-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2682
   Multiple vulnerabilities have been identified in IBM WebSphere Portal
                              23 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4997 CVE-2014-8912 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21968474
   http://www-01.ibm.com/support/docview.wss?uid=swg21963226

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Fix Available for Security Vulnerability in IBM WebSphere
Portal (CVE-2015-4997)

Document information

More support for:
WebSphere Portal

Software version:
8.5

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #:
1968474

Modified date:
2015-10-22

Security Bulletin

Summary

A fix is available for a security vulnerability in IBM WebSphere Portal
(CVE-2015-4997).

Vulnerability Details

CVEID: CVE-2015-4997
DESCRIPTION: IBM WebSphere Portal could allow a remote attacker to
bypass security restrictions, caused by improper validation of access
control. By sending specially crafted requests, an attacker could exploit
this vulnerability to bypass security and gain unauthorized access to the
vulnerable system or other systems.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/106126 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

IBM WebSphere Portal 8.5

Remediation/Fixes

The recommended solution is to apply a fix as soon as practical.
Fix: Apply a Cumulative Fix containing PI47694.

For 8.5.0

    Upgrade to Cumulative Fix 08 (CF08).
    (Combined Cumulative Fixes for WebSphere Portal 8.5.0.0:
    http://www-01.ibm.com/support/docview.wss?uid=swg24037786)

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References
Complete CVSS v3 Guide
On-line Calculator v3

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 October 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------
Security Bulletin: Fix Available for Security Vulnerability in IBM WebSphere
Portal (CVE-2014-8912)

Security Bulletin

Document information

More support for:
WebSphere Portal

Software version:
6.1, 7.0, 8.0, 8.5

Operating system(s):
AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #:
1963226

Modified date:
2015-10-22

Summary

A fix is available for a security vulnerability in IBM WebSphere Portal
(CVE-2014-8912).

Vulnerability Details

CVEID: CVE-2014-8912
DESCRIPTION: IBM WebSphere Portal could allow a remote attacker to obtain
sensitive information, caused by the failure to restrict access to resources
located within web applications. An attacker could exploit this vulnerability
to obtain configuration data and other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99253 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM WebSphere Portal 8.5

IBM WebSphere Portal 8.0

IBM WebSphere Portal 7.0

IBM WebSphere Portal 6.1

Remediation/Fixes

Remediate the issue by executing the following three steps. They include the
installation of PI47714, which introduces a framework to control resource
serving via the RES data source based on black/white lists.

Step 1:
Apply an Interim Fix or a Cumulative Fix containing PI47714.

For 8.5.0

    Upgrade to Cumulative Fix 08 (CF08).
    (Combined Cumulative Fixes for WebSphere Portal 8.5.0.0:
    http://www-01.ibm.com/support/docview.wss?uid=swg24037786)


For 8.0.0 through 8.0.0.1

    Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 18 (CF18) and then
    apply the Interim Fix PI47714.
    (Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
    http://www-01.ibm.com/support/docview.wss?uid=swg24034497)


For 7.0.0 through 7.0.0.2

    Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 29 (CF29) and then
    apply the Interim Fix PI47714.
    (Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
    http://www.ibm.com/support/docview.wss?uid=swg24029452)


For 6.1.5.0 through 6.1.5.3

    Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then
    apply the Interim Fix PI47714.
    (Cumulative fixes for WebSphere Portal 6.1.5.3:
    http://www-01.ibm.com/support/docview.wss?uid=swg24023835)


For 6.1.0.0 through 6.1.0.6

    Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then
    apply the Interim Fix PI47714.
    (Cumulative fixes for WebSphere Portal 6.1.0.6:
    http://www-01.ibm.com/support/docview.wss?uid=swg24023835)


Step 2
Identify the actual resource serving that happens during regular usage
and adjust black/white list settings.

After installation of PI47714, log messages like the following indicate
resource serving from within web applications as it occurs:
[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W
com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory
matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does
not specify a blackwhite list when accessing resource [css/my.css], falling
back to the default [[(null), (WEB-INF/.*)]]. Applications can define a
custom list by adding the keys [com.ibm.portal.resource.whitelist] and
[com.ibm.portal.resource.blacklist] to their web.xml deployment descriptor.


For each such message you need to decide whether this is intended access. For
the resources within a web application you can define the access based on
black/white lists in two ways:

    A) via a context parameter in the web.xml of the web application,
    B) via Resource Environment Provider settings.

Option A) is recommended; option B) can be used as a fallback in case
updates of the web applications are not possible.

Details on option A):

A context parameter defines which files from your web module are served
via the RES data source.

Define a whitelist using a regular expression that matches the files
that you want to make available. In addition, with a blacklist you remove
certain entries from the set of files that are available in the whitelist. A
blacklist is helpful if you want to serve a folder but not a certain file
within that folder.

The expressions are case-sensitive, for example WEB-INF is different
from Web-Inf.

The parameters are set in the web.xml file of the web module.

Sample: Serve all files that are not part of the WEB-INF folder.

<web-app>
...

    <context-param>
        <description>A regular expression that defines which of the
        resources in the war file can be served by the portal res
        datasource.</description>
        <param-name>com.ibm.portal.resource.whitelist</param-name>
        <param-value>.*</param-value>
    </context-param>
    <context-param>
        <description>A regular expression that defines which of the
        resources in the war file cannot be served by the portal res
        datasource.</description>
        <param-name>com.ibm.portal.resource.blacklist</param-name>
        <param-value>WEB-INF/.*</param-value>
    </context-param>

...
</web-app>

Details on option B):

Resource Environment Provider custom properties define which files from
your web module are served via the RES data source.

For each web application define three custom properties in the Resource
Environment Provider 'WP ConfigService':

Name:  com.ibm.portal.resource.<your_key_for_web_app>.contextroot
Value: The context root under which the war file is deployed. You can use
       the variable '${URI_CONTEXT_PATH}' to avoid a hard reference to the
       context root, which can be changed with features like Search Engine
       Optimization or Renaming of the context root. The variable
       '${URI_CONTEXT_PATH}' would resolve in the out of the box setup to
       '/wps'.

Name:  com.ibm.portal.resource.<your_key_for_web_app>.whitelist
Value: A regular expression that defines which of the resources in the war
       file can be served by the portal res datasource.

Name:  com.ibm.portal.resource.<your_key_for_web_app>.blacklist
Value: A regular expression that defines which of the resources in the war
       file cannot be served by the portal res datasource.

Sample:

Name:  com.ibm.portal.resource.my_web_app_1.contextroot
Value: ${URI_CONTEXT_PATH}/PA_My_Web_App

Name:  com.ibm.portal.resource.my_web_app_1.whitelist
Value: .*

Name:  com.ibm.portal.resource.my_web_app_1.blacklist
Value: WEB-INF/.*


Step 3
Set the fallback for web applications that were not covered in step 2 and
do not specify a black/white list to always block. This step is required
to complete the remediation.

Define a custom property in the Resource Environment Provider 'WP
ConfigService':

Name:  com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist
Value: .*

Note: It is possible to do step 3 before step 2, but depending on your
setup this can lead to major functional regression.
Note: IBM intends to change the default value of
com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist to .*
in a future CF.
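To check what the lists from step 2 and the fallback from step 3 would actually do before rolling them out, here is an added Python model of the black/white-list decision (not IBM's code; the bulletin does not state the exact matching semantics, so full-path, case-sensitive regular-expression matching and "a missing whitelist admits everything" are assumptions, and the web.xml fragment is constructed from the option A) sample):

```python
import re
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed web.xml fragment mirroring the option A) sample above.
WEB_XML = """<web-app>
  <context-param>
    <param-name>com.ibm.portal.resource.whitelist</param-name>
    <param-value>.*</param-value>
  </context-param>
  <context-param>
    <param-name>com.ibm.portal.resource.blacklist</param-name>
    <param-value>WEB-INF/.*</param-value>
  </context-param>
</web-app>"""

def _local(tag: str) -> str:
    """Strip an XML namespace so a web.xml with xmlns still parses."""
    return tag.rsplit("}", 1)[-1]

def read_lists(web_xml: str) -> tuple[Optional[str], Optional[str]]:
    """Return (whitelist, blacklist) context-param values, None if absent."""
    params = {}
    for el in ET.fromstring(web_xml).iter():
        if _local(el.tag) != "context-param":
            continue
        kv = {_local(c.tag): (c.text or "").strip() for c in el}
        params[kv.get("param-name", "")] = kv.get("param-value", "")
    return (params.get("com.ibm.portal.resource.whitelist"),
            params.get("com.ibm.portal.resource.blacklist"))

def is_served(path: str, whitelist: Optional[str], blacklist: Optional[str]) -> bool:
    """Serve a resource only if the whitelist admits it and the blacklist
    does not remove it. Assumption: a None whitelist (the '(null)' seen in
    the log message) admits every path; matching is whole-path, case-sensitive."""
    if whitelist is not None and not re.fullmatch(whitelist, path):
        return False
    if blacklist is not None and re.fullmatch(blacklist, path):
        return False
    return True

# Fallback for web apps that declare no list: the default quoted in the log
# message, and the value after step 3 sets the default blacklist to .*
DEFAULT_BEFORE_STEP3 = (None, r"WEB-INF/.*")
DEFAULT_AFTER_STEP3 = (None, r".*")
```

Feed it the paths from the AbstractRequestDispatcherFactory warnings to see which requests an app without its own lists would lose once step 3 is applied.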

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions
on the System z Security web site. Security and integrity APARs and
associated fixes will be posted to this portal. IBM suggests reviewing
the CVSS scores and applying all security or integrity fixes as soon as
possible to minimize any potential risk.

References
Complete CVSS v2 Guide
On-line Calculator v2

Related information
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 October 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency
and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT
WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING
THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================