Operating System:

[WIN][z/OS][LINUX][IBM i][HP-UX][Solaris][AIX]

Published:

20 May 2014

Protect yourself against future threats.

//Service

Member Security Incident Notifications

Be proactive with your security and receive our daily Member Security Incident Notifications (MSINs) custom to your network.

Read more
Resources > Security Bulletins > ESB-2014.0757 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0757
              Security Bulletin: Fixes available for Security
          Vulnerabilities in IBM WebSphere Portal (Multiple CVEs)
                                20 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
                   i5/OS
                   z/OS
Impact/Access:     Denial of Service              -- Remote/Unauthenticated      
                   Cross-site Scripting           -- Remote with User Interaction
                   Access Confidential Data       -- Remote/Unauthenticated      
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0959 CVE-2014-0958 CVE-2014-0956
                   CVE-2014-0955 CVE-2014-0954 CVE-2014-0952
                   CVE-2014-0951 CVE-2014-0949 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21672572

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Fixes available for Security Vulnerabilities in IBM
WebSphere Portal (Multiple CVEs)

Security Bulletin

Document information

More support for:
WebSphere Portal

Software version:
6.1, 7.0, 8.0

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS, z/OS

Reference #:
1672572

Modified date:
2014-05-13

Summary

Fixes are available for security vulnerabilities in IBM WebSphere Portal.

Vulnerability Details

Fixes are available for the following security vulnerabilities in IBM
WebSphere Portal:
CVEID: CVE-2014-0951
DESCRIPTION:
IBM WebSphere Portal is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the FilterForm.jsp script. A
remote attacker could exploit this vulnerability using a specially-crafted
URL to execute script in a victim's Web browser within the security context
of the hosting Web site, once the URL is clicked. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92624 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7

REMEDIATION:
The recommended solution is to apply PI15690 as soon as practical.
Fix: Apply a Cumulative Fix containing PI15690.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 28 (CF28)
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)

Workaround: None.
Mitigation: None.

CVEID: CVE-2014-0949
DESCRIPTION:
IBM Websphere Portal contains a vulnerability that would allow a remote
attacker to consume all available resources and crash the system through
a malicous web request.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92622 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)


AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x

REMEDIATION:
The recommended solution is to apply PI15692 as soon as practical.
Fix: Apply Interim Fix PI15692 or a Cumulative Fix containing PI15692.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 28 (CF28) and then apply
Interim Fix PI15692
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI15692
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI15692
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)


Workaround: None.
Mitigation: None.
CVEID: CVE-2014-0954
DESCRIPTION:
IBM WebSphere Portal contains a vulnerability that would allow a remote
attacker to send a specially-crafted URL request which could allow the
attacker to obtain sensitive information, consume all available memory
resources or control the request dispatcher on the vulnerable Web server
due to unvalidated JSP includes.

CVSS:
CVSS Base Score: 6.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92627 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x

REMEDIATION:
The recommended solution is to apply PI15723 as soon as practical.
Fix: Apply Interim Fix PI15723 or a Cumulative Fix containing PI15723.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 28 (CF28) and then apply
Interim Fix PI15723
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)


For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI15723
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI15723
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)


Workaround/Mitigation: If the Web Content Viewer (JSR 286) portlet is not
used: Stop or uninstall the Web Content Viewer (JSR 286) portlet.
CVEID: CVE-2014-0955
DESCRIPTION:
IBM WebSphere Portal, if using IBM Connections integration using the
Social Rendering feature, is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input. A remote attacker could exploit
this vulnerability using a specially-crafted URL to execute script in a
victim's Web browser within the security context of the hosting Web site,
once the URL is clicked. An attacker could use this vulnerability to steal
the victim's cookie-based authentication credentials.

CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92628 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8 (Fix Pack level 8.0.0.1)

REMEDIATION:
The recommended solution is to apply PI15583 as soon as practical.
Fix: Apply a Cumulative Fix containing PI15583.

For 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

Workaround: None.
Mitigation: None.
CVEID: CVE-2014-0959
DESCRIPTION:
IBM WebSphere Portal is vulnerable to a denial of service, caused by
redirecting a successful login back to itself resulting in an infinite
loop. An authenticated remote attacker could exploit this vulnerability
to cause a denial of service.

