7.1 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
3.6 Low
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:L/AC:L/Au:N/C:P/I:P/A:N
WebSphere Application Server may have insecure file permissions after custom startup scripts are run. The custom startup script does not pull the umask from the server.xml, so the server process runs with whatever umask the script inherited. This may cause some log files to have different permissions than expected.
CVEID: CVE-2017-1382
DESCRIPTION: IBM WebSphere Application Server might create files using the default permissions instead of the customized permissions when custom startup scripts are used. A local attacker could exploit this to gain access to files with an unknown impact.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127153 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
This vulnerability affects the following versions and releases of IBM WebSphere Application Server traditional:
If you have a umask defined in your server.xml and you use custom startup scripts, you should verify that your log files have the permissions you expect. You will need to manually change these files' permissions if they are not as expected. The interim fix below only prevents this from happening in the future; it does not change the permissions of existing log files.
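As an added example (not IBM's code and not part of the bulletin), the POSIX shell functions below cover the check and the manual fix the paragraph above asks for: read the umask from a profile's server.xml, list log files that still carry permission bits that umask should have cleared, tighten them, and show how a custom startup script can apply the umask in its own process before launching the server so that every file the server creates inherits it. Assumptions not stated on this page: server.xml stores the umask as a `umask="NNN"` attribute on its `<execution>` element; GNU find and stat are available (`-perm /MODE`, `stat -c`); and the profile paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not IBM's code. Assumptions (not stated on the page):
#  - server.xml carries the umask as a umask="NNN" attribute on its
#    <execution> element;
#  - GNU find and stat are present (-perm /MODE, stat -c '%a').

# Print the umask found in a server.xml; fall back to 022 (a common
# default) if the attribute is absent.
umask_from_server_xml() {
  u=$(sed -n 's/.*umask="\([0-7]\{3,4\}\)".*/\1/p' "$1" | head -n 1)
  [ -n "$u" ] || u=022
  printf '%s\n' "$u"
}

# Widest mode a newly created regular file should get under umask $1,
# i.e. 0666 with the umask bits cleared, as three octal digits.
expected_file_mode() {
  printf '%03o\n' $(( 0666 & ~0$1 ))
}

# Print "mode path" for each regular file under directory $1 that still
# has any permission bit the umask $2 should have cleared. -perm /MODE
# matches when any bit of MODE is set, so the umask itself is the pattern.
find_overpermissive() {
  find "$1" -type f -perm /"$2" -exec stat -c '%a %n' {} \;
}

# Tighten every such file to (current mode AND NOT umask), reporting
# each change. Review the listing from find_overpermissive first; files
# that already comply are not touched.
fix_overpermissive() {
  dir=$1; mask=$2
  find "$dir" -type f -perm /"$mask" -print | while IFS= read -r f; do
    cur=$(stat -c '%a' "$f")
    want=$(printf '%03o' $(( 0$cur & ~0$mask )))
    chmod "$want" "$f" && printf '%s: %s -> %s\n' "$f" "$cur" "$want"
  done
}

# For a custom startup script: set the umask in the launching process.
# Child processes inherit the caller's umask, so anything the server
# creates is masked too. Runs in a subshell so the caller's umask is
# left alone.
run_with_umask() {
  mask=$1; shift
  ( umask "$mask" && exec "$@" )
}

# Usage (paths are placeholders for a real profile):
#   profile=/opt/IBM/WebSphere/AppServer/profiles/AppSrv01
#   xml=$profile/config/cells/<cell>/nodes/<node>/servers/server1/server.xml
#   m=$(umask_from_server_xml "$xml")
#   find_overpermissive "$profile/logs" "$m"
#   fix_overpermissive "$profile/logs" "$m"
#   run_with_umask "$m" "$profile/bin/startServer.sh" server1
```

The audit keys on the umask bits rather than on a fixed mode such as 644, so it also flags a world-writable trace file under a umask of 077 and stays quiet about a file that is already tighter than the umask requires.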
The recommended solution is to apply the interim fix, Fix Pack or PTF containing APAR PI79343 for each named product as soon as practical.
For WebSphere Application Server traditional and WebSphere Application Server Hypervisor Edition:
For V9.0.0.0 through 9.0.0.4:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI79343
--OR--
· Apply Fix Pack 9.0.0.5 or later.
For V8.5.0.0 through 8.5.5.11:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI79343
--OR--
· Apply Fix Pack 8.5.5.12 or later.
For V8.0.0.0 through 8.0.0.13:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI79343
--OR--
· Apply Fix Pack 8.0.0.14 or later.
For V7.0.0.0 through 7.0.0.43:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PI79343
--OR--
· Apply Fix Pack 7.0.0.45 or later.