www.ibm.com/support/pages/node/292703", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:31", "description": "## Summary\n\nWebSphere Application Server is shipped with WebSphere Remote Server. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nRefer to the security bulletin(s) listed in the Remediation/Fixes section\n\n## Affected Products and Versions\n\nWebSphere Remote Server 8.5\n\n## Remediation/Fixes\n\nRefer to the following security bulletins for vulnerability details and information about fixes addressed by WebSphere Application Server which is shipped with WebSphere Remote Server. \n \n\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version| Affected Supporting Product Security Bulletin \n---|---|--- \nWebSphere Remote Server 8.5| WebSphere Application Server 8.0, 8.5, 8.5.5, 9.0| [_Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)_](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with WebSphere Remote Server (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": 
false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:11", "id": "EF9F63F010095739C07233F9C717ADF8FF540A4F2057023CF95B9A0C3CE4240C", "href": "https://www.ibm.com/support/pages/node/294403", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:52:46", "description": "## Summary\n\nIBM WebSphere Application Server is shipped with IBM Intelligent Operations Center. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin.\n\n## Vulnerability Details\n\nConsult the security bulletin [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\n**Principal Product and Versions**| **Affected Supporting Products** \n---|--- \nIBM Intelligent Operations Center V1.5, V1.5.0.1, V1.5.0.2, V1.6, V1.6.0.1, V1.6.0.2, and V1.6.0.3; IBM Intelligent City Planning and Operations V1.5, or later; IBM Intelligent Operations Center for Emergency Management V1.6; IBM Intelligent Operations for Transportation V1.5.0, or later; IBM Intelligent Operations for Water V1.5.0, or later| IBM WebSphere Application Server V8.0, V8.5, and V9.0 \n \n## Remediation/Fixes\n\nDownload the correct version of the fix from the following link: [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server 
(CVE-2017-1151)](<http://www.ibm.com/support/docview.wss?uid=swg21999293>). Installation instructions for the fix are included in the readme document that is in the fix package.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-08-19T21:04:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Intelligent Operations Center (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2022-08-19T21:04:31", "id": "EC05240EE77DDC84E58CE34E9DAA5BAA0AE07AC1B1E54421F5BD689DFB14DB26", "href": "https://www.ibm.com/support/pages/node/294161", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-06-07T21:49:50", "description": "## Summary\n\nIBM WebSphere Application Server is shipped as a component of Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for 
Utilities), Maximo Adapter for Primavera, SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, Change and Configuration Management Database, and TRIRIGA Energy Optimization. Information about a security vulnerability affecting IBM WebSphere Application Server has been published in a security bulletin. \n\n## Vulnerability Details\n\nPlease consult the security bulletin [Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes.\n\n## Affected Products and Versions\n\nPrincipal Product and Version(s)| Affected Supporting Product and Version \n---|--- \nMaximo Asset Management 7.6; IBM Control Desk 7.6; Maximo for Aviation 7.6; Maximo for Life Sciences 7.6; Maximo for Transportation 7.6| IBM WebSphere Application Server 9.0; IBM WebSphere Application Server 8.5.5 Full Profile; IBM WebSphere Application Server 8.5 Full Profile \nMaximo Asset Management 7.5; Maximo Asset Management Essentials 7.5; Maximo for Government 7.5; Maximo for Nuclear Power 7.5; Maximo for Transportation 7.5; Maximo for Life Sciences 7.5; Maximo for Oil and Gas 7.5; Maximo for Utilities 7.5; Maximo Adapter for Primavera 7.5; IBM Control Desk 7.5; TRIRIGA Energy Optimization 1.1| IBM WebSphere Application Server 9.0; IBM WebSphere Application Server 8.5.5 Full Profile; IBM WebSphere Application Server 8.5 Full Profile; IBM WebSphere Application Server 8.0 \nTivoli Asset Management for IT 7.2; Tivoli Service Request Manager 7.2; Change and Configuration Management Database 7.2| IBM WebSphere Application Server 8.5.5 Full Profile \n \n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": 
"NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-09-22T03:02:31", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server shipped with Asset and Service Management (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2022-09-22T03:02:31", "id": "36BA5A9CF6B059E5B55E9376E4E9E87769F2597E8D12EE0B8E70E1D709D9B1A2", "href": "https://www.ibm.com/support/pages/node/559055", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T01:53:39", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in traditional WebSphere Application Server shipped with WebSphere Patterns when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. \n\n## Vulnerability Details\n\nConsult the security bulletin: [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) for vulnerability details and information about fixes. 
\n\n## Affected Products and Versions\n\nThis vulnerability affects the following versions and releases of IBM WebSphere Application Server: \n\n * Version 9.0 \n * Version 8.5 \n * Version 8.0 \n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:11", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2017-1151)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2018-06-15T07:07:11", "id": "1AFAEA5C5F4B46AA3B2C5CA93EE062A1E8CE0DB25F687322C578A8B11458B9A6", "href": "https://www.ibm.com/support/pages/node/294143", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:48:29", "description": "## Summary\n\nWebSphere Application Server is shipped as a component of Rational Asset Manager. Information about security vulnerabilities affecting WebSphere Application Server is published in this security bulletin. 
\n\n## Vulnerability Details\n\nYou must refer to the following security bulletins for vulnerability details and information about fixes: \n\n\n * [Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>)\n * [Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137)](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>)\n * [Security Bulletin: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>)\n\n## Affected Products and Versions\n\n \nIBM Rational Asset Manager 7.5, 7.5.1, 7.5.2, and 7.5.3. \n\n\n## Remediation/Fixes\n\nYou must refer to the appropriate security bulletin for fix pack releases or an iFix listed in the following table and apply it. \n \n\n\nRAM| Embedded WAS?| WAS 7.0| WAS 8.0| WAS 8.5 \n---|---|---|---|--- \n7.5| Yes | See the [Security Bulletin - CVE-2017-1194](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) for fix.| N/A | N/A \n7.5.1| See the [Security Bulletin - CVE-2017-1151](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>), [Security Bulletin - CVE-2017-1137](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) and [Security Bulletin - CVE-2017-1194](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) for fix. \n7.5.2| No | N/A | See the [Security Bulletin - CVE-2017-1151](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>), [Security Bulletin - CVE-2017-1137](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) and [Security Bulletin - CVE-2017-1194](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) for fix. 
\n7.5.3 \n \n\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-17T05:21:09", "type": "ibm", "title": "Security Bulletin: A security vulnerability has been identified in WebSphere Application Server that ships with Rational Asset Manager (CVE-2017-1151, CVE-2017-1137, CVE-2017-1194)", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1137", "CVE-2017-1151", "CVE-2017-1194"], "modified": "2018-06-17T05:21:09", "id": "126537C1F8F0F30E3E1F51F743F09DF0CD7BE1FC4C806F6317B231F16161C1D7", "href": "https://www.ibm.com/support/pages/node/560521", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-02-21T05:55:52", "description": "## Summary\n\nThere is a potential privilege escalation vulnerability in traditional WebSphere Application Server when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. There is a potential for weaker than expected security with the Administrative Console in WebSphere Application Server. 
There is a potential cross-site request forgery in WebSphere Application Server OAuth service provider. \n\n## Vulnerability Details\n\n**CVEID:** [_CVE-2017-1151_](<https://vulners.com/cve/CVE-2017-1151>) \n**DESCRIPTION:** IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. \nCVSS Base Score: 8.1 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/122292_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/122292>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) \n \n**CVEID:** [_CVE-2017-1137_](<https://vulners.com/cve/CVE-2017-1137>) \n**DESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to the admin console. \nCVSS Base Score: 5.9 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/121549_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/121549>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) \n \n**CVEID:** [_CVE-2017-1194_](<https://vulners.com/cve/CVE-2017-1194>) \n**DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts. 
\nCVSS Base Score: 4.3 \nCVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/123669_](<https://exchange.xforce.ibmcloud.com/vulnerabilities/123669>) for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) \n\n## Affected Products and Versions\n\nIBM WebSphere Application Server Version 8.5.5 is affected by all of the vulnerabilities listed. \nIBM WebSphere Application Server Version 9 is only affected by CVE-2017-1151 and CVE-2017-1194. \nIBM WebSphere Application Server Liberty is only affected by CVE-2017-1194.\n\n## Remediation/Fixes\n\nTo **patch an existing service instance**, two steps are required: \n \n1\\. To update WebSphere Application Server, refer to the IBM WebSphere Application Server bulletins listed below: \n \n[**Security Bulletin: Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2017-1151)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) \n \n[**Security Bulletin: Potential security vulnerability in WebSphere Application Server Administrative Console (CVE-2017-1137)**](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) \n \n[**Security Bulletin: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)**](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) \n \n2\\. To apply the RHEL OS updates, run **yum update**. \n \nAlternatively, delete the vulnerable service instance and create a new instance. 
