IBM Support

Security Bulletin: A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM License Metric Tool v9 and IBM BigFix Inventory v9 (CVE-2015-2017)

Created by Oktawian Powązka on

Security Bulletin


Summary

WebSphere Liberty Profile is shipped as a component of IBM License Metric Tool v9 and IBM BigFix Inventory v9. Information about a security vulnerability affecting WebSphere Liberty Profile has been published in a security bulletin.

Vulnerability Details

CVEID: CVE-2015-2017
DESCRIPTION:
The IBM WebSphere Portal is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103991 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N).

Affected Products and Versions

Principal Product and Version(s)

Affected Supporting Product and Version
IBM License Metric Tool 9
IBM BigFix Inventory 9
WebSphere Liberty Profile 8.5.5

Remediation/Fixes

Upgrade to version 9.2.3.0 or later:

  • In IBM Endpoint Manager console, expand IBM License Reporting or IBM BigFix Inventory node under Sites node in the tree panel.
  • Click Fixlets and Tasks node. Fixlets and Tasks panel will be displayed on the right.
  • In the Fixlets and Tasks panel locate Upgrade to the newest version of License Metric Tool 9.x or Upgrade to the newest version of IBM BigFix Inventory 9.x fixlet and run it against the computer that hosts your IBM License Metric Tool or IBM BigFix Inventory server.

Note: In an airgapped environment, you have to run BESAirgapTool and BESDownloadCacher first in order to update your site.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

Reformatted bulletin to standard format.

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Product":{"code":"SS8JFY","label":"IBM License Metric Tool"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"9.0;9.0.1;9.1;9.2","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
19 August 2022

UID

swg21980271