IBM Support

Security Bulletin: Vulnerabilities exist in Watson Explorer Analytical Components, Watson Explorer Annotation Administration Console, Watson Content Analytics, IBM Content Analytics, and OmniFind Enterprise Edition

Security Bulletin


Summary

Security vulnerabilities have been identified in IBM Watson Explorer Analytical Components, Watson Explorer Foundational Components Annotation Administration Console, IBM Watson Content Analytics, IBM Content Analytics, and OmniFind Enterprise Edition. Not all vulnerabilites affect all products and versions.

Vulnerability Details

CVEID: CVE-2016-0359
DESCRIPTION:
IBM WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.
CVSS Base Score: 6.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/111929 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

CVEID: CVE-2016-3092
DESCRIPTION:
Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)



CVEID: CVE-2016-3485
DESCRIPTION:
An unspecified vulnerability in Oracle Java SE and Java SE Embedded related to the Networking component has no confidentiality impact, low integrity impact, and no availability impact.
CVSS Base Score: 2.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/115273 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

To see which vulnerabilities apply to your product and version, see the applicable row in the following table.

Affected Product

Affected VersionsApplicable Vulnerabilities
Watson Explorer Analytical Components11.0.0.0 - 11.0.0.3, 11.0.1.0CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
Watson Explorer Analytical Components10.0.0.0 - 10.0.0.2CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
IBM Watson Explorer Foundational Components Annotation Administration Console11.0.0.0 - 11.0.0.3, 11.0.1.0 CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
IBM Watson Explorer Foundational Components Annotation Administration Console10.0.0.0 - 10.0.0.2CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
Watson Content Analytics3.5.0.0 - 3.5.0.3CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
IBM Content Analytics3.0.0.0 - 3.0.0.6CVE-2016-3092
CVE-2016-3485
IBM OmniFind Enterprise Edition9.1.0.0 - 9.1.0.5CVE-2016-3092
IBM Content Analytics2.2.0.0 - 2.2.0.3CVE-2016-3092

Remediation/Fixes

For information about fixes, see the applicable row in the following table. The table reflects product names at the time the specified versions were released. To use the links to Fix Central in this table, you must first log in to the IBM Support: Fix Central site at http://www.ibm.com/support/fixcentral/.

