Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2014.0531
Security Bulletin: Potential Denial of Service in IBM
WebSphere Application Server CVE-2014-0050
17 April 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM WebSphere Application Server
Publisher: IBM
Operating System: AIX
HP-UX
Linux variants
Solaris
Windows
z/OS
Impact/Access: Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-0050
Reference: ESB-2014.0506
ESB-2014.0500
ESB-2014.0468
ESB-2014.0292
ESB-2014.0171
ESB-2014.0167
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21667254
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Potential Denial of Service in IBM WebSphere Application
Server CVE-2014-0050
Security Bulletin
Document information
More support for:
WebSphere Application Server
General
Software version:
6.1, 7.0, 8.0, 8.5, 8.5.5
Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Software edition:
Base, Developer, Enterprise, Liberty, Network Deployment
Reference #:
1667254
Modified date:
2014-04-15
Summary
Apache Commons FileUpload used by IBM WebSphere Application Server may be
vulnerable to a denial of service.
Vulnerability Details
CVEID: CVE-2014-0050
Description: Potential denial of service in Apache Commons FileUpload
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions
VERSIONS AFFECTED: This problem affects the following versions of the
WebSphere Application Server:
Version 8.5 Full Profile and Liberty Profile
Version 8
Version 7
Version 6.1
This problem also affects the following versions of WebSphere Extended
Deployment Compute Grid:
Version 8 on WebSphere Application Server Version 7 or Version 8
Version 6.1 on WebSphere Application Server Version 7
Remediation/Fixes
Apache Commons FileUpload used by the Administrative Console and WebContainer
in WebSphere Application Server and batch processing in IBM Compute
Grid may be vulnerable to a denial of service, caused by the improper
handling of Content-Type HTTP header for multi-part requests. By sending
a specially-crafted request, an attacker could exploit this vulnerability
to cause the application to enter into an infinite loop.
Although the file in error is present in several components, some instances
of having this file is not as severe as others.
If you have an application which uses MultipartConfig for File upload
supported by Java Servlet Specification 3.0 and above with version 8.0 or
version 8.5 for both Full profile and Liberty, it is extremely important
that you install the Web Container Interim Fix PI12926 since you are at
risk for this vulnerability. WebSphere Application Server Versions 7.0
and earlier are not affected by the fileupload vulnerability for the Web
Container component.
If you are using the Administrative Console or if you are administering
batch jobs in Compute Grid we recommend you apply the interim fix, however
there is not a way for an attacker to force the vulnerability to occur.
FileUpload is also present if you are using Struts version 1.x from the
optional libraries that are shipped with WebSphere Application Server,
you also may be vulnerable. If your application is using the FileUpload
in Struts as part of the MultipartStream constructor, you will need to
upgrade. WebSphere Application Server Version 7.0 deprecated the inclusion
of version 1.x of Struts in 2008. We recommend that you upgrade to include a
version of Struts in your code that is still supported by Apache or upgrade
your commons-fileupload.jar and prerequisites. Your application should
be thoroughly tested to verify that it does not have any issues. Please
refer to the Apache site for information and download: Apache Struts
Web site. (struts.apache.org) If this mitigation will not work for you,
please contact IBM Support. Please note: IBM does not plan on shipping any
fix for Struts 1.x as the fix is only available at the current levels of
Apache Struts which can only be obtained from the Apache Struts website.
Important! IBM is planning on removing and no longer shipping all 4 versions
of Struts Version 1.x from the optional Libraries starting in WebSphere
Application Server 7.0.0.37, 8.0.0.11, and 8.5.5.4. If you have copied the
optional Struts packages to your shared library for your applications to use,
you will need to take the following actions prior to moving to 7.0.0.37,
8.0.0.11, or 8.5.5.4.
- - Upgrade your applications to use a current level of Struts
- - Include a copy of the Struts 1.x package as part of your ear file
development.
