IBM Support

Security Bulletin: Vulnerability with Java Portlet Specification JSR 286 may affect WebSphere Application Server (CVE-2015-1926)

Created by Brenda Fanning on
Published URL:
https://www.ibm.com/support/pages/node/532177

Security Bulletin


Summary

There has been a change to the Java Portlet Specification 2.0 (JSR 286) that may affect some configurations of WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2015-1926
DESCRIPTION:
The Java Portlet Specification JSR 286 API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102780 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


Affected Products and Versions

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5 Full Profile
  • Version 8.5 Portlet Container feature for WebSphere Application Server Liberty
  • Version 8
  • Version 7

There has been a change to the Java Portlet Specification 2.0 (JSR 286). CVE-2014-3083 already remediates this issue in WebSphere Application Server.

NOTE: If you have already applied the interim fixes for APARs PI17768 and PI30579 and updated your custom portlets as described in the security bulletins linked below, then you do not need to take any action.

Remediation/Fixes

Custom Portlets:
Your custom portlets may need to be updated as described in the security bulletins below.

For IBM WebSphere Application Server
APAR PI45900 contains the update to the Java Portlet Specification JSR 286 API jar file code and will be included in fix packs 8.5.5.8, 8.0.0.12 and 7.0.0.39. Installing those fix packs when they become available or installing the interim fixes as noted below will remedy the problem.

For V8.5.0.0 through 8.5.5.6 (Full Profile):

  • Apply Fix Pack 8 (8.5.5.8), or later.

-- Or --

For V8.5.0.0 through 8.5.5.6 (Liberty Profile):

If you have installed the Portlet Container Feature from the WASdev Liberty Repository:
  • Remove the Portlet Container feature from your Liberty Profile server by deleting the following files and directories:
    usr\extension\dev\api\spec\com.ibm.websphere.appserver.api.portlet_2.0.0.jar
    usr\extension\dev\api\spec\com.ibm.ws.javaee.ccpp_1.0.0.jar
    usr\extension\dev\api\spec\com.ibm.ws.javaee.portlet_2.0.0.jar
    usr\extension\lib\com.ibm.ws.portletcontainer_2.0.0.jar
    usr\extension\lib\features\com.ibm.websphere.appserver.portlet-2.0.mf
    usr\extension\lib\features\l10n\com.ibm.websphere.appserver.portlet-2.0.properties
    usr\extension\lafiles\com.ibm.websphere.appserver.portlet-2.0 (the directory and all of its subdirectories)
  • Then install the September 2015 release or a newer version of the Portlet Container from the WASdev Liberty Repository.
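The Liberty remediation above is a manual delete of a fixed set of files, which is easy to leave half done. The following script is an added example, not an IBM tool, that audits a Liberty install root for the artifacts named in the bulletin (paths written with forward slashes for a POSIX install), removes them, and reports what remains. The root directory argument is hypothetical; the demonstration tree it builds under mktemp is constructed, not a real installation.

```shell
#!/bin/sh
# Added example (not IBM's script): audit and clean up the Portlet Container
# feature artifacts that the bulletin says to delete from a Liberty server.
# The install root (the wlp directory) is passed in as a hypothetical argument.

PORTLET_FILES='
usr/extension/dev/api/spec/com.ibm.websphere.appserver.api.portlet_2.0.0.jar
usr/extension/dev/api/spec/com.ibm.ws.javaee.ccpp_1.0.0.jar
usr/extension/dev/api/spec/com.ibm.ws.javaee.portlet_2.0.0.jar
usr/extension/lib/com.ibm.ws.portletcontainer_2.0.0.jar
usr/extension/lib/features/com.ibm.websphere.appserver.portlet-2.0.mf
usr/extension/lib/features/l10n/com.ibm.websphere.appserver.portlet-2.0.properties
'
PORTLET_DIR='usr/extension/lafiles/com.ibm.websphere.appserver.portlet-2.0'

# Print each listed artifact that is still present under the root, one per line.
list_portlet_artifacts() {
  root=$1
  for f in $PORTLET_FILES; do
    if [ -e "$root/$f" ]; then echo "$f"; fi
  done
  if [ -d "$root/$PORTLET_DIR" ]; then echo "$PORTLET_DIR/"; fi
}

# Echo the number of listed artifacts still present (0 means the removal is complete).
count_portlet_artifacts() {
  list_portlet_artifacts "$1" | wc -l | tr -d ' '
}

# Delete the listed files and the license directory (the bulletin's first Liberty step).
remove_portlet_artifacts() {
  root=$1
  [ -n "$root" ] || { echo "usage: remove_portlet_artifacts <wlp-root>" >&2; return 1; }
  for f in $PORTLET_FILES; do
    rm -f "$root/$f"
  done
  rm -rf "$root/$PORTLET_DIR"
}

# Constructed demonstration tree (not a real install): one jar plus the lafiles directory.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/usr/extension/lib" \
         "$demo_root/usr/extension/lafiles/com.ibm.websphere.appserver.portlet-2.0/sub"
: > "$demo_root/usr/extension/lib/com.ibm.ws.portletcontainer_2.0.0.jar"
echo "before: $(count_portlet_artifacts "$demo_root") artifact(s) remain"
list_portlet_artifacts "$demo_root"
remove_portlet_artifacts "$demo_root"
echo "after:  $(count_portlet_artifacts "$demo_root") artifact(s) remain"
rm -rf "$demo_root"
```

Run the count against the real install root before and after the removal step; a non-zero count after removal means the old feature is still partly in place and the updated Portlet Container should not yet be installed over it.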

-- Or --

For V8.0.0.0 through 8.0.0.11:

  • Apply Fix Pack 12 (8.0.0.12), or later.

-- Or --

For V7.0.0.0 through 7.0.0.37:

  • Apply Fix Pack 39 (7.0.0.39), or later.

Workarounds and Mitigations

To mitigate this issue until a fix pack that includes the update to the Java Portlet Specification is available, refer to the security bulletins listed above, apply the APAR interim fixes for PI17768 and PI30579, and update your portlet as described in those bulletins.

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References


Change History

24 August 2015: original document published
3 September 2015: clarified that portlet application may need updating

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
15 June 2018

UID

swg21962107