Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)
PI78804 resolves the following problem:
ERROR DESCRIPTION:
IBM WebSphere Application Server using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. (CVE-2018-1614)
PROBLEM SUMMARY:
IBM WebSphere Application Server using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information.
PROBLEM CONCLUSION:
Confidential for Security Integrity ifix.
THE FOLLOWING FIXES ARE PROVIDED:
8.0.0.4-WS-WASProd-IFPI78804.zip applies to fixpacks 8.0.0.4 through 8.0.0.15.
8.5.5.0-WS-WASProd-IFPI78804.zip applies to fixpacks 8.5.5.0 through 8.5.5.13.
9.0.0.0-WS-WASProd-IFPI78804.zip applies to fixpacks 9.0.0.0 through 9.0.0.7.
Note: There is no fix for WebSphere v7 because no fixpack for WebSphere v7 contains the vulnerability that is fixed with APAR PI78804.
The fix for this APAR is currently targeted for inclusion in WebSphere traditional fix packs 8.5.5.14 and 9.0.0.9. Please refer to the Recommended Updates page for delivery information:
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980
Please download the UpdateInstaller below to install this fix.
UpdateInstaller (US English, 7250000 bytes, AIX): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991
Please review the readme.txt for detailed installation instructions.
V80 Readme (US English, 2586 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI78804/8.0.0.15/readme.txt
V85 Readme (US English, 2627 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI78804/8.5.5.13/readme.txt
V90 Readme (US English, 2319 bytes): ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI78804/9.0.0.8/readme.txt
Fix downloads (released 06-15-2018, US English):
8.0.0.4-WS-WASProd-IFPI78804 (286986 bytes, AIX): http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/WebSphere&product=ibm/WebSphere/WebSphere Application Server&release=All&platform=All&function=fixId&fixids=8.0.0.4-WS-WASProd-IFPI78804&includeSupersedes=0
8.5.5.0-WS-WASProd-IFPI78804 (297413 bytes, AIX): http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/WebSphere&product=ibm/WebSphere/WebSphere Application Server&release=All&platform=All&function=fixId&fixids=8.5.5.0-WS-WASProd-IFPI78804&includeSupersedes=0
9.0.0.0-WS-WASProd-IFPI78804 (283235 bytes, AIX): http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/WebSphere&product=ibm/WebSphere/WebSphere Application Server&release=All&platform=All&function=fixId&fixids=9.0.0.0-WS-WASProd-IFPI78804&includeSupersedes=0
Product: WebSphere Application Server (Business Unit: Cloud & Data Platform; Line of Business: Automation)
Component: General
Platforms: AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, z/OS
Affected versions: 8.0.0.4 through 8.0.0.15; 8.5.5 through 8.5.5.13; 9.0.0.0 through 9.0.0.7
Editions: Base, Network Deployment, Single Server