Sep 26, 2019 - 10:15 p.m.

Security Bulletin: Multiple vulnerabilities in WebSphere Application Server Liberty (CVE-2019-4304, CVE-2019-4305)

2019-09-26 22:15:14
www.ibm.com
EPSS: 0.001 (Percentile: 44.3%)

Summary

There is an information disclosure and a bypass security vulnerability in WebSphere Application Server Liberty. These vulnerabilities have been addressed.

Vulnerability Details

CVEID: CVE-2019-4304
DESCRIPTION: IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160950> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-4305
DESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160951> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server:

  • Liberty

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical.

For WebSphere Application Server Liberty using the appSecurity-1.0 or appSecurity-2.0 feature:

  • Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH15518
--OR--
  • Apply Fix Pack 19.0.0.10 or later (targeted availability 4Q2019).
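A triage check for the remediation conditions above, as an added example that is not part of IBM's bulletin. It assumes the Liberty version string and interim-fix status are supplied by the operator, inspects only features listed directly in the given server.xml (included files are not followed), and matches feature names case-insensitively; the function names and the sample configuration are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values taken from the bulletin.
AFFECTED_FEATURES = {"appsecurity-1.0", "appsecurity-2.0"}
FIXED_IN = (19, 0, 0, 10)          # Fix Pack 19.0.0.10 or later
INTERIM_FIX = "PH15518"            # alternative to the fix pack

# Constructed sample server.xml, not taken from any real deployment.
SAMPLE_SERVER_XML = """
<server description="sample">
  <featureManager>
    <feature>jsp-2.3</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
</server>
"""

def parse_version(text):
    """Turn '19.0.0.9' into (19, 0, 0, 9).

    Comparing tuples avoids the string-comparison trap where
    '19.0.0.9' sorts after '19.0.0.10'.
    """
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 4:
        raise ValueError(f"unexpected Liberty version: {text!r}")
    return parts

def enabled_features(server_xml):
    """Return lower-cased feature names listed under <featureManager>."""
    root = ET.fromstring(server_xml)
    return {
        (feature.text or "").strip().lower()
        for manager in root.iter("featureManager")
        for feature in manager.iter("feature")
    }

def triage(server_xml, version, interim_fix_applied=False):
    """Return (status, matched_features) for one server configuration."""
    hits = sorted(enabled_features(server_xml) & AFFECTED_FEATURES)
    if not hits:
        return ("feature-not-listed", hits)
    if parse_version(version) >= FIXED_IN or interim_fix_applied:
        return ("fixed", hits)
    return ("needs-fix", hits)   # apply INTERIM_FIX or upgrade to FIXED_IN
```

A "feature-not-listed" result only means neither feature appears in the file that was checked.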
