Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2015.0637
Security Bulletin: Potential Security Vulnerabilities fixed
in IBM WebSphere Application Server Version 7.0.0.37
17 March 2015
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: IBM WebSphere Application Server
Publisher: IBM
Operating System: AIX
HP-UX
IBM i
Linux variants
Windows
Impact/Access: Access Privileged Data -- Remote with User Interaction
Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Remote with User Interaction
Resolution: Patch/Upgrade
CVE Names: CVE-2014-8730 CVE-2014-6174 CVE-2014-6167
CVE-2014-3566
Reference: ASB-2015.0009
ESB-2015.0618
ESB-2015.0609
ESB-2015.0385
ESB-2015.0165
Original Bulletin:
http://www-01.ibm.com/support/docview.wss?uid=swg21697369
- --------------------------BEGIN INCLUDED TEXT--------------------
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere
Application Server Version 7.0.0.37
Document information
More support for:
WebSphere Application Server
General
Software version:
6.1, 7.0, 8.0, 8.5, 8.5.5
Operating system(s):
AIX, HP-UX, IBM i, Linux, Windows
Software edition:
Base, Developer, Enterprise, Liberty, Network Deployment
Reference #:
1697369
Modified date:
2015-03-16
Security Bulletin
Summary
Cross reference list for security vulnerabilites fixed in IBM WebSphere
Application Server 7.0.0.37, IBM WebSphere Application Server Hypervisor
7.0.0.37 and IBM HTTP Server 7.0.0.37
Vulnerability Details
CVE ID: CVE-2014-6167 (APAR PI23819)
DESCRIPTION: IBM WebSphere Application Server may be vulnerable to cross-site
scripting, caused by improper validation of session input using URL rewriting.
A remote attacker could exploit this vulnerability in a specially-crafted URL
to execute script in a victim's Web browser within the security context of the
hosting Web site, once the URL is clicked.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/97748 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are
affected:
Version 8.5 Full Profile and Liberty Profile
Version 8
Version 7
Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF
for each named product as soon as practical.
Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI23819, as noted
below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.3:
Apply Fix Pack 4 (8.5.5.4), or later.
For V8.0.0.0 through 8.0.0.9:
Apply Fix Pack 10 (8.0.0.10), or later.
For V7.0.0.0 through 7.0.0.35:
Apply Fix Pack 37 (7.0.0.37), or later.
Workaround(s): None known
Mitigation(s): None known
CVE ID: CVE-2014-6174 (APAR PI27152)
DESCRIPTION: IBM WebSphere Application Server Administrative Console could
allow a remote attacker to hijack the clicking action of the victim. By
persuading a victim to visit a malicious Web site, a remote attacker could
send a specially-crafted HTTP request to hijack the victim's click actions or
launch other client-side browser attacks.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/98486 for the
current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are
affected:
Version 8.5 Full Profile
Version 8
Version 7
Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF
for each named product as soon as practical.
Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI27152, as noted
below:
For IBM WebSphere Application Server
For V8.5.0.0 through 8.5.5.3:
Apply Interim Fix PI27152
- -- OR
Apply Fix Pack 4 (8.5.5.4), or later.
For V8.0.0.0 through 8.0.0.9:
Apply Interim Fix PI27152
- -- OR
Apply Fix Pack 10 (8.0.0.10), or later.
For V7.0.0.0 through 7.0.0.35:
Apply Interim Fix PI27152
- -- OR
Apply Fix Pack 37 (7.0.0.37), or later.
Workaround(s): None known
Mitigation(s): None known
CVE IDs: CVE-2014-3566 (APAR PI27904)
DESCRIPTION: SSLv3 contains a vulnerability that has been referred to as the
Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is
enabled by default in the Apache based IBM HTTP Server.
Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to Vulnerability in SSLv3 affects IBM HTTP Server for remediation
information.
CVE IDs: CVE-2014-8730 (APAR PI31516)
DESCRIPTION: Transport Layer Security (TLS) padding vulnerability via a POODLE
(Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP
Server.
Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to TLS padding vulnerability affects IBM HTTP Server for
remediation information.
If you are using an earlier unsupported release, IBM strongly recommends that
you upgrade.
Get Notified about Future Security Bulletins
Subscribe to My Notifications to be notified of important product support
alerts like this.
Important note
IBM strongly suggests that all System z customers be subscribed to the System
z Security Portal to receive the latest critical System z security and
integrity service. If you are not subscribed, see the instructions on the
System z Security web site. Security and integrity APARs and associated fixes
will be posted to this portal. IBM suggests reviewing the CVSS scores and
applying all security or integrity fixes as soon as possible to minimize any
potential risk.
References
Complete CVSS Guide
On-line Calculator V2
Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
Change History
13 March 2015: original document published
*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Cross reference information
Segment Product Component Platform Version Edition
Application Servers IBM HTTP Server
Application Servers WebSphere Application Server Hypervisor Edition
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVQeESRLndAQH1ShLAQLAdRAArGcKmTetb0GRxC0fe1KFcWVyWlQQdWzB
yt5FKriGRWsxNIDJz1p6gMXViCIMcPKDG1zsR7QM65eXxdVhBTIxUZTWDapOQ5bP
vuZyhuGYY3Tej54fOZCnKopTro4CK57IcJHox55BOvlNE4vOG6P38k26Llu+b5Yv
T/NbPNUb2nPwgo81TkXXklhU/SgLtHIk12aN7keWJxYnO762jEJvrO6I6+eByflY
u1/yyriYeAqK/UUan2nibHSq0IoYoe7hC1geEriTQyQFVG3Nd6yUe0aBCqVJc9N0
YqYyAt4vkCSq0NgqULgFEFYHuYkrK0ciayaDKTRTqBFFhg6FH9/iwLB1d7GUJf17
bPQZuNjIvAFow0YUKBgDZpLeKlEwnJdMtqDUexcYMvbjzLViZprq+ZcMD6ckCepe
hycPzS7OS309kDwovkdWWYgq/vNQqeqVJmUhGusVm0aMEPBoVp+oUp3j9gPdRyKV
WvmoNdGnLt9naOxHinU15tmpLZEnnB4DQy069+hpSRyXfuM2HMOmBZmsdPvk5pw/
1fEEZMT7BRecwHWDUVldzjoKqdDIGEDIC4aZdNUgsDK9rSwtXyhHmrnWsr03YaGr
kMbPBytiz3sDQi5ufsCDveQZ9JNGuJCs5NjdaNfAG/10UCa6TWDzpVLmsNErUFKd
Lml6R59OWKg=
=pO4U
-----END PGP SIGNATURE-----