Medium Severity

IBM Security Bulletin: A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2018-1996)

WebSphere Application Server is shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise. Information about a security vulnerability affecting WebSphere Application Server has been published in a security bulletin.

CVE(s): CVE-2018-1996

Affected product(s) and affected version(s):

Affected Product Name: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition
Affected Versions: V2.5, V2.5.0.1, V2.5.0.2, V2.5.0.3, V2.5.0.4, V2.5.0.5, V2.5.0.6, V2.5.0.7, V2.5.0.8, V2.5.0.9, V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3, V2.4.0.4, V2.4.0.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: https://www.ibm.com/support/pages/node/960284
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/154650
