-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.2892
     Multiple vulnerabilities have been identified in IBM WebSphere Portal
                              26 September 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Increased Privileges           -- Existing Account
                   Modify Permissions             -- Existing Account
                   Cross-site Scripting           -- Existing Account
                   Access Confidential Data       -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote with User Interaction
                   Unauthorised Access            -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-8013 CVE-2018-1820 CVE-2018-1736 CVE-2018-1716
                   CVE-2018-1673 CVE-2018-1672 CVE-2018-1660 CVE-2018-1420
                   CVE-2017-1423
Reference:         ASB-2018.0164 ASB-2018.0163 ESB-2018.1666 ESB-2018.1616
                   ESB-2018.1601 ESB-2017.2289

Original Bulletin:
   http://www.ibm.com/support/docview.wss?uid=ibm10732287
   http://www.ibm.com/support/docview.wss?uid=ibm10715923
   http://www.ibm.com/support/docview.wss?uid=ibm10731155
   http://www.ibm.com/support/docview.wss?uid=ibm10729323
   http://www.ibm.com/support/docview.wss?uid=ibm10716981
   http://www.ibm.com/support/docview.wss?uid=swg22011400
   http://www.ibm.com/support/docview.wss?uid=ibm10729683
   http://www.ibm.com/support/docview.wss?uid=swg22014276
   http://www.ibm.com/support/docview.wss?uid=ibm10731435
   http://www.ibm.com/support/docview.wss?uid=swg22015586

Comment: This bulletin contains ten (10) IBM security advisories.
- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Cross-Site Scripting Vulnerability Affects IBM WebSphere
Portal (CVE-2018-1820)

Document information
  More support for:    WebSphere Portal
  Software version:    8.0, 8.5, 9.0
  Operating system(s): Platform Independent
  Reference #:         0732287
  Modified date:       25 September 2018

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1820).

Vulnerability Details

CVEID: CVE-2018-1820
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/150096 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF16
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF16
  IBM WebSphere Portal    8.0.0.0 - 8.0.0.1 CF23

Remediation/Fixes

  Product               VRMF      APARs    Fix
  --------------------  --------  -------  ----------------------------------------
  IBM WebSphere Portal  9.0       PH02925  Upgrade to Cumulative Fix 16 (CF16) and
                                           then apply the Interim Fix PH02925.
  IBM WebSphere Portal  8.5       PH02925  Upgrade to Cumulative Fix 16 (CF16) and
                                           then apply the Interim Fix PH02925.
  IBM WebSphere Portal  8.0.0.0   PH02925  Upgrade to Fix Pack 8.0.0.1 with
                        through            Cumulative Fix 23 (CF23) and then apply
                        8.0.01             the Interim Fix PH02925.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Reference

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

25 September 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
- --------------------------------------------------------------------------------

Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal
(CVE-2018-1660)

Document information
  More support for:    WebSphere Portal
  Software version:    7.0, 8.0, 8.5, 9.0
  Operating system(s): Platform Independent
  Reference #:         0715923
  Modified date:       25 September 2018

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1660).

Vulnerability Details

CVEID: CVE-2018-1660
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 5.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/144886 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF15
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF15
  IBM WebSphere Portal    8.0.0.0 - 8.0.0.1 CF23
  IBM WebSphere Portal    7.0.0.0 - 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

  Product               VRMF      APARs    Fix
  --------------------  --------  -------  ----------------------------------------
  IBM WebSphere Portal  9.0       PI98353  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.5       PI98353  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.0.0.0   PI98353  Upgrade to Fix Pack 8.0.0.1 with
                        through            Cumulative Fix 23 (CF23) and then apply
                        8.0.01             the Interim Fix PI98353.
  IBM WebSphere Portal  7.0.0.0   PI98353  Upgrade to Fix Pack 7.0.0.2 with
                        through            Cumulative Fix 30 (CF30) and then apply
                        7.0.0.2            the Interim Fix PI98353.

Workarounds and Mitigations

None

Important Note

IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

Change History

25 September 2018: Original version published
- --------------------------------------------------------------------------------

Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal
(CVE-2018-1673)

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1673).

Vulnerability Details

CVEID: CVE-2018-1673
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/145108 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF15
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF15
  IBM WebSphere Portal    8.0.0.0 - 8.0.0.1 CF23
  IBM WebSphere Portal    7.0.0.0 - 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

  Product               VRMF      APARs     Fix
  --------------------  --------  --------  ---------------------------------------
  IBM WebSphere Portal  9.0       PH00469,  Upgrade to Cumulative Fix 16 (CF16).
                                  PH00542,
                                  PH02132,
                                  PH02133,
                                  PH02134,
                                  PH02136
  IBM WebSphere Portal  8.5       PH00469,  Upgrade to Cumulative Fix 16 (CF16).
                                  PH00542,
                                  PH02132,
                                  PH02133,
                                  PH02134,
                                  PH02136
  IBM WebSphere Portal  8.0.0.0   PH00469,  Upgrade to Fix Pack 8.0.0.1 with
                        through   PH00542   Cumulative Fix 23 (CF23) and then apply
                        8.0.01              the Interim Fixes PH00469, PH00542.
  IBM WebSphere Portal  7.0.0.0   PH00469   Upgrade to Fix Pack 7.0.0.2 with
                        through             Cumulative Fix 30 (CF30) and then apply
                        7.0.0.2             the Interim Fix PH00469.

Workarounds and Mitigations

None

Acknowledgement

The vulnerability was reported to IBM by Giulio Comi

Change History

25 September 2018: Original version published
Document information
  More support for:    WebSphere Portal
  Software version:    7.0, 8.0, 8.5, 9.0
  Operating system(s): Platform Independent
  Reference #:         0731155
  Modified date:       25 September 2018

- --------------------------------------------------------------------------------

Security Bulletin: Cross-Site Scripting Vulnerability in IBM WebSphere Portal
(CVE-2018-1716)

Document information
  More support for:    WebSphere Portal
  Software version:    7.0, 8.0, 8.5, 9.0
  Operating system(s): Platform Independent
  Reference #:         0729323
  Modified date:       25 September 2018

Summary

A fix is available for a cross-site scripting vulnerability in IBM WebSphere
Portal (CVE-2018-1716).

Vulnerability Details

CVEID: CVE-2018-1716
DESCRIPTION: IBM WebSphere Portal is vulnerable to cross-site scripting. This
vulnerability allows users to embed arbitrary JavaScript code in the Web UI
thus altering the intended functionality potentially leading to credentials
disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/147164 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF15
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF15
  IBM WebSphere Portal    8.0.0.0 - 8.0.0.1 CF23
  IBM WebSphere Portal    7.0.0.0 - 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

  Product               VRMF      APARs    Fix
  --------------------  --------  -------  ----------------------------------------
  IBM WebSphere Portal  9.0       PH00535  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.5       PH00535  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.0.0.0   PH00535  Upgrade to Fix Pack 8.0.0.1 with
                        through            Cumulative Fix 23 (CF23) and then apply
                        8.0.01             the Interim Fix PH00535.
  IBM WebSphere Portal  7.0.0.0   PH00535  Upgrade to Fix Pack 7.0.0.2 with
                        through            Cumulative Fix 30 (CF30) and then apply
                        7.0.0.2            the Interim Fix PH00535.

Workarounds and Mitigations

None

Change History

25 September 2018: Original version published

- --------------------------------------------------------------------------------

Security Bulletin: Impersonation Issue Affects IBM WebSphere Portal
(CVE-2018-1672)

Document information
  More support for:    WebSphere Portal
  Software version:    7.0, 8.0, 8.5, 9.0
  Operating system(s): Platform Independent
  Reference #:         0716981
  Modified date:       25 September 2018

Summary

Impersonation may lead to incorrect user context in IBM WebSphere Portal
(CVE-2018-1672).

Vulnerability Details

CVEID: CVE-2018-1672
DESCRIPTION: IBM WebSphere Portal may fail to set the correct user context in
certain impersonation scenarios, which can allow a user to act with the
identity of a different user.
CVSS Base Score: 5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/144958 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF15
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF15
  IBM WebSphere Portal    8.0.0.0 - 8.0.0.1 CF23
  IBM WebSphere Portal    7.0.0.0 - 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

  Product               VRMF      APARs    Fix
  --------------------  --------  -------  ----------------------------------------
  IBM WebSphere Portal  9.0       PH00088  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.5       PH00088  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.0.0.0   PH00088  Upgrade to Fix Pack 8.0.0.1 with
                        through            Cumulative Fix 23 (CF23) and then apply
                        8.0.01             the Interim Fix PH00088.
  IBM WebSphere Portal  7.0.0.0   PH00088  Upgrade to Fix Pack 7.0.0.2 with
                        through            Cumulative Fix 30 (CF30) and then apply
                        7.0.0.2            the Interim Fix PH00088.

Workarounds and Mitigations

Disable the impersonation feature. See
https://www.ibm.com/support/knowledgecenter/SSHRKX_8.5.0/mp/admin-system/impers_enable_disable.html
for details.

Change History

25 September 2018: Original version published

- --------------------------------------------------------------------------------

Security Bulletin: Information Disclosure Vulnerability in IBM WebSphere Portal
(CVE-2017-1423)

Document information
  More support for:    WebSphere Portal
  Software version:    8.5, 9.0
  Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows
  Reference #:         2011400
  Modified date:       25 September 2018

Summary

IBM WebSphere Portal has addressed an information disclosure vulnerability
related to the Web Application Bridge component (CVE-2017-1423).
Vulnerability Details

CVEID: CVE-2017-1423
DESCRIPTION: IBM WebSphere Portal exposes backend server URLs that are
configured for usage by the Web Application Bridge component.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/127476 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF15
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF15

Remediation/Fixes

  Product               VRMF      APARs    Fix
  --------------------  --------  -------  ----------------------------------------
  IBM WebSphere Portal  9.0       PI83352  Upgrade to Cumulative Fix 15 (CF15) or
                                           higher and apply the listed additional
                                           manual steps *).
  IBM WebSphere Portal  8.5       PI83352  Upgrade to Cumulative Fix 15 (CF15) or
                                           higher and apply the listed additional
                                           manual steps *).

*) Additional manual steps:

 1. Log into the WebSphere Integrated Solutions Console as an admin user.
 2. In the menu on the left, select Resources -> Resource Environment ->
    Resource Environment Providers.
 3. In the list of Resource Environment Providers, click on the
    "WP ConfigService" one.
 4. Click on "Custom properties" under the "Additional Properties" heading.
 5. Click on the "New..." button.
 6. In the "Name" field, enter "wab.url.mapping.enabled" (without the quotes).
 7. In the "Value" field, enter "true" (without the quotes).
 8. Click the "OK" button.
 9. Click the "Save directly to the master configuration" link.
10. Restart WebSphere Portal.

Workarounds and Mitigations

None

Change History

15 December 2017: Original Version Published
25 September 2018: Clarified that manual steps are required in CF15 and higher

- --------------------------------------------------------------------------------

Security Bulletin: Open Redirect Vulnerability in IBM WebSphere Portal
(CVE-2018-1736)

Document information
  More support for:    WebSphere Portal
  Software version:    7.0, 8.0, 8.5, 9.0
  Operating system(s): Platform Independent
  Reference #:         0729683
  Modified date:       25 September 2018

Summary

A fix is available for an Open Redirect Vulnerability in IBM WebSphere Portal
(CVE-2018-1736).

Vulnerability Details

CVEID: CVE-2018-1736
DESCRIPTION: IBM WebSphere Portal could allow a remote attacker to conduct
phishing attacks, using an open redirect attack. By persuading a victim to
visit a specially-crafted Web site, a remote attacker could exploit this
vulnerability to spoof the URL displayed to redirect a user to a malicious Web
site that would appear to be trusted. This could allow the attacker to obtain
highly sensitive information or conduct further attacks against the victim.
CVSS Base Score: 7.4
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/147906 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

  Affected Product        Affected Versions
  --------------------    ----------------------
  IBM WebSphere Portal    9.0.0.0 - 9.0.0.0 CF15
  IBM WebSphere Portal    8.5.0.0 - 8.5.0.0 CF15
  IBM WebSphere Portal    8.0.0.0 - 8.0.0.1 CF23
  IBM WebSphere Portal    7.0.0.0 - 7.0.0.2 CF30

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

  Product               VRMF      APARs    Fix
  --------------------  --------  -------  ----------------------------------------
  IBM WebSphere Portal  9.0       PH01459  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.5       PH01459  Upgrade to Cumulative Fix 16 (CF16).
  IBM WebSphere Portal  8.0.0.0   PH01459  Upgrade to Fix Pack 8.0.0.1 with
                        through            Cumulative Fix 23 (CF23) and then apply
                        8.0.01             the Interim Fix PH01459.
  IBM WebSphere Portal  7.0.0.0   PH01459  Upgrade to Fix Pack 7.0.0.2 with
                        through            Cumulative Fix 30 (CF30) and then apply
                        7.0.0.2            the Interim Fix PH01459.

Note: PH01459 introduces a configurable white list of external hosts that are
allowed as redirect targets via the CategoryProfileUpdater Module.
Server-relative redirects continue to work. Redirects to external hosts not
specified in the white list are blocked. You can configure this white list via
the WCMConfigService:

  Property: categoryProfileUpdaterModule.redirectURL.restrictHosts
  Description: The value is a boolean. It is used to enable/disable the white
  list. Possible values are "true" and "false". If set to "false", the
  behavior prior to the fix is restored (not recommended). Default is "true"
  (white list enabled).

  Property: categoryProfileUpdaterModule.redirectURL.allowedHosts
  Description: White list to allow only certain hosts. The list is a
  comma-delimited string. Default is empty (no hosts are allowed).

Example:

  categoryProfileUpdaterModule.redirectURL.restrictHosts=true
  categoryProfileUpdaterModule.redirectURL.allowedHosts=www.ibm.com

Having these set would only allow the redirect URL to point to arbitrary URLs
at the www.ibm.com host (e.g. http://www.ibm.com/, https://www.ibm.com/us-en/).

If a redirect is blocked, a message containing the URL can be found in the
log:

  "The redirect URL '<REDIRECT_URL>' for the CategoryProfileUpdater Module is
  unauthorized and has been blocked. To configure a whitelist of permitted
  hosts for the redirect URL use WCMConfigService property
  categoryProfileUpdaterModule.redirectURL.allowedHosts, or temporarily
  disable (not recommended) using
  categoryProfileUpdaterModule.redirectURL.restrictHosts=false. See PH01459 /
  CVE-2018-1736."

Based on this message you need to decide whether to extend the white list for
a valid scenario or leave the redirect blocked.

Workarounds and Mitigations

None

Change History

25 September 2018: Original version published
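The following is an added illustration, not IBM's code: it models the host allow-list decision the PH01459 note describes (restrictHosts / allowedHosts, server-relative always permitted, anything else only if its host is listed) and parses the quoted "has been blocked" log message so an administrator can see which hosts are being refused before deciding whether to extend the white list. The log lines are constructed for the example; the rejection of backslashes and control characters and the userinfo handling are the author's hardening choices, not behaviour the bulletin documents.

```python
"""Redirect allow-list check and blocked-redirect log triage (CVE-2018-1736)."""
import re
from urllib.parse import urlsplit

# Log message format quoted in the bulletin; only the URL part varies.
BLOCKED_RE = re.compile(
    r"The redirect URL '([^']*)' for the CategoryProfileUpdater Module "
    r"is unauthorized and has been blocked"
)


def parse_allowed_hosts(value: str) -> set:
    """Comma-delimited allowedHosts string; the default (empty) allows no hosts."""
    return {h.strip().lower() for h in value.split(",") if h.strip()}


def is_server_relative(url: str) -> bool:
    """True only for a path on the portal host itself, e.g. '/wps/myportal/Home'.

    A scheme-relative '//host/path' gets a netloc from urlsplit, so it is not
    treated as relative; backslashes are refused by the caller beforehand.
    """
    parts = urlsplit(url)
    return (parts.scheme == "" and parts.netloc == ""
            and url.startswith("/") and not url.startswith("//"))


def redirect_allowed(url: str, restrict_hosts: bool = True,
                     allowed_hosts: str = "") -> bool:
    """Mirror the fixed module: relative targets pass, external hosts only if listed."""
    if not restrict_hosts:
        return True  # restrictHosts=false restores pre-fix behaviour (not recommended)
    # Browsers rewrite '\' to '/' and tolerate control characters, which can turn a
    # seemingly relative target into an absolute one; refuse both outright.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return False
    if is_server_relative(url):
        return True
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname drops userinfo and port, so 'https://www.ibm.com@other.example/'
    # is judged by 'other.example', not by the text before the '@'.
    host = (parts.hostname or "").lower()
    return host in parse_allowed_hosts(allowed_hosts)


def blocked_redirects(log_lines) -> list:
    """Return the target URLs the fixed module reported as blocked."""
    hits = []
    for line in log_lines:
        m = BLOCKED_RE.search(line)
        if m:
            hits.append(m.group(1))
    return hits


def hosts_to_review(urls) -> list:
    """Distinct hosts behind blocked redirects, as input to the allow-list decision."""
    return sorted({(urlsplit(u).hostname or "").lower() for u in urls})


# Constructed sample log lines (not taken from a real portal log).
SAMPLE_LOG = [
    "[9/25/18 10:01:07:112 CEST] 0000008a wcm I The redirect URL "
    "'https://partner.example/sso' for the CategoryProfileUpdater Module is "
    "unauthorized and has been blocked. To configure a whitelist of permitted "
    "hosts for the redirect URL use WCMConfigService property "
    "categoryProfileUpdaterModule.redirectURL.allowedHosts, or temporarily "
    "disable (not recommended) using "
    "categoryProfileUpdaterModule.redirectURL.restrictHosts=false. "
    "See PH01459 / CVE-2018-1736.",
    "[9/25/18 10:02:30:004 CEST] 0000008a wcm I Rendering page Home",
    "[9/25/18 10:03:15:771 CEST] 0000008b wcm I The redirect URL "
    "'https://unknown.example/login' for the CategoryProfileUpdater Module is "
    "unauthorized and has been blocked. See PH01459 / CVE-2018-1736.",
]

if __name__ == "__main__":
    conf = "www.ibm.com"  # the bulletin's example allowedHosts value
    for u in ("/wps/myportal/Home", "https://www.ibm.com/us-en/",
              "//unknown.example/", "https://www.ibm.com@unknown.example/"):
        print(u, "->", "allowed" if redirect_allowed(u, True, conf) else "blocked")
    print("hosts to review:", hosts_to_review(blocked_redirects(SAMPLE_LOG)))
```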
IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. - -------------------------------------------------------------------------------- Security Bulletin: Security Misconfiguration during Combined Cumulative Fix Installation Affects IBM WebSphere Portal (CVE-2018-1420) Security Bulletin Document information More support for: WebSphere Portal Component: --, ">More... Software version: 7.0, 8.0, 8.5, 9.0 Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS Reference #: 2014276 Modified date: 25 September 2018 Summary IBM WebSphere Portal resets access control settings to the out of the box configuration during Combined Cumulative Fix (CF) installation. This can lead to security miss-configuration of the installation (CVE-2018-1420). Vulnerability Details CVEID: CVE-2018-1420 DESCRIPTION: IBM WebSphere Portal resets access control settings to the out of the box configuration during Combined Cumulative Fix (CF) installation. This can lead to security miss-configuration of the installation. 
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/138950 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions
+--------------------+----------------------+
| Affected Product   | Affected Versions    |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF22|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes
+---------+-------+----------------+------------------------------------------+
| Product | VRMF  | APARs          | Fix                                      |
+---------+-------+----------------+------------------------------------------+
|IBM      |9.0    |PI91232,        |Upgrade only to Cumulative Fix 16 (CF16)  |
|WebSphere|       |PI94709,        |or newer Cumulative Fixes. If Cumulative  |
|Portal   |       |PI94883,        |Fix 15 (CF15) or any older Cumulative Fix |
|         |       |PI95100,        |has been applied, you might need to       |
|         |       |PI95153,        |correct access control settings of out of |
|         |       |PI95154,        |the box resources manually. See           |
|         |       |PI95155, PI95156|"Workarounds and Mitigations" section for |
|         |       |                |details.                                  |
+---------+-------+----------------+------------------------------------------+
|IBM      |8.5    |PI91232,        |Upgrade only to Cumulative Fix 16 (CF16)  |
|WebSphere|       |PI94709,        |or newer Cumulative Fixes. If Cumulative  |
|Portal   |       |PI94883,        |Fix 15 (CF15) or any older Cumulative Fix |
|         |       |PI95100,        |has been applied, you might need to       |
|         |       |PI95153,        |correct access control settings of out of |
|         |       |PI95154,        |the box resources manually. See           |
|         |       |PI95155, PI95156|"Workarounds and Mitigations" section for |
|         |       |                |details.                                  |
+---------+-------+----------------+------------------------------------------+
|IBM      |8.0.0.0|PI91232,        |Upgrade to Fix Pack 8.0.0.1 and apply only|
|WebSphere|through|PI94709,        |Cumulative Fix 23 (CF23) or newer. If     |
|Portal   |8.0.0.1|PI94883,        |Cumulative Fix 22 (CF22) or any older     |
|         |       |PI95100,        |Cumulative Fix has been applied, you might|
|         |       |PI95153,        |need to correct access control settings of|
|         |       |PI95154,        |out of the box resources manually. See    |
|         |       |PI95155, PI95156|"Workarounds and Mitigations" section for |
|         |       |                |details.                                  |
+---------+-------+----------------+------------------------------------------+
|IBM      |7.0.0.0|                |No further Cumulative Fixes will be       |
|WebSphere|through|                |issued. If Cumulative Fix 30 (CF30) or    |
|Portal   |7.0.0.2|                |any older Cumulative Fix has been applied,|
|         |       |                |you might need to correct access control  |
|         |       |                |settings of out of the box resources      |
|         |       |                |manually. See "Workarounds and            |
|         |       |                |Mitigations" section for details.         |
+---------+-------+----------------+------------------------------------------+

Workarounds and Mitigations
Prior to the fixed Cumulative Fix versions listed under "Remediation/Fixes",
the installation of a Combined Cumulative Fix (CF) resets the access control
settings of the IBM WebSphere Portal out-of-the-box resources to their initial
values. If the access control settings of these resources had been customized
before the installation, you need to set them to their customized values again
after the Cumulative Fix installation.
See the IBM Knowledge Center for how to manage access control and for an
overview of the initial access control settings.

Important Note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.

Change History
25 September 2018: Original version published
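The workaround above amounts to a before-and-after comparison: record the role assignments on the out-of-the-box resources before the CF installation, then find every resource whose assignments the installer reset so that only those are re-applied. The following is an added example of that comparison, not an IBM tool or an IBM export format: it works on a plain mapping of resource name to role to principals that you would populate from your own export of the access control settings taken before and after the installation. The resource names, role names and principal names below are constructed for the example, and classifying a change as "reset to default" by comparing it with a third, out-of-the-box snapshot is the example's own approach.

```python
"""Detect out-of-the-box resources whose access control settings were reset by
a Combined Cumulative Fix installation (CVE-2018-1420 workaround).
Added example, not IBM code. The input format is an assumption: a mapping of
resource name -> role name -> set of principals, populated from an export of
the access control settings taken before and after the CF installation."""
from dataclasses import dataclass, field


@dataclass
class AclDrift:
    reverted_to_default: dict = field(default_factory=dict)  # resource -> customized assignments to re-apply
    other_change: dict = field(default_factory=dict)         # resource -> (before, after), needs a human look
    missing_after: list = field(default_factory=list)         # resources absent from the post-install export


def _normalise(assignments):
    """Make role -> principals comparable regardless of container type or case."""
    return {role: frozenset(p.lower() for p in principals)
            for role, principals in assignments.items() if principals}


def find_acl_drift(before, after, defaults):
    """Compare two snapshots. A resource is 'reverted to default' when its
    post-install assignments equal the out-of-the-box defaults while its
    pre-install assignments differed (i.e. had been customized). Any other
    difference is reported separately so it is not blindly re-applied."""
    drift = AclDrift()
    for resource, pre in before.items():
        if resource not in after:
            drift.missing_after.append(resource)
            continue
        pre_n, post_n = _normalise(pre), _normalise(after[resource])
        if pre_n == post_n:
            continue
        if resource in defaults and post_n == _normalise(defaults[resource]):
            drift.reverted_to_default[resource] = pre
        else:
            drift.other_change[resource] = (pre, after[resource])
    return drift


def reapply_plan(drift):
    """Flatten the reverted resources into (resource, role, principal) triples,
    the unit at which a role assignment is granted again."""
    return sorted((res, role, p)
                  for res, roles in drift.reverted_to_default.items()
                  for role, principals in roles.items()
                  for p in principals)


# Constructed sample snapshots (resource, role and principal names are invented).
DEFAULTS = {
    "content_root":  {"User": {"All Authenticated Portal Users"}, "Administrator": {"wpsadmins"}},
    "web_modules":   {"Administrator": {"wpsadmins"}},
    "theme_catalog": {"User": {"Anonymous Portal User"}},
}
BEFORE_CF = {
    "content_root":  {"User": {"staff"}, "Administrator": {"wpsadmins"}},  # customized: broad access removed
    "web_modules":   {"Administrator": {"wpsadmins", "app-deployers"}},    # customized: extra admin group
    "theme_catalog": {"User": {"Anonymous Portal User"}},                  # untouched default
    "custom_page":   {"User": {"staff"}},                                  # customer-created resource
}
AFTER_CF = {
    "content_root":  {"User": {"All Authenticated Portal Users"}, "Administrator": {"wpsadmins"}},  # reset
    "web_modules":   {"Administrator": {"wpsadmins", "app-deployers"}},    # survived the install
    "theme_catalog": {"User": {"Anonymous Portal User"}},
    "custom_page":   {"User": {"staff", "contractors"}},                   # changed, but not a reset
}

if __name__ == "__main__":
    d = find_acl_drift(BEFORE_CF, AFTER_CF, DEFAULTS)
    for triple in reapply_plan(d):
        print("re-grant", *triple)
    print("review manually:", sorted(d.other_change))
```

The separation into "reverted" and "other change" matters in practice: a post-install change that does not match the defaults may be a deliberate change made during the maintenance window, and re-applying the old snapshot on top of it would undo that work, so only the reverted set goes into the re-grant plan.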
- --------------------------------------------------------------------------------

Security Bulletin: Security Vulnerability in Apache Batik Affects IBM WebSphere
Portal (CVE-2018-8013)

Document information
More support for: WebSphere Portal
Software version: 7.0, 8.0, 8.5, 9.0
Operating system(s): Platform Independent
Reference #: 0731435
Modified date: 25 September 2018

Summary
A fix is available for a vulnerability in Apache Batik that affects IBM
WebSphere Portal (CVE-2018-8013).

Vulnerability Details
CVEID: CVE-2018-8013
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive
information, caused by an error when deserializing a subclass of
`AbstractDocument`. An attacker could exploit this vulnerability to reveal
files and obtain sensitive information.
CVSS Base Score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/143678 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions
+--------------------+----------------------+
| Affected Product   | Affected Versions    |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF23|
+--------------------+----------------------+
|IBM WebSphere Portal|7.0.0.0 - 7.0.0.2 CF30|
+--------------------+----------------------+

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes
+----------+-----------+-------+----------------------------------------------+
| Product  | VRMF      | APARs | Fix                                          |
+----------+-----------+-------+----------------------------------------------+
|IBM       |9.0        |PH02735|Upgrade to Cumulative Fix 16 (CF16).          |
|WebSphere |           |       |                                              |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.5        |PH02735|Upgrade to Cumulative Fix 16 (CF16).          |
|WebSphere |           |       |                                              |
|Portal    |           |       |                                              |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |PH02735|Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |       |Fix 23 (CF23) and then apply the Interim Fix  |
|Portal    |8.0.0.1    |       |PH02735.                                      |
+----------+-----------+-------+----------------------------------------------+
|IBM       |7.0.0.0    |PH02735|Upgrade to Fix Pack 7.0.0.2 with Cumulative   |
|WebSphere |through    |       |Fix 30 (CF30) and then apply the Interim Fix  |
|Portal    |7.0.0.2    |       |PH02735.                                      |
+----------+-----------+-------+----------------------------------------------+

Workarounds and Mitigations
None

Change History
25 September 2018: Original version published
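The two bulletins above give their affected versions as inclusive ranges of the form "8.0.0.0 - 8.0.0.1 CF22", and the ranges differ between bulletins: 8.0.0.1 with CF23 is past the CVE-2018-1420 range but still inside the CVE-2018-8013 one, so that level needs the interim fix PH02735 even though CF23 closes the other issue. The following added example (not IBM code) parses those range strings and reports which of the two bulletins still apply to a given installed version and cumulative fix level. The range strings are copied from the tables above; the installed-version strings, the function names and the treatment of a missing CF suffix as CF0 are constructed for the example.

```python
"""Check an installed IBM WebSphere Portal level against the 'Affected
Versions' ranges printed in the CVE-2018-1420 and CVE-2018-8013 bulletins.
Added example, not IBM code. The range strings are copied from the bulletins;
everything else (names, sample inputs, CF0 convention) is constructed."""
import re

# (bulletin, affected range) pairs exactly as printed in the tables above.
AFFECTED = [
    ("CVE-2018-1420", "9.0.0.0 - 9.0.0.0 CF15"),
    ("CVE-2018-1420", "8.5.0.0 - 8.5.0.0 CF15"),
    ("CVE-2018-1420", "8.0.0.0 - 8.0.0.1 CF22"),
    ("CVE-2018-1420", "7.0.0.0 - 7.0.0.2 CF30"),
    ("CVE-2018-8013", "9.0.0.0 - 9.0.0.0 CF15"),
    ("CVE-2018-8013", "8.5.0.0 - 8.5.0.0 CF15"),
    ("CVE-2018-8013", "8.0.0.0 - 8.0.0.1 CF23"),
    ("CVE-2018-8013", "7.0.0.0 - 7.0.0.2 CF30"),
]

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:\s+CF(\d+))?$")


def parse_version(text):
    """'8.0.0.1 CF23' -> (8, 0, 0, 1, 23). A missing CF suffix means CF0 (an
    assumption for the example). The tuple orders the way fix levels do:
    fix pack digits first, cumulative fix level last."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised version string: {text!r}")
    vrmf = tuple(int(x) for x in m.group(1).split("."))
    vrmf += (0,) * (4 - len(vrmf))          # pad '9.0' to 9.0.0.0
    cf = int(m.group(2) or 0)
    return vrmf + (cf,)


def parse_range(text):
    """'8.0.0.0 - 8.0.0.1 CF22' -> ((8,0,0,0,0), (8,0,0,1,22)), both inclusive."""
    low, high = (s.strip() for s in text.split(" - ", 1))
    return parse_version(low), parse_version(high)


def applicable_bulletins(installed, affected=AFFECTED):
    """Return the bulletins whose affected range contains the installed level,
    in the order they appear in the table, without duplicates."""
    level = parse_version(installed)
    hits = []
    for name, rng in affected:
        low, high = parse_range(rng)
        if low <= level <= high and name not in hits:
            hits.append(name)
    return hits


if __name__ == "__main__":
    for inst in ("8.5.0.0 CF15", "8.5.0.0 CF16", "8.0.0.1 CF23", "7.0.0.2 CF30"):
        print(f"{inst:14} -> {applicable_bulletins(inst) or 'none of these bulletins'}")
```

The comparison is on the whole (V, R, M, F, CF) tuple rather than on the CF number alone, which is what makes the 8.0 rows come out right: 8.0.0.0 with any CF sorts below 8.0.0.1 with CF22, and CF23 on 8.0.0.1 sorts above it.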
- --------------------------------------------------------------------------------

Security Bulletin: Vulnerability in CKEditor Might Affect IBM WebSphere Portal

Document information
More support for: WebSphere Portal
Software version: 8.0, 8.5, 9.0
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 2015586
Modified date: 25 September 2018

Summary
A vulnerability in CKEditor might affect IBM WebSphere Portal.

Vulnerability Details
CVEID: Not available
DESCRIPTION: CKEditor could allow a remote attacker with access to a spoofed
version of ckeditor.com to gain unauthorized access to a victim's system. An
attacker could exploit this vulnerability using a DNS spoofing attack to
modify the current URL of an SSL protected opening page.
CVSS Base Score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/141623 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions
+--------------------+----------------------+
| Affected Product   | Affected Versions    |
+--------------------+----------------------+
|IBM WebSphere Portal|9.0.0.0 - 9.0.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.5.0.0 - 8.5.0.0 CF15|
+--------------------+----------------------+
|IBM WebSphere Portal|8.0.0.0 - 8.0.0.1 CF22|
+--------------------+----------------------+

Remediation/Fixes
+----------+-----------+-------+----------------------------------------------+
| Product  | VRMF      | APARs | Fix                                          |
+----------+-----------+-------+----------------------------------------------+
|IBM       |9.0        |PI95413|Upgrade to Cumulative Fix 16 (CF16).          |
|WebSphere |           |       |(Combined Cumulative Fixes for WebSphere      |
|Portal    |           |       |Portal 9.0)                                   |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.5        |PI95413|Upgrade to Cumulative Fix 16 (CF16).          |
|WebSphere |           |       |(Combined Cumulative Fixes for WebSphere      |
|Portal    |           |       |Portal 8.5.0.0)                               |
+----------+-----------+-------+----------------------------------------------+
|IBM       |8.0.0.0    |PI95413|Upgrade to Fix Pack 8.0.0.1 with Cumulative   |
|WebSphere |through    |       |Fix 23 (CF23).                                |
|Portal    |8.0.0.1    |       |(Combined Cumulative Fixes for WebSphere      |
|          |           |       |Portal 8.0.0.1)                               |
+----------+-----------+-------+----------------------------------------------+

Workarounds and Mitigations
None

Change History
25 September 2018: Original version published
- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above.
If you have any questions or need further information, please contact them
directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBW6sLN2aOgq3Tt24GAQi6Vg//UufVHm8RZhpfrrUei73VKZBId4dTXu8M
ik01r4dnDYcSBUPXQ5U2hLCQ/m+r3DyUKpuc2XllPapDMIQ0dxVs1wHDOnIXb3VU
2763YCbmcJQN0hXP7u5880a+HY/bTgHMPqXOiFVlskQQV2kheaQw52cHgqdNzTXH
bNxa58g54EUIz0CFRiVBHpzcb9/TCviBRUhdXUF44ieRH+QmYzMxyU/O6wXrgP9Z
T1198s9ePqf/wV3Xk3VTxdvkC93V6rpDrzIiP3+T9uJnFQkFgkhfXh+9ctOjj9aG
0fOPKirAljdydNdXNdg0yIORKGll6p/TRoWlOg2DqkPla9nXr7AAqkPsYapDXiwD
B7QeaMZuVYxVU+Ku1fupqsW9GUrQ30KYj8pvKAJAWFKQc8d10xMDjM7WxmfZepq0
zQR2MOwk3QNAcRR02dWsAYWT5az60yifK1dqGJ4ToCjVIJULmiYkOXQvhnBBd/Ua
nWZrQaCzn4Yoi5g54TBhbfmfP1awaByJ/VIjWjBwJYOPSFuDscmmDjAZZfyUaUNT
pLtOi0PJSmEKJTHJ1R/zHghcb7nRksUnTCoNs1tPhe7Z+p9iTmThbS2a0WBPRV48
g/M0WqVeocA4m6wJDu6Tm2eci5L1pENHxmUSKQB8yFix31XW0/BTPkj2RthGlmsD
yNB0G24OEhU=
=wZYi
-----END PGP SIGNATURE-----