IBM Support

Security Bulletin: IBM i Integrated Web Application Server version 8.5 is affected by multiple vulnerabilities.

Created by Natalie Campbell on
Published URL:
https://www.ibm.com/support/pages/node/667557
667557

Security Bulletin


Summary

IBM i Integrated Web Application Server version 8.5 is affected by multiple security vulnerabilities.

Vulnerability Details

CVEID: CVE-2016-0385
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by a buffer overflow. This could allow the attacker to view unauthorized data.
CVSS Base Score: 3.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/112359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-2960
DESCRIPTION: IBM WebSphere Application Server could be vulnerable to a denial of service when using SIP services. A remote attacker could cause a denial of service with specially-crafted SIP messages.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113805 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-5986
DESCRIPTION: IBM WebSphere Application Server and IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116556 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2016-3092
DESCRIPTION: Apache Tomcat is vulnerable to a denial of service, caused by an error in the Apache Commons FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114336 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID: CVE-2016-1546
DESCRIPTION: Apache HTTP Server is vulnerable to a denial of service, caused by the failure to limit the number of simultaneous stream workers for a single HTTP/2 connection when mod_http2 is enabled. A remote attacker could exploit this vulnerability using modified flow-control windows, to cause a denial of service.
CVSS Base Score: 3.7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114793 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L)




CVEID: CVE-2016-4979
DESCRIPTION: Apache HTTPD could allow a remote attacker to bypass security restrictions, caused by the improper validation of X509 client certificate when experimental module for the HTTP/2 protocol is used to access a resource. An attacker could exploit this vulnerability to allow a third party to access resources on the web server without providing proper credentials and obtain sensitive information.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114720 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)




CVEID: CVE-2016-5983
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code with a serialized object from untrusted sources.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/116468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

Release 6.1, 7.1, 7.2 and 7.3 of IBM i are affected.

Remediation/Fixes

The issue can be fixed by applying a PTF to IBM i.

Releases 6.1, 7.1, 7.2 and 7.3 of IBM i are supported and will be fixed.

Release 6.1 – SI62166
Release 7.1 – SI62167 & SI62590
Release 7.2 – SI62168
Release 7.3 – SI62169

Important note: IBM recommends that all users running unsupported versions of affected products upgrade to supported and fixed version of affected products.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2

Complete CVSS v3 Guide
On-line Calculator v3

Off

Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Type":"MASTER","Line of Business":{"code":"LOB57","label":"Power"},"Business Unit":{"code":"BU058","label":"IBM Infrastructure w\/TPS"},"Product":{"code":"SWG60","label":"IBM i"},"Platform":[{"code":"PF012","label":"IBM i"}],"Version":"7.1.0"}]

Document Information

Modified date:
18 December 2019

UID

nas8N1021649

Page Feedback