Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2020.1019
Security Bulletin: Multiple Security Vulnerabilities Affect
IBM WebSphere Application Server in IBM Cloud
23 March 2020
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: WebSphere Application Server
Publisher: IBM
Operating System: Linux variants
Impact/Access: Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Remote/Unauthenticated
Execute Arbitrary Code/Commands -- Existing Account
Cross-site Scripting -- Remote with User Interaction
Create Arbitrary Files -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2020-4163 CVE-2020-2659 CVE-2020-2604
CVE-2020-2593 CVE-2020-2583 CVE-2019-17495
CVE-2019-12406 CVE-2019-4732 CVE-2019-4720
CVE-2019-4670 CVE-2019-4663
Reference: ESB-2020.0592
ESB-2020.0402
ESB-2020.0382
Original Bulletin:
https://www.ibm.com/support/pages/node/6113998
- --------------------------BEGIN INCLUDED TEXT--------------------
Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in
IBM Cloud
Security Bulletin
Summary
There are multiple security vulnerabilities that affect the IBM WebSphere
Application Server in the IBM Cloud. There is a Swagger vulnerability that
affects WebSphere Application Server Liberty. This affects the mpOpen-1.x and
openAPI-3.x features. There is a cross-site scripting vulnerability in the
Liberty Admin Center. There is a denial of service vulnerablility in WebSphere
Application Server. There is an information disclosure in WebSphere Application
Server Admin Console. There is a denial of service in the Apache CXF library
used by WebSphere Application Server. WebSphere Application Server is
vulnerable to a command execution vulnerability. There are multiple
vulnerabilities in the IBM SDK, Java Technology Edition that is shipped with
IBM WebSphere Application Server.
Vulnerability Details
CVEID: CVE-2019-12406
DESCRIPTION: Apache CXF is vulnerable to a denial of service, caused by the
failure to restrict the number of message attachments present in a given
message. By sending a specially-crafted message containing an overly large
number of message attachments, a remote attacker could exploit this
vulnerability to cause a denial of service condition.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
170974 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-4670
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could
allow a remote attacker to obtain sensitive information caused by improper data
representation. IBM X-Force ID: 171319.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
171319 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2020-2604
DESCRIPTION: An unspecified vulnerability in Java SE could allow an
unauthenticated attacker to take control of the system.
CVSS Base score: 8.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174551 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID: CVE-2020-2593
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Networking component could allow an unauthenticated attacker to cause low
confidentiality impact, low integrity impact, and no availability impact.
CVSS Base score: 4.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174541 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
CVEID: CVE-2020-2659
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Networking component could allow an unauthenticated attacker to cause a denial
of service resulting in a low availability impact using unknown attack vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174606 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2020-2583
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Serialization component could allow an unauthenticated attacker to cause a
denial of service resulting in a low availability impact using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174531 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2019-4732
DESCRIPTION: IBM SDK, Java Technology Edition Version 7.0.0.0 through
7.0.10.55, 7.1.0.0 through 7.1.4.55, and 8.0.0.0 through 8.0.6.0 could allow a
local authenticated attacker to execute arbitrary code on the system, caused by
DLL search order hijacking vulnerability in Microsoft Windows client. By
placing a specially-crafted file in a compromised folder, an attacker could
exploit this vulnerability to execute arbitrary code on the system. IBM X-Force
ID: 172618.
CVSS Base score: 7.2
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
172618 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H)
CVEID: CVE-2019-4720
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 is
vulnerable to a denial of service, caused by sending a specially-crafted
request. A remote attacker could exploit this vulnerability to cause the server
to consume all available memory. IBM X-Force ID: 172125.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
172125 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2019-17495
DESCRIPTION: Swagger UI could allow a remote attacker to obtain sensitive
information, caused by a CSS injection flaw. By using the relative path
overwrite (RPO) attack technique, an attacker could exploit this vulnerability
to obtain sensitive information.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
169050 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2019-4663
DESCRIPTION: IBM WebSphere Application Server - Liberty is vulnerable to
cross-site scripting. This vulnerability allows users to embed arbitrary
JavaScript code in the Web UI thus altering the intended functionality
potentially leading to credentials disclosure within a trusted session. IBM
X-Force ID: 171245.
CVSS Base score: 5.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
171245 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N)
CVEID: CVE-2020-4163
DESCRIPTION: IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0, under
specialized conditions, could allow an authenticated user to create a
maliciously crafted file name which would be misinterpreted as jsp content and
executed. IBM X-Force ID: 174397.
CVSS Base score: 6.6
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/
174397 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
These vulnerabilities affect the following versions and releases of IBM
WebSphere Application Server in IBM Cloud:
o Liberty
o Version 9.0
o Version 8.5
Remediation/Fixes
To patch an existing service instance, refer to the IBM WebSphere Application
Server bulletins listed below
o WebSphere Application Server Liberty is vulnerable to Cross-site Scripting
(CVE-2019-4663)
o Swagger vulnerability affects WebSphere Application Server Liberty
(CVE-2019-17495)
o WebSphere Application Server is vulnerable to a denial of service
(CVE-2019-4720)
o Information Disclosure in WebSphere Application Server Admin Console
(CVE-2019-4670)
o Vulnerability in Apache CXF affects WebSphere Application Server
(CVE-2019-12406)
o WebSphere Application Server is vulnerable to a command execution
vulnerability (CVE-2020-4163)
o Multiple Vulnerabilities in IBM Java SDK affect WebSphere Application
Server January 2020 CPU
Please see Updating your environment in the KnowlegeCenter for information on
applying service.
Alternatively, delete the vulnerable service instance and create a new
instance.
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXnhUt2aOgq3Tt24GAQiyOxAAkTRlmw8c5UyLBt2dnTkbBqTYy5FT4tsn
5vf26A7sk4v5HNzuZFT6r/Ih+RU8WeifDXcav3DbfRvvw77bY5uAtsxdFmfcyNPN
XkB0NYX+7A2CPfsh9hTJ4dPg1u+RcVNMlWkUFxSyFtGcivzf1ZTXoTqVCqa/uP+7
WAtcbwZ9BoSUrhmyTP3skXZjF4ROHtR9SwG2TwtUsoF0/0zHBUESxAljIOIBu5Qj
TEamD+MK6uMbsWev7ov/atnRaarkKU6BbfwdQROWjjR13lZp6vsAuhYuTzFzN4a5
wHfcBhLqXazmF4RBVGRdlFxkJGopDIssbz21/sFEvENnv2pfX7TmSU3gzP19gaoA
HLclxendiTBRvE3istayyKQy9TpoAgtvOYJgbTzoBybeLMSsHakeiNavbYsxPctE
XkUZvp4PfbTjmeNLyXc1cAHYwnhJrQt6NnKuf3grPbhUwcjf7li1i8YEAnU2AdaF
YPPYKkkZOhfk0/rB0KIj9IG/l3tYf5+46BRs8vgpHtoqS/96+gW5l2QtLe4bZtrN
PZzTd/GdZ+acjwtbcx9F8jniZZE8wvcEgcDAU/pHzPU4krOJyc0iylJ6Xn0w8hZV
Lm1ira0kzQLNhhXg3GtEYSBZ868TeGbiTT2SPp1+AqG4jCghDKpnPyO/reDUaYqs
oQ0yVIMR3w0=
=2IOz
-----END PGP SIGNATURE-----