Affected ProductAffected VersionsVulnerabilityFix
Watson Explorer Analytical Components11.0.0.0 - 11.0.0.3, 11.0.1CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
Upgrade to Watson Explorer Analytical Components Version 11.0.2. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
IBM Watson Explorer Foundational Components Annotation Administration Console11.0.0.0 - 11.0.0.3, 11.0.1 CVE-2016-3092
CVE-2016-0359
CVE-2016-3485
Upgrade to Watson Explorer Foundational Components Annotation Administration Console Version 11.0.2. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
Watson Explorer Analytical Components10.0.0.0 - 10.0.0.2CVE-2016-3092
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002 or later.
  3. To install the fix, see http://www.ibm.com/support/docview.wss?uid=swg21996334.
Watson Explorer Analytical Components10.0.0.0 - 10.0.0.2CVE-2016-3485
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
    If you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.
  2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 7 package for your edition (Enterprise or Advanced) and operating system from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-<Edition>Analytical-<OS>[32|31]-7SR9FP60 or later. For example, 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux-7SR9FP60 and 10.0.0.2-WS-WatsonExplorer-AEAnalytical-Linux32-7SR9FP60.
  3. To apply the fix, follow the steps in Updating IBM Java Runtime.
  4. Rename $ES_INSTALL_ROOT/lib/activation.jar
    to activation.jar.orig
Watson Explorer Analytical Components10.0.0.0 - 10.0.0.2CVE-2016-0359 Important: Perform these steps as a Watson Explorer Analytical Components administrative user, typically esadmin.
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-AEAnalytical-IF002 or later and extract the contents of the fix into a temporary directory.
  3. Stop Watson Explorer Analytical Components.
  4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.
  5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.
  6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT
  7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp
    • Note: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.
  8. Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be:
    classpath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar
    • The new classpath replaces:
      classpath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar
  9. After saving the changes, restart Watson Explorer Analytical Components.
IBM Watson Explorer Foundational Components Annotation Administration Console10.0 - 10.0.0.2CVE-2016-3092
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-<edition>FoundationalAAC-IF002 or later.
  3. To install the fix, see http://www.ibm.com/support/docview.wss?uid=swg21996334.
IBM Watson Explorer Foundational Components Annotation Administration Console10.0 - 10.0.0.2CVE-2016-3485
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
    If you upgrade to Version 10.0.0.2 after you update IBM Java Runtime, your changes are lost and you must repeat the steps.
  2. Download the 32-bit and 64-bit packages of IBM Java Runtime, Version 7 for your edition (Enterprise or Advanced) and your operating system from Fix Central: 10.0.0.2-WS-WatsonExplorer-AEFoundationallAAC-<OS>[32]-7SR9FP60 or later. For example, 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-Linux-7SR9FP60 and 10.0.0.2-WS-WatsonExplorer-AEFoundationalAAC-Linux32-7SR9FP60.
  3. To apply the fix, follow the steps in Updating IBM Java Runtime.
  4. Rename $ES_INSTALL_ROOT/lib/activation.jar
    to activation.jar.orig
IBM Watson Explorer Foundational Components Annotation Administration Console10.0 - 10.0.0.2CVE-2016-0359
Important: Perform these steps as a Watson Explorer Annotation Administration Console administrative user, typically esadmin.
  1. If not already installed, install V10.0 Fix Pack 2 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 10.0.0.2-WS-WatsonExplorer-<edition>FoundationalAAC-IF002 or later and extract the contents of the fix into a temporary directory.
  3. Stop Watson Explorer Annotation Administration Console.
  4. Overwrite the old version of esctrl.jar with the fixed version in the $ES_INSTALL_ROOT/lib directory.
  5. Remove or rename the $ES_INSTALL_ROOT/wlp directory.
  6. Extract wlp-core-embeddable-16.0.0.3.zip in the $ES_INSTALL_ROOT directory. The wlp directory is created. For example, $ unzip wlp-core-embeddable-16.0.0.3.zip -d $ES_INSTALL_ROOT
  7. Run the fix for WebSphere Application Server Liberty profile, 16003-wlp-archive-IFPI62375.jar. For example, $ java -jar 16003-wlp-archive-IFPI62375.jar --installLocation $ES_INSTALL_ROOT/wlp
    • Note: When you run the fix, use the JVM for which the major version is same as the version that is used by Watson Explorer, and the minor version is the latest minor version. For example, Java 7.0.9.60 for Watson Explorer V10.
  8. Using a text editor, set the $ES_INSTALL_ROOT/configurations/interfaces/indexservice__interface.ini classpath to be:
    classpath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.14.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar
    • The new classpath replaces:
      classpath=es.indexservice.jar,antlr-2.7.2.jar,cloudscape/lib/derbyclient.jar,cloudscape/lib/derby.jar,an_icm.jar,es.dock.jar,oze_search.jar,wlp/dev/api/spec/com.ibm.ws.javaee.servlet.3.0_1.0.1.jar,es.rdf.jar,bcprov-jdk15-1.44.jar,fontbox-1.8.8.jar,jempbox-1.8.8.jar,pdfbox-1.8.8.jar
  9. After saving the changes, restart Annotation Administration Console.
Watson Content Analytics3.5.0.0 - 3.5.0.3CVE-2016-3092
CVE-2016-3485
CVE-2016-0359
Upgrade to Watson Content Analytics Version 3.5.0.4. For information about this version, and links to the software and release notes, see the download document. For information about upgrading, see the upgrade procedures.
IBM Content Analytics3.0.0.0 - 3.0.0.6CVE-2016-3092
  1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack download document).
  2. Download the package from Fix Central: interim fix 3.0.0.6-WT-ICA-IF002.
  3. To install the fix, see http://www.ibm.com/support/docview.wss?uid=swg21996334.
IBM Content Analytics3.0.0.0 - 3.0.0.6CVE-2016-3485
  1. If not already installed, install V3.0 Fix Pack 6 (see the Fix Pack download document).
    If you upgrade to Version 3.0.0.6 after you configure IBM Java Runtime, your changes are lost and you must repeat the steps.
  2. Download the 32-bit (or 31-bit, if you use Linux on System z) and 64-bit packages of IBM Java Runtime, Version 6 for your operating system from Fix Central: interim fix 3.0.0.6-WT-ICA-<OS>[32|31]-6SR16FP35 or later. For example, 3.0.0.6-WT-ICA-Linux-6SR16FP35 and 3.0.0.6-WT-ICA-Linux32-6SR16FP35.
  3. To apply the fix, follow the steps in Updating IBM Java Runtime.
  4. Rename $ES_INSTALL_ROOT/lib/activation.jar
    to activation.jar.orig
IBM OmniFind Enterprise Edition9.1 - 9.1.0.5CVE-2016-3092Contact IBM Support.
IBM Content Analytics2.2 - 2.2.0.3CVE-2016-3092Contact IBM Support.

Workarounds and Mitigations

None.

Get Notified about Future Security Bulletins

References

Off

Change History

20 December 2016: Fixes that address the applicable vulnerabilities are now available for Watson Explorer 11.0.0.0-11.0.0.3 and 11.0.1, Watson Explorer 10.0.0-10.0.0.2, Watson Content Analytics 3.5.0-3.5.0.4, and IBM Content Analytics 3.0.0-3.0.0.6.
5 October 2016: Original version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SS8NLW","label":"IBM Watson Explorer"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"--","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"10.0.0;10.0.0.1;10.0.0.2;10.0.0.3;11.0.0;11.0.0.1;11.0.0.2;11.0.0.3;11.0.1","Edition":"Advanced","Line of Business":{"code":"LOB10","label":"Data and AI"}},{"Product":{"code":"SS5RWK","label":"Content Analytics with Enterprise Search"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":" ","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"3.5;3.0;2.2","Edition":"All Editions","Line of Business":{"code":"","label":""}},{"Product":{"code":"SS5SQ7","label":"OmniFind Enterprise Edition"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":" ","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"9.1","Edition":"All Editions","Line of Business":{"code":"LOB10","label":"Data and AI"}}]

Document Information

Modified date:
17 June 2018

UID

swg21990062