ESB-2018.0547 - [Win][Linux][Solaris][AIX] IBM WebSphere Application Server: Multiple vulnerabilities 2018-02-23


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0547
        IBM WebSphere Application Server and WebSphere Application
                 Server Edge Caching Proxy vulnerabilities
                             23 February 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
                   IBM WebSphere Application Server Edge Caching Proxy
Publisher:         IBM
Operating System:  Linux variants
                   Windows
                   Solaris
                   AIX
Impact/Access:     Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-1503 CVE-2017-1382 CVE-2017-1380

Reference:         ASB-2017.0203
                   ESB-2017.1806
                   ESB-2017.1805

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22013859
   http://www.ibm.com/support/docview.wss?uid=swg22013865
   http://www.ibm.com/support/docview.wss?uid=swg22013852

Comment: This bulletin contains three (3) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: WebSphere Application Server Administration Console
Vulnerability of Cross-site Scripting (CVE-2017-1380)


Document information

More support for: IBM Campaign 3rd Party Configuration
Software version: 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, Linux, Solaris, Windows
Software edition: Enterprise
Reference #: 2013859
Modified date: 21 February 2018


Summary

WebSphere Application Server Administration Console is vulnerable to cross-site
scripting, caused by improper validation of user supplied input by the
Administrative Console. A remote authenticated attacker could exploit this
vulnerability using unspecified attack vectors to inject script in a victim's
Web browser within the security context of the hosting Web site.

Vulnerability Details

CVEID: CVE-2017-1380
DESCRIPTION: IBM WebSphere Application Server is vulnerable to cross-site
scripting. This vulnerability allows users to embed arbitrary JavaScript code
in the Web UI thus altering the intended functionality potentially leading to
credentials disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127151 for the current score

Affected Products and Versions

IBM WebSphere Application Server Versions 7.0, 8.0, 8.5, 9.0

Remediation/Fixes

The recommended solution is to apply the interim fix, Fix Pack or PTF
containing APAR PI82078 for each named product as soon as practical.

For WebSphere Application Server traditional and WebSphere Application Server
Hypervisor Edition:
For V9.0.0.0 through 9.0.0.4:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI82078
- --OR--
- - Apply Fix Pack 9.0.0.5 or later.

For V8.5.0.0 through 8.5.5.11:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI82078
- --OR--
- - Apply Fix Pack 8.5.5.12 or later.

For V8.0.0.0 through 8.0.0.13:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI82078
- --OR--
- - Apply Fix Pack 8.0.0.14 or later.

For V7.0.0.0 through 7.0.0.43:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI82078
- --OR--
- - Apply Fix Pack 7.0.0.45 or later (targeted availability 2Q 2018).

For more details refer to http://www-01.ibm.com/support/docview.wss?uid=swg22004786

Workarounds and Mitigations

Mitigation is to apply the applicable WebSphere Application Server (WAS) fix pack.
For details on WAS fix packs refer to http://www-01.ibm.com/support/docview.wss?uid=swg22004786

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3


Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog


*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


- --------------------------------------------------------------------------------


Security Bulletin: WebSphere Application Server Edge Caching Proxy may be
Vulnerable to HTTP Response Splitting (CVE-2017-1503)


Document information

More support for: IBM Leads 3rd Party Configuration
Software version: 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, Linux, Solaris, Windows
Software edition: Enterprise
Reference #: 2013865
Modified date: 21 February 2018


Summary

The Edge Caching Proxy component of WebSphere Application Server may be
vulnerable to an HTTP response splitting attack. This is a separate install
from WebSphere Application Server. You only need to apply this if you use the
Edge Caching Proxy.

Vulnerability Details

CVEID: CVE-2017-1503
DESCRIPTION: IBM WebSphere Application Server is vulnerable to HTTP response
splitting attacks. A remote attacker could exploit this vulnerability using a
specially crafted URL to cause the server to return a split response once the
URL is clicked. This would allow the attacker to perform further attacks, such
as Web cache poisoning and cross-site scripting, and possibly obtain sensitive
information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/129578 for the current score

Affected Products and Versions

IBM WebSphere Application Server Edge Caching Proxy Versions 7.0, 8.0, 8.5 and 9.0

Remediation/Fixes

The recommended solution is to apply the Fix Pack or PTF for each named product
as soon as practical.

Fix:
Apply an Interim Fix, Fix Pack or PTF containing APAR PI82587 if you use the
Edge Caching Proxy component (separate install from WebSphere Application
Server) as noted below:  

For IBM WebSphere Application Server
For V9.0.0.0 through 9.0.0.4:

  o Upgrade to 9.0.0.3 fix pack level then apply Interim Fix PI82587

- -- OR

  o Upgrade to 9.0.0.4 fix pack level then apply Interim Fix PI82587

- -- OR

  o Apply Fix Pack 5 (9.0.0.5), or later.

 
For V8.5.0.0 through 8.5.5.12:

  o Upgrade to 8.5.5.11 fix pack level then apply Interim Fix PI82587

- -- OR

  o Upgrade to 8.5.5.12 fix pack level then apply Interim Fix PI82587

- -- OR

  o Apply Fix Pack 13 (8.5.5.13), or later (targeted availability 5 February
    2018).

 
For V8.0.0.0 through 8.0.0.13:

  o Apply Fix Pack 14 (8.0.0.14), or later.


For V7.0.0.0 through 7.0.0.43:

  o Upgrade to a minimum of 7.0.0.41 fix pack level then apply Interim Fix PI82587

- -- OR

  o Apply Fix Pack 45 (7.0.0.45), or later (targeted availability 2Q 2018).

 
For more details about WAS fix packs refer to http://www-01.ibm.com/support/docview.wss?uid=swg22006815

Workarounds and Mitigations

Mitigation is to apply the relevant WAS fix pack. For more detail refer to
http://www-01.ibm.com/support/docview.wss?uid=swg22006815



- --------------------------------------------------------------------------------


Security Bulletin: WebSphere Application Server may have Insecure File
Permissions (CVE-2017-1382)


Document information

More support for: IBM Campaign 3rd Party Configuration
Software version: 7.0, 8.0, 8.5, 9.0
Operating system(s): AIX, Linux, Solaris, Windows
Software edition: Enterprise
Reference #: 2013852
Modified date: 21 February 2018


Summary

WebSphere Application Server may have insecure file permissions after custom
startup scripts are run. The custom startup script does not pull the umask from
server.xml, so some log files may be created with different permissions
than expected.

Vulnerability Details

CVEID: CVE-2017-1382
DESCRIPTION: IBM WebSphere Application Server might create files using the
default permissions instead of the customized permissions when custom startup
scripts are used. A local attacker could exploit this to gain access to files
with an unknown impact.
CVSS Base Score: 5.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/127153 for the current score

Affected Products and Versions

IBM Campaign V7.0, V8.0, V8.5, V9.0

Remediation/Fixes

If you have a umask defined in your server.xml and you use custom startup
scripts, you should verify that your log files have the permissions you
expect. You will need to change these files' permissions manually if they are
not as expected. The interim fix below only prevents this from happening in the
future; it does not change your current log file permissions.
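As an added example (not IBM's code) of the verification step above: the script reads the umask from server.xml, assuming it is stored as a `umask="..."` attribute (the Process Definition UMASK setting), works out the mode a log file created under that umask should have, and reports log files whose mode is wider than that. The server.xml fragment and the log files are constructed inline; the check only reports and never changes modes.

```python
"""Report WebSphere log files whose permissions are wider than the server.xml umask allows.

Added example, not IBM's code. Assumption: the umask appears in server.xml as a
umask="NNN" attribute; adjust read_umask() if your profile stores it elsewhere.
"""
import os
import re
import stat
import tempfile

DEFAULT_UMASK = 0o022  # a typical inherited umask when the server.xml value is not applied


def read_umask(server_xml_text: str) -> int:
    """Return the umask declared in server.xml, or DEFAULT_UMASK if none is set."""
    m = re.search(r'\bumask="([0-7]{3,4})"', server_xml_text)
    return int(m.group(1), 8) if m else DEFAULT_UMASK


def expected_file_mode(umask: int) -> int:
    """A newly created regular file gets 0666 masked by the process umask."""
    return 0o666 & ~umask


def find_mismatched_logs(log_dir: str, umask: int) -> list:
    """List (path, actual_mode, expected_mode) for files carrying bits the umask should have cleared."""
    expected = expected_file_mode(umask)
    mismatched = []
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        if not os.path.isfile(path):
            continue
        actual = stat.S_IMODE(os.stat(path).st_mode)
        if actual & ~expected:  # e.g. group/world-readable bits on a log meant to be 0600
            mismatched.append((path, actual, expected))
    return mismatched


def demo() -> list:
    """Constructed sample: umask 077 in server.xml, one log at 0600 and one wrongly at 0644."""
    server_xml = '<processDefinitions xmi:type="processexec:JavaProcessDef" umask="077"/>'
    umask = read_umask(server_xml)
    log_dir = tempfile.mkdtemp()
    for name, mode in (("SystemOut.log", 0o600), ("SystemErr.log", 0o644)):
        path = os.path.join(log_dir, name)
        with open(path, "w") as f:
            f.write("constructed sample log line\n")
        os.chmod(path, mode)
    return [(os.path.basename(p), oct(a), oct(e)) for p, a, e in find_mismatched_logs(log_dir, umask)]


if __name__ == "__main__":
    for entry in demo():
        print("permission mismatch:", entry)
```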


The recommended solution is to apply the interim fix, Fix Pack or PTF
containing APAR PI79343 for each named product as soon as practical.

For WebSphere Application Server traditional and WebSphere Application Server
Hypervisor Edition:
For V9.0.0.0 through 9.0.0.4:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI79343
- --OR--
- - Apply Fix Pack 9.0.0.5 or later.

For V8.5.0.0 through 8.5.5.11:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI79343
- --OR--
- - Apply Fix Pack 8.5.5.12 or later.

For V8.0.0.0 through 8.0.0.13:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI79343
- --OR--
- - Apply Fix Pack 8.0.0.14 or later.

For V7.0.0.0 through 7.0.0.43:
- - Upgrade to minimal fix pack levels as required by interim fix and then apply
Interim Fix PI79343
- --OR--
- - Apply Fix Pack 7.0.0.45 or later (targeted availability 2Q 2018).

For more details see http://www-01.ibm.com/support/docview.wss?uid=swg22004785

Workarounds and Mitigations

Mitigation is to apply the WebSphere Application Server fix as detailed at
http://www-01.ibm.com/support/docview.wss?uid=swg22004785


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================