APAR status
Closed as program error.
Error description
These vulnerabilities in the WebSphere eXtreme Scale 7.1.0 monitoring console may allow an attacker to gain access to the monitoring console, and through it to statistics on grid usage or to potentially sensitive information held in the grid.
Local fix
Problem summary
USERS AFFECTED: All users of WebSphere eXtreme Scale versions 7.1.0.
PROBLEM DESCRIPTION: The WebSphere eXtreme Scale 7.1.0 monitoring console lacks protection for various vulnerabilities.
RECOMMENDATION:

CVEID: CVE-2015-2025
DESCRIPTION: IBM WebSphere Extreme Scale could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104053 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVEID: CVE-2015-2026
DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104054 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2027
DESCRIPTION: IBM WebSphere Extreme Scale could allow a local user to bypass security on another user's session due to it improperly logging out the previous user.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104056 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2028
DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to an HTTP response splitting attack. A remote unauthenticated attacker could specify a specially crafted URL to inject a malicious response to future requests.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104057 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2029
DESCRIPTION: IBM WebSphere Extreme Scale could allow a remote attacker to hijack a user's session, caused by the failure to invalidate an existing session identifier. An attacker could exploit this vulnerability to gain access to another user's session.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104058 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2030
DESCRIPTION: IBM WebSphere Extreme Scale uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104070 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-2031
DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/104071 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
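Two of the weaknesses above are easy to check for from the defender's side once a fix is applied: a session cookie issued over TLS without the Secure flag (the CVE-2015-2025 class) and a session identifier that is not replaced when the user authenticates (the CVE-2015-2029 class). The following audit helper is an added example, not IBM's code or part of the APAR; it parses Set-Cookie header values captured from a pre-login and a post-login response and reports both conditions. The header samples are constructed, and the cookie name JSESSIONID is an assumption (the page does not name the console's session cookie).

```python
"""Audit helpers for session-cookie hygiene.

Added example, not IBM's code. Inputs are the raw value of a Set-Cookie
header from the response before login and from the response that
completes login. The samples below are constructed; JSESSIONID is the
usual servlet session cookie name and is assumed here, not taken from
the advisory.
"""

# Constructed samples: an HTTPS exchange where the console issues a cookie.
PRE_LOGIN_SET_COOKIE = "JSESSIONID=0000AbCdEf1234; Path=/"   # no Secure, no HttpOnly
POST_LOGIN_SET_COOKIE = "JSESSIONID=0000AbCdEf1234; Path=/; Secure; HttpOnly"   # id reused after login
GOOD_PRE_LOGIN_SET_COOKIE = "JSESSIONID=0000AbCdEf1234; Path=/; Secure; HttpOnly"
GOOD_POST_LOGIN_SET_COOKIE = "JSESSIONID=0000ZyXwVu9876; Path=/; Secure; HttpOnly"   # fresh id


def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (name, value, attributes).

    Attribute names are lowercased; flag attributes such as Secure and
    HttpOnly (which carry no '=value') map to True.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value.strip(), attrs


def cookie_findings(header_value, over_tls=True):
    """Return human-readable findings for a single session cookie header."""
    name, _value, attrs = parse_set_cookie(header_value)
    findings = []
    # CVE-2015-2025 class: a cookie set during an SSL/TLS session must carry
    # Secure, otherwise a browser will also send it over plain HTTP.
    if over_tls and attrs.get("secure") is not True:
        findings.append(f"{name}: Secure flag missing on a cookie issued over TLS")
    # HttpOnly keeps the cookie out of reach of injected script, which limits
    # the impact of the XSS class listed in the same advisory.
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: HttpOnly flag missing")
    return findings


def session_rotated(pre_login_header, post_login_header):
    """True when the same cookie carries a different identifier after login.

    CVE-2015-2029 class: keeping the pre-authentication identifier means a
    session id known before login stays valid for the authenticated user.
    """
    pre_name, pre_value, _ = parse_set_cookie(pre_login_header)
    post_name, post_value, _ = parse_set_cookie(post_login_header)
    return pre_name == post_name and pre_value != post_value


def audit(pre_login_header, post_login_header):
    """Combine the flag checks on both headers with the rotation check."""
    findings = cookie_findings(pre_login_header) + cookie_findings(post_login_header)
    if not session_rotated(pre_login_header, post_login_header):
        findings.append("session identifier not replaced at login (fixation risk)")
    return findings


if __name__ == "__main__":
    for label, pre, post in (
        ("weak", PRE_LOGIN_SET_COOKIE, POST_LOGIN_SET_COOKIE),
        ("fixed", GOOD_PRE_LOGIN_SET_COOKIE, GOOD_POST_LOGIN_SET_COOKIE),
    ):
        print(label, audit(pre, post) or "no findings")
```

Running the audit on the constructed "weak" pair yields three findings (missing Secure, missing HttpOnly on the pre-login cookie, and no identifier rotation); the "fixed" pair yields none. In practice the two header values come from the responses to the console's landing page and to the login form submission; the check says nothing about the underlying console code, only about what it emits.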
Problem conclusion
Obtain iFix from: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all
For example: WXS-7.1.0.3-All-PI44105
Temporary fix
Comments
APAR Information
APAR number
PI44105
Reported component name
XD EXTREME SCAL
Reported component ID
5724J3402
Reported release
710
Status
CLOSED PER
PE
NoPE
HIPER
NoHIPER
Special Attention
NoSpecatt
Submitted date
2015-07-01
Closed date
2015-09-28
Last modified date
2015-09-28
APAR is sysrouted FROM one or more of the following:
PI44098
APAR is sysrouted TO one or more of the following:
Fix information
Fixed component name
XD EXTREME SCAL
Fixed component ID
5724J3402
Applicable component levels
R710 PSY
UP
Document Information
Modified date:
23 September 2020