IBM Support

Security Bulletin: Multiple vulnerabilities in WebSphere application server affect IBM Workload Scheduler

Created by Paolo Salerno on
Published URL:
https://www.ibm.com/support/pages/node/734305
734305

Security Bulletin


Summary

There are multiple vulnerabilities in IBM WebSphere application server that may potentially affect IBM Workload Scheduler.

Vulnerability Details

CVEID: CVE-2018-1621
DESCRIPTION: IBM WebSphere Application Server could allow a local attacker to obtain clear text password in a trace file caused by improper handling of some datasource custom properties.
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144346 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)

CVEID: CVE-2018-1614
DESCRIPTION: IBM WebSphere Application Server using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information.
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/144270 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N)

CVEID: CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/79984 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-0899
DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

These vulnerabilities in IBM WebSphere application server may potentially affect IBM Workload Scheduler 9,1, 9.2, 9.3 or 9.4. 

Remediation/Fixes

IBM WebSphere has published the following security bulletins to addresses the mentioned vulnerabilities.

For CVE-2015-0899 refer to http://www-01.ibm.com/support/docview.wss?uid=swg22015348 .

For CVE-2012-5783 refer to http://www-01.ibm.com/support/docview.wss?uid=swg22016216 .

For CVE-2018-1614 refer to http://www-01.ibm.com/support/docview.wss?uid=swg22016887 .

For CVE-2018-1621 refer to http://www-01.ibm.com/support/docview.wss?uid=swg22016821 .

Workarounds and Mitigations

N/A

Get Notified about Future Security Bulletins

References

Off

Change History

October 8th first version published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

[{"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SS8GJD","label":"IBM Workload Automation"},"Component":"WebSphere","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.1;9.2;9.3;9.4","Edition":"all editions","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
19 June 2020

UID

ibm10734305