-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2682
     Multiple vulnerabilities have been identified in IBM WebSphere Portal
                              23 October 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Portal
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   IBM i
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Unauthorised Access      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4997 CVE-2014-8912

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21968474
   http://www-01.ibm.com/support/docview.wss?uid=swg21963226

Comment: This bulletin contains two (2) IBM security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Fix Available for Security Vulnerability in IBM WebSphere
Portal (CVE-2015-4997)

Document information

More support for: WebSphere Portal
Software version: 8.5
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1968474
Modified date: 2015-10-22

Summary

A fix is available for a security vulnerability in IBM WebSphere Portal
(CVE-2015-4997).

Vulnerability Details

CVEID: CVE-2015-4997
DESCRIPTION: IBM WebSphere Portal could allow a remote attacker to bypass
security restrictions, caused by improper validation of access control. By
sending specially crafted requests, an attacker could exploit this
vulnerability to bypass security and gain unauthorized access to the
vulnerable system or other systems.
CVSS Base Score: 6.5
CVSS Temporal Score: See
https://exchange.xforce.ibmcloud.com/vulnerabilities/106126 for the current
score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)

Affected Products and Versions

IBM WebSphere Portal 8.5

Remediation/Fixes

The recommended solution is to apply a fix as soon as practical.

Fix: Apply a Cumulative Fix containing PI47694.

For 8.5.0
Upgrade to Cumulative Fix 08 (CF08).
(Combined Cumulative Fixes for WebSphere Portal 8.5.0.0:
http://www-01.ibm.com/support/docview.wss?uid=swg24037786)

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions on
the System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal.

IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

22 October 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response."
IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR
POTENTIAL SECURITY VULNERABILITY.

- -------------------------------------------------------------------------------

Security Bulletin: Fix Available for Security Vulnerability in IBM WebSphere
Portal (CVE-2014-8912)

Document information

More support for: WebSphere Portal
Software version: 6.1, 7.0, 8.0, 8.5
Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Reference #: 1963226
Modified date: 2015-10-22

Summary

A fix is available for a security vulnerability in IBM WebSphere Portal
(CVE-2014-8912).

Vulnerability Details

CVEID: CVE-2014-8912
DESCRIPTION: IBM WebSphere Portal could allow a remote attacker to obtain
sensitive information, caused by the failure to restrict access to resources
located within web applications. An attacker could exploit this
vulnerability to obtain configuration data and other sensitive information.

CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/99253 for the
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM WebSphere Portal 8.5
IBM WebSphere Portal 8.0
IBM WebSphere Portal 7.0
IBM WebSphere Portal 6.1

Remediation/Fixes

Remediate the issue by executing the following three steps. They include the
installation of PI47714, which introduces a framework to control resource
serving via the RES data source based on black/white lists.

Step 1: Apply an Interim Fix or a Cumulative Fix containing PI47714.

For 8.5.0
Upgrade to Cumulative Fix 08 (CF08).
(Combined Cumulative Fixes for WebSphere Portal 8.5.0.0:
http://www-01.ibm.com/support/docview.wss?uid=swg24037786)

For 8.0.0 through 8.0.0.1
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 18 (CF18) and then apply the
Interim Fix PI47714.
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1:
http://www-01.ibm.com/support/docview.wss?uid=swg24034497)

For 7.0.0 through 7.0.0.2
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 29 (CF29) and then apply the
Interim Fix PI47714.
(Combined Cumulative fixes for WebSphere Portal 7.0.0.2:
http://www.ibm.com/support/docview.wss?uid=swg24029452)

For 6.1.5.0 through 6.1.5.3
Upgrade to Fix Pack 6.1.5.3 with Cumulative Fix 27 (CF27) and then apply the
Interim Fix PI47714.
(Cumulative fixes for WebSphere Portal 6.1.5.3:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

For 6.1.0.0 through 6.1.0.6
Upgrade to Fix Pack 6.1.0.6 with Cumulative Fix 27 (CF27) and then apply the
Interim Fix PI47714.
(Cumulative fixes for WebSphere Portal 6.1.0.6:
http://www-01.ibm.com/support/docview.wss?uid=swg24023835)

Step 2: Identify the actual resource serving that happens during regular
usage and adjust the black/white list settings.

After installation of PI47714, log messages like the following indicate
actual resource serving of resources within web applications, as it occurs:

  [10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [css/my.css], falling back to the default [[(null), (WEB-INF/.*)]]. Applications can define a custom list by adding the keys [com.ibm.portal.resource.whitelist] and [com.ibm.portal.resource.blacklist] to their web.xml deployment descriptor.

For each such message you need to decide whether this is intended access.
For the resources within a web application you can define the access based on
black/white lists in two ways:

A) via a context parameter in the web.xml of the web application,
B) via Resource Environment Provider settings.

Option A) is recommended; option B) can be used as a fallback in case updates
of the web applications are not possible.

Details on option A):

A context parameter defines which files from your web module are served via
the RES data source. Define a whitelist using a regular expression that
matches the files that you want to make available. In addition, with a
blacklist you remove certain entries from the set of files that are available
in the whitelist. A blacklist is helpful if you want to serve a folder but not
a certain file within that folder. The expressions are case-sensitive, for
example WEB-INF is different from Web-Inf. The parameters are set in the
web.xml file of the web module.

Sample: Serve all files that are not part of the WEB-INF folder.

  <web-app>
    ...
    <context-param>
      <description>A regular expression that defines which of the resources
      in the war file can be served by the portal res datasource.</description>
      <param-name>com.ibm.portal.resource.whitelist</param-name>
      <param-value>.*</param-value>
    </context-param>
    <context-param>
      <description>A regular expression that defines which of the resources
      in the war file cannot be served by the portal res datasource.</description>
      <param-name>com.ibm.portal.resource.blacklist</param-name>
      <param-value>WEB-INF/.*</param-value>
    </context-param>
    ...
  </web-app>

Details on option B):

Resource Environment Provider custom properties define which files from your
web module are served via the RES data source. For each web application
define three custom properties in the Resource Environment Provider
'WP ConfigService':

Name:  com.ibm.portal.resource.<your_key_for_web_app>.contextroot
Value: The context root under which the war file is deployed.
       You can use the variable '${URI_CONTEXT_PATH}' to avoid a hard
       reference to the context root, which can be changed with features
       like Search Engine Optimization or renaming of the context root. In
       the out-of-the-box setup '${URI_CONTEXT_PATH}' resolves to '/wps'.

Name:  com.ibm.portal.resource.<your_key_for_web_app>.whitelist
Value: A regular expression that defines which of the resources in the war
       file can be served by the portal res datasource.

Name:  com.ibm.portal.resource.<your_key_for_web_app>.blacklist
Value: A regular expression that defines which of the resources in the war
       file cannot be served by the portal res datasource.

Sample:

Name:  com.ibm.portal.resource.my_web_app_1.contextroot
Value: ${URI_CONTEXT_PATH}/PA_My_Web_App

Name:  com.ibm.portal.resource.my_web_app_1.whitelist
Value: .*

Name:  com.ibm.portal.resource.my_web_app_1.blacklist
Value: WEB-INF/.*

Step 3: Set the fallback for web applications that were not covered in
step 2 and do not specify a black/white list to "block always". This step
is important to complete the remediation.

Define a custom property in the Resource Environment Provider
'WP ConfigService':

Name:  com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist
Value: .*

Note: It is possible to do step 3 before step 2, but depending on your setup
this can lead to major functional regression.

Note: IBM intends to change the default value for
com.ibm.wps.resolver.resource.DefaultWebAppBlackWhiteList.blacklist to .*
in a future CF.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

Important note

IBM strongly suggests that all System z customers be subscribed to the
System z Security Portal to receive the latest critical System z security
and integrity service. If you are not subscribed, see the instructions on
the System z Security web site. Security and integrity APARs and associated
fixes will be posted to this portal.
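The three remediation steps for CVE-2014-8912 above, modelled as an added
example. This is editor-written Python, not IBM's code and not how Portal
implements PI47714. Its matching semantics are assumptions drawn from the
bulletin's wording, not from the product: the path is matched relative to the
war root with a full regular-expression match, the whitelist admits and the
blacklist then subtracts, and the "(null)" whitelist of the shipped default
imposes no restriction. The log lines and the web.xml it parses are
constructed for the example. It turns the Step 2 warning messages into an
inventory of what each servlet context actually serves, reads the option A)
context parameters out of a web.xml, and replays the inventory against both
the shipped fallback and the Step 3 "block always" fallback.

```python
"""Model of the PI47714 black/white-list decision for resources served
through the Portal RES data source (added example, not IBM code).
Assumed, not specified by the bulletin: full-regex match of the path
relative to the war root, whitelist first, blacklist subtracts,
"(null)" whitelist = unrestricted."""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Constructed log lines in the shape the bulletin quotes (not real output).
SAMPLE_LOG = """\
[10/5/15 8:00:00:000 EDT] 0000000a AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [css/my.css], falling back to the default [[(null), (WEB-INF/.*)]].
[10/5/15 8:00:01:000 EDT] 0000000b AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_My_Web_App] does not specify a blackwhite list when accessing resource [js/app.js], falling back to the default [[(null), (WEB-INF/.*)]].
[10/5/15 8:00:02:000 EDT] 0000000c AbstractReque W com.ibm.wps.resolver.resource.AbstractRequestDispatcherFactory matchesWebAppDefault(aResource) Servlet context [/wps/PA_Legacy] does not specify a blackwhite list when accessing resource [config/db.properties], falling back to the default [[(null), (WEB-INF/.*)]].
"""

LOG_RE = re.compile(
    r"Servlet context \[(?P<ctx>[^\]]+)\] does not specify a blackwhite list "
    r"when accessing resource \[(?P<res>[^\]]+)\]")


def inventory(log_text: str) -> Dict[str, Set[str]]:
    """Step 2 triage: which resources each servlet context really serves
    under the default fallback, so each can be judged intended or not."""
    served: Dict[str, Set[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            served.setdefault(m.group("ctx"), set()).add(m.group("res"))
    return served


@dataclass(frozen=True)
class BlackWhiteList:
    whitelist: Optional[str]  # None models the "(null)" in the log line
    blacklist: Optional[str]

    def allows(self, path: str) -> bool:
        """Whitelist admits, blacklist subtracts; case-sensitive full match
        of the war-relative path (assumed semantics)."""
        if self.whitelist is not None and not re.fullmatch(self.whitelist, path):
            return False
        if self.blacklist is not None and re.fullmatch(self.blacklist, path):
            return False
        return True


# The fallback the log line reports: [[(null), (WEB-INF/.*)]].
SHIPPED_DEFAULT = BlackWhiteList(None, r"WEB-INF/.*")
# Step 3: DefaultWebAppBlackWhiteList.blacklist = .*  ("block always").
HARDENED_DEFAULT = BlackWhiteList(None, r".*")

# Constructed web.xml carrying the bulletin's option A) sample values.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <context-param>
    <param-name>com.ibm.portal.resource.whitelist</param-name>
    <param-value>.*</param-value>
  </context-param>
  <context-param>
    <param-name>com.ibm.portal.resource.blacklist</param-name>
    <param-value>WEB-INF/.*</param-value>
  </context-param>
</web-app>"""


def _local(tag: str) -> str:
    """Strip an XML namespace so a namespaced web.xml parses the same."""
    return tag.rsplit("}", 1)[-1]


def lists_from_web_xml(xml_text: str) -> BlackWhiteList:
    """Option A): read the two context parameters out of a web.xml."""
    params: Dict[str, str] = {}
    for cp in ET.fromstring(xml_text).iter():
        if _local(cp.tag) != "context-param":
            continue
        kv = {_local(c.tag): (c.text or "").strip() for c in cp}
        params[kv.get("param-name", "")] = kv.get("param-value", "")
    return BlackWhiteList(params.get("com.ibm.portal.resource.whitelist"),
                          params.get("com.ibm.portal.resource.blacklist"))


def decide(ctx: str, path: str, app_lists: Dict[str, BlackWhiteList],
           default: BlackWhiteList) -> bool:
    """An app's own list wins; apps without one get the portal default."""
    return app_lists.get(ctx, default).allows(path)


def audit(log_text: str, app_lists: Dict[str, BlackWhiteList],
          default: BlackWhiteList) -> Dict[str, bool]:
    """Replay the Step 2 inventory against a policy: {"ctx:path": served?}."""
    return {f"{ctx}:{res}": decide(ctx, res, app_lists, default)
            for ctx, paths in inventory(log_text).items()
            for res in sorted(paths)}


if __name__ == "__main__":
    app_lists = {"/wps/PA_My_Web_App": lists_from_web_xml(SAMPLE_WEB_XML)}
    print("before step 3:", audit(SAMPLE_LOG, app_lists, SHIPPED_DEFAULT))
    print("after  step 3:", audit(SAMPLE_LOG, app_lists, HARDENED_DEFAULT))
```

Under the shipped fallback the uncovered /wps/PA_Legacy context still serves
config/db.properties, because that file sits outside WEB-INF; that is the
exposure the bulletin describes and the reason Step 3 must be completed
rather than relying on the WEB-INF/.* blacklist. The bulletin's own sample
(whitelist .* minus WEB-INF/.*) is the permissive end of the scale; a
whitelist that names only the static folders an application really needs
(for example (css|js|images)/.*) is the tighter choice once Step 2 has shown
what is served.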
IBM suggests reviewing the CVSS scores and applying all security or integrity
fixes as soon as possible to minimize any potential risk.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

15 October 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If you
do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVimMvX6ZAP0PgtI9AQLkhA/9FdqENaCMT9YrUg76UNv5biJ12K2OBRW8
y8e73AjE3znH1DOz0/9q7+dJKLBUypEVjWQVE17baro93A7VBW4kIQN+GuftpVKX
sFEI6OtmGw63ju1RQhnSOW/nwLBekd4vYZGWeuEIDKZ6lj+SSqagEmO57D6GgvYO
p8ElEB4YdpXB9cdTrYhkILAUbp5ijSUj4BRUxiUIYlFQHMLtKgIPXbyZkZfW4HIX
54GHcK8v3JNmmpXBxHGZe0JUiwh52FpczxAQ8AmdH5Z4lm5L0s+iMuSkecWXu3eb
iTEZt+5AbaiqkacEzSUIIgkyYFYJ90kIg9QU+m9J2sHyKiiuITo9BOTVFgytE4v8
Ac8W3dAi+D6xz8w4S+nDygf3hJJz4pTX4lect3nvyWpGwhQ12uELsRlVL6jPz5pl
jbKK/CQ+eADLmn+o6ZVXu65mgmJBu0ZLxqd9MbamIF3sgkxa8fP1b8ejRW6+vg2I
qzSL/JJhzq8HeGAai201HfvOz37Zt+qt8XaNx+gL1oxCWq3CzK8H6tuRHYE28cqP
UQXyhve6TWrO2Cnh5lrC4m90csoBcjGLkNaI/ovKx0YHAatO0QINJn006rSkFr+L
uFUllihOA3WBONY3VFbAB94Jvu3I7Kj8IpIeUFC5j1vwNqw6UDAuISl4rz9Jk08U
h8RKcltBI78=
=xX4T
-----END PGP SIGNATURE-----