Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2020.1019 Security Bulletin: Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud 23 March 2020 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: WebSphere Application Server Publisher: IBM Operating System: Linux variants Impact/Access: Denial of Service -- Remote/Unauthenticated Access Confidential Data -- Remote/Unauthenticated Reduced Security -- Remote/Unauthenticated Execute Arbitrary Code/Commands -- Existing Account Cross-site Scripting -- Remote with User Interaction Create Arbitrary Files -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2020-4163 CVE-2020-2659 CVE-2020-2604 CVE-2020-2593 CVE-2020-2583 CVE-2019-17495 CVE-2019-12406 CVE-2019-4732 CVE-2019-4720 CVE-2019-4670 CVE-2019-4663 Reference: ESB-2020.0592 ESB-2020.0402 ESB-2020.0382 Original Bulletin: https://www.ibm.com/support/pages/node/6113998 - --------------------------BEGIN INCLUDED TEXT-------------------- Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud Security Bulletin Summary There are multiple security vulnerabilities that affect the IBM WebSphere Application Server in the IBM Cloud. There is a Swagger vulnerability that affects WebSphere Application Server Liberty. This affects the mpOpen-1.x and openAPI-3.x features. There is a cross-site scripting vulnerability in the Liberty Admin Center. There is a denial of service vulnerablility in WebSphere Application Server. There is an information disclosure in WebSphere Application Server Admin Console. There is a denial of service in the Apache CXF library used by WebSphere Application Server. WebSphere Application Server is vulnerable to a command execution vulnerability. There are multiple vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with IBM WebSphere Application Server. Vulnerability Details CVEID: CVE-2019-12406 DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by the failure to restrict the number of message attachments present in a given message. By sending a specially-crafted message containing an overly large number of message attachments, a remote attacker could exploit this vulnerability to cause a denial of service condition. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 170974 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2019-4670 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could allow a remote attacker to obtain sensitive information caused by improper data representation. IBM X-Force ID: 171319. CVSS Base score: 6.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 171319 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) CVEID: CVE-2020-2604 DESCRIPTION: An unspecified vulnerability in Java SE could allow an unauthenticated attacker to take control of the system. CVSS Base score: 8.1 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 174551 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) CVEID: CVE-2020-2593 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause low confidentiality impact, low integrity impact, and no availability impact. CVSS Base score: 4.8 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 174541 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) CVEID: CVE-2020-2659 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Networking component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 174606 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2020-2583 DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE Serialization component could allow an unauthenticated attacker to cause a denial of service resulting in a low availability impact using unknown attack vectors. CVSS Base score: 3.7 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 174531 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) CVEID: CVE-2019-4732 DESCRIPTION: IBM SDK, Java Technology Edition Version 7.0.0.0 through 7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a local authenticated attacker to execute arbitrary code on the system, caused by DLL search order hijacking vulnerability in Microsoft Windows client. By placing a specially-crafted file in a compromised folder, an attacker could exploit this vulnerability to execute arbitrary code on the system. IBM X-Force ID: 172618. CVSS Base score: 7.2 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 172618 for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H) CVEID: CVE-2019-4720 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is vulnerable to a denial of service, caused by sending a specially-crafted request. A remote attacker could exploit this vulnerability to cause the server to consume all available memory. IBM X-Force ID: 172125. CVSS Base score: 7.5 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 172125 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) CVEID: CVE-2019-17495 DESCRIPTION: Swagger UI could allow a remote attacker to obtain sensitive information, caused by a CSS injection flaw. By using the relative path overwrite (RPO) attack technique, an attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 5.3 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 169050 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) CVEID: CVE-2019-4663 DESCRIPTION: IBM WebSphere Application Server - Liberty is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 171245. CVSS Base score: 5.4 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 171245 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N) CVEID: CVE-2020-4163 DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under specialized conditions, could allow an authenticated user to create a maliciously crafted file name which would be misinterpreted as jsp content and executed. IBM X-Force ID: 174397. CVSS Base score: 6.6 CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/ 174397 for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H) Affected Products and Versions These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server in IBM Cloud: o Liberty o Version 9.0 o Version 8.5 Remediation/Fixes To patch an existing service instance, refer to the IBM WebSphere Application Server bulletins listed below o WebSphere Application Server Liberty is vulnerable to Cross-site Scripting (CVE-2019-4663) o Swagger vulnerability affects WebSphere Application Server Liberty (CVE-2019-17495) o WebSphere Application Server is vulnerable to a denial of service (CVE-2019-4720) o Information Disclosure in WebSphere Application Server Admin Console (CVE-2019-4670) o Vulnerability in Apache CXF affects WebSphere Application Server (CVE-2019-12406) o WebSphere Application Server is vulnerable to a command execution vulnerability (CVE-2020-4163) o Multiple Vulnerabilities in IBM Java SDK affect WebSphere Application Server January 2020 CPU Please see Updating your environment in the KnowlegeCenter for information on applying service. Alternatively, delete the vulnerable service instance and create a new instance. Workarounds and Mitigations None Get Notified about Future Security Bulletins References - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXnhUt2aOgq3Tt24GAQiyOxAAkTRlmw8c5UyLBt2dnTkbBqTYy5FT4tsn 5vf26A7sk4v5HNzuZFT6r/Ih+RU8WeifDXcav3DbfRvvw77bY5uAtsxdFmfcyNPN XkB0NYX+7A2CPfsh9hTJ4dPg1u+RcVNMlWkUFxSyFtGcivzf1ZTXoTqVCqa/uP+7 WAtcbwZ9BoSUrhmyTP3skXZjF4ROHtR9SwG2TwtUsoF0/0zHBUESxAljIOIBu5Qj TEamD+MK6uMbsWev7ov/atnRaarkKU6BbfwdQROWjjR13lZp6vsAuhYuTzFzN4a5 wHfcBhLqXazmF4RBVGRdlFxkJGopDIssbz21/sFEvENnv2pfX7TmSU3gzP19gaoA HLclxendiTBRvE3istayyKQy9TpoAgtvOYJgbTzoBybeLMSsHakeiNavbYsxPctE XkUZvp4PfbTjmeNLyXc1cAHYwnhJrQt6NnKuf3grPbhUwcjf7li1i8YEAnU2AdaF YPPYKkkZOhfk0/rB0KIj9IG/l3tYf5+46BRs8vgpHtoqS/96+gW5l2QtLe4bZtrN PZzTd/GdZ+acjwtbcx9F8jniZZE8wvcEgcDAU/pHzPU4krOJyc0iylJ6Xn0w8hZV Lm1ira0kzQLNhhXg3GtEYSBZ868TeGbiTT2SPp1+AqG4jCghDKpnPyO/reDUaYqs oQ0yVIMR3w0= =2IOz -----END PGP SIGNATURE-----