IBM Support

Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server and bundling products shipped with IBM Cloud Orchestrator (CVE-2016-3426, CVE-2016-3427)

Created by Shyamala Rajagopalan on
Published URL: https://www.ibm.com/support/pages/node/619333

Security Bulletin


Summary

Information about security vulnerabilities that affect the IBM Java SDK, IBM WebSphere Application Server, and products bundled with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition has been published in a security bulletin.

These issues are addressed by updates to IBM WebSphere Application Server, IBM Business Process Manager and IBM Tivoli System Automation Application Manager, which are shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition.
Additionally, these issues are addressed by updates to IBM Tivoli Monitoring and SmartCloud Cost Management, which are shipped with IBM Cloud Orchestrator Enterprise Edition.

Vulnerability Details

IBM WebSphere Application Server, IBM Tivoli System Automation Application Manager, and IBM Business Process Manager are shipped as components of IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition. Additionally, IBM Tivoli Monitoring and SmartCloud Cost Management are shipped with IBM Cloud Orchestrator Enterprise Edition.


CVEID: CVE-2016-3426
DESCRIPTION: An unspecified vulnerability related to the JCE component could allow a remote attacker to obtain sensitive information resulting in a partial confidentiality impact using unknown attack vectors.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112457 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)




CVEID: CVE-2016-3427
DESCRIPTION: An unspecified vulnerability related to the JMX component could allow a remote, unauthenticated attacker to compromise the system, with complete confidentiality impact, complete integrity impact, and complete availability impact.
CVSS Base Score: 10
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112459 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)


Affected Products and Versions

Principal Product and Version(s), each followed by the affected Supporting Product and Version shipped with it:

IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2
    IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7
    IBM Business Process Manager Standard V8.5.6
    IBM Tivoli System Automation Application Manager 4.1

IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3
    IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7
    IBM Business Process Manager Standard V8.5.5 through 8.5.6
    IBM Tivoli System Automation Application Manager 4.1

IBM Cloud Orchestrator V2.3, V2.3.0.1
    IBM WebSphere Application Server V8.0.1 through V8.0.0.11
    IBM Business Process Manager V8.5, 8.5.6

IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2
    IBM Business Process Manager Standard 8.5.6
    IBM Tivoli System Automation Application Manager 4.1
    IBM SmartCloud Cost Management 2.1.0.5
    IBM Tivoli Monitoring 6.3.0.2

IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3
    IBM Business Process Manager Standard 8.5.6
    IBM Tivoli System Automation Application Manager 4.1
    IBM SmartCloud Cost Management 2.1.0.4
    IBM Tivoli Monitoring 6.3.0.2

IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9
    IBM Business Process Manager Standard 8.5
    IBM SmartCloud Cost Management V2.1.0.3
    IBM Tivoli Monitoring V6.3.0.1
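As a practical check against the WebSphere Application Server ranges listed above, the following Python script is an added example (it is not part of the IBM bulletin and not an IBM tool). It parses the "Installed Product" blocks printed by versionInfo.sh / versionInfo.bat from the WAS bin directory and flags any WebSphere Application Server level that falls inside an affected range. The versionInfo output embedded in the script is constructed for illustration, and treating the lower bound of the 8.0 range as 8.0.0.0 is an assumption made here, since the page prints it as "V8.0.1".

```python
"""Flag WebSphere Application Server levels that this bulletin lists as affected.

Input is the text printed by <WAS_HOME>/bin/versionInfo.sh (or versionInfo.bat).
Only the "Name" and "Version" lines of each "Installed Product" block are used.
"""
import re
import sys
from typing import List, Tuple

# Inclusive affected ranges taken from the bulletin's "Affected Products and Versions" table.
# Assumption: the 8.0 range starts at 8.0.0.0 (the bulletin writes "V8.0.1", which is not a
# four-part WAS 8.0 fix pack level).
AFFECTED_RANGES = [
    ((8, 5, 5, 0), (8, 5, 5, 7)),    # WAS ND 8.5.5 through 8.5.5.7 (ICO 2.4.x / 2.5.x)
    ((8, 0, 0, 0), (8, 0, 0, 11)),   # WAS 8.0.0.x through 8.0.0.11 (SmartCloud Orchestrator 2.3.x)
]

# Constructed sample of versionInfo output; not captured from a real system.
SAMPLE_VERSION_INFO = """\
Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server Network Deployment
Version               8.5.5.7
ID                    ND
Build Level           cf071530.02
Architecture          x86-64 (64 bit)

Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere SDK Java Technology Edition (Optional)
Version               7.0.9.30
ID                    SDK70
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """'8.5.5.7' -> (8, 5, 5, 7); shorter strings are zero-padded so '8.5.5' == '8.5.5.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (4 - len(parts)))


def installed_products(version_info: str) -> List[Tuple[str, str]]:
    """Return (name, version) for every Installed Product block in versionInfo output."""
    products: List[Tuple[str, str]] = []
    name = version = None
    for line in version_info.splitlines():
        # Field name, at least two spaces, then the value (trailing whitespace dropped).
        # 'Version Directory' has a single space and is deliberately not matched.
        m = re.match(r"^(Name|Version)\s{2,}(.*\S)", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            name, version = value, None      # a Name line starts a new product block
        elif name is not None:
            version = value
        if name is not None and version is not None:
            products.append((name, version))
            name = version = None
    return products


def is_affected(name: str, version: str) -> bool:
    """True if this is a WebSphere Application Server product at an affected level."""
    if "WebSphere Application Server" not in name:
        return False
    v = parse_version(version)
    return any(low <= v <= high for low, high in AFFECTED_RANGES)


def report(version_info: str) -> List[Tuple[str, str, bool]]:
    """(name, version, affected) for each installed product found in the output."""
    return [(n, v, is_affected(n, v)) for n, v in installed_products(version_info)]


if __name__ == "__main__":
    # Usage: versionInfo.sh > vi.txt ; python check_was_level.py vi.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_VERSION_INFO
    for name, version, affected in report(text):
        print(f"{'AFFECTED ' if affected else 'ok       '} {name} {version}")
```

Run versionInfo.sh on every node (deployment manager, node agents, and the WAS instances embedded in the bundled products) and feed each capture to report(). Note that the APAR referenced in the remediation section is delivered as an interim fix, which does not raise the fix pack level shown in the product block, so a node patched by interim fix alone will still be flagged by this level check; confirm the installed interim fixes separately (versionInfo.sh -maintenancePackages lists them).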

Remediation/Fixes

These issues are addressed in IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition through updates to the bundled products IBM WebSphere Application Server, IBM Business Process Manager, and IBM Tivoli System Automation Application Manager.
Additionally, for IBM Cloud Orchestrator Enterprise Edition, these issues are addressed through updates to IBM Tivoli Monitoring and SmartCloud Cost Management.

Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator:

Product and Version(s), followed by Remediation/First Fix:

IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2
    Upgrade to IBM Cloud Orchestrator Fix Pack 2 (2.5.0.2) for 2.5:
    http://www-01.ibm.com/support/docview.wss?uid=swg27045667
    After upgrading to IBM Cloud Orchestrator 2.5.0.2, install the corresponding APAR for WebSphere Application Server. Follow the instructions at http://www.ibm.com/support/docview.wss?uid=swg21982223.

IBM Cloud Orchestrator V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3
    Contact IBM Support. For all releases of V2.4, the fix will be made available in V2.4.0.4.
    If you are running IBM Cloud Orchestrator Enterprise Edition V2.4 through V2.4.0.3, install the corresponding APAR for WebSphere Application Server. Follow the instructions at http://www.ibm.com/support/docview.wss?uid=swg21982223.

IBM SmartCloud Orchestrator V2.3, V2.3.0.1
    Contact IBM Support.

Refer to the following security bulletins for vulnerability details and information about fixes provided by IBM WebSphere Application Server, Tivoli System Automation Application Manager, and Business Process Manager, which are shipped with IBM Cloud Orchestrator.

Principal Product and Version(s), followed by the Affected Supporting Product and Version and its Remediation/First Fix (the Affected Supporting Product Security Bulletin):

IBM Cloud Orchestrator V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.3
    IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7
        Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
    IBM Tivoli System Automation Application Manager 4.1
        Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427)
    IBM Business Process Manager V8.5.5 through 8.5.6
        Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)

IBM Cloud Orchestrator V2.3, V2.3.0.1
    IBM WebSphere Application Server V8.0.1 through V8.0.0.11
        Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
    IBM Business Process Manager V8.5, 8.5.6
        Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)

Refer to the following security bulletins for information about fixes for IBM Cloud Orchestrator Enterprise Edition:

Principal Product and Version, followed by Remediation/First Fix:

IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2
    Apply IBM Cloud Orchestrator Enterprise Fix Pack 2 (2.5.0.2) for 2.5:
    http://www-01.ibm.com/support/docview.wss?uid=swg27045667

IBM Cloud Orchestrator Enterprise V2.4, V2.4.0.1, V2.4.0.2, V2.4.0.3
    Contact IBM Support. For all releases of V2.4, the fix will be made available in V2.4.0.4.

IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9
    Contact IBM Support.

Refer to the following security bulletins for vulnerability details and information about fixes provided by IBM WebSphere Application Server, Tivoli System Automation Application Manager, Business Process Manager, SmartCloud Cost Management, and Tivoli Monitoring, which are shipped with IBM Cloud Orchestrator Enterprise Edition:

Principal Product and Version(s), followed by the Affected Supporting Product and Version and its Remediation/First Fix (the Affected Supporting Product Security Bulletin):

IBM Cloud Orchestrator Enterprise V2.5, V2.5.0.1, V2.5.0.2, V2.4, V2.4.0.1, V2.4.0.2 and V2.4.0.3
    IBM WebSphere Application Server Network Deployment V8.5.5 through 8.5.5.7
        Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
    IBM Tivoli System Automation Application Manager V4.1
        Security Bulletin: Multiple security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Tivoli System Automation Application Manager (CVE-2016-3426, CVE-2016-3427)
    IBM Business Process Manager V8.5, 8.5.6
        Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)
    SmartCloud Cost Management V2.1.0.4 and V2.1.0.5
        See the SmartCloud Cost Management security bulletin for CVE-2015-7575; SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise Edition
    IBM Tivoli Monitoring V6.3.0.1
        Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254)

IBM SmartCloud Orchestrator Enterprise V2.3 and V2.3.0.1 from Interim Fix 1 through Interim Fix 9
    IBM WebSphere Application Server V8.0.1 through V8.0.0.11
        Security Bulletin: Multiple vulnerabilities in IBM® Java SDK affect WebSphere Application Server April 2016 CPU (CVE-2016-3426, CVE-2016-3427)
    IBM Business Process Manager V8.5, 8.5.6
        Security Bulletin: Multiple vulnerabilities in WebSphere Application Server affect IBM Business Process Manager, WebSphere Process Server and WebSphere Lombardi Edition (Java CPU April 2016)
    SmartCloud Cost Management V2.1.0.3
        See the SmartCloud Cost Management security bulletin for CVE-2015-7575; SmartCloud Cost Management is shipped as a component of IBM Cloud Orchestrator Enterprise Edition
    IBM Tivoli Monitoring V6.3.0.1
        Security Bulletin: IBM Tivoli Monitoring embedded WebSphere Application Server (CVE-2016-3426, CVE-2016-3427, CVE-2016-0306, CVE-2015-0254)

References

Change History

29 July 2016: Original version published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date: 17 June 2018
UID: swg2C1000178