IBM Support

Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments

Security Bulletin


Summary

Security vulnerabilities in WebSphere Application Server Liberty, such as spoofing, obtaining sensitive information, and bypassing security restrictions, affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments.

Vulnerability Details

CVEID:   CVE-2019-4305
DESCRIPTION:   IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160951 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID:   CVE-2014-3603
DESCRIPTION:   Shibboleth Identity Provider (IdP) and OpenSAML Java could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A man-in-the-middle attacker could exploit this vulnerability using an arbitrary valid certificate.to spoof SSL servers.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164271 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)

CVEID:   CVE-2019-4304
DESCRIPTION:   IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160950 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID:   CVE-2019-4441
DESCRIPTION:   IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163177 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)Version(s)
IBM Spectrum Protect Backup-Archive Client web user interface8.1.7.0-8.1.9.0 (Linux/Windows)
8.1.9 (AIX)
IBM Spectrum Protect for Space Management8.1.9.0
IBM Spectrum Protect for Virtual Environments: Data Protection for VMware8.1.0.0-8.1.9.0
7.1.0.0-7.1.8.7
IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V8.1.4.0-8.1.9.0

Remediation/Fixes

Spectrum Protect Backup-Archive Client web user interface ReleaseFirst Fixing
VRM Level		PlatformLink to Fix
              8.18.1.9.1AIX
Linux
Windows		https://www.ibm.com/support/pages/node/589103

 

Spectrum Protect for Space Management ReleaseFirst Fixing
VRM Level		PlatformLink to Fix
              8.18.1.9.1AIX
Linux		https://www.ibm.com/support/pages/node/316077

 

Spectrum Protect for Virtual Environments: Data Protection for VMware ReleaseFirst Fixing
VRM Level		PlatformLink to Fix
              8.18.1.9.1Linux
Windows		https://www.ibm.com/support/pages/node/5736999
              7.17.1.8.8Linux
Windows		https://www.ibm.com/support/pages/node/316625
 
Spectrum Protect for Virtual Environments: Data Protection for Hyper-V ReleaseFirst Fixing
VRM Level		PlatformLink to Fix
              8.18.1.9.1Linuxhttps://www.ibm.com/support/pages/node/5737497

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

Change History

18 March 2020: Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Location

Worldwide

[{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSERBH","label":"IBM Spectrum Protect for Space Management"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"}],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSERB6","label":"IBM Spectrum Protect for Virtual Environments"},"Component":"Data Protection for VMware, Data Protection for Hyper-V","Platform":[{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.1, 7.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}},{"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SSEQVQ","label":"IBM Spectrum Protect"},"Component":"Backup-Archive Client web user interface","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"8.1","Edition":"","Line of Business":{"code":"LOB26","label":"Storage"}}]

Document Information

Modified date:
18 March 2020

UID

ibm15695611

Page Feedback