Lucene search

IBMF5167E1CFDFF9B4EE37936C1FA58812105895B49AA0634A90A81465E02D46D12

HistoryAug 30, 2019 - 7:48 a.m.

Security Bulletin: Cross-site request forgery in WebSphere Application Server (CVE-2017-1194)

2019-08-3007:48:35

www.ibm.com

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Summary

There is a potential cross-site request forgery in WebSphere Application Server OAuth service provider.

Vulnerability Details

CVEID: CVE-2017-1194**
DESCRIPTION:** IBM WebSphere Application Server is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123669 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

Liberty
Version 9.0
Version 8.5
Version 8.0
Version 7.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI77770 for each named product as soon as practical.**

For WebSphere Application Server Liberty: **** **
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI77770
--OR–
· Apply Liberty Fix Pack 17.0.0.2 or later. ** **
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:**
For V9.0.0.0 through 9.0.0.3:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI77770
--OR–
· Apply Fix Pack 9.0.0.4 or later**.** **
For V8.5.0.0 through 8.5.5.11:**
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI77770
--OR–
· Apply Fix Pack 8.5.5.12 or later.

For V8.0.0.0 through 8.0.0.13:
· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI77770

--OR–
· Apply Fix Pack 8.0.0.14 or later.

For V7.0.0.0 through 7.0.0.43:
· Upgrade to a minimal fix pack levels as required by interim fix and then apply Interim Fix PI77770

--OR–
· Apply Fix Pack 7.0.0.45 or later.

CPENameOperatorVersion
websphere application servereq9.0
websphere application servereq8.5
websphere application servereq8.0
websphere application servereq7.0
websphere application server hypervisor editioneqany
websphere application server liberty coreeqany

Name	Operator	Version
websphere application server	eq	9.0
websphere application server	eq	8.5
websphere application server	eq	8.0
websphere application server	eq	7.0
websphere application server hypervisor edition	eq	any
websphere application server liberty core	eq	any

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

6.8 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

JSON

Related for F5167E1CFDFF9B4EE37936C1FA58812105895B49AA0634A90A81465E02D46D12