-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0069
  Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM
      WebSphere Service Registry and Repository (CVE-2016-1000031)
                               5 January 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM WebSphere Service Registry and Repository
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-1000031

Reference:         ESB-2018.0043

Original Bulletin: 
   http://www.ibm.com/support/docview.wss?uid=swg22012320

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Vulnerability in Apache Commons FileUpload affects IBM
WebSphere Service Registry and Repository (CVE-2016-1000031)

Document information

More support for: WebSphere Service Registry and Repository
Security

Software version: 8.0, 8.0.0.1, 8.0.0.2, 8.0.0.3, 8.5, 8.5.0.1, 8.5.5.0,
8.5.6.0, 8.5.6.1

Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS

Software edition: All Editions

Reference #: 2010680

Modified date: 04 January 2018

Security Bulletin

Summary

Vulnerability in Apache Commons FileUpload affects IBM WebSphere Service
Registry and Repository (CVE-2016-1000031)

Vulnerability Details

CVEID: CVE-2016-1000031
DESCRIPTION: Apache Commons FileUpload, as used in certain products, could
allow a remote attacker to execute arbitrary code on the system, caused by
deserialization of untrusted data in the DiskFileItem class of the FileUpload
library. A remote attacker could exploit this vulnerability to execute
arbitrary code under the context of the current process.
CVSS Base Score: 9.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/117957
for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

WebSphere Service Registry and Repository V8.5
WebSphere Service Registry and Repository V8.0

For unsupported versions IBM recommends upgrading to a fixed, supported
version of the product.

Remediation/Fixes

To remediate CVE-2016-1000031 you need to apply fixes for both IBM WebSphere
Application Server and IBM WebSphere Service Registry and Repository.

For WebSphere Application Server updates refer to this bulletin:
Security Bulletin: Security vulnerability in Apache Commons FileUpload used by
WebSphere Application Server (CVE-2016-1000031)

For WebSphere Service Registry and Repository, this vulnerability has been
fixed under APAR IJ01131. Fixes containing IJ01131 have been published and
are available from Fix Central.

For WSRR V8.5
  o Apply V8.5.6.1_IJ01131

For WSRR V8.0
  o Apply V8.0.0.3_IV65487_IV79085_IV87422_IV87429_IV89477_IJ01131

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support
alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

04 January 2018: Original version published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact
of this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWk7y0Ix+lLeg9Ub1AQhDUQ/9Hu+N2SmOVB8EqGdbRdwyIELSRl7b4sHT
Z7FEtqGli1ZQ3+u9TYP8IDp9t6gO3KZR610EvYxLwJbnPKF10WB6nbxu291Ogay6
E90pd4DhKOV0QH+HU4yU7UC0MVTvnhdAfEm5jLk9xRKaA6OeD5pvVDoA9ab+1CRS
KD7SfTXihDU8Ne1kP1K0rdE9FFU88JRjaY0oc2iTrxD0qDc/wbl6/CHxKi83qm6H
RSjS75pnsgUXc4pMbfZXGWjyFBVoT+gUbcga61pBt9qg1hYqFbIV85i4HCwT8ZWj
dsIV8DXv7jrpAAEa7EiyMKmwCptawd2b6bzthgxGjKQHx1TINuDeqSq+sRDMEIMo
CBqOGoK1TDl5fk35RI/ysNn4ld+G9xIZtb9NV4Ik7ZUrq111R+90FAdqVSIFKgWT
g4i1bIBYHY0dSIrWdF9XA5XDf83+fcuJEpXt/ktqelFAZpmohrBcRefTMsDyQfqf
PGvT+6khkXQCfCRoukBj9DWCqiEbD8kVkRDefrK8eiabhxtol2Juw+FEseeYiojc
iJGtmu4PgiOjXK6fmiF/eq63mkQB3uoA++gyMtklUPL3n1bQzaJIHAbMr2XrldRV
luFpNJzefFb/ATnAjRGptrc2NB4jXIvEcj1AxzxepzAHn9fBmZS1PK9xu2Sn0NMT
wRGuqH+wgO4=
=Tk0D
-----END PGP SIGNATURE-----
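The bulletin's Remediation/Fixes section says to patch both WebSphere Application Server and WSRR, but gives no way to confirm which copies of Apache Commons FileUpload a deployment actually carries. The script below is an added example (not code from IBM, Apache or AusCERT) that inventories every JAR under a directory tree that ships the org.apache.commons.fileupload.disk.DiskFileItem class, including JARs bundled inside WAR/EAR archives, and compares the version against upstream release 1.3.3, the first Commons FileUpload release without CVE-2016-1000031. It assumes Maven-built JARs carry META-INF/maven/commons-fileupload/commons-fileupload/pom.properties; where that is absent (shaded or repackaged copies) it falls back to the file name and otherwise reports the version as unknown. The sample deployment tree built in demo() is constructed for illustration.

```python
"""Inventory copies of Apache Commons FileUpload under a deployment tree and
flag those affected by CVE-2016-1000031 (fixed upstream in release 1.3.3).

Added example, not code from the IBM or AusCERT bulletin. Assumes Maven-built
JARs carry META-INF/maven/commons-fileupload/commons-fileupload/pom.properties;
otherwise the version comes from the file name, or is reported as unknown.
"""
import io
import os
import re
import tempfile
import zipfile

FIXED_VERSION = (1, 3, 3)   # first upstream release without the flaw
DISKFILEITEM_CLASS = "org/apache/commons/fileupload/disk/DiskFileItem.class"
POM_PROPS = "META-INF/maven/commons-fileupload/commons-fileupload/pom.properties"
JAR_NAME_RE = re.compile(r"commons-fileupload-(\d+(?:\.\d+)*)[^/\\]*\.jar$")

def parse_version(text):
    """'1.3.2' -> (1, 3, 2); a suffix such as '-SNAPSHOT' is ignored."""
    m = re.match(r"\d+(?:\.\d+)*", text or "")
    return tuple(int(p) for p in m.group(0).split(".")) if m else None

def version_from_pom(jar):
    """Read the Maven version from pom.properties inside an open ZipFile."""
    try:
        props = jar.read(POM_PROPS).decode("utf-8", "replace")
    except KeyError:
        return None
    for line in props.splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None

def classify_jar(name, data):
    """None if the JAR does not ship DiskFileItem, else a finding dict."""
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        if DISKFILEITEM_CLASS not in jar.namelist():
            return None
        version = version_from_pom(jar)
    if version is None:                     # shaded or repackaged copy
        m = JAR_NAME_RE.search(name)
        version = m.group(1) if m else None
    parsed = parse_version(version)
    if parsed is None:
        status = "unknown"                  # needs manual confirmation
    elif parsed < FIXED_VERSION:
        status = "vulnerable"
    else:
        status = "fixed"
    return {"path": name, "version": version, "status": status}

def scan_tree(root):
    """Walk root; inspect .jar files and the .jar entries inside .war/.ear."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            low = fname.lower()
            if low.endswith(".jar"):
                with open(path, "rb") as fh:
                    hit = classify_jar(path, fh.read())
                if hit:
                    findings.append(hit)
            elif low.endswith((".war", ".ear")):
                with zipfile.ZipFile(path) as outer:
                    for entry in outer.namelist():
                        if entry.lower().endswith(".jar"):
                            hit = classify_jar(path + "!" + entry, outer.read(entry))
                            if hit:
                                findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])

def write_sample_jar(path, version=None):
    """Constructed fixture: a JAR shipping a stub DiskFileItem class."""
    with zipfile.ZipFile(path, "w") as jar:
        jar.writestr(DISKFILEITEM_CLASS, b"\xca\xfe\xba\xbe")
        if version:
            jar.writestr(POM_PROPS, "groupId=commons-fileupload\nversion=%s\n" % version)

def demo():
    """Scan a constructed deployment tree; map JAR name -> status."""
    root = tempfile.mkdtemp(prefix="fileupload-scan-")
    lib = os.path.join(root, "lib")
    os.makedirs(lib)
    write_sample_jar(os.path.join(lib, "commons-fileupload-1.3.2.jar"), "1.3.2")
    write_sample_jar(os.path.join(lib, "commons-fileupload-1.3.3.jar"), "1.3.3")
    write_sample_jar(os.path.join(lib, "app-all.jar"))   # shaded, no version
    with zipfile.ZipFile(os.path.join(lib, "other.jar"), "w") as jar:
        jar.writestr("x/Y.class", b"")                    # unrelated JAR
    inner = io.BytesIO()                                  # old copy inside a WAR
    with zipfile.ZipFile(inner, "w") as jar:
        jar.writestr(DISKFILEITEM_CLASS, b"")
        jar.writestr(POM_PROPS, "version=1.2.1\n")
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/commons-fileupload-1.2.1.jar", inner.getvalue())
    return {re.split(r"[\\/!]", f["path"])[-1]: f["status"] for f in scan_tree(root)}

if __name__ == "__main__":
    print(demo())
```

Point scan_tree() at the WebSphere install root and the WSRR profile directories rather than at the demo tree. Treat the output as triage, not proof: IBM ships its fixes as APARs (IJ01131 for WSRR, plus the WAS bulletin's fix) and may backport the change without bumping the upstream version string, so a JAR reported as "vulnerable" or "unknown" here still needs to be cross-checked against the installed APAR list in Fix Central before it is counted as exposed.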