IBM Support

PI78804:Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)

Download


Abstract

Information disclosure in WebSphere Application Server with SAML (CVE-2018-1614)

Download Description

PI78804 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information. (CVE-2018-1614)

PROBLEM SUMMARY:
IBM WebSphere Application Server using malformed SAML responses from the SAML identity provider could allow a remote attacker to obtain sensitive information.

PROBLEM CONCLUSION:
Confidential for Security Integrity ifix.

THE FOLLOWING FIXES ARE PROVIDED:
8.0.0.4-WS-WASProd-IFPI78804.zip applies to fixpacks 8.0.0.4 through 8.0.0.15.
8.5.5.0-WS-WASProd-IFPI78804.zip applies to fixpacks 8.5.5.0 through 8.5.5.13.
9.0.0.0-WS-WASProd-IFPI78804.zip applies to fixpacks 9.0.0.0 through 9.0.0.7

Note: There is no fix for WebSphere v7 because no fixpack for WebSphere v7 contains the vulnerability that is fixed with APAR PI78804.

The fix for this APAR is currently targeted for inclusion in WebSphere traditional fix packs 8.5.5.14 and 9.0.0.9.  Please refer to the Recommended Updates page for delivery information: 
http://www.ibm.com/support/docview.wss?rs=180&uid=swg27004980

Prerequisites

Please download the UpdateInstaller below to install this fix.

[{"PRLabel":"UpdateInstaller","PRLang":"US English","PRSize":"7250000","PRPlat":{"label":"AIX","code":"PF002"},"PRURL":"http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991"}]

Installation Instructions

Please review the readme.txt for detailed installation instructions.

[{"INLabel":"V80 Readme","INLang":"US English","INSize":"2586","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI78804/8.0.0.15/readme.txt"},{"INLabel":"V85 Readme","INLang":"US English","INSize":"2627","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI78804/8.5.5.13/readme.txt"},{"INLabel":"V90 Readme","INLang":"US English","INSize":"2319","INURL":"ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI78804/9.0.0.8/readme.txt"}]
On
[{"DNLabel":"8.0.0.4-WS-WASProd-IFPI78804","DNDate":"06-15-2018","DNLang":"US English","DNSize":"286986","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/WebSphere&product=ibm/WebSphere/WebSphere Application Server&release=All&platform=All&function=fixId&fixids=8.0.0.4-WS-WASProd-IFPI78804&includeSupersedes=0","DNURL_FTP":"","DDURL":null},{"DNLabel":"8.5.5.0-WS-WASProd-IFPI78804","DNDate":"06-15-2018","DNLang":"US English","DNSize":"297413","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/WebSphere&product=ibm/WebSphere/WebSphere Application Server&release=All&platform=All&function=fixId&fixids=8.5.5.0-WS-WASProd-IFPI78804&includeSupersedes=0","DNURL_FTP":"","DDURL":null},{"DNLabel":"9.0.0.0-WS-WASProd-IFPI78804","DNDate":"06-15-2018","DNLang":"US English","DNSize":"283235","DNPlat":{"label":"AIX","code":"PF002"},"DNURL":"http://www.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm/WebSphere&product=ibm/WebSphere/WebSphere Application Server&release=All&platform=All&function=fixId&fixids=9.0.0.0-WS-WASProd-IFPI78804&includeSupersedes=0","DNURL_FTP":"","DDURL":null}]

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

[{"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Component":"General","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF013","label":"Inspur K-UX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z/OS"}],"Version":"9.0.0.6;9.0.0.5;9.0.0.4;9.0.0.3;9.0.0.2;9.0.0.1;9.0.0.0;8.5.5.9;8.5.5.8;8.5.5.7;8.5.5.6;8.5.5.5;8.5.5.4;8.5.5.3;8.5.5.2;8.5.5.12;8.5.5.11;8.5.5.10;8.5.5.1;8.5.5;8.0.0.9;8.0.0.8;8.0.0.7;8.0.0.6;8.0.0.5;8.0.0.4;8.0.0.14;8.0.0.13;8.0.0.12;8.0.0.11;8.0.0.10;8.5.5.13;9.0.0.7;8.0.0.15","Edition":"Base;Network Deployment;Single Server"}]

Document Information

Modified date:
11 April 2019

UID

swg24044985