-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2020.1696.2
    Security Bulletin: WebSphere Application Server is vulnerable to a
         server-side request forgery vulnerability (CVE-2020-4365)
                                19 May 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           WebSphere Application Server
                   WebSphere Remote Server - Product Family
Publisher:         IBM
Operating System:  Windows
                   AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   z/OS
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-4365  

Original Bulletin: 
   https://www.ibm.com/support/pages/node/6209099
   https://www.ibm.com/support/pages/node/6210534

Comment: This bulletin contains two (2) IBM security advisories.

Revision History:  May 19 2020: Vendor released minor update
                   May 14 2020: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: WebSphere Application Server is vulnerable to a server-side
request forgery vulnerability (CVE-2020-4365)


Document Information

Product            : WebSphere Application Server
Software version   : 8.5
Operating system(s): AIX
                     HP-UX
                     IBM i
                     Linux
                     Solaris
                     Windows
                     z/OS
Document number    : 6209099
Modified date      : 13 May 2020 


Summary

WebSphere Application Server is vulnerable to a server-side request forgery
vulnerability. This has been addressed.

Vulnerability Details

CVEID: CVE-2020-4365
DESCRIPTION: IBM WebSphere Application Server is vulnerable to server-side
request forgery. By sending a specially crafted request, a remote
authenticated attacker could exploit this vulnerability to obtain sensitive
data.
CVSS Base score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/178964
for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

+----------------------------+----------+
|Affected Product(s)         |Version(s)|
+----------------------------+----------+
|WebSphere Application Server|8.5       |
+----------------------------+----------+

Remediation/Fixes

For WebSphere Application Server and WebSphere Application Server Hypervisor
Edition:

For V8.5.0.0 through 8.5.5.17:
  Upgrade to minimal fix pack levels as required by interim fix and then apply
  Interim Fix PH23638
- --OR--
  Apply Fix Pack 8.5.5.18 or later (targeted availability 3Q2020).

Additional interim fixes may be available and linked off the interim fix
download page.

Workarounds and Mitigations

None

Change History

13 May 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- -------------------------------------------------------------------------------

Security Bulletin: A security vulnerability has been identified in WebSphere
Application Server shipped with WebSphere Remote Server (CVE-2020-4365)

Summary

WebSphere Application Server is shipped with WebSphere Remote Server.
Information about a security vulnerability affecting WebSphere Application
Server has been published in a security bulletin.

Vulnerability Details

Refer to the security bulletin(s) listed in the Remediation/Fixes section.

Affected Products and Versions

+--------------------------------------------+----------+
|Affected Product(s)                         |Version(s)|
+--------------------------------------------+----------+
|IBM WebSphere Remote Server - Product Family|8.5       |
+--------------------------------------------+----------+


Remediation/Fixes

Refer to the following security bulletin for vulnerability details and
information about fixes for WebSphere Application Server, which is shipped
with WebSphere Remote Server.

+--------------+-----------------+--------------------------------------------+
|Principal     |Affected         |                                            |
|Product and   |Supporting       |Affected Supporting Product Security        |
|Version(s)    |Product and      |Bulletin                                    |
|              |Version          |                                            |
+--------------+-----------------+--------------------------------------------+
|WebSphere     |WebSphere        |WebSphere Application Server is vulnerable  |
|Remote Server |Application      |to a server-side request forgery            |
| 8.5          |Server  8.5      |vulnerability (CVE-2020-4365)               |
+--------------+-----------------+--------------------------------------------+
Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

18 May 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----