Security Bulletin
Summary
IBM Jazz for Service Management bundles IBM WebSphere Application Server (WAS) v8.5 and below. These lower-level WAS profile releases are prone to various security vulnerabilities, which are being fixed through multiple interim fixes.
We recommend installing these WAS interim fixes to remediate the vulnerabilities.
Vulnerability Details
CVEID: CVE-2015-1885 (APAR PI33202 and PI36211)
DESCRIPTION: WebSphere Application Server Full Profile and Liberty Profile could allow a remote attacker to gain elevated privileges on the system when OAuth grant type of password is used.
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101255 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVEID: CVE-2015-0250
DESCRIPTION: Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101614 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1927
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to gain elevated privileges on the system, caused by an application not having the correct serveServletsbyClassname setting. If a developer does not set this property correctly, an attacker could exploit this vulnerability to gain unauthorized access.
CVSS Base Score: 6.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102872 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVEID: CVE-2015-1936
DESCRIPTION: IBM WebSphere Application Server Administrative console could allow a remote authenticated attacker to hijack a user's session when Security is not enabled. An attacker could exploit this vulnerability using the JSESSIONID parameter to gain access to another user's session.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103108 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID: CVE-2015-1946
DESCRIPTION: IBM WebSphere Application Server 8.5 and IBM WebSphere Virtual Enterprise 7.0 could allow a local attacker to gain elevated privileges on the system, caused by user roles not being handled properly.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103201 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)
Affected Products and Versions
These vulnerabilities affect the following versions of Jazz for Service Management:
Jazz for Service Management 1.1 and fix packs
Jazz for Service Management 1.1.1
Jazz for Service Management 1.1.2
Remediation/Fixes
Please refer to the WAS security bulletin to remediate the vulnerabilities related to WAS Full Profile (v8.5 and below): http://www-01.ibm.com/support/docview.wss?uid=swg21959083
Workarounds and Mitigations
None. Please apply the corresponding interim fixes.
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
Change History
28-Jul-2015: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
17 June 2018
UID
swg21963201