IBM Support

Security Bulletin: Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server

Created by David Hoffman on
Published URL:
https://www.ibm.com/support/pages/node/796180
796180

Security Bulletin


Summary

The following security issues have been identified in the WebSphere Application Server included as part of IBM Tivoli Monitoring (ITM) portal server.

Vulnerability Details

CVEID:  CVE-2015-0899
DESCRIPTION: Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/101770
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID:  CVE-2012-5783
DESCRIPTION: Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base Score: 4.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/79984
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID:  CVE-2018-1643
DESCRIPTION: The Installation Verification Tool of IBM WebSphere Application Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base Score: 6.1
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/144588  for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:  CVE-2018-1567
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code through the SOAP connector with a serialized object from untrusted sources.
CVSS Base Score: 9.8
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/143024
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVEID:  CVE-2018-1621
DESCRIPTION: IBM WebSphere Application Server could allow a local attacker to obtain clear text password in a trace file caused by improper handling of some datasource custom properties.
CVSS Base Score: 4.4
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/144346
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N)
CVEID:  CVE-2018-1695
DESCRIPTION: IBM WebSphere Application Server installations using Form Login could allow a remote attacker to conducts spoofing attacks.
CVSS Base Score: 7.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/145769
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
CVEID:  CVE-2018-1770
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
CVSS Base Score: 6.5
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/148686
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID:  CVE-2018-1797
DESCRIPTION: IBM WebSphere Application Server using Enterprise bundle Archives (EBA) could allow a local attacker to traverse directories on the system. By persuading a victim to extract a specially-crafted ZIP archive containing "dot dot slash" sequences (../), an attacker could exploit this vulnerability to write to arbitrary files on the system. Note: This vulnerability is known as "Zip-Slip".
CVSS Base Score: 6.3
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/149427
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID:  CVE-2014-7810
DESCRIPTION: Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by the use of expression language. An attacker could exploit this vulnerability to bypass the protections of a Security Manager.
CVSS Base Score: 5
CVSS Temporal Score: See  https://exchange.xforce.ibmcloud.com/vulnerabilities/103155
 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/

Affected Products and Versions

IBM Tivoli Monitoring versions 6.3.0 through 6.3.0 FP7 - Tivoli Enterprise Portal Server (TEPS) all CVEs above.

IBM Tivoli Monitoring versions 6.2.3 through 6.2.3 FP5 - Tivoli Enterprise Portal Server (TEPS) all CVE's except for CVE-2018-1643 and CVE-2018-1797

Remediation/Fixes

Fix

VMRF Remediation/First Fix
6.X.X-TIV-ITM_TEPS_EWAS_8.0.15.02 6.3.0.x https://www.ibm.com/support/docview.wss?uid=ibm10869914
Technote 6.2.3.x http://www.ibm.com/support/docview.wss?uid=swg21633720

Contains information and script which the details for downloading and installing the embedded WebSphere Application Server (eWAS) patches for IBM Tivoli Monitoring 6.23. The scripts provided are for supported unix, linux and windows platforms.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

The vulnerability CVE-2018-1643 was reported to IBM by Mingxuan Song
The vulnerability CVE-2018-1770 was reported to IBM by Jacob Baines

Change History

2019/01/29 Document created
2019/02/07 Initial Publication

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

Advisories(PRID):  11552(117346), 11709(117784), 11792(127042), 11846(121150), 12204(118580), 12541(120994), 12851(126801), 13140(126801), 13142(123371)

Document Location

Worldwide

[{"Product":{"code":"SSTFXA","label":"Tivoli Monitoring"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Component":"ITM Tivoli Enterprise Portal Server V6","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"6.3.0.7;6.3.0.6;6.3.0.5;6.3.0.4;6.3.0.3;6.3.0.2;6.2.3.5;6.2.3.4;6.2.3.3;6.2.3.2;6.2.3.1;6.2.3","Edition":"","Line of Business":{"code":"LOB45","label":"Automation"}}]

Document Information

Modified date:
07 February 2019

UID

ibm10796180