-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0761
   Classloader Manipulation Vulnerability in IBM WebSphere Application
                           Server CVE-2014-0114
                                20 May 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   OS X
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0114

Reference:         ESB-2014.0744
                   ESB-2014.0739
                   ESB-2014.0738
                   ESB-2014.0737
                   ESB-2014.0684

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg24037506

- --------------------------BEGIN INCLUDED TEXT--------------------

PI17190: Classloader Manipulation Vulnerability in IBM WebSphere
Application Server CVE-2014-0114

More support for:    WebSphere Application Server, General

Software version:    6.1.0.31, 6.1.0.33, 6.1.0.35, 6.1.0.37, 6.1.0.39,
                     6.1.0.41, 6.1.0.43, 6.1.0.45, 6.1.0.47,
                     7.0.0.13, 7.0.0.15, 7.0.0.17, 7.0.0.19, 7.0.0.21,
                     7.0.0.23, 7.0.0.25, 7.0.0.27, 7.0.0.29, 7.0.0.31

Operating system(s): AIX, HP-UX, IBM i, Linux, Mac OS, Solaris, Windows,
                     z/OS

Software edition:    Advanced, Base, Developer, Enterprise, Express,
                     Network Deployment, Single Server

Reference #:         4037506

Modified date:       2014-05-15

Abstract
Classloader Manipulation Vulnerability in IBM WebSphere Application Server
CVE-2014-0114

Download Description
PI17190 resolves the following problem:

ERROR DESCRIPTION:
Classloader Manipulation Vulnerability in IBM WebSphere Application Server
CVE-2014-0114

LOCAL FIX:
This is a WAS Administrative console issue. Clients are safe if they
protect their admin console accesses with global security to limit access
to trusted administrators.
In addition, the admin console is safe if it is behind a firewall and the
admin users don't attack it.

PROBLEM SUMMARY:
Classloader Manipulation Vulnerability in IBM WebSphere Application Server
CVE-2014-0114

PROBLEM CONCLUSION:
Classloader Manipulation Vulnerability in IBM WebSphere Application Server
CVE-2014-0114

Download package

Download                        RELEASE DATE  LANGUAGE  SIZE(Bytes)  Download Options
Fix for 7.0.0.13 to 7.0.0.31    9 May 2014    English   70826        FC  DD
Fix for 6.1.0.31 to 6.1.0.47    9 May 2014    English   70722        FC  DD

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still
current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU3rPdBLndAQH1ShLAQKvbg//fQ1XOy0vv3flBh7ZysWtMGdlbts6fxfH
AVJsFvanZqiI/16f0notu80JrXnjFxVLFXVdY0NY19xm6OD3pDnkXCT0gh0sQEWt
YZC06CME/tokBarpY5IC2BvS4bzWd2wFLle5vbjxcwgViYGV5tocrhdDNOgXPYGG
U6CTSBUbZsEpfXVSrMicajhRkvOY7rQTHqSd0OO2OqXxNeRoOWHcbaDSjNNiHAAx
PKfO2svz7+/HQkJbzAh+rQ0vzD6lpAi4VF2pU3bSKPjNebRbZi6bTBc6pgIBAFbi
+FOSfm5Nvq/EPeItLTbWtgULNj9gkF0EDjyy4Rc7SDwkUHGX8g81IXRhvqVaH8w1
RwATqsJDpKQQcFWuwbb3UFdygwIeDICQbLHwqoVi9Oa5J+r24uPnR2WrwF1/QK5d
3ijM7STDISYcpI5xZvgkDjvD2xeLVTCbmuZNMTwaRciXDsTb7bfv+AdeUCKzCasl
g4VKFgPzeI9rLUyNBswA+sUezM0vqQ7vza0VhH501LyXKhqn0TR+IDaOHVQcZfgc
ZGEB52Gcmkswj9dT5/grIQy5nNYBedy59fZOvOlKdJdc4kEu6Rtn7d2LlRHmfyx3
eVQmFuWCQzYmn+8LpXrfDues0Mbxxcd17WBzV3LunjJntmr00dZ0WkKjnRy13lWK
ealcPVBw5Lc=
=REMh
-----END PGP SIGNATURE-----
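The LOCAL FIX section above rests on two things an operator can actually check: whether the running WebSphere fix level is one the PI17190 interim fix is published for (the two ranges in the download table), and whether the administrative console is really reachable only by trusted administrators from a trusted network. The following audit helper is an added example written for this page; it is not IBM's or AusCERT's code. It assumes the default admin console context root /ibm/console, an NCSA-style access log, and a constructed trusted admin network 10.20.0.0/24; the log lines inside it are constructed for illustration. The fix-level ranges are taken directly from the bulletin's download table, and a level outside those ranges is reported as "not in a PI17190 range", not as safe, because the bulletin says nothing about other levels.

```python
"""Audit helper for the mitigations in PI17190's LOCAL FIX (added example).

1. needs_pi17190(): is a WAS fix level inside a range the interim fix covers?
2. untrusted_console_hits(): which admin-console requests came from outside
   the trusted administrator network?
"""
import ipaddress
import re

# Inclusive fix-level ranges from the bulletin's download table.
PI17190_RANGES = [("6.1.0.31", "6.1.0.47"), ("7.0.0.13", "7.0.0.31")]

# Assumption: the admin console is served under its default context root.
ADMIN_CONSOLE_PREFIX = "/ibm/console"

# Constructed trusted administrator network for this example.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed NCSA-style access log lines (not from any real system).
SAMPLE_LOG = """\
10.20.0.15 - wasadmin [15/May/2014:10:01:02 +1000] "GET /ibm/console/login.do HTTP/1.1" 200 5123
203.0.113.7 - - [15/May/2014:10:03:44 +1000] "GET /ibm/console/ HTTP/1.1" 302 0
10.20.0.15 - wasadmin [15/May/2014:10:05:10 +1000] "POST /ibm/console/secure/settings HTTP/1.1" 200 812
198.51.100.23 - - [15/May/2014:10:06:31 +1000] "GET /app/index.jsp HTTP/1.1" 200 4096
this line is deliberately malformed and must be skipped
""".splitlines()

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def parse_version(version):
    """'7.0.0.27' -> (7, 0, 0, 27); tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def needs_pi17190(version):
    """True if the fix level lies inside a range PI17190 is published for.

    False only means the level is outside those ranges; the bulletin does
    not say such levels are unaffected, so treat False as "check IBM".
    """
    level = parse_version(version)
    return any(parse_version(lo) <= level <= parse_version(hi)
               for lo, hi in PI17190_RANGES)


def untrusted_console_hits(log_lines, trusted_nets=TRUSTED_ADMIN_NETS,
                           prefix=ADMIN_CONSOLE_PREFIX):
    """Return (ip, user, path, status) for admin-console requests whose
    source address is not inside any trusted network."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match or not match["path"].startswith(prefix):
            continue
        source = ipaddress.ip_address(match["ip"])
        if any(source in net for net in trusted_nets):
            continue
        hits.append((match["ip"], match["user"], match["path"], match["status"]))
    return hits


if __name__ == "__main__":
    for level in ("6.1.0.41", "7.0.0.27", "8.5.5.1"):
        state = "PI17190 applies" if needs_pi17190(level) else "not in a PI17190 range"
        print(f"WAS {level}: {state}")
    for ip, user, path, status in untrusted_console_hits(SAMPLE_LOG):
        print(f"admin console reached from untrusted {ip} (user={user}) {path} -> {status}")
```

Any row printed by the second loop contradicts the "behind a firewall, trusted administrators only" assumption the LOCAL FIX relies on; a 302 to the login page from an outside address still proves the console is exposed, so the filter deliberately does not restrict itself to 200 responses.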