FIXES: The recommended solution is to apply the Fix Pack or PTF for each
named product as soon as practical. There are 3 separate interim fixes
that may need to be applied, links are provided below:
APARs PI12648 for the Administrative Console - not vulnerable in Liberty
PI12926 for the Web Container - Not vulnerable prior to versions 8
PI13162 for Administering batch jobs in Compute Grid
Fix:Apply a Fix Pack or PTF containing the above APARs, as noted below:
For affected IBM WebSphere Application Server:
For V8.5.0.0 through 8.5.5.1 Full Profile:
Apply Interim Fixes PI12648 and PI12926
- --OR--
Apply Fix Pack 8.5.5.2 or later (targeted to be available 28 April 2014).
For V8.5.0.0 through 8.5.5.1 Liberty Profile:
Apply Interim Fixes PI12926
- --OR--
Apply Fix Pack 8.5.5.2 or later (targeted to be available 28 April 2014).
For V8.5.0.0 through 8.5.5.1 using Compute Grid:
Apply Interim Fixes PI13162
- --OR--
Apply Fix Pack 8.5.5.2 or later (targeted to be available 28 April 2014).
For V8.0 through 8.0.0.8:
Apply Interim Fixes PI12648 and PI12926
- --OR--
Apply Fix Pack 8.0.0.9 or later (targeted to be available 23 June 2014).
For V7.0.0.0 through 7.0.0.31:
Apply Interim Fix PI12648
- --OR--
Apply Fix Pack 7.0.0.33 or later (targeted to be available 23 June 2014).
For V6.1.0.0 through 6.1.0.47:
Apply Interim Fix PI12648
For affected IBM WebSphere Application Server Extended Deployment Compute
Grid:
For Compute Grid V8.0.0.0 through 8.0.0.3 on WebSphere Application Server
Version 8 or WebSphere Application Server Version 7
Apply Interim Fixes PI13162
- --OR--
Apply Compute Grid Fix Pack 8.0.0.4 or later (targeted to be available
23 June 2014).
For Compute Grid V6.1 on WebSphere Application Server V7.0:
Apply Interim Fixes PI13162
For Compute Grid V6.1 on WebSphere Application Server V6.1:
Not affected - no updates needed
Important note
IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
15 April 2014: Original Document Published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Segment Product
Application Servers WebSphere Application Server Liberty Core
Application Servers WebSphere Extended Deployment Compute Grid
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU09TjhLndAQH1ShLAQLdsA//TO4OYJRcpDcpF5Y6gf4Qalcjf8ZZux3i
N73CZnAm0l1WnTYnSbLDnlku2eLTgal0iG1QQUJ3SSH3NR/+ehqIXrkq1J08DyMD
eX52jzKDKIBERycPR7og2YG+J+BSOlPX4gdjRZNt85kkwKhke6U0pV+tJHE4708X
7N29UXs5yrLfaCSFXp7m1wMjPA8lzmXLCcFglEAyZY3hJcPsHbmqnpSOZ3f8f+gf
kcefCrZnlzzIxITTuomUFGcQjprQAIeiTnm0/X5b8E8hCkThB5r62m6202T6GlYS
pgpglRV5+GtZaItic1SCcCQF0Dgk0PoOdlPbOUwYQ9DPCBYt/NCKDbDkql+3xM8k
0C+1HqioYv9j1EzMHCVmrjr/9waSL5TLZwdVnPerqhmDELteaPrhmVQWUioO7VX/
mLA2TWx9y4qsl+ZRHBmLVLrU/uSev3V2Mfbluh9yANJJf+4JkSSOOoSm5QnYllLw
lsb9tmXVaLzCxECjpdBNNvlZoHveAnL9zwVJlhGnTJOhxHkKpU2/7Uf0FRQhvTX2
XrFzwpFXnbugx2nZxbie3zkSvYyOxWndn34QXCmc1geRh+HJ2SUa0m6RAl/UAoUv
1f0/j+jio5g7rkkdM3BfBFd39Kbeegrp4ttwzhpgklMeUa/7d1tkTGETBYlob0mN
OCxsXib2ulQ=
=oofw
-----END PGP SIGNATURE-----