\n\n## ", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "REQUIRED"}, "impactScore": 5.9}, "published": "2018-06-15T07:07:36", "type": "ibm", "title": "Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix (CVE-2017-1151, CVE-2017-1137, CVE-2017-1194 )", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1137", "CVE-2017-1151", "CVE-2017-1194"], "modified": "2018-06-15T07:07:36", "id": "F4CBE0BEFD1DA8501A4EEEFE2185F79E326C343FB6859A3E2FE3486A19C907D6", "href": "https://www.ibm.com/support/pages/node/561987", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2022-07-27T22:03:06", "description": "## Question\n\nIs there a list that contains the security bulletins that apply to WebSphere Application Server and IBM HTTP Server?\n\n## Answer\n\nThe following table is provided to help you locate WebSphere Application Server and IBM HTTP Server security bulletins. These are listed numerically by CVE number not by the last one published.\n\nNote the IBM Java runtime included with WebSphere Application Server provides an execution environment for non-IBM code. 
While the table below includes all IBM Java vulnerabilities related to the WebSphere Application Server product, there might be additional IBM Java vulnerabilities which impact non-IBM code running in your WebSphere Application Server environment. For a listing of all IBM Java security bulletins, refer to [_IBM Java Security Alerts_](<https://www.ibm.com/developerworks/java/jdk/alerts/>). To determine the Java SDK version used with WebSphere Application Server, refer to [_Verify Java SDK version shipped with WebSphere Application Server_](<http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27005002>).\n\nTo avoid preventable security issues, it is recommended that you stay up-to-date on the most current maintenance options for your products. You can also subscribe to the security bulletins for each of your products as provided in this link, [_IBM Security Bulletins_](<http://www.ibm.com/security/secure-engineering/bulletins.html>).\n\nWhen significant updates have been made to security bulletins, it will be noted with the date of the last update in the bulletin columns.\n\nNote: Starting 07/16/2020, the most recent fix published will be added to the top of this list below as well as in numerical order by year.\n\n**Recent CVEs (previous 15 published from most recent to least recent)**\n\n**Name**| **CVE**| **CVSS Score**| **WebSphere Application Server Bulletin or Assessment**| **IBM HTTP Server Bulletin or Assessment**| **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2022-22477 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6603417>) | Not affected | 9.0,8.5 \n| CVE-2022-22473 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6603421>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2019-11777 | 7.5 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6602039>) | Not affected | Liberty \n| CVE-2022-22476 | 5.0 | [Identity 
Spoofing](<https://www.ibm.com/support/pages/node/6602015>) | Not affected | Liberty \n| CVE-2022-26377 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28614 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28615 | 6.5 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-29404 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-30556 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-31813 | 5.3 | Not affected | [Bypass Security](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-21496 | 5.3 | [IBM Java SDK for April 2022](<https://www.ibm.com/support/pages/node/6594523>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-21299 | 5.3 | [IBM Java SDK for April 2022](<https://www.ibm.com/support/pages/node/6594523>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-22365 | 5.6 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6587947>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22475 | 7.1 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6586734>) | Not affected | Liberty \n \n**2022 CVEs**\n\n**Name**| **CVE**| **CVSS Score**| **WebSphere Application Server Bulletin or Assessment**| **IBM HTTP Server Bulletin or Assessment**| **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2022-31813 | 5.3 | Not affected | [Bypass Security](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-30556 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-29404 | 5.3 | Not affected | [Denial of 
Service](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28615 | 6.5 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-28614 | 5.3 | Not affected | [Information Disclosure](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-26377 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6595149>) | 7.0,8.0,8.5,9.0 \n| CVE-2022-25315 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25313 | 5.5 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25236 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-25235 | 3.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6560814>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23990 | 9.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23852 | 9.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-23307 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-23305 | 6.5 | [SQL Injection](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-23302 | 8.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6557248>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2022-22827 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22826 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22825 | 7.8 | Not affected 
| [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22824 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22823 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22822 | 7.8 | Not affected | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6559296>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22721 | 7.3 | Not affected | [Buffer Overflow](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22720 | 7.3 | Not affected | [HTTP Request Smuggling](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22719 | 5.3 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6565413>) | 9.0,8.5,8.0,7.0 \n| CVE-2022-22477 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6603417>) | Not affected | 9.0,8.5 \n| CVE-2022-22476 | 5.0 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6602015>) | Not affected | Liberty \n| CVE-2022-22475 | 7.1 | [Identity Spoofing](<https://www.ibm.com/support/pages/node/6586734>) | Not affected | Liberty \n| CVE-2022-22473 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6603421>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22393 | 3.1 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6585704>) | Not affected | Liberty \n| CVE-2022-22365 | 5.6 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6587947>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2022-22310 | 4.8 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6541530>) | Not affected | Liberty \n| CVE-2022-21496 | 5.3 | [IBM Java SDK for April 2022 CPU](<https://www.ibm.com/support/pages/node/6594523>) | | 9.0,8.5,Liberty \n| CVE-2022-21340 | 5.3 | [IBM Java SDK for January 2022 
CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2022-21229 | 5.3 | [IBM Java SDK for April 2022 CPU](<https://www.ibm.com/support/pages/node/6594523>) | | 9.0,8.5,Liberty \n \n**2021 CVEs**\n\n**Name**| **CVE**| **CVSS Score**| **WebSphere Application Server Bulletin or Assessment**| **IBM HTTP Server Bulletin or Assessment**| **Versions Affected** \n---|---|---|---|---|--- \n| CVE-2021-46708 | 4.3 | [Clickjacking vulnerability](<https://www.ibm.com/support/pages/node/6569505>) | Not affected | Liberty \n| CVE-2021-46143 | 7.8 | Not affected | Remote Code Execution | 7.0,8.0,8.5,9.0 \n| CVE-2021-45960 | 5.5 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6559296>) | 7.0,8.0,8.5,9.0 \n| CVE-2021-45105 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6538148>) | Not affected | 9.0, 8.5 \n| CVE-2021-45046 | 9.0 | [Denial of Service](<https://www.ibm.com/support/pages/node/6526750>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-44832 | 6.6 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6538148>) | Not affected | 9.0, 8.5 \n| CVE-2021-44790 | 9.8 | Not affected | [Buffer overflow](<https://www.ibm.com/support/pages/node/6540288>) | 9.0 \nLog4Shell | CVE-2021-44228 | 10 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6525706>) | Not affected | 9.0, 8.5 \n| CVE-2021-44224 | 8.2 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6540288>) | 9.0 \n| CVE-2021-40438 | 9.0 | Not affected | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6493841>) | 9.0 \n| CVE-2021-39275 | 3.7 | Not affected | [Buffer overflow](<https://www.ibm.com/support/pages/node/6493845>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-39038 | 4.4 | [Clickjacking vulnerability](<https://www.ibm.com/support/pages/node/6559044>) | Not affected | 9.0, Liberty \n| 
CVE-2021-39031 | 7.5 | [LDAP Injection](<https://www.ibm.com/support/pages/node/6550488>) | Not affected | Liberty \n| CVE-2021-38951 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6524674>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-36090 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6489683>) | Not affected | Liberty \n| CVE-2021-35603 | 3.7 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2021-35578 | 5.3 | [IBM Java SDK for October 2021 CPU](<https://www.ibm.com/support/pages/node/6520468>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-35564 | 5.3 | [IBM Java SDK for October 2021 CPU](<https://www.ibm.com/support/pages/node/6520468>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-35550 | 5.9 | [IBM Java SDK for January 2022 CPU](<https://www.ibm.com/support/pages/node/6559306>) | Not affected | 9.0,8.5,Liberty \n| CVE-2021-35517 | 5.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/6489683>) | Not affected | Liberty \n| CVE-2021-34798 | 5.9 | Not affected | [Denial of service](<https://www.ibm.com/support/pages/node/6493841>) | 9.0 \n| CVE-2021-30641 | 5.3 | Not affected | [Weaker Security](<https://www.ibm.com/support/pages/node/6464029>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-29842 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6489485>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-29754 | 4.2 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6462627>) | Not affected | 9.0, 8.5, 8.0, 
7.0 \n| CVE-2021-29736 | 5.0 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6476678>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-26691 | 5.9 | Not affected | [Heap Buffer Overflow](<https://www.ibm.com/support/pages/node/6467651>) | 9.0 \n| CVE-2021-26690 | 3.7 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6467651>) | 9.0 \n| CVE-2021-26296 | 8.8 | [Cross-site request forgery](<https://www.ibm.com/support/pages/node/6441433>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2021-23450 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6558594>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-20517 | 6.4 | [Directory Traversal](<https://www.ibm.com/support/pages/node/6456955>) | Not affected | 9.0, 8.5 \n| CVE-2021-20492 | 6.5 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6456017>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2021-20480 | 4.3 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6441063>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2021-20454 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6445481>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-20453 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6445171>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2021-20354 | 5.9 | [Directory traversal](<https://www.ibm.com/support/pages/node/6415959>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2021-20353 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6413709>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2021-4104 | 8.1 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6526750>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2021-2369 | 4.3 | [IBM Java SDK for July 2021 CPU](<https://www.ibm.com/support/pages/node/6481135>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2021-2161 | 5.9 | [IBM Java SDK for April 2021 CPU](<https://www.ibm.com/support/pages/node/6454853>) | Not 
