
Security Bulletin: Vulnerabilities in Websphere Liberty and OpenLiberty

2020-02-14 18:39:20
www.ibm.com

EPSS

0.001

Percentile

35.1%

Summary

There are vulnerabilities in Websphere Liberty used by IBM Streams. IBM Streams has addressed the applicable CVEs.

Vulnerability Details

CVEID: CVE-2014-3603
**DESCRIPTION:** The (1) HttpResource and (2) FileBackedHttpResource implementations in Shibboleth Identity Provider (IdP) before 2.4.1 and OpenSAML Java 2.6.2 do not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164271 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
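As an added illustration (not code from IBM's bulletin or from the Shibboleth/OpenSAML project), the check that the vulnerable HttpResource implementations omitted: binding the presented certificate's subjectAltName dNSName entries (or, only when no SAN is present, the subject CN) to the hostname the client intended to reach. The certificate dictionaries are constructed in the shape Python's `ssl.getpeercert()` returns; the hostnames are placeholders.

```python
def _name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, and a wildcard is
    honoured only as the entire leftmost label of a name with at least
    three labels (so '*.example.org' never matches 'example.org' or
    'a.b.example.org'). Any other wildcard form is treated as a mismatch."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname and "*" not in pattern
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return h_labels[0] != "" and p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True only if the certificate names the expected host.

    SAN dNSName entries are authoritative; the subject CN is consulted only
    when the certificate carries no SAN at all. A chain-valid certificate
    issued for some other host therefore fails this check, which is exactly
    the case the missing verification in CVE-2014-3603 let through."""
    san_dns = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_name_matches(n, hostname) for n in san_dns)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(_name_matches(cn, hostname) for cn in cns)


# Constructed sample certificates (placeholder names, not real issuances).
IDP_CERT = {"subject": ((("commonName", "idp.example.org"),),),
            "subjectAltName": (("DNS", "idp.example.org"),)}
OTHER_CERT = {"subject": ((("commonName", "www.example.net"),),),
              "subjectAltName": (("DNS", "www.example.net"),)}
WILDCARD_CERT = {"subject": ((("commonName", "*.example.org"),),),
                 "subjectAltName": (("DNS", "*.example.org"),)}
CN_ONLY_CERT = {"subject": ((("countryName", "US"),),
                            (("commonName", "idp.example.org"),))}
# SAN present but does not cover the host; CN must be ignored in that case.
CN_DECOY_CERT = {"subject": ((("commonName", "idp.example.org"),),),
                 "subjectAltName": (("DNS", "cdn.example.net"),)}

if __name__ == "__main__":
    for label, cert in [("idp", IDP_CERT), ("other", OTHER_CERT),
                        ("wildcard", WILDCARD_CERT), ("cn-only", CN_ONLY_CERT),
                        ("cn-decoy", CN_DECOY_CERT)]:
        print(label, hostname_matches_cert(cert, "idp.example.org"))
```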

Affected Products and Versions

| Affected Product(s) | Version(s) |
|---|---|
| InfoSphere Streams | 4.1.1.x |
| InfoSphere Streams | 4.2.1.x |
| InfoSphere Streams | 4.3.1.x |

Remediation/Fixes

NOTE: Fix Packs are available on IBM Fix Central.

To remediate/fix this issue, follow the instructions below:

Version 4.3.x: Apply 4.3.0 Fix Pack 1 (4.3.1.1) or higher.
Version 4.2.x: Apply 4.2.1 Fix Pack 4 (4.2.1.9) or higher.
Version 4.1.x: Apply 4.1.1 Fix Pack 6 (4.1.1.11) or higher.
Versions 4.0.x, 3.2.x, 3.1.x, and 3.0.x: For versions earlier than 4.x.x, IBM recommends upgrading to a fixed, supported version/release/platform of the product. Customers who cannot upgrade and need to secure their installation should open a PMR with IBM Technical Support and request assistance securing their InfoSphere Streams system against the vulnerabilities identified in this Security Bulletin.

Workarounds and Mitigations

None
