17 April 2014
Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2014.0531 Security Bulletin: Potential Denial of Service in IBM WebSphere Application Server CVE-2014-0050 17 April 2014 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: IBM WebSphere Application Server Publisher: IBM Operating System: AIX HP-UX Linux variants Solaris Windows z/OS Impact/Access: Denial of Service -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2014-0050 Reference: ESB-2014.0506 ESB-2014.0500 ESB-2014.0468 ESB-2014.0292 ESB-2014.0171 ESB-2014.0167 Original Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21667254 - --------------------------BEGIN INCLUDED TEXT-------------------- Security Bulletin: Potential Denial of Service in IBM WebSphere Application Server CVE-2014-0050 Security Bulletin Document information More support for: WebSphere Application Server General Software version: 6.1, 7.0, 8.0, 8.5, 8.5.5 Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS Software edition: Base, Developer, Enterprise, Liberty, Network Deployment Reference #: 1667254 Modified date: 2014-04-15 Summary Apache Commons FileUpload used by IBM WebSphere Application Server may be vulnerable to a denial of service. Vulnerability Details CVEID: CVE-2014-0050 Description: Potential denial of service in Apache Commons FileUpload CVSS Base Score: 5 CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the current score CVSS Environmental Score*: Undefined CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P) Affected Products and Versions VERSIONS AFFECTED: This problem affects the following versions of the WebSphere Application Server: Version 8.5 Full Profile and Liberty Profile Version 8 Version 7 Version 6.1 This problem also affects the following versions of WebSphere Extended Deployment Compute Grid: Version 8 on WebSphere Application Server Version 7 or Version 8 Version 6.1 on WebSphere Application Server Version 7 Remediation/Fixes Apache Commons FileUpload used by the Administrative Console and WebContainer in WebSphere Application Server and batch processing in IBM Compute Grid may be vulnerable to a denial of service, caused by the improper handling of Content-Type HTTP header for multi-part requests. By sending a specially-crafted request, an attacker could exploit this vulnerability to cause the application to enter into an infinite loop. Although the file in error is present in several components, some instances of having this file is not as severe as others. If you have an application which uses MultipartConfig for File upload supported by Java Servlet Specification 3.0 and above with version 8.0 or version 8.5 for both Full profile and Liberty, it is extremely important that you install the Web Container Interim Fix PI12926 since you are at risk for this vulnerability. WebSphere Application Server Versions 7.0 and earlier are not affected by the fileupload vulnerability for the Web Container component. If you are using the Administrative Console or if you are administering batch jobs in Compute Grid we recommend you apply the interim fix, however there is not a way for an attacker to force the vulnerability to occur. FileUpload is also present if you are using Struts version 1.x from the optional libraries that are shipped with WebSphere Application Server, you also may be vulnerable. If your application is using the FileUpload in Struts as part of the MultipartStream constructor, you will need to upgrade. WebSphere Application Server Version 7.0 deprecated the inclusion of version 1.x of Struts in 2008. We recommend that you upgrade to include a version of Struts in your code that is still supported by Apache or upgrade your commons-fileupload.jar and prerequisites. Your application should be thoroughly tested to verify that it does not have any issues. Please refer to the Apache site for information and download: Apache Struts Web site. (struts.apache.org) If this mitigation will not work for you, please contact IBM Support. Please note: IBM does not plan on shipping any fix for Struts 1.x as the fix is only