Hash: SHA1

             AUSCERT External Security Bulletin Redistribution

           Security Bulletin: Potential Denial of Service in IBM
                WebSphere Application Server CVE-2014-0050
                               17 April 2014


        AusCERT Security Bulletin Summary

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   Linux variants
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0050  

Reference:         ESB-2014.0506

Original Bulletin: 

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Potential Denial of Service in IBM WebSphere Application
Server CVE-2014-0050

Security Bulletin

Document information
More support for:

WebSphere Application Server

Software version:
6.1, 7.0, 8.0, 8.5, 8.5.5

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Software edition:
Base, Developer, Enterprise, Liberty, Network Deployment

Reference #:

Modified date:


Apache Commons FileUpload used by IBM WebSphere Application Server may be
vulnerable to a denial of service.

Vulnerability Details

CVEID: CVE-2014-0050
Description: Potential denial of service in Apache Commons FileUpload
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Affected Products and Versions

VERSIONS AFFECTED: This problem affects the following versions of the
WebSphere Application Server:
Version 8.5 Full Profile and Liberty Profile
Version 8
Version 7
Version 6.1
This problem also affects the following versions of WebSphere Extended
Deployment Compute Grid:
Version 8 on WebSphere Application Server Version 7 or Version 8
Version 6.1 on WebSphere Application Server Version 7


Apache Commons FileUpload used by the Administrative Console and WebContainer
in WebSphere Application Server and batch processing in IBM Compute
Grid may be vulnerable to a denial of service, caused by the improper
handling of Content-Type HTTP header for multi-part requests. By sending
a specially-crafted request, an attacker could exploit this vulnerability
to cause the application to enter into an infinite loop.

Although the file in error is present in several components, some instances
of having this file is not as severe as others.

If you have an application which uses MultipartConfig for File upload
supported by Java Servlet Specification 3.0 and above with version 8.0 or
version 8.5 for both Full profile and Liberty, it is extremely important
that you install the Web Container Interim Fix PI12926 since you are at
risk for this vulnerability. WebSphere Application Server Versions 7.0
and earlier are not affected by the fileupload vulnerability for the Web
Container component.

If you are using the Administrative Console or if you are administering
batch jobs in Compute Grid we recommend you apply the interim fix, however
there is not a way for an attacker to force the vulnerability to occur.

FileUpload is also present if you are using Struts version 1.x from the
optional libraries that are shipped with WebSphere Application Server,
you also may be vulnerable. If your application is using the FileUpload
in Struts as part of the MultipartStream constructor, you will need to
upgrade. WebSphere Application Server Version 7.0 deprecated the inclusion
of version 1.x of Struts in 2008. We recommend that you upgrade to include a
version of Struts in your code that is still supported by Apache or upgrade
your commons-fileupload.jar and prerequisites. Your application should
be thoroughly tested to verify that it does not have any issues. Please
refer to the Apache site for information and download: Apache Struts
Web site. (struts.apache.org) If this mitigation will not work for you,
please contact IBM Support. Please note: IBM does not plan on shipping any
fix for Struts 1.x as the fix is only available at the current levels of
Apache Struts which can only be obtained from the Apache Struts website.

Important! IBM is planning on removing and no longer shipping all 4 versions
of Struts Version 1.x from the optional Libraries starting in WebSphere
Application Server,, and If you have copied the
optional Struts packages to your shared library for your applications to use,
you will need to take the following actions prior to moving to,, or

- - Upgrade your applications to use a current level of Struts
- - Include a copy of the Struts 1.x package as part of your ear file

FIXES: The recommended solution is to apply the Fix Pack or PTF for each
named product as soon as practical. There are 3 separate interim fixes
that may need to be applied, links are provided below:

APARs PI12648 for the Administrative Console - not vulnerable in Liberty
PI12926 for the Web Container - Not vulnerable prior to versions 8
PI13162 for Administering batch jobs in Compute Grid

Fix:Apply a Fix Pack or PTF containing the above APARs, as noted below:

For affected IBM WebSphere Application Server:

For V8.5.0.0 through Full Profile:

    Apply Interim Fixes PI12648 and PI12926

- --OR--

    Apply Fix Pack or later (targeted to be available 28 April 2014).

For V8.5.0.0 through Liberty Profile:

    Apply Interim Fixes PI12926

- --OR--

    Apply Fix Pack or later (targeted to be available 28 April 2014).

For V8.5.0.0 through using Compute Grid:

    Apply Interim Fixes PI13162

- --OR--

    Apply Fix Pack or later (targeted to be available 28 April 2014).

For V8.0 through

    Apply Interim Fixes PI12648 and PI12926

- --OR--

    Apply Fix Pack or later (targeted to be available 23 June 2014).

For V7.0.0.0 through

    Apply Interim Fix PI12648

- --OR--

    Apply Fix Pack or later (targeted to be available 23 June 2014).

For V6.1.0.0 through

    Apply Interim Fix PI12648

For affected IBM WebSphere Application Server Extended Deployment Compute

For Compute Grid V8.0.0.0 through on WebSphere Application Server
Version 8 or WebSphere Application Server Version 7

    Apply Interim Fixes PI13162

- --OR--

    Apply Compute Grid Fix Pack or later (targeted to be available
    23 June 2014).

For Compute Grid V6.1 on WebSphere Application Server V7.0:

    Apply Interim Fixes PI13162

For Compute Grid V6.1 on WebSphere Application Server V6.1:

    Not affected - no updates needed

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.


Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 April 2014: Original Document Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT

Cross reference information

Segment			Product						
Application Servers	WebSphere Application Server Liberty Core
Application Servers	WebSphere Extended Deployment Compute Grid

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967