affected | 9.0, 8.5, Liberty \n \n**2020 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2020-27221 | 9.8 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14797 | 3.7 | [IBM Java SDK for October 2020 CPU](<https://www.ibm.com/support/pages/node/6379260>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14782 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14781 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14621 | 5.3 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14581 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14579 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14578 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-14577 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-13938 | 6.2 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6464029>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-11985 | 5.3 | Not affected | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6324789>) | 9.0 \n| CVE-2020-10693 | 5.3 | [Bypass security](<https://www.ibm.com/support/pages/node/6348216>) | Not affected | Liberty \n| CVE-2020-5258 | 7.5 | [Information 
Disclosure](<https://www.ibm.com/support/pages/node/6443101>) | Not affected | 9.0, 8.5, 8.0, Liberty \n| CVE-2020-5016 | 5.3 | [Directory traversal](<https://www.ibm.com/support/pages/node/6427873>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4949 | 8.2 | [XXE vulnerability](<https://www.ibm.com/support/pages/node/6408244>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4782 | 6.5 | [Directory Traversal](<https://www.ibm.com/support/pages/node/6356083>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4643 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6334311>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4629 | 2.9 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6339255>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4590 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/6333623>) | Not affected | Liberty \n| CVE-2020-4589 | 8.1 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6258333>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4578 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6328895>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4576 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6339807>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2020-4575 | 4.7 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6323293>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2020-4534 | 7.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6255074>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4464 | 8.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6250059>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4450 | 9.8 | [Remote Code Execution](<https://www.ibm.com/support/pages/node/6220294>) | Not affected | 9.0,8.5 \n| CVE-2020-4449 | 7.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6220296>) | Not affected | 9.0, 8.5, 8.0,7.0 \n| CVE-2020-4448 | 9.8 | 
[Remote Code Execution](<https://www.ibm.com/support/pages/node/6220336>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2020-4421 | 5.0 | [Identity spoofing](<https://www.ibm.com/support/pages/node/6205926>) | Not affected | Liberty \n| CVE-2020-4365 | 5.3 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6209099>) | Not affected | 8.5 \n| CVE-2020-4362 | 7.5 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6174417>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4329 | 4.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6201862>) | Not affected | 9.0,8.5,8.0,7.0,Liberty \n| CVE-2020-4304 | 6.1 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6147195>) | Not affected | Liberty \n| CVE-2020-4303 | 6.1 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/6147195>) | Not affected | Liberty \n| CVE-2020-4276 | 7.5 | [Privilege Escalation](<https://www.ibm.com/support/pages/node/6118222>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-4163 | 6.6 | [Command Execution](<https://www.ibm.com/support/pages/node/1288786>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2020-2800 | 4.8 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2781 | 5.3 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2773 | 3.7 | [IBM Java SDK for January 2021 CPU](<https://www.ibm.com/support/pages/node/6415639>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2755 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2754 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2654 | 3.7 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 
9.0,8.5,Liberty \n| CVE-2020-2601 | 6.8 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2593 | 4.8 | [IBM Java SDK for January 2020 CPU](<https://www.ibm.com/support/pages/node/1289194>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-2590 | 3.7 | [IBM Java SDK for July 2020 CPU](<https://www.ibm.com/support/pages/node/6256732>) | Not affected | 9.0,8.5,Liberty \n| CVE-2020-1934 | 8.1 | Not affected | [Denial of Service](<https://www.ibm.com/support/pages/node/6191631>) | 9.0,8.5,8.0,7.0 \n| CVE-2020-1927 | 7.4 | Not affected | [Phishing attack](<https://www.ibm.com/support/pages/node/6191631>) | 9.0,8.5,8.0,7.0 \n \n**2019 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2019-17573 | 6.1 | [Cross-site Scripting](<https://www.ibm.com/support/pages/node/6100132>) | Not affected | Liberty \n| CVE-2019-17566 | 7.5 | [Server-side request forgery](<https://www.ibm.com/support/pages/node/6322683>) | Not affected | 9.0,8.5,8.0 \n| CVE-2019-17495 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/1274596>) | Not affected | Liberty \n| CVE-2019-12402 | 4.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/1074156>) | Not affected | Liberty \n| CVE-2019-12406 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/1288774>) | Not affected | 9.0,Liberty \n| CVE-2019-11777 | 7.5 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6602039>) | Not affected | Liberty \n| CVE-2019-10098 | 3.7 | Not affected | [Phishing attack](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-10092 | 4.7 | Not affected | [Cross-site scripting](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-10086 | 
5.3 | [Unauthorized Access](<https://www.ibm.com/support/pages/node/1115085>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-9518 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9517 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9515 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9514 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9513 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-9512 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1072860>) | Not affected | Liberty \n| CVE-2019-4732 | 7.2 | [IBM Java SDK for January 2020 CPU](<https://www.ibm.com/support/pages/node/1289194>) | Not affected | 9.0,8.5,Liberty \n| CVE-2019-4720 | 7.5 | [Denial of Service](<https://www.ibm.com/support/pages/node/1285372>) | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty \n| CVE-2019-4670 | 6.5 | [Information Disclosure](<https://www.ibm.com/support/pages/node/1289152>) | Not affected | 9.0,8.5,8.0,7.0 \n| CVE-2019-4663 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/1127367>) | Not affected | Liberty \n| CVE-2019-4505 | 3.7 | [Information Disclosure](<https://www.ibm.com/support/pages/node/964766>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4477 | 5.3 | [Information Disclosure](<https://www.ibm.com/support/pages/node/960290>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4442 | 4.3 | [Path Traversal](<https://www.ibm.com/support/pages/node/959021>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4441 | 5.3 | [Information disclosure](<https://www.ibm.com/support/pages/node/959023>) | Not affected | 9.0, 8.5, 8.0, 7.0 Liberty \n| CVE-2019-4305 | 5.3 | [Information 
disclosure](<https://www.ibm.com/support/pages/node/960171>) | Not affected | Liberty \n| CVE-2019-4304 | 6.3 | [Bypass security](<https://www.ibm.com/support/pages/node/960171>) | Not affected | Liberty \n| CVE-2019-4285 | 5.4 | [Clickjacking vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10884064>) | Not affected | Liberty \n| CVE-2019-4279 | 9.0 | [Remote Code Execution](<https://www-01.ibm.com/support/docview.wss?uid=ibm10883628>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4271 | 3.5 | [HTTP Parameter Pollution](<https://www.ibm.com/support/pages/node/884040>) | Not affected | 9.0, 8.5, 7.0Virtual Enterprise \n| CVE-2019-4270 | 5.4 | [Cross-site scripting](<https://www.ibm.com/support/pages/node/884036>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4269 | 5.3 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10884032>) | Not affected | 9.0 \n| CVE-2019-4268 | 5.3 | [Path Traversal](<https://www.ibm.com/support/pages/node/884030>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4080 | 6.5 | [Denial of Service](<https://www-01.ibm.com/support/docview.wss?uid=ibm10875692>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-4046 | 5.9 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869570>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2019-4030 | 5.4 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869406>) | Not affected | 9.0, 8.5, 8.0VE, 7.0VE \n| CVE-2019-2989 | 6.8 | [IBM Java SDK for October 2019 CPU](<https://www.ibm.com/support/pages/node/1126887>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2019-2949 | 6.8 | [IBM Java SDK for April 2020 CPU](<https://www.ibm.com/support/pages/node/6206850>) | Not affected | 9.0,8.5,Liberty \n| CVE-2019-2426 | 3.7 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2019-0220 | 5.3 | Not affected | [Weaker 
Security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10880413>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2019-0211 | 8.2 | Not affected | [Privilege Escalation](<https://www-01.ibm.com/support/docview.wss?uid=ibm10880413>) | 9.0 \n \n**2018 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| N/A | 8.1 | [Remote code execution in JSF](<http://www-01.ibm.com/support/docview.wss?uid=ibm10716525>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2018-25031 | 5.4 | [Spoofing vulnerability](<https://www.ibm.com/support/pages/node/6569505>) | Not affected | Liberty \n| CVE-2018-20843 | 3.3 | Not affected | [Denial of service](<https://www.ibm.com/support/pages/node/964768>) | 9.0, 8.5, 8.0, 9.0 \n| CVE-2018-17199 | 5.3 | Not affected | [Bypass security ](<http://www-01.ibm.com/support/docview.wss?uid=ibm10869064>) | 9.0 \n| CVE-2018-12547 | 9.8 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-12539 | 8.4 | [IBM Java SDK for July 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729349>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-10237 | 7.5 | \n\n[Denial of service](<https://www-01.ibm.com/support/docview.wss?uid=ibm10795696>)\n\n| Not affected | 9.0, 8.5, Liberty \n| CVE-2018-8039 | 7.5 | [Man-in-the-Middle](<https://www-01.ibm.com/support/docview.wss?uid=ibm10720065>) | Not affected | 9.0 Liberty \n| CVE-2018-3180 | 5.6 | [IBM Java SDK for October 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729607>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-3139 | 3.1 | [IBM Java SDK for October 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729607>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2800 | 4.2 | [IBM Java SDK for 