available at the current levels of Apache Struts which can only be obtained from the Apache Struts website. Important! IBM is planning on removing and no longer shipping all 4 versions of Struts Version 1.x from the optional Libraries starting in WebSphere Application Server 188.8.131.52, 184.108.40.206, and 220.127.116.11. If you have copied the optional Struts packages to your shared library for your applications to use, you will need to take the following actions prior to moving to 18.104.22.168, 22.214.171.124, or 126.96.36.199. - - Upgrade your applications to use a current level of Struts - - Include a copy of the Struts 1.x package as part of your ear file development. FIXES: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. There are 3 separate interim fixes that may need to be applied, links are provided below: APARs PI12648 for the Administrative Console - not vulnerable in Liberty PI12926 for the Web Container - Not vulnerable prior to versions 8 PI13162 for Administering batch jobs in Compute Grid Fix:Apply a Fix Pack or PTF containing the above APARs, as noted below: For affected IBM WebSphere Application Server: For V188.8.131.52 through 184.108.40.206 Full Profile: Apply Interim Fixes PI12648 and PI12926 - --OR-- Apply Fix Pack 220.127.116.11 or later (targeted to be available 28 April 2014). For V18.104.22.168 through 22.214.171.124 Liberty Profile: Apply Interim Fixes PI12926 - --OR-- Apply Fix Pack 126.96.36.199 or later (targeted to be available 28 April 2014). For V188.8.131.52 through 184.108.40.206 using Compute Grid: Apply Interim Fixes PI13162 - --OR-- Apply Fix Pack 220.127.116.11 or later (targeted to be available 28 April 2014). For V8.0 through 18.104.22.168: Apply Interim Fixes PI12648 and PI12926 - --OR-- Apply Fix Pack 22.214.171.124 or later (targeted to be available 23 June 2014). For V126.96.36.199 through 188.8.131.52: Apply Interim Fix PI12648 - --OR-- Apply Fix Pack 184.108.40.206 or later (targeted to be available 23 June 2014). For V220.127.116.11 through 18.104.22.168: Apply Interim Fix PI12648 For affected IBM WebSphere Application Server Extended Deployment Compute Grid: For Compute Grid V22.214.171.124 through 126.96.36.199 on WebSphere Application Server Version 8 or WebSphere Application Server Version 7 Apply Interim Fixes PI13162 - --OR-- Apply Compute Grid Fix Pack 188.8.131.52 or later (targeted to be available 23 June 2014). For Compute Grid V6.1 on WebSphere Application Server V7.0: Apply Interim Fixes PI13162 For Compute Grid V6.1 on WebSphere Application Server V6.1: Not affected - no updates needed Important note IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk. References Complete CVSS Guide On-line Calculator V2 Related information IBM Secure Engineering Web Portal IBM Product Security Incident Response Blog Change History 15 April 2014: Original Document Published *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. Cross reference information Segment Product Application Servers WebSphere Application Server Liberty Core Application Servers WebSphere Extended Deployment Compute Grid - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to firstname.lastname@example.org and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: email@example.com Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBU09TjhLndAQH1ShLAQLdsA//TO4OYJRcpDcpF5Y6gf4Qalcjf8ZZux3i N73CZnAm0l1WnTYnSbLDnlku2eLTgal0iG1QQUJ3SSH3NR/+ehqIXrkq1J08DyMD eX52jzKDKIBERycPR7og2YG+J+BSOlPX4gdjRZNt85kkwKhke6U0pV+tJHE4708X 7N29UXs5yrLfaCSFXp7m1wMjPA8lzmXLCcFglEAyZY3hJcPsHbmqnpSOZ3f8f+gf kcefCrZnlzzIxITTuomUFGcQjprQAIeiTnm0/X5b8E8hCkThB5r62m6202T6GlYS pgpglRV5+GtZaItic1SCcCQF0Dgk0PoOdlPbOUwYQ9DPCBYt/NCKDbDkql+3xM8k 0C+1HqioYv9j1EzMHCVmrjr/9waSL5TLZwdVnPerqhmDELteaPrhmVQWUioO7VX/ mLA2TWx9y4qsl+ZRHBmLVLrU/uSev3V2Mfbluh9yANJJf+4JkSSOOoSm5QnYllLw lsb9tmXVaLzCxECjpdBNNvlZoHveAnL9zwVJlhGnTJOhxHkKpU2/7Uf0FRQhvTX2 XrFzwpFXnbugx2nZxbie3zkSvYyOxWndn34QXCmc1geRh+HJ2SUa0m6RAl/UAoUv 1f0/j+jio5g7rkkdM3BfBFd39Kbeegrp4ttwzhpgklMeUa/7d1tkTGETBYlob0mN OCxsXib2ulQ= =oofw -----END PGP SIGNATURE-----