IBM Support

Security Bulletin: Multiple vulnerabilities in Open Source Apache WSS4J affect IBM InfoSphere DataStage Web services pack (CVE-2015-0226 CVE-2015-0227)

Created by Clyde Mendonca on
Published URL:
https://www.ibm.com/support/pages/node/258115
258115

Security Bulletin


Summary

There are multiple vulnerabilities in Open Source Apache WSS4J that is used by IBM InfoSphere DataStage Web services pack.

Vulnerability Details

CVE-ID: CVE-2015-0226
DESCRIPTION: Apache WSS4J could allow a remote attacker to obtain sensitive information, caused by Bleichenbacher's attack on XML Encryption. By sending a specially-crafted message, an attacker could exploit this vulnerability to decrypt the key and obtain sensitive information.
CVSS Base Score: 5.000
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100836 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE-ID: CVE-2015-0227
DESCRIPTION: Apache WSS4J could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce the requireSignedEncryptedDataElements property. An attacker could exploit this vulnerability using various types of wrapping attacks to bypass security restrictions and perform unauthorized actions.
CVSS Base Score: 5.000
CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100837 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

The following product, running on all supported platforms, are affected:
IBM InfoSphere DataStage Web services Pack: versions 9.1 and 11.3

Remediation/Fixes

Product

VRMFAPARRemediation/First Fix
InfoSphere DataStage Web services Pack11.3JR52755--Apply IBM InfoSphere DataStage Web services Pack Security Patch
InfoSphere DataStage Web services Pack9.1JR52755--Apply IBM InfoSphere DataStage Web services Pack Security Patch


Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

14 April 2015: Original Version Published
20 July 2015: Updated to indicate HP Itanium platform also needs a fix for version 9.1

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PSIRT 49854

[{"Product":{"code":"SSVSEF","label":"IBM InfoSphere DataStage"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.1;11.3","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SSVSEF","label":"IBM InfoSphere DataStage"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":" ","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.1;11.3","Edition":"","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
16 June 2018

UID

swg21699491

Page Feedback