CVSS:
CVSS Base Score: 4.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92741 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x

REMEDIATION:
The recommended solution is to apply PI16462 as soon as practical.
Fix: Apply Interim Fix PI16462 or a Cumulative Fix containing PI16462.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 28 (CF28) and then apply
Interim Fix PI16462
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI16462
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI16462
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

Workaround: None.
Mitigation: None.
CVEID: CVE-2014-0956
DESCRIPTION:
IBM WebSphere Portal is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by a .jsp script. A remote
attacker could exploit this vulnerability using a specially-crafted URL
to execute script in a victim's Web browser within the security context of
the hosting Web site, once the URL is clicked. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92629 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x

REMEDIATION:
The recommended solution is to apply PI16040 as soon as practical.
Fix: Apply Interim Fix PI16040 or a Cumulative Fix containing PI16040.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 27 (CF28) and then apply
Interim Fix PI16040
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI16040
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI16040
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)


Workaround: None.
Mitigation: None.
CVEID: CVE-2014-0952
DESCRIPTION:
IBM WebSphere Portal is vulnerable to cross-site scripting, caused by
improper validation of user-supplied input by the boot_config.jsp script. A
remote attacker could exploit this vulnerability using a specially-crafted
URL to execute script in a victim's Web browser within the security context
of the hosting Web site, once the URL is clicked. An attacker could use this
vulnerability to steal the victim's cookie-based authentication credentials.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92625 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x

REMEDIATION:
The recommended solution is to apply PI16041 as soon as practical.
Fix: Apply Interim Fix PI16041 or a Cumulative Fix containing PI16041.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 28 (CF28) and then apply
Interim Fix PI16041
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)


For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 28 (CF28) and then apply
Interim Fix PI16041
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI16041
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

Workaround: None.
Mitigation: None.
CVEID: CVE-2014-0958
DESCRIPTION:
IBM WebSphere Portal could allow a remote attacker to conduct phishing
attacks, caused by an open redirect vulnerability. An attacker could
exploit this vulnerability using a specially-crafted URL to redirect a
victim to arbitrary Web sites.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/92739 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
WebSphere Portal 8
WebSphere Portal 7
WebSphere Portal 6.1.x

REMEDIATION:
The recommended solution is to apply PI15689 as soon as practical.
Fix: Apply Interim Fix PI15689 or a Cumulative Fix containing PI15689.

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 12 (CF12)
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 28 (CF28)
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)


For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI15689
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply
Interim Fix PI15689
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

Workaround: None.
Mitigation: None.
Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References
Complete CVSS Guide
On-line Calculator V2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

13th May 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU3qcRhLndAQH1ShLAQK56A/+JtXuKxYMXqi+WMfTvgsQccc7VC2Mmr5P
d0SG6NFoUTTQ6wjqmtgi+Y3MZOxCVJeJOXQV2vX7nefoOwLvLybo3/EuGlKi3x+I
5NqkhCy2LDmFUWancljinSrE7ObYr+kf4hTInSxbn2rTgBIzk4VqaMdAJ9ffKvma
fcsFv//d6sfiFSvD1La7Q99rT9f7bU+iSUyJHkTbi32dvn8Mh+fQhOB2STSpbMWg
O0hwvweqqLb2tTg5jzXSH64WfLat3R25Q+fbMQwONwqDZMm+nkU3TvloCU5pmFEe
NTTdWsVRhgZLXD++j63C3947Rngj7AmHFB2XTnUIZ7SO1QBu3PHePvtzsw1+n1bC
H/2SuGcPFpcLIhzBQfSSVd16/RUrtJ9GJ55yAk94oz5U/uXqR98KyapACsIBCJ39
ouRJh81HhsXqndpFFqjqOh8xRU2ETQfs3DmcXhpbqvUnEHbEUIM74K3VcyUgx/T1
d6jIWh59VurhxWIgijK6gzyxNU7jZ9zKkFrov+bALrAP02/ZTfoKmjnPRMVRXAfM
MwA4dlg+rvDNQ0xduuM1IwITT3C5taC10QXY5s5MZqsTzci4ohRCRLB8zTj04V7S
+aUQHPjXyadt+ObeoN3SFcfTxqOVlYzzToyGHD0UmwkYwyuPa9tmDckr4RvLUaU0
fTLco3me28Q=
=4EPs
-----END PGP SIGNATURE-----