April 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22016282>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2783 | 7.4 | [IBM Java SDK for April 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22016282>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2637 | 7.4 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2634 | 6.8 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2633 | 8.3 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2603 | 5.3 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2602 | 4.5 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-2579 | 3.7 | [IBM Java SDK for January 2018 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22013818>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1996 | 5.3 | [Weaker Security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10793421>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1957 | 4.0 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10744247>) | Not affected | 9.0 \n| CVE-2018-1926 | 4.3 | [Cross-site Request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=ibm10742301>) | Not affected | 9.0, 8.5 \n| CVE-2018-1905 | 7.1 | [XXE vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738721>) | Not affected | 9.0 \n| CVE-2018-1904 | 8.1 | [Remote Code execution](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738735>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| 
CVE-2018-1902 | 3.1 | [Spoofing Vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10795115>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1901 | 5.0 | [Privilege Escalation](<http://www-01.ibm.com/support/docview.wss?uid=ibm10738727>) | Not affected | 9.0, 8.5, Liberty \n| CVE-2018-1890 | 5.6 | [IBM Java SDK for January 2019 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10873042>) | Not affected | 9.0, 8.5, Library \n| CVE-2018-1851 | 7.3 | [Code execution](<https://www-01.ibm.com/support/docview.wss?uid=ibm10735105>) | Not affected | Liberty \n| CVE-2018-1840 | 6.0 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=ibm10735767>) | Not affected | \n\n9.0, 8.5 \n \n| CVE-2018-1798 | 6.1 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=ibm10730703>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1797 | 6.3 | [Directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=ibm10730699>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1794 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729571>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1793 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729563>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1777 | 5.4 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10730631>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1770 | 6.5 | [Directory traversal](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729521>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1767 | 6.1 | [Cross-site scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729547>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1755 | 5.9 | [Information Disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10728689>) | Not affected | Liberty \n| CVE-2018-1719 | 5.9 | [Weaker 
security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10718837>) | Not affected | 9.0, 8.5 \n| CVE-2018-1695 | 7.3 | [Spoofing vulnerability](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716523>) | Not affected | 8.5, 8.0, 7.0 \n| CVE-2018-1683 | 5.9 | [Information disclosure](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716533>) | Not affected | Liberty \n| CVE-2018-1656 | 7.4 | [IBM Java SDK for July 2018 CPU](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729349>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2018-1643 | 6.1 | [Cross-site Scripting](<https://www-01.ibm.com/support/docview.wss?uid=ibm10716857>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2018-1626 | 4.3 | [Cross-site Request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=ibm10742301>) | Not affected | 9.0, 8.5 \n| CVE-2018-1621 | 4.4 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016821>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1614 | 5.8 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016887>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1567 | 9.8 | [Code execution](<https://www-01.ibm.com/support/docview.wss?uid=swg22016254>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1553 | 5.3 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22016218>) | Not affected | Liberty \n| CVE-2018-1447 | 5.1 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1427 | 6.2 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2018-1426 | 7.4 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \nROBOT | CVE-2018-1388 | 9.1 | Not affected | [Information 
Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22014196>) | 7.0 \n| CVE-2018-1301 | 5.3 | Not affected | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n \n**2017 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2017-15715 | 3.7 | Not affected | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-15710 | 5.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22015344>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-12624 | 5.3 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22013597>) | Not affected | 9.0, Liberty \n| CVE-2017-12618 | 5.5 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22009782>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-12613 | 9.1 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22013598>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-10388 | 7.5 | [IBM Java SDK for October 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22010560>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10356 | 6.2 | [IBM Java SDK for October 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22010560>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10116 | 8.3 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10115 | 7.5 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-10102 | 9.0 | [IBM Java SDK for July 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22007002>) | Not affected | 9.0, 
8.5, 8.0, 7.0, Liberty \n| CVE-2017-9798 | 7.5 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22009782>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-7679 | 5.3 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-7668 | 5.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-5638 | 7.3 | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg22000122>) | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg22000122>) | \n| CVE-2017-3736 | 5.9 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-3732 | 5.3 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-3511 | 7.7 | [IBM Java SDK for April 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg22003016>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-3167 | 5.3 | Not affected | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg22005280>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1788 | 5.3 | [Spoofing](<http://www-01.ibm.com/support/docview.wss?uid=swg22012341>) | Not affected | 9.0, Liberty \n| CVE-2017-1743 | 4.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22013601>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1741 | 4.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22012342>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1731 | 8.8 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg22012345>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1681 | 4.0 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22010419>) | Not affected | 9.0, 8.5, 8.0, 
7.0, Liberty \n| CVE-2017-1583 | 5.3 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22008707>) | Not affected | 8.5, 8.0, Liberty \n| CVE-2017-1504 | 5.3 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22006803>) | Not affected | 9.0 \n| CVE-2017-1503 | 6.1 | [HTTP response splitting](<http://www-01.ibm.com/support/docview.wss?uid=swg22006815>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1501 | 5.9 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg22006810>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2017-1382 | 5.1 | [Insecure file permissions](<http://www-01.ibm.com/support/docview.wss?uid=swg22004785>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1381 | 2.9 | [Information disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg22004792>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1380 | 5.4 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg22004786>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2017-1194 | 4.3 | [Cross-site request forgery](<http://www-01.ibm.com/support/docview.wss?uid=swg22001226>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2017-1151 | 8.1 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21999293>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2017-1137 | 5.9 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21998469>) | Not affected | 8.5, 8.0 \n| CVE-2017-1121 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21997743>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n \n**2016 CVEs**\n\n**Name **\n\n| \n\n**CVE**\n\n| \n\n**CVSS Score**\n\n| \n\n**WebSphere Application Server Bulletin or Assessment**\n\n| \n\n**IBM HTTP Server Bulletin or Assessment**\n\n| \n\n**Versions Affected** \n \n---|---|---|---|---|--- \n| CVE-2016-1000031 | 9.8 | [Execute Code](<http://www-01.ibm.com/support/docview.wss?uid=swg22011428>) | Not affected | 9.0, 8.5, 8.0, 
Liberty \n| CVE-2016-9736 | 3.7 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21991469>) | Not affected | 9.0, 8.5, 8.0 \n| CVE-2016-8934 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21992315>) | Not affected | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-8919 | 5.9 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21993797>) | Not affected | 9.0,8.5, 8.0, 7.0 \n| CVE-2016-8743 | 6.1 | Not affected | [Response splitting attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21996847>) | 9.0,8.5, 8.0, 7.0 \n| CVE-2016-7056 | 4.0 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-5986 | 3.7 | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21990056>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5983 | 7.5 | [Gain Privileges](<http://www-01.ibm.com/support/docview.wss?uid=swg21990060>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5597 | 5.9 | [IBM Java SDK for October 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5573 | 8.3 | [IBM Java SDK for October 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21993440>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5549 | 6.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5548 | 6.5 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5547 | 5.3 | [IBM Java SDK for January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-5546 | 7.5 | [IBM Java SDK for January 2017 
CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \nHTTPOXY | CVE-2016-5387 | 8.1 | Not affected | [Redirect HTTP traffic](<http://www-01.ibm.com/support/docview.wss?uid=swg21988019>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-4975 | 6.1 | Not affected | Superseded by CVE-2016-8743 | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-4472 | 5.3 | Not affected | [Denial of Service with Expat](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0 \n| CVE-2016-3485 | 2.9 | [IBM Java SDK for July 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21988339>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3427 | 10 | [IBM Java SDK for April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3426 | 4.3 | [IBM Java SDK for April 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21982223>) | Not affected | 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3092 | 5.3 | [Apache Commons FileUpload Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21987864>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-3042 | 5.4 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21986716>) | Not affected | Liberty \n| CVE-2016-3040 | 6.3 | [Open Redirect Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21986715>) | Not affected | Liberty \n| CVE-2016-2960 | 3.7 | [Denial of Service with SIP Services](<http://www-01.ibm.com/support/docview.wss?uid=swg21984796>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty \n| CVE-2016-2945 | 5.0 | [Weaker security in Liberty API discovery feature](<http://www-01.ibm.com/support/docview.wss?uid=swg21984502>) | Not affected | Liberty \n| CVE-2016-2923 | 5.3 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21983700>) | Not affected | Liberty \nSWEET32 | CVE-2016-2183 | 3.7 | [IBM Java SDK for 
