17 March 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0637
   Security Bulletin: Potential Security Vulnerabilities fixed in IBM
            WebSphere Application Server Version 18.104.22.168
                              17 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Application Server
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Windows
Impact/Access:     Access Privileged Data         -- Remote with User Interaction
                   Cross-site Scripting           -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
                   Reduced Security               -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-8730 CVE-2014-6174 CVE-2014-6167 CVE-2014-3566

Reference:         ASB-2015.0009
                   ESB-2015.0618
                   ESB-2015.0609
                   ESB-2015.0385
                   ESB-2015.0165

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21697369

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere
Application Server Version 22.214.171.124

Document information
More support for: WebSphere Application Server
General
Software version: 6.1, 7.0, 8.0, 8.5, 8.5.5
Operating system(s): AIX, HP-UX, IBM i, Linux, Windows
Software edition: Base, Developer, Enterprise, Liberty, Network Deployment
Reference #: 1697369
Modified date: 2015-03-16

Security Bulletin

Summary
Cross reference list for security vulnerabilities fixed in IBM WebSphere
Application Server 126.96.36.199, IBM WebSphere Application Server Hypervisor
188.8.131.52 and IBM HTTP Server 184.108.40.206

Vulnerability Details

CVE ID: CVE-2014-6167 (APAR PI23819)
DESCRIPTION: IBM WebSphere Application Server may be vulnerable to cross-site
scripting, caused by improper validation of session input using URL rewriting.
A remote attacker could exploit this vulnerability in a specially-crafted URL
to execute script in a victim's Web browser within the security context of the
hosting Web site, once the URL is clicked.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97748 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions
are affected:
  Version 8.5 Full Profile and Liberty Profile
  Version 8
  Version 7

Remediation/Fixes:
The recommended solution is to apply the Fix Pack or PTF for each named
product as soon as practical.

Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI23819, as noted
below:

For IBM WebSphere Application Server
  For V220.127.116.11 through 18.104.22.168:
    Apply Fix Pack 4 (22.214.171.124), or later.
  For V126.96.36.199 through 188.8.131.52:
    Apply Fix Pack 10 (184.108.40.206), or later.
  For V220.127.116.11 through 18.104.22.168:
    Apply Fix Pack 37 (22.214.171.124), or later.

Workaround(s): None known
Mitigation(s): None known

CVE ID: CVE-2014-6174 (APAR PI27152)
DESCRIPTION: IBM WebSphere Application Server Administrative Console could
allow a remote attacker to hijack the clicking action of the victim. By
persuading a victim to visit a malicious Web site, a remote attacker could
send a specially-crafted HTTP request to hijack the victim's click actions or
launch other client-side browser attacks.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98486 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions
are affected:
  Version 8.5 Full Profile
  Version 8
  Version 7

Remediation/Fixes:
The recommended solution is to apply the Fix Pack or PTF for each named
product as soon as practical.
Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI27152, as noted
below:

For IBM WebSphere Application Server
  For V126.96.36.199 through 188.8.131.52:
    Apply Interim Fix PI27152
    - -- OR
    Apply Fix Pack 4 (184.108.40.206), or later.
  For V220.127.116.11 through 18.104.22.168:
    Apply Interim Fix PI27152
    - -- OR
    Apply Fix Pack 10 (22.214.171.124), or later.
  For V126.96.36.199 through 188.8.131.52:
    Apply Interim Fix PI27152
    - -- OR
    Apply Fix Pack 37 (184.108.40.206), or later.

Workaround(s): None known
Mitigation(s): None known

CVE IDs: CVE-2014-3566 (APAR PI27904)
DESCRIPTION: SSLv3 contains a vulnerability that has been referred to as the
Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is
enabled by default in the Apache based IBM HTTP Server.

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to Vulnerability in SSLv3 affects IBM HTTP Server for
remediation information.

CVE IDs: CVE-2014-8730 (APAR PI31516)
DESCRIPTION: Transport Layer Security (TLS) padding vulnerability via a POODLE
(Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP
Server.

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to TLS padding vulnerability affects IBM HTTP Server for
remediation information.

If you are using an earlier unsupported release, IBM strongly recommends that
you upgrade.

Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal.
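A verification step for the POODLE entry above (CVE-2014-3566: SSLv3 enabled by default in IBM HTTP Server), added here as an example and not part of IBM's or AusCERT's bulletin: it builds a minimal SSL 3.0 ClientHello and classifies the server's first reply record, so an administrator can confirm that SSLv3 is no longer negotiable on their own IBM HTTP Server (or any TLS endpoint) after remediation. The probe() helper and the sample reply bytes are constructed assumptions, not captured traffic.

```python
import socket
import struct

SSLV3 = b"\x03\x00"                      # version bytes for SSL 3.0
CONTENT_ALERT, CONTENT_HANDSHAKE = 21, 22
HS_CLIENT_HELLO, HS_SERVER_HELLO = 1, 2


def build_sslv3_client_hello(cipher_suites=(0x002F, 0x000A, 0x0005)):
    """Return one record carrying a minimal SSL 3.0 ClientHello.

    The client random is fixed to zeros: this probe only asks whether the
    server is willing to negotiate SSLv3; it never completes a session.
    """
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (SSLV3 + b"\x00" * 32 + b"\x00"        # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                         # one compression method: null
    handshake = bytes([HS_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([CONTENT_HANDSHAKE]) + SSLV3
            + struct.pack("!H", len(handshake)) + handshake)


def classify_response(data):
    """Classify the first record a server returns for the SSLv3 ClientHello."""
    if len(data) < 5:
        return "no-response"                       # closed or silent: treat as refused
    content_type, length = data[0], struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + length]
    if content_type == CONTENT_ALERT:
        return "sslv3-refused"                     # e.g. fatal handshake_failure: fixed
    if content_type == CONTENT_HANDSHAKE and payload[:1] == bytes([HS_SERVER_HELLO]):
        if payload[4:6] == SSLV3:                  # server_version inside ServerHello
            return "sslv3-accepted"                # SSLv3 still on: POODLE-exposed
        return "other-version"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Send the probe to an endpoint you administer and classify its reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "no-response"


if __name__ == "__main__":
    # Constructed sample reply: fatal (2) handshake_failure (0x28) alert in an SSLv3 record.
    print(classify_response(b"\x15\x03\x00\x00\x02\x02\x28"))   # sslv3-refused
```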
IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References
  Complete CVSS Guide
  On-line Calculator V2

Related information
  IBM Secure Engineering Web Portal
  IBM Product Security Incident Response Blog

Change History
  13 March 2015: original document published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment              Product                                          Component  Platform  Version  Edition
Application Servers  IBM HTTP Server
Application Servers  WebSphere Application Server Hypervisor Edition

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you do
not know who that is, please send an email to email@example.com and we will
forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

NOTE: This is only the original release of the security bulletin. It may not
be updated when updates to the original are made. If downloading at a later
date, it is recommended that the bulletin is retrieved directly from the
author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: firstname.lastname@example.org
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================