-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2021.0811
  Security Bulletin: IBM WebSphere Application Server Multiple Vulnerabilities
                               8 March 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  Linux variants
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-27221 CVE-2020-14803 CVE-2020-14781 CVE-2020-2773

Reference:         ESB-2021.0773
                   ESB-2021.0618
                   ESB-2020.4389

Original Bulletin:
   https://www.ibm.com/support/pages/node/6425553

- --------------------------BEGIN INCLUDED TEXT--------------------

Multiple vulnerabilities in IBM Java SDK affects WebSphere Application Server
January 2021 CPU that is bundled with IBM WebSphere Application Server Patterns

Document Information

Document number     : 6425553
Modified date       : 05 March 2021
Product             : WebSphere Application Server Patterns
Component           : Not Applicable
Software version    : Version Independent
Operating system(s) : Linux, AIX
Edition             : All Editions

Summary

There are multiple vulnerabilities in the IBM SDK Java Technology Edition that
is shipped with IBM WebSphere Application Server. These issues were disclosed
in the IBM Java SDK updates in January 2021.

Vulnerability Details

CVEID: CVE-2020-14803
DESCRIPTION: An unspecified vulnerability in Java SE could allow an
unauthenticated attacker to obtain sensitive information, resulting in a low
confidentiality impact, using unknown attack vectors.
CVSS Base score: 5.3
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/190121 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2020-27221
DESCRIPTION: Eclipse OpenJ9 is vulnerable to a stack-based buffer overflow when
the virtual machine or JNI natives are converting from UTF-8 characters to
platform encoding. By sending an overly long string, a remote attacker could
overflow a buffer and execute arbitrary code on the system or cause the
application to crash.
CVSS Base score: 9.8
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/195353 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2020-2773
DESCRIPTION: An unspecified vulnerability in Java SE related to the Java SE
Security component could allow an unauthenticated attacker to cause a denial
of service, resulting in a low availability impact, using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/179673 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2020-14781
DESCRIPTION: An unspecified vulnerability in Java SE related to the JNDI
component could allow an unauthenticated attacker to obtain sensitive
information, resulting in a low confidentiality impact, using unknown attack
vectors.
CVSS Base score: 3.7
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/190099 for the current
score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Java SDK shipped with IBM WebSphere Application Server Patterns 1.0.0.0
through 1.0.0.7 and 2.2.0.0 through 2.3.3.3.

Remediation/Fixes

Please see the IBM Java SDK Security Bulletin for WebSphere Application Server
to determine which WebSphere Application Server versions are affected and to
obtain the JDK fixes.

The interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2101 can be used to apply the
January 2021 SDK iFixes in a PureApplication or Cloud Pak System environment.
Download and apply the interim fix 1.0.0.0-WS-WASPATTERNS-JDK-2101.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Complete CVSS v3 Guide
On-line Calculator v3

Change History

19 Feb 2021: Initial Publication

Document Location

Worldwide

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to auscert@auscert.org.au and we
will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
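The affected-version ranges and the interim fix named in the bulletin above, as an added example that is not IBM's or AusCERT's code: a Python triage helper that compares installed WebSphere Application Server Patterns versions numerically (not as strings) against the bulletin's inclusive ranges and flags hosts that still lack the interim fix. The host names, versions and applied-fix lists in the inventory are constructed for the example.

```python
# Added example: check installed WebSphere Application Server Patterns
# versions against the inclusive ranges the bulletin lists as affected by the
# January 2021 IBM Java SDK issues, and report which hosts still need the fix.

# Quoted from the bulletin's "Affected Products and Versions" section.
AFFECTED_RANGES = [("1.0.0.0", "1.0.0.7"), ("2.2.0.0", "2.3.3.3")]
# Quoted from the bulletin's "Remediation/Fixes" section.
INTERIM_FIX = "1.0.0.0-WS-WASPATTERNS-JDK-2101"


def parse_version(text, width=4):
    """Turn '2.3.3.3' into (2, 3, 3, 3), padding short versions with zeros.

    Tuples compare numerically, so 1.0.0.10 sorts above 1.0.0.7; a plain
    string comparison would wrongly put '1.0.0.10' below '1.0.0.7'.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (width - len(nums))


def is_affected(version):
    """True if version falls inside any of the bulletin's inclusive ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def triage(inventory):
    """inventory maps host -> (installed version, set of applied iFix ids).

    Returns host -> 'affected', 'remediated' or 'not-affected'.
    """
    report = {}
    for host, (version, ifixes) in inventory.items():
        if not is_affected(version):
            report[host] = "not-affected"
        elif INTERIM_FIX in ifixes:
            report[host] = "remediated"
        else:
            report[host] = "affected"
    return report


# Constructed sample inventory (hypothetical hosts, not from the bulletin).
SAMPLE_INVENTORY = {
    "patterns-a": ("1.0.0.7", set()),           # top of first range: affected
    "patterns-b": ("1.0.0.10", set()),          # numerically above 1.0.0.7
    "patterns-c": ("2.3.3.3", {INTERIM_FIX}),   # affected but iFix applied
    "patterns-d": ("2.1.5.0", set()),           # falls between the two ranges
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The range check covers only the Patterns product version; as the bulletin says, which WebSphere Application Server versions are affected is determined by the separate IBM Java SDK security bulletin, so a host reported here as not-affected still needs that check.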