January 2017 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21998379>) | [IBM HTTP Server and Sweet32](<http://www-01.ibm.com/support/docview.wss?uid=swg21991548>) (21 Dec 2017) | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-1182 | 4.8 | [Bypass Security Restrictions](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-1182 | 4.8 | [Bypass Security Restrictions UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-1181 | 8.1 | [Execute Code](<http://www-01.ibm.com/support/docview.wss?uid=swg21985995>) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-1181 | 8.1 | [Execute Code UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0
DROWN | CVE-2016-0800 | | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21978292>) | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21978317>) |
| CVE-2016-0718 | 9.8 | Not affected | [Denial of Service with Expat](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) (13 Sept 2016) | 9.0, 8.5, 8.0, 7.0
| CVE-2016-0702 | 2.9 | Not affected | [Vulnerability in GSKit Component](<http://www-01.ibm.com/support/docview.wss?uid=swg22015347>) | 9.0, 8.5, 8.0
| CVE-2016-0488 | 4.0 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0475 | 5.8 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0466 | 5.0 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0389 | 5.3 | [Information Disclosure Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21982012>) | Not affected | Liberty
| CVE-2016-0385 | 3.1 | [Bypass security restrictions](<http://www-01.ibm.com/support/docview.wss?uid=swg21982588>) | Not affected | 9.0, 8.5, 8.0, 7.0, Liberty
| CVE-2016-0378 | 3.7 | [Information Disclosure Vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21981529>) | Not affected | Liberty
| CVE-2016-0377 | 4.3 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21980645>) | Not affected | 8.5, 8.0, 7.0
| CVE-2016-0360 | 8.1 | [Deserialize objects with MQ Resource adapter](<http://www-01.ibm.com/support/docview.wss?uid=swg21996748>) (14 Mar 2017) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2016-0359 | 6.1 | [HTTP Response Splitting](<http://www-01.ibm.com/support/docview.wss?uid=swg21982526>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0306 | 3.7 | [Security vulnerability if FIPS 140-2 is enabled](<http://www-01.ibm.com/support/docview.wss?uid=swg21979231>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2016-0283 | 6.1 | [Cross-site scripting vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21978293>) | Not affected | Liberty
| CVE-2016-0201 | 5.9 | Not affected | [Vulnerability in GSKit component](<http://www-01.ibm.com/support/docview.wss?uid=swg21974507>) | 8.5, 8.0, 7.0

**2015 CVEs**

**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected**
---|---|---|---|---|---
SLOTH | CVE-2015-7575 | 7.1 | [IBM Java SDK for January 2016 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21975424>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-7450 | 9.8 | [Vulnerability in Apache Commons affects IBM WebSphere Application Server](<https://www-01.ibm.com/support/docview.wss?uid=swg21970575>) (21 Dec 2017); [Knowledge Center updates](<https://www.ibm.com/support/pages/node/1107105>) (14 Nov 2019) | Not affected | 8.5, 8.0, 7.0, Liberty; 9.0
| CVE-2015-7420 | 3.7 | Not affected | [Vulnerability in GSKit component](<http://www-01.ibm.com/support/docview.wss?uid=swg21974507>) | 8.5, 8.0, 7.0
| CVE-2015-7417 | 5.4 | [Cross-site scripting with OAuth](<http://www-01.ibm.com/support/docview.wss?uid=swg21974520>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-5262 | 5.3 | [Denial of Service](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0
| CVE-2015-5006 | 4.6 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-4947 | 7.5 | Not affected | [Stack buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21965419>) | 8.5, 8.0, 7.0, 6.1
| CVE-2015-4938 | 3.5 | [Spoof servlet vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21963275>) | | 8.5, 8.0, 7.0, Liberty
| CVE-2015-4872 | 5.0 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-4749 | 4.3 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-4734 | 5.0 | [IBM Java SDK for October 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21969620>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
Logjam | CVE-2015-4000 | 4.3 | [Logjam with Diffie-Hellman ciphers](<http://www-01.ibm.com/support/docview.wss?uid=swg21957980>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-3183 | 6.1 | Not affected | [HTTP Request smuggling](<http://www-01.ibm.com/support/docview.wss?uid=swg21963361>) | 8.5, 8.0, 7.0, 6.1
Bar Mitzvah | CVE-2015-2808 | 5.0 | [Vulnerability in RC4 stream cipher affects WebSphere Application Server](<https://www-01.ibm.com/support/docview.wss?uid=swg21701503>) | [Vulnerability in RC4 stream cipher affects IBM HTTP Server and Caching Proxy](<https://www-01.ibm.com/support/docview.wss?uid=swg21701072>) | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2625 | 2.6 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2613 | 5.0 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2601 | 5.0 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-2017 | 5.0 | [HTTP response splitting attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21966837>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-1946 | 4.1 | [Gain elevated privileges](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0
| CVE-2015-1936 | 4.0 | [Hijack users session vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0
| CVE-2015-1932 | 5.0 | [Information Disclosure vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21963275>) | Not affected | 8.5, 8.0, 7.0
| CVE-2015-1931 | 2.1 | [IBM Java SDK for July 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21962931>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-1927 | 6.8 | [Gain elevated privileges vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-1920 | 9.3 | [Security vulnerability with management port in WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21883573>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-1916 | 5.0 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-1885 | 9.3 | [Gain elevated privileges with OAuth grant password](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2015-1882 | 8.5 | [Gain elevated privileges with EJB](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | Liberty
| CVE-2015-1829 | 5.0 | Not affected | [Denial of Service on Windows with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21959081>) | 8.5, 8.0, 7.0, 6.1
| CVE-2015-1788 | 5.0 | Not affected | [Denial of Service in GSKIT with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21963362>) | 8.5, 8.0
| CVE-2015-1283 | 6.8 | Not affected | [Denial of Service with IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21964428>) | 8.5, 8.0, 7.0, 6.1
| CVE-2015-0899 | 4.3 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg22015348>) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2015-0488 | 5.0 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0478 | 4.3 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0410 | 5.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-0400 | 5.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2015-0254 | 7.5 | [Security vulnerability in Apache Standard Taglibs](<http://www-01.ibm.com/support/docview.wss?uid=swg21978495>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0250 | 4.3 | [Security vulnerability in Apache Batik](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5, 8.0, 7.0, 6.1
Ghost | CVE-2015-0235 | | Not affected | Not affected |
| CVE-2015-0226 | 5.0 | [Security vulnerability in Apache WSS4J](<http://www-01.ibm.com/support/docview.wss?uid=swg21959083>) | Not affected | 8.5
| CVE-2015-0204 | 4.3 | [IBM Java SDK for April 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21902260>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2015-0174 | 3.5 | [Information disclosure with SNMP](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | 8.5
| CVE-2015-0175 | 4.0 | [Gain elevated privileges with authData elements](<http://www-01.ibm.com/support/docview.wss?uid=swg21697368>) | Not affected | Liberty
FREAK | CVE-2015-0138 | 4.3 | [Vulnerability with RSA export Keys affects WebSphere Application Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21698613>) | [Vulnerability with RSA export keys affects IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21698959>) | 8.5, 8.0, 7.0, 6.1, Liberty

**2014 CVEs**

**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected**
---|---|---|---|---|---
| CVE-2014-8917 | 4.3 | [Cross-site Scripting in Dojo Toolkit](<http://www-01.ibm.com/support/docview.wss?uid=swg21697284>) | Not affected | 8.5, 8.0
| CVE-2014-8890 | 5.1 | [Elevated Privileges in Liberty](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | Liberty
TLS Padding | CVE-2014-8730 | 4.3 | [Not affected bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21692484>) | [TLS Padding in IBM HTTP Server](<http://www-01.ibm.com/support/docview.wss?uid=swg21692502>) | 8.5, 8.0, 7.0, 6.1
| CVE-2014-7810 | 5.0 | [Bypass security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729557>) | [Bypass security](<https://www-01.ibm.com/support/docview.wss?uid=ibm10729557>) | 9.0, 8.5, 8.0, 7.0, Liberty
Shellshock | CVE-2014-7189, CVE-2014-7186, CVE-2014-7169, CVE-2014-6278, CVE-2014-6277, CVE-2014-6271 | | [Bash Vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21685433>) (not affected, but applications could be) | [Bash Vulnerabilities](<http://www-01.ibm.com/support/docview.wss?uid=swg21685433>) (not affected, but applications could be) | Customer application might be vulnerable
| CVE-2014-6593 | 4.0 | [IBM Java SDK for January 2015 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21695362>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6558 | 2.6 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6512 | 4.3 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6457 | 4.0 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-6174 | 4.3 | [Clickjacking vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0, 7.0
| CVE-2014-6167 | | [Cross-site scripting](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2014-6166 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0
| CVE-2014-6164 | 4.3 | [Spoofing vulnerability](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5
| CVE-2014-4816 | 3.5 | Not affected | [Cross-site scripting vulnerability](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-4770 | 3.5 | Not affected | [Cross-site request forgery](<https://www-304.ibm.com/support/docview.wss?uid=swg21682767>) | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-4767 | 4.3 | [Weaker than expected security](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | Liberty
| CVE-2014-4764 | 7.1 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0
| CVE-2014-4263 | 4.0 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-4244 | 4.0 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-3603 | 6.5 | [Spoofing](<https://www.ibm.com/support/pages/node/964764>) | Not affected | Liberty
| CVE-2014-3577 | 4.3 | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0
