IBMF4CBE0BEFD1DA8501A4EEEFE2185F79E326C343FB6859A3E2FE3486A19C907D6Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix (CVE-2017-1151, CVE-2017-1137, CVE-2017-1194 )
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
Summary
There is a potential privilege escalation vulnerability in traditional WebSphere Application Server when using the OpenID Connect (OIDC) Trust Association Interceptor (TAI). This does not affect WebSphere Application Server Liberty. There is a potential for weaker than expected security with the Administrative Console in WebSphere Application Server. There is a potential cross-site request forgery in WebSphere Application Server OAuth service provider.
Vulnerability Details
CVEID: CVE-2017-1151**
DESCRIPTION:** IBM WebSphere Application Server configured with OpenID Connect (OIDC) Trust Association Interceptor (TAI) could allow a user to gain elevated privileges on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122292 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2017-1137**
DESCRIPTION:** IBM WebSphere Application Server could provide weaker than expected security. A remote attacker could exploit this weakness to obtain sensitive information and gain unauthorized access to the admin console.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/121549 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2017-1194**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
Affected Products and Versions
IBM WebSphere Application Server Version 8.5.5 is affected by vulnerabilities listed.
IBM WebSphere Application Server Version 9 is only affected by CVE-2017-1151 and CVE-2017-1194.
IBM WebSphere Application Server Liberty is only affected by CVE-2017-1194.
Remediation/Fixes
To patch an existing service instance requires two steps:
1. To update WebSphere Application Server refer to the IBM WebSphere Application Server bulletins listed below:
Security Bulletin: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)
2. To apply the RHEL OS updates, run yum update.
Alternatively, delete the vulnerable service instance and create a new instance.
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm websphere application server in ibm cloud | eq | any |
Related
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P