IBMFB60355B6CF5CA4E3D9A93696E60907CED58B5F39B8C42390AB3184786F3B132Security Bulletin: A vulnerability in IBM WebSphere Application Server may affect IBM Streams (CVE-2016-5983)
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
Summary
There is a serialization vulnerability in IBM WebSphere Application Server which is used by IBM Streams. IBM Streams has addressed this vulnerability.
Vulnerability Details
CVEID: CVE-2016-5983**
DESCRIPTION:** IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
The following versions may be impacted:
-
- IBM Streams Version 4.2.0.2 and earlier
- IBM InfoSphere Streams Version 4.1.1.2 and earlier
- IBM InfoSphere Streams Version 4.0.1.3 and earlier
- IBM InfoSphere Streams Version 3.2.1.6 and earlier
- IBM InfoSphere Streams Version 3.1.0.8 and earlier
Remediation/Fixes
NOTE: Fix Packs are available on IBM Fix Central.
* **Version 4.2.0:**
* Apply [4.2.0 Fix Pack 3 (4.2.0.3) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.2.0.0&platform=All&function=all>)
* **Version 4.1.1**:
* Apply [4.1.1 Fix Pack 3 (4.1.1.3) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.1.1.0&platform=All&function=all>)
* **Version 4.0.1:**
* Apply [4.0.1 Fix Pack 4 (4.0.1.4) or higher.](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~Information%2BManagement&product=ibm/Information+Management/InfoSphere+Streams&release=4.0.1.0&platform=All&function=all>)
* **Versions 3.2.1 and 3.1.0:**
* For versions earlier than 4.x.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.
Workarounds and Mitigations
None
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm streams | eq | 3.1 | |
| ibm streams | eq | 3.2 | |
| ibm streams | eq | 3.2.1 | |
| ibm streams | eq | 4.0 | |
| ibm streams | eq | 4.0.1 | |
| ibm streams | eq | 4.1 | |
| ibm streams | eq | 4.1.1 | |
| ibm streams | eq | 4.2 | |
| ibm streams | eq | 3.1 | |
| ibm streams | eq | 3.2 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P