POODLE | CVE-2014-3566 | 4.3 | [IBM Java SDK for October 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21687740>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-3083 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2014-3070 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21676222>) | Not affected | 8.5, 8.0
| CVE-2014-3068 | 2.4 | [IBM Java SDK for July 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21680418>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-3022 | 5.0 | [Bypass security](<https://www-304.ibm.com/support/docview.wss?uid=swg21676222>) | Not affected | 8.5, 8.0
| CVE-2014-3021 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21690185>) | Not affected | 8.5, 8.0, 7.0
| CVE-2014-0965 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | Not affected | 8.5, 8.0, 7.0
| CVE-2014-0964 | 7.1 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 6.1
| CVE-2014-0963 | 7.1 | Not affected | [CPU exhaustion](<https://www-304.ibm.com/support/docview.wss?uid=swg21672843>) | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-0896 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | Liberty
| CVE-2014-0891 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0
| CVE-2014-0878 | 5.8 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0859 | 5.0 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2014-0857 | 4.0 | [Obtain Information](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 8.5, 8.0
| CVE-2014-0823 | 4.3 | [View Files](<http://www-01.ibm.com/support/docview.wss?uid=swg21671835>) | Not affected | 8.5, 8.0, Liberty
| CVE-2014-0460 | 5.8 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0453 | 4.0 | [IBM Java SDK for April 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21673013>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0411 | 4.0 | [IBM Java SDK for January 2014 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21663938>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0231 | 5.0 | Not affected | [Denial of Service](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-0226 | 7.5 | Not affected | [Heap buffer overflow](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0
Heartbleed | CVE-2014-0160 | | [Not affected Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21669774>) | [Not affected Bulletin](<http://www-01.ibm.com/support/docview.wss?uid=swg21669774>) |
| CVE-2014-0118 | 5.0 | Not affected | [Denial of Service](<https://www-304.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1, 6.0
| CVE-2014-0114 | 7.5 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21672316>) | Not affected | 7.0, 6.1
| CVE-2014-0114 | 7.5 | [Execute code UDDI](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) (21 June 2018) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2014-0098 | 5.0 | Not affected | [Denial of service](<https://www-304.ibm.com/support/docview.wss?uid=swg21667526>) | 8.5, 8.0, 7.0, 6.1
| CVE-2014-0076 | 2.1 | Not affected | [Information Disclosure](<http://www-01.ibm.com/support/docview.wss?uid=swg21681249>) | 8.5, 8.0
| CVE-2014-0050 | 5.0 | [Denial of service](<http://www-01.ibm.com/support/docview.wss?uid=swg21667254>) | Not affected | 8.5, 8.0, 7.0, 6.1

**2013 CVEs**

**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected**
---|---|---|---|---|---
| CVE-2013-6747 | 7.1 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | 8.5, 8.0, 7.0
| CVE-2013-6738 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2013-6725 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 8.5, 8.0, 7.0
| CVE-2013-6440 | 4.3 | [XML External Entity](<http://www-01.ibm.com/support/docview.wss?uid=swg22010415>) | Not affected | Liberty
| CVE-2013-6438 | 4.3 | Not affected | [Buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | 8.5, 8.0, 7.0
| CVE-2013-6330 | 2.1 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 7.0
| CVE-2013-6329 | 7.8 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21659548>) | 8.5, 8.0, 7.0, 6.1
| CVE-2013-6325 | 4.3 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21661323>) | Not affected | 8.5, 8.0, 7.0
| CVE-2013-6323 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21669554>) | Not affected | 8.5, 8.0, 7.0
| CVE-2013-5802 | 2.6 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-5780 | 4.3 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-5704 | 5.0 | Not affected | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21672428>) | 8.5, 8.0, 7.0, 6.1
| CVE-2013-5425 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5
| CVE-2013-5418 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0
| CVE-2013-5417 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2013-5414 | 3.5 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0, 7.0
| CVE-2013-5372 | 4.3 | [IBM Java SDK for Oct 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21655990>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4053 | 6.8 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4052 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4039 | 4.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21647485>) | Not affected | 8.5
| CVE-2013-4006 | 3.5 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | Liberty
| CVE-2013-4005 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-4004 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0
| CVE-2013-3029 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21640799>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-3024 | 6.9 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5
| CVE-2013-2976 | 1.9 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-2967 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21639553>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-1896 | 4.3 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21643362>) | 8.5, 8.0, 7.0, 6.1
| CVE-2013-1862 | 5.1 | Not affected | [Command execution](<http://www-01.ibm.com/support/docview.wss?uid=swg21635991>) | 8.5, 8.0, 7.0, 6.1
| CVE-2013-1768 | 10.0 | [Deserialization](<http://www-01.ibm.com/support/docview.wss?uid=swg21635999>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2013-1571 | 4.3 | [Clickjacking](<http://www-01.ibm.com/support/docview.wss?uid=swg21641387>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0599 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5
| CVE-2013-0597 | 3.5 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21635998>) | Not affected | 8.5, 8.0, 7.0, Liberty
| CVE-2013-0596 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21647522>) | Not affected | 6.1
| CVE-2013-0565 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5
| CVE-2013-0544 | 3.5 | [File directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0543 | 6.8 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0542 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0541 | 1.9 | [Buffer overflow](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0540 | 4.9 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | Liberty
| CVE-2013-0482 | 2.6 | [Spoofing](<http://www-01.ibm.com/support/docview.wss?uid=swg21634646>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0467 | 4.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5
| CVE-2013-0464 | 4.3 | [Execute code](<http://www-01.ibm.com/support/docview.wss?uid=swg21651880>) | Not affected | 8.5, 8.0
| CVE-2013-0462 | 6.5 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21632423>) | Not affected | 8.5, 8.0, 7.0, 6.1, Liberty
| CVE-2013-0461 | 1.2 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0460 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0459 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0458 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21622444>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0443 | 4.0 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2013-0440 | 5.0 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | Not affected | 8.5, 8.0, 7.0, 6.1
Lucky Thirteen | CVE-2013-0169 | 4.3 | [IBM Java SDK for Feb 2013 CPU](<http://www-01.ibm.com/support/docview.wss?uid=swg21627634>) | [Side Channel Attack](<http://www-01.ibm.com/support/docview.wss?uid=swg21635988>) | 8.5, 8.0, 7.0, 6.1

**2012 CVEs**

**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected**
---|---|---|---|---|---
| CVE-2012-6153 | 4.3 | [Spoofing Vulnerability](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0
| CVE-2012-5783 | 4.3 | [Spoofing attacks](<http://www-01.ibm.com/support/docview.wss?uid=swg22016216>) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2012-4853 | 4.3 | [Cross-site request Forgery](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-4851 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | Liberty
| CVE-2012-4850 | 7.5 | [Privilege escalation](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | Liberty
| CVE-2012-3330 | 5.0 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21614265>) | Not affected | 8.5, 8.0, 7.0
| CVE-2012-3325 | 6.0 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21609067>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-3311 | 3.0 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0
| CVE-2012-3306 | 4.3 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0
| CVE-2012-3305 | 5.8 | [File directory traversal](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-3304 | 6.8 | [Hijack session](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-3293 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21611313>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-2191 | 5.0 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | 8.5, 8.0, 7.0, 6.1
| CVE-2012-2190 | 5.0 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | 8.5, 8.0, 7.0, 6.1
| CVE-2012-2170 | 4.3 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg21595172>) | Not affected | 8.0, 7.0, 6.1
| CVE-2012-2159 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21606096>) | Not affected | 8.5, 8.0
| CVE-2012-2098 | 5.0 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21644047>) | Not affected | 8.5, 8.0, 7.0, 6.1
| CVE-2012-1148 | 5.0 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0
| CVE-2012-1007 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg22016214>) | Not affected | 9.0, 8.5, 8.0, 7.0
| CVE-2012-0876 | 5.0 | Not affected | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21988026>) | 9.0, 8.5, 8.0, 7.0
| CVE-2012-0720 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1
| CVE-2012-0717 | 2.6 | [Bypass security](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 7.0, 6.1
| CVE-2012-0716 | 4.3 | [Cross-site scripting](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1
| CVE-2012-0193 | 5.0 | [Denial of Service](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1

**2011 CVEs**

**Name** | **CVE** | **CVSS Score** | **WebSphere Application Server Bulletin or Assessment** | **IBM HTTP Server Bulletin or Assessment** | **Versions Affected**
---|---|---|---|---|---
| CVE-2011-4889 | 5.0 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1
| CVE-2011-4343 | 5.0 | [Obtain sensitive information](<http://www-01.ibm.com/support/docview.wss?uid=swg22008707>) | Not affected | 8.5, 8.0, Liberty
| CVE-2011-1498 | 5.0 | [Information Disclosure](<https://www.ibm.com/support/pages/node/6453091>) | Not affected | 9.0, 8.5, 8.0
| CVE-2011-1377 | 2.1 | [Weaker security](<http://www-01.ibm.com/support/docview.wss?uid=swg21589257>) | Not affected | 8.0, 7.0, 6.1
| CVE-2011-1376 | 4.4 | [Insecure permissions](<http://www-01.ibm.com/support/docview.wss?uid=swg21587015>) | Not affected | 8.0, 7.0, 6.1

**Important note:** IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](<https://www.ibm.com/it-infrastructure/z/capabilities/system-integrity>). Security and integrity APARs and associated fixes will be posted to this portal.
IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

Source: "WebSphere Application Server and IBM HTTP Server Security Bulletin List" (IBM security bulletin, published 2022-07-13).
