Lucene search

IBMEF61A033C6A44ABED02FF77F9A0688DFAD8C83CE73FB8C1E117F7095D410430D

HistoryJun 15, 2018 - 7:04 a.m.

Security Bulletin: Cross-site scripting vulnerability in IBM WebSphere Application Server (CVE-2015-7417)

2018-06-1507:04:32

www.ibm.com

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

JSON

Summary

There is a cross-site scripting vulnerability in IBM WebSphere Application Server for any consumers of the OAuth provider output.

Vulnerability Details

CVEID: CVE-2015-7417**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/107575 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server for any consumers of the OAuth provider output

Version 8.5.5 Full Profile and Liberty Profile
Version 8.5 Full Profile and Liberty Profile
Version 8.0
Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI49272 for each named product as soon as practical. **

For WebSphere Application Server:** **
For V8.5.0.0 through 8.5.5.8 Liberty Profile:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI49272

--OR–
· Apply Fix Pack 8.5.5.9 or later.

For V8.5.0.0 through 8.5.5.8 Full Profile:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI49272

--OR–
· Apply Fix Pack 8.5.5.9 or later.

For V8.0.0.0 through 8.0.0.11:
· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI49272

--OR–
· Apply Fix Pack 8.0.0.12 or later.

**
For V7.0.0.0 through 7.0.0.39:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI49272

--OR–
· Apply Fix Pack 7.0.0.41 or later.

Workarounds and Mitigations

none

CPENameOperatorVersion
websphere application servereq8.5.5
websphere application servereq8.5
websphere application servereq8.0
websphere application servereq7.0
websphere application server hypervisor editioneqany

Name	Operator	Version
websphere application server	eq	8.5.5
websphere application server	eq	8.5
websphere application server	eq	8.0
websphere application server	eq	7.0
websphere application server hypervisor edition	eq	any

5.4 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

JSON

Related for EF61A033C6A44ABED02FF77F9A0688DFAD8C83CE73FB8C1E117F7095D410430D