Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server

Summary

The following security issues have been identified in the WebSphere Application Server included as part of IBM Tivoli Monitoring (ITM) portal server.

Vulnerability Details

CVEID: CVE-2015-0899

DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/101770&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2012-5783

DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject’s Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79984&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2018-1643

DESCRIPTION: The Installation Verification Tool of IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144588&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2018-1567

DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources.
CVSS Base Score: 9.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/143024&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2018-1621

DESCRIPTION: IBM WebSphere Application Server could allow a local attacker to obtain clear text password in a trace file caused by improper handling of some datasource custom properties.
CVSS Base Score: 4.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144346&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1695

DESCRIPTION: IBM WebSphere Application Server installations using Form Login could allow a remote attacker to conducts spoofing attacks.
CVSS Base Score: 7.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/145769&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2018-1770

DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/…/) to view arbitrary files on the system.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148686&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1797

DESCRIPTION: IBM WebSphere Application Server using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing “dot dot slash” sequences (…/), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as “Zip-Slip”.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/149427&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

CVEID: CVE-2014-7810

DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of expression language. An attacker could exploit this vulnerability to bypass the protections of a Security Manager.

CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/103155&gt;

for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/

Affected Products and Versions

IBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 - Tivoli Enterprise Portal Server (TEPS) all CVEs above.

IBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 - Tivoli Enterprise Portal Server (TEPS) all CVE’s except for CVE-2018-1643 and CVE-2018-1797

Remediation/Fixes

Fix

| VMRF |Remediation/First Fix
—|—|—
6.X.X-TIV-ITM_TEPS_EWAS_8.0.15.02 | 6.3.0.x | <https://www.ibm.com/support/docview.wss?uid=ibm10869914&gt;
Technote | 6.2.3.x | <http://www.ibm.com/support/docview.wss?uid=swg21633720&gt;

Contains information and script which the details for downloading and installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.23. The scripts provided are for supported unix, linux and windows platforms.

Workarounds and Mitigations

None