-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1525
        DoS vulnerability in bundled WebSphere Liberty Profile used
                         by Web Experience Factory
                             8 September 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Web Experience Factory
Publisher:         IBM
Operating System:  Linux variants
                   OS X
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0050  

Reference:         ASB-2014.0077
                   ESB-2014.1313
                   ESB-2014.1264
                   ESB-2014.1257
                   ESB-2014.1135

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21682055

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: DoS vulnerability in bundled WebSphere Liberty Profile used
by Web Experience Factory


Document information

More support for:
IBM Web Experience Factory

Software version:
8.5

Operating system(s):
Linux, Mac OS X, Windows

Software edition:
Designer

Reference #:
1682055

Modified date:
2014-09-05

Security Bulletin

Summary

The WebSphere Liberty Profile application server bundled with Web Experience 
Factory 8.5 may be vulnerable to DoS attacks.

Vulnerability Details

A DoS vulnerability has been disclosed in the version of Apache Commons 
FileUpload included in the WebSphere Liberty Profile application server 
bundled with Web Experience Factory (WEF) 8.5. Liberty is an optional 
component that, if installed, is used by WEF as a development-time application
server.

Liberty's security bulletin (Security Bulletin: Potential Denial of Service in
IBM WebSphere Application Server CVE-2014-0050) provides a description of the
potential vulnerabilities and available fixes. If you have installed WEF's 
bundled copy of Liberty then you should apply interim fix 
8551-wlp-archive-IFPI12926. Applying any other fix may render Liberty unusable
for WEF model development.

CVE ID: CVE-2014-0050

Apache Commons FileUpload (before 1.3.1) and Apache Tomcat, which bundles it, 
are vulnerable to a denial of service: a crafted multipart Content-Type header 
whose boundary does not fit the parser's read buffer sends MultipartStream into
an infinite loop, consuming CPU for as long as the request is being read. No 
authentication is needed; any endpoint that accepts multipart uploads is 
reachable.

CVSS Base Score: 5.0

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90987 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
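The following is an added example, not part of the IBM bulletin and not IBM or Apache code. It shows a request-side check an operator could put in front of a Liberty development server while waiting for the interim fix: it parses the multipart boundary out of a Content-Type header and flags boundaries that would not fit MultipartStream's read buffer. The 4096-byte default buffer, the 4-byte CRLF-- prefix that MultipartStream prepends, and the "boundary length + 5 > buffer size" threshold are assumptions taken from the 1.3.1 fix as the editor recalls it, not figures stated on this page; the sample requests are constructed.

```python
"""
Heuristic filter for CVE-2014-0050-style multipart boundaries.

Assumptions (not from the bulletin): Commons FileUpload's MultipartStream
reads with a 4096-byte buffer by default, prepends "\r\n--" (4 bytes) to the
boundary, and the 1.3.1 fix rejects buffers smaller than that prefixed
boundary length + 1. A boundary that violates that check is what kept the
old parser looping.
"""
import re

DEFAULT_BUFSIZE = 4096        # MultipartStream default buffer (assumed)
BOUNDARY_PREFIX_LEN = 4       # len("\r\n--") prepended by MultipartStream (assumed)
RFC2046_MAX_BOUNDARY = 70     # RFC 2046 caps boundaries at 70 characters

# boundary=<token> or boundary="<quoted>", case-insensitive parameter name
_BOUNDARY_RE = re.compile(r';\s*boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type, else None."""
    if not content_type.lstrip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def boundary_overflows(content_type, bufsize=DEFAULT_BUFSIZE):
    """True if the prefixed boundary plus one byte would not fit the buffer."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return False
    raw_len = len(boundary.encode("latin-1", "replace"))
    return raw_len + BOUNDARY_PREFIX_LEN + 1 > bufsize


def classify_request(headers, bufsize=DEFAULT_BUFSIZE):
    """
    Classify one request's headers (dict, any header-name case) as
    'ok', 'suspicious' (boundary longer than RFC 2046 allows, but it fits
    the buffer) or 'block' (boundary large enough to trigger the loop).
    """
    ct = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    boundary = extract_boundary(ct)
    if boundary is None:
        return "ok"
    if boundary_overflows(ct, bufsize):
        return "block"
    if len(boundary) > RFC2046_MAX_BOUNDARY:
        return "suspicious"
    return "ok"


# Constructed sample requests for the demo (not captured traffic).
SAMPLE_REQUESTS = [
    {"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"},
    {"Content-Type": "multipart/form-data; boundary=" + "A" * 200},
    {"content-type": "multipart/form-data; boundary=" + "A" * 4092},
    {"Content-Type": "application/json"},
]


def scan(requests=SAMPLE_REQUESTS, bufsize=DEFAULT_BUFSIZE):
    """Return the verdict for each request, in order."""
    return [classify_request(r, bufsize) for r in requests]


if __name__ == "__main__":
    for req, verdict in zip(SAMPLE_REQUESTS, scan()):
        ct = next(v for k, v in req.items() if k.lower() == "content-type")
        print(f"{verdict:10s} {ct[:60]}{'...' if len(ct) > 60 else ''}")
```

The check is deliberately conservative: a boundary over 70 characters is already outside RFC 2046 and worth logging, while only a boundary that would not fit the assumed buffer is blocked outright. Any proxy or servlet filter in front of the Liberty server can apply the same decision before the body is handed to FileUpload.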

Affected Products and Versions

Version 8.5 and 8.5.0.x of Web Experience Factory.

Remediation/Fixes

Apply interim fix 8551-wlp-archive-IFPI12926 available from Fix Central. 
Applying any other fix may render Liberty unusable for WEF model development.

Workarounds and Mitigations

Remove the copy of Liberty installed with WEF and use another application 
server supported for model development.

References

Complete CVSS Guide (http://www.first.org/cvss/cvss-guide.html)
On-line Calculator V2 (http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2)
CVE-2014-0050 ( http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050)
Security Bulletin: Potential Denial of Service in IBM WebSphere Application 
Server CVE-2014-0050
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog



Change History

4 September 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
References section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
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=5k3t
-----END PGP SIGNATURE-----