"CVE-2021-38951", "CVE-2021-39031", "CVE-2021-39038", "CVE-2021-39275", "CVE-2021-40438", "CVE-2021-4104", "CVE-2021-44224", "CVE-2021-44228", "CVE-2021-44790", "CVE-2021-44832", "CVE-2021-45046", "CVE-2021-45105", "CVE-2021-45960", "CVE-2021-46143", "CVE-2021-46708", "CVE-2022-21229", "CVE-2022-21299", "CVE-2022-21340", "CVE-2022-21496", "CVE-2022-22310", "CVE-2022-22365", "CVE-2022-22393", "CVE-2022-22473", "CVE-2022-22475", "CVE-2022-22476", "CVE-2022-22477", "CVE-2022-22719", "CVE-2022-22720", "CVE-2022-22721", "CVE-2022-22822", "CVE-2022-22823", "CVE-2022-22824", "CVE-2022-22825", "CVE-2022-22826", "CVE-2022-22827", "CVE-2022-23302", "CVE-2022-23305", "CVE-2022-23307", "CVE-2022-23852", "CVE-2022-23990", "CVE-2022-25235", "CVE-2022-25236", "CVE-2022-25313", "CVE-2022-25315", "CVE-2022-26377", "CVE-2022-28614", "CVE-2022-28615", "CVE-2022-29404", "CVE-2022-30556", "CVE-2022-31813"], "modified": "2022-07-13T18:04:48", "id": "7E0744D5936EDC5F018B0850D801B665D388060D6A81B986BC7AD81C9A78C0EE", "href": "https://www.ibm.com/support/pages/node/710969", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-06-09T14:03:16", "description": "IBM Websphere MQ JMS 7.0.1, 7.1, 7.5, 8.0, and 9.0 client provides classes that deserialize objects from untrusted sources which could allow a malicious user to execute arbitrary Java code by adding vulnerable classes to the classpath. 
IBM Reference #: 1983457.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-02-15T19:59:00", "type": "cve", "title": "CVE-2016-0360", "cwe": ["CWE-502"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-0360"], "modified": "2017-07-27T01:29:00", "cpe": ["cpe:/a:ibm:websphere_mq_jms:7.0.1", "cpe:/a:ibm:websphere_mq_jms:9.0", "cpe:/a:ibm:websphere_mq_jms:7.5", "cpe:/a:ibm:websphere_mq_jms:7.1", "cpe:/a:ibm:websphere_mq_jms:8.0"], "id": "CVE-2016-0360", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0360", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:websphere_mq_jms:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_mq_jms:7.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_mq_jms:7.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_mq_jms:7.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_mq_jms:9.0:*:*:*:*:*:*:*"]}, {"lastseen": "2023-06-08T14:45:35", "description": "IBM WebSphere Application Server 8.0, 8.5, 8.5.5, and 9.0 using OpenID Connect (OIDC) configured with a Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system. 
IBM Reference #: 1999293.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2017-03-20T16:59:00", "type": "cve", "title": "CVE-2017-1151", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-1151"], "modified": "2019-10-03T00:03:00", "cpe": ["cpe:/a:ibm:websphere_application_server:8.5", "cpe:/a:ibm:websphere_application_server:8.5.5", "cpe:/a:ibm:websphere_application_server:9.0", "cpe:/a:ibm:websphere_application_server:8.0"], "id": "CVE-2017-1151", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-1151", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*", "cpe:2.3:a:ibm:websphere_application_server:8.5.5:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2023-05-19T14:19:08", "description": "The IBM WebSphere Application Server running on the remote host is version 8.0.0.10 prior to 8.0.0.14, 8.5.5.3 prior to 8.5.5.12, or 9.0.0.0 prior to 9.0.0.4. 
It is, therefore, affected by a privilege escalation vulnerability in the OpenID Connect (OIDC) Trust Association Interceptor (TAI) that is triggered when the com.ibm.websphere.security.InvokeTAIbeforeSSO custom property includes the OIDC TAI class name com.ibm.ws.security.oidc.client.RelyingParty.\nAn unauthenticated, remote attacker can exploit this to gain elevated privileges.", "cvss3": {}, "published": "2017-03-21T00:00:00", "type": "nessus", "title": "IBM WebSphere Application Server 8.0.0.10 < 8.0.0.14 / 8.5.5.3 < 8.5.5.12 / 9.0.0.0 < 9.0.0.4 OIDC Privilege Escalation", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:ibm:websphere_application_server"], "id": "WEBSPHERE_9_0_0_4.NASL", "href": "https://www.tenable.com/plugins/nessus/97858", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(97858);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\"CVE-2017-1151\");\n script_bugtraq_id(96841);\n\n script_name(english:\"IBM WebSphere Application Server 8.0.0.10 < 8.0.0.14 / 8.5.5.3 < 8.5.5.12 / 9.0.0.0 < 9.0.0.4 OIDC Privilege Escalation\");\n script_summary(english:\"Reads the version number from the SOAP and GIOP services.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web application server is affected by a privilege\nescalation vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The IBM WebSphere Application Server running on the remote host is\nversion 8.0.0.10 prior to 8.0.0.14, 8.5.5.3 prior to 8.5.5.12, or\n9.0.0.0 prior to 9.0.0.4. 
It is, therefore, affected by a privilege\nescalation vulnerability in the OpenID Connect (OIDC) Trust\nAssociation Interceptor (TAI) that is triggered when the\ncom.ibm.websphere.security.InvokeTAIbeforeSSO custom property includes\nthe OIDC TAI class name com.ibm.ws.security.oidc.client.RelyingParty.\nAn unauthenticated, remote attacker can exploit this to gain elevated\nprivileges.\");\n script_set_attribute(attribute:\"see_also\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21999293\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply IBM WebSphere Application Server version 8.0 Fix Pack 14 \n(8.0.0.14) / 8.5 Fix Pack 12 (8.5.5.12) / 9.0 Fix Pack 4 (9.0.0.4) \nor later. Alternatively, upgrade to the minimal fix pack levels \nrequired by the interim fix and then apply Interim Fix PI74857. As a\nworkaround, disable InvokeTAIbeforeSSO for the OIDC TAI class per the\nvendor advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2017-1151\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/03/10\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/03/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/21\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_application_server\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_detect.nasl\");\n script_require_keys(\"www/WebSphere\", \"Settings/ParanoidReport\");\n script_require_ports(\"Services/www\", 8880, 8881, 9001);\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"http.inc\");\n\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\nport = get_http_port(default:8880, embedded:FALSE);\n\nversion = get_kb_item_or_exit(\"www/WebSphere/\"+port+\"/version\");\nsource = get_kb_item_or_exit(\"www/WebSphere/\"+port+\"/source\");\n\napp_name = \"IBM WebSphere Application Server\";\n\nif (version =~ \"^([89](\\.0)?|8\\.5)$\")\n audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version);\n\nfix = FALSE; # Fixed version for compare\nmin = FALSE; # Min version for branch\npck = FALSE; # Fix pack name (tacked onto fix in report)\nitr = \"PI74857\"; # Interim fix\n\nif (version =~ \"^9\\.0\\.\")\n{\n fix = '9.0.0.4';\n min = '9.0.0.0';\n pck = \" (Fix Pack 4)\";\n}\nelse if (version =~ \"^8\\.5\\.\")\n{\n fix = '8.5.5.12';\n min = '8.5.5.3';\n pck = \" (Fix Pack 12)\";\n}\nelse if (version =~ \"^8\\.0\\.\")\n{\n fix = '8.0.0.14';\n min = '8.0.0.10';\n pck = \" (Fix Pack 14)\";\n}\nelse\n audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);\n\nreport =\n '\\n Version source : ' + source +\n '\\n Installed version : ' + version;\n\nif (ver_compare(ver:version, minver:min, fix:fix, strict:FALSE) < 0)\n report +=\n '\\n Fixed version : ' + fix + pck +\n '\\n Interim fix : ' + itr;\nelse audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);\n\nreport += '\\n';\n\nsecurity_report_v4(port:port, severity:SECURITY_WARNING, extra:report);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:09:55", "description": "According to its 
self-reported version, the IBM WebSphere MQ server installed on the remote Windows host is version 7.0.1.x without patch APAR IT14385, 7.1.0.x prior to 7.1.0.9, 7.5.0.x prior to 7.5.0.8, 8.0.0.x prior to 8.0.0.6, or 9.0.0.x prior to 9.0.0.1. It is, therefore, affected by multiple vulnerabilities :\n\n - A flaw exists in the Java Message Service (JMS) in the JMSObjectMessage class due to improper sanitization of input when deserializing Java objects. An authenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-0360)\n\n - A flaw exists due to improper data conversion handling that allows an authenticated, remote attacker to crash the MQ channel. (CVE-2016-3013)\n\n - A flaw exists that under nonstandard configurations causes password data to be sent in cleartext over the network. A man-in-the-middle attacker can exploit this to disclose passwords. (CVE-2016-3052)\n\n - An unspecified flaw exists that allows an authenticated, remote attacker, who has access to the queue manager and queue, to cause a denial of service to other channels running under the same process. (CVE-2016-8915)\n\n - A flaw exists that allows an unauthenticated, remote attacker to have an unspecified impact. No other details are available. (CVE-2016-8971)\n\n - An unspecified flaw exists that allows an authenticated, remote attacker, who has access to the queue manager, to disrupt MQ channels using specially crafted HTTP requests, resulting in a denial of service condition.\n (CVE-2016-8986)\n\n - An unspecified flaw exists that allows an authenticated, remote attacker, who has authority to create cluster objects, to cause a denial of service condition in MQ clustering. 
