Technical Blog Post
Abstract
ITM Agent Insights: Security Vulnerabilities in JazzSM due to WAS
Body
Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with Jazz for Service Management (CVE-2016-3092, CVE-2016-0377, CVE-2016-0385, CVE-2016-5986)
Summary
WebSphere Application Server (WAS) Full profile is shipped as a component of Jazz for Service Management (JazzSM) and WAS is affected by multiple security vulnerabilities.
Vulnerability Details
CVEID: CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2016-0377
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by the improper setting of a CSRFtoken cookie.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112238 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-0385
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2016-5986
DESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
Other security vulnerability information can be found here: http://www-01.ibm.com/support/docview.wss?uid=swg21883331
Affected Products and Versions
Jazz for Service Management version 1.1.0 - 1.1.3
Remediation/Fixes
Principal Product and Version(s) | Affected Supporting Product and Version | Affected Supporting Product Security Bulletin
Jazz for Service Management version 1.1.0 - 1.1.3 | WebSphere Application Server Full Profile 8.5.5 | PI65218: Denial of service in the Apache Commons FileUpload used by the Administrative Console
Workarounds and Mitigations
Get Notified about Future Security Bulletins: http://www.ibm.com/software/support/einfo.html
UID
ibm11084623