(CVE-2016-9009)", "cvss3": {}, "published": "2017-03-03T00:00:00", "type": "nessus", "title": "IBM WebSphere MQ 7.0.1.x / 7.1.0.x < 7.1.0.9 / 7.5.0.x < 7.5.0.8 / 8.0.0.x < 8.0.0.6 / 9.0.0.x < 9.0.0.1 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0360", "CVE-2016-3013", "CVE-2016-3052", "CVE-2016-8915", "CVE-2016-8971", "CVE-2016-8986", "CVE-2016-9009"], "modified": "2019-11-13T00:00:00", "cpe": ["cpe:/a:ibm:websphere_mq"], "id": "WEBSPHERE_MQ_SWG21983457.NASL", "href": "https://www.tenable.com/plugins/nessus/96663", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\nif (!defined_func(\"nasl_level\") || nasl_level() < 6000 ) exit(0);\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(96663);\n script_version(\"1.7\");\n script_cvs_date(\"Date: 2019/11/13\");\n\n script_cve_id(\n \"CVE-2016-0360\",\n \"CVE-2016-3013\",\n \"CVE-2016-3052\",\n \"CVE-2016-8915\",\n \"CVE-2016-8971\",\n \"CVE-2016-8986\",\n \"CVE-2016-9009\"\n );\n script_bugtraq_id(\n 95317,\n 96394,\n 96400,\n 96403,\n 96412,\n 96441\n );\n\n script_name(english:\"IBM WebSphere MQ 7.0.1.x / 7.1.0.x < 7.1.0.9 / 7.5.0.x < 7.5.0.8 / 8.0.0.x < 8.0.0.6 / 9.0.0.x < 9.0.0.1 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of IBM WebSphere MQ.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"A message queuing service installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the IBM WebSphere MQ server\ninstalled on the remote Windows host is version 7.0.1.x without patch\nAPAR IT14385, 7.1.0.x prior to 7.1.0.9, 7.5.0.x prior to 7.5.0.8,\n8.0.0.x prior to 8.0.0.6, or 9.0.0.x prior to 9.0.0.1. 
It is,\ntherefore, affected by multiple vulnerabilities :\n\n - A flaw exists in the Java Message Service (JMS) in the\n JMSObjectMessage class due to improper sanitization of\n input when deserializing Java objects. An authenticated,\n remote attacker can exploit this to execute arbitrary\n code. (CVE-2016-0360)\n\n - A flaw exists due to improper data conversion handling\n that allows an authenticated, remote attacker to crash\n the MQ channel. (CVE-2016-3013)\n\n - A flaw exists that under nonstandard configurations\n causes password data to be sent in cleartext over the\n network. A man-in-the-middle attacker can exploit this\n to disclose passwords. (CVE-2016-3052)\n\n - An unspecified flaw exists that allows an authenticated,\n remote attacker, who has access to the queue manager and\n queue, to cause a denial of service to other channels\n running under the same process. (CVE-2016-8915)\n\n - A flaw exists that allows an unauthenticated, remote\n attacker to have an unspecified impact. No other details\n are available. (CVE-2016-8971)\n\n - An unspecified flaw exists that allows an authenticated,\n remote attacker, who has access to the queue manager,\n to disrupt MQ channels using specially crafted HTTP\n requests, resulting in a denial of service condition.\n (CVE-2016-8986)\n\n - An unspecified flaw exists that allows an authenticated,\n remote attacker, who has authority to create cluster\n objects, to cause a denial of service condition in\n MQ clustering. 
(CVE-2016-9009)\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg21983457\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www-01.ibm.com/support/docview.wss?uid=swg1SE66318\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate fix pack, APAR patch, or mitigation :\n\n - For versions 7.0.1.x, apply the patch APAR IT14385 and\n follow the instructions in the patch readme to apply\n serialization whitelisting.\n\n - For versions 7.1.0.x, apply fix pack 9 (7.1.0.9) when\n available. In the interim, apply the patch APAR IT14385\n and follow the instructions in the patch readme to apply\n serialization whitelisting.\n\n - For versions 7.5.0.x, apply fix pack 8 (7.5.0.8) when\n available. In the interim, apply the patch APAR IT14385\n and follow the instructions in the patch readme to apply\n serialization whitelisting.\n\n - For versions 8.0.0.x, apply fix pack 6 (8.0.0.6) when\n available. In the interim, use JSON or XML rather than\n ObjectMessage and enable MQ's Advanced Message Security\n (AMS) mechanism.\n\n - For versions 9.0.0.x, apply fix pack 1 (9.0.0.1) when\n available. 
In the interim, apply the patch APAR IT14385\n and follow the instructions in the patch readme to apply\n serialization whitelisting.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0360\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2017/01/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2017/03/03\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:ibm:websphere_mq\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"websphere_mq_installed.nasl\");\n script_require_keys(\"installed_sw/IBM WebSphere MQ\", \"Settings/ParanoidReport\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"bsal.inc\");\ninclude(\"byte_func.inc\");\ninclude(\"zip.inc\");\n\napp_name = \"IBM WebSphere MQ\";\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\nversion = install['version'];\npath = install['path'];\ntype = install['Type'];\nfix = FALSE;\nflag = FALSE;\n\nswitch[=~] (version)\n{\n case \"^7\\.0\\.1\\.\":\n contents = hotfix_get_file_contents(path + \"\\java\\lib\\com.ibm.mqjms.jar\");\n prop = zip_parse(blob:contents['data'], 'com/ibm/msg/client/commonservices/resources/JMSCS_MessageResourceBundle.properties');\n if (\"IT14385\" >!< prop)\n {\n fix = \"7.0.1.14 & IT14385\";\n flag = TRUE;\n }\n break;\n case \"^7\\.1\\.0\\.\":\n fix = \"7.1.0.9\";\n break;\n case \"^7\\.5\\.0\\.\":\n fix = \"7.5.0.8\";\n break;\n case \"^8\\.0\\.0\\.\":\n fix = \"8.0.0.6\";\n break;\n case \"^9\\.0\\.0\\.\":\n fix = \"9.0.0.1\";\n break;\n default:\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n}\n\n\n# Check affected version\nif(flag || ver_compare(ver:version, fix:fix, strict:FALSE) == -1)\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n report =\n '\\n Path : ' + path +\n '\\n Installed version : ' + version +\n '\\n Fixed version : ' + fix +\n '\\n';\n security_report_v4(port:port, extra:report, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, path);\n", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2019-05-29T18:34:27", "description": "This host is installed with IBM Websphere\n 
application server and is prone to remote privilege escalation vulnerability.", "cvss3": {}, "published": "2017-08-04T00:00:00", "type": "openvas", "title": "IBM Websphere Application Server Remote Privilege Escalation Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-1151"], "modified": "2019-02-21T00:00:00", "id": "OPENVAS:1361412562310811442", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310811442", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ibm_was_remote_privilege_escalation_vul.nasl 13803 2019-02-21 08:24:24Z cfischer $\n#\n# IBM Websphere Application Server Remote Privilege Escalation Vulnerability\n#\n# Authors:\n# Kashinath T <tkashinath@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2017 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:ibm:websphere_application_server\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.811442\");\n script_version(\"$Revision: 13803 $\");\n script_cve_id(\"CVE-2017-1151\");\n script_tag(name:\"cvss_base\", value:\"6.8\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-21 09:24:24 +0100 (Thu, 21 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2017-08-04 11:32:43 +0530 (Fri, 04 Aug 2017)\");\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n ## Qod Reduced, IBM WAS should be configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI)\n script_name(\"IBM Websphere Application Server Remote Privilege Escalation Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with IBM Websphere\n application server and is prone to remote privilege escalation vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to a potential privilege\n escalation vulnerability in WebSphere Application Server traditional when using\n the OpenID Connect (OIDC) Trust Association Interceptor (TAI).\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow a user to\n gain elevated privileges on the system.\");\n\n script_tag(name:\"affected\", value:\"IBM WebSphere Application Server (WAS)\n V9.0.0.0 through 9.0.0.3, V8.5.5.3 through 8.5.5.11, V8.0.0.10 through 8.0.0.13\");\n\n script_tag(name:\"solution\", 
value:\"Upgrade to IBM WebSphere Application\n Server (WAS) 9.0.0.4 or 8.5.5.12 or 8.0.0.14 or later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www-01.ibm.com/support/docview.wss?uid=swg21999293\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2017 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_ibm_websphere_detect.nasl\");\n script_mandatory_keys(\"ibm_websphere_application_server/installed\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif(!wasVer = get_app_version(cpe:CPE, nofork:TRUE))\n exit(0);\n\nif(wasVer =~ \"^[89]\")\n{\n if(wasVer =~ \"^8\\.0\\.0\\.1\")\n {\n if(version_in_range(version:wasVer, test_version:\"8.0.0.10\", test_version2:\"8.0.0.13\")){\n fix = \"8.0.0.14\";\n }\n }\n else if(wasVer =~ \"^8\\.5\\.5\")\n {\n if(version_in_range(version:wasVer, test_version:\"8.5.5.3\", test_version2:\"8.5.5.11\")){\n fix = \"8.5.5.12\";\n }\n }\n else if(wasVer =~ \"^9\\.0\\.0\")\n {\n if(version_in_range(version:wasVer, test_version:\"9.0.0.0\", test_version2:\"9.0.0.3\")){\n fix = \"9.0.0.4\";\n }\n }\n\n if(fix)\n {\n report = report_fixed_ver(installed_version:wasVer, fixed_version:fix);\n security_message(port:0, data:report);\n exit(0);\n }\n}\n\nexit(99);", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}}]}