Security Bulletin
Summary
There are multiple security vulnerabilities that affect the IBM WebSphere Application Server in the IBM Cloud.
There is a timing window where there could be a privilege escalation vulnerability in WebSphere Application Server. There is a potential remote code execution vulnerability in WebSphere Application Server. There is a potential cross-site request forgery in WebSphere Application Server Admin Console. There is a potential XXE injection vulnerability in the Knowledge Center used by WebSphere Application Server. There is a potential information disclosure in WebSphere Application Server. There is a potential for weaker than expected security in WebSphere Application Server with SP800-131 transition mode and SSL_TLSv2. There is a potential denial of service with the Google Guava library that is used in WebSphere Application Server.
Vulnerability Details
CVEID: CVE-2018-1901
DESCRIPTION: IBM WebSphere Application Server could allow a remote attacker to temporarily gain elevated privileges on the system, caused by incorrect cached value being used.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152530 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2018-1904
DESCRIPTION: IBM WebSphere Application Server could allow remote attackers to execute arbitrary Java code through an administrative client class with a serialized object from untrusted sources.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152533 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
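The description above is deliberately brief: an administrative client class deserializes an attacker-supplied Java object, and Java deserialization of untrusted input runs code from the attacker's chosen classes. The fix for WebSphere is IBM's APAR (see Remediation/Fixes below); the example here is an added, generic illustration of the standard JEP 290 hardening, not the bulletin's or WebSphere's own code. The allow-list, the Gadget class and the sample objects are all constructed for the demo; the filter pattern syntax, ObjectInputFilter and setObjectInputFilter are the JDK 9+ APIs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.ArrayList;
import java.util.List;

public class DeserializationFilter {

    // Constructed allow-list: only the types a hypothetical admin client legitimately
    // exchanges, plus size/depth limits, and "!*" to reject every other class.
    static final ObjectInputFilter ADMIN_CLIENT_FILTER = ObjectInputFilter.Config.createFilter(
        "java.lang.String;java.lang.Number;java.lang.Integer;java.util.ArrayList;"
        + "maxdepth=5;maxarray=1000;maxrefs=1000;!*");

    // Set when Gadget.readObject runs: the observable effect of a successful attack.
    static boolean gadgetRan = false;

    // Constructed stand-in for a gadget class: not part of any real chain, it only
    // demonstrates that readObject() of an unexpected class executes during readObject().
    static class Gadget implements Serializable {
        private static final long serialVersionUID = 1L;
        private void readObject(ObjectInputStream in) throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            gadgetRan = true;   // a real gadget chain would do something harmful here
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // filter == null reproduces the vulnerable behaviour: any class in the stream is accepted.
    static Object deserialize(byte[] bytes, ObjectInputFilter filter)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            if (filter != null) {
                ois.setObjectInputFilter(filter);
            }
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        List<Object> legit = new ArrayList<>();
        legit.add("app1");
        legit.add(42);
        byte[] legitBytes = serialize(legit);
        byte[] gadgetBytes = serialize(new Gadget());

        // Expected data passes the allow-list unchanged.
        System.out.println("legit, filtered   : " + deserialize(legitBytes, ADMIN_CLIENT_FILTER));

        // The unexpected class is rejected before its readObject() can run.
        try {
            deserialize(gadgetBytes, ADMIN_CLIENT_FILTER);
        } catch (InvalidClassException e) {
            System.out.println("gadget, filtered  : rejected (" + e.getMessage() + ")");
        }
        System.out.println("gadget ran (filtered)  : " + gadgetRan);

        // Without a filter the same bytes run the gadget's code.
        deserialize(gadgetBytes, null);
        System.out.println("gadget ran (unfiltered): " + gadgetRan);
    }
}
```

The filter is checked per class descriptor as the stream is read, so superclasses that are themselves Serializable (here java.lang.Number for Integer) must be on the list too; the limits bound the nesting depth, array sizes and back-references that deserialization bombs rely on. A JVM-wide default can be set with the jdk.serialFilter system property instead of per stream.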
CVEID: CVE-2018-1905
DESCRIPTION: IBM WebSphere Application Server is vulnerable to an XML External Entity Injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152534 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L)
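The two impacts named above map to two DTD abuses: an external entity that makes the parser read a local file (information disclosure) and nested entity expansion that inflates a few hundred bytes of XML into gigabytes (memory exhaustion). The example below is added for illustration and is not the bulletin's or WebSphere's code; the WebSphere fix is IBM's APAR. It parses two constructed payloads with the JDK's default DocumentBuilderFactory and with a hardened one that refuses DOCTYPE declarations. The temp file stands in for a sensitive file so the demo touches no real secret; Files.writeString needs Java 11+.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;

public class XxeHardening {

    // Hardened parser: no DOCTYPE means no entity declarations at all, which closes
    // both the file-read and the entity-expansion paths in one setting.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that do not honour the Xerces feature above.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    // Vulnerable baseline: JDK defaults resolve external entities and expand DTD entities.
    static DocumentBuilder defaultBuilder() throws ParserConfigurationException {
        return DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

    // Returns the root element's text, or the parser's reason for refusing the input.
    static String parse(DocumentBuilder builder, String xml) {
        try {
            Document doc = builder.parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return "parsed: " + doc.getDocumentElement().getTextContent().trim();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for a sensitive local file.
        Path secret = Files.createTempFile("xxe-demo", ".txt");
        Files.writeString(secret, "SECRET-FILE-CONTENT");
        secret.toFile().deleteOnExit();

        // Constructed payload 1: classic XXE, an external entity pointing at a local file.
        String fileRead = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [<!ENTITY xxe SYSTEM \"" + secret.toUri() + "\">]>\n"
            + "<d>&xxe;</d>";

        // Constructed payload 2: nested entity expansion, cut to three levels (1000 chars)
        // so it is harmless here; the full "billion laughs" form expands to gigabytes.
        String expansion = "<?xml version=\"1.0\"?>\n"
            + "<!DOCTYPE d [\n"
            + " <!ENTITY a \"aaaaaaaaaa\">\n"
            + " <!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">\n"
            + " <!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">\n"
            + "]>\n"
            + "<d>&c;</d>";

        // Default parser: discloses the file and inflates the expansion payload.
        System.out.println("default  / file read: " + parse(defaultBuilder(), fileRead));
        System.out.println("default  / expansion: "
            + parse(defaultBuilder(), expansion).length() + " chars of output");

        // Hardened parser: both payloads are refused at the DOCTYPE.
        System.out.println("hardened / file read: " + parse(hardenedBuilder(), fileRead));
        System.out.println("hardened / expansion: " + parse(hardenedBuilder(), expansion));
    }
}
```

The JDK's built-in expansion limit (jdk.xml.entityExpansionLimit, 64000 by default) caps the default parser's damage from payload 2 but does nothing against payload 1; disallowing DOCTYPE is the setting that removes both. If an application genuinely needs DTDs, keep the external-entity features off and the secure-processing feature on, and treat that parser as a higher-risk component.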
CVEID: CVE-2018-1926
DESCRIPTION: IBM WebSphere Application Server Admin Console is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading a user to visit a malicious URL, a remote attacker could send a specially-crafted request. An attacker could exploit this vulnerability to perform a CSRF attack and update available applications.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/152992 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVEID: CVE-2018-1957
DESCRIPTION: IBM WebSphere Application Server could disclose sensitive information, caused by the application mishandling data based on an incorrect return value from the HttpServletRequest#authenticate() API when an unprotected URI is accessed.
CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/153629 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID: CVE-2018-1996
DESCRIPTION: IBM WebSphere Application Server could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/154650 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
CVEID: CVE-2018-10237
DESCRIPTION: The Google Guava library used by IBM WebSphere Application Server could allow a remote attacker to cause a denial of service.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/142508 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Affected Products and Versions
These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server in IBM Cloud:
- Liberty
- Version 9.0
- Version 8.5
Remediation/Fixes
To patch an existing service instance, refer to the IBM WebSphere Application Server bulletins listed below.
- Potential Privilege Escalation Vulnerability in WebSphere Application Server (CVE-2018-1901)
- Potential Remote code execution vulnerability in WebSphere Application Server (CVE-2018-1904)
- Potential XML External Entity (XXE) Injection Vulnerability in WebSphere Application Server (CVE-2018-1905)
- Potential cross-site request forgery in WebSphere Application Server Admin Console (CVE-2018-1926)
- Potential information disclosure in WebSphere Application Server (CVE-2018-1957)
- Weaker than expected security in WebSphere Application Server with SP800-131 transition mode (CVE-2018-1996)
- Potential denial of service in WebSphere Application Server (CVE-2018-10237)
Please see Updating your environment in the Knowledge Center for information on applying service.
Alternatively, delete the vulnerable service instance and create a new instance.
Workarounds and Mitigations
None.
Monitor IBM Cloud Status for Future Security Bulletins
Monitor the security notifications on the IBM Cloud Status page to be advised of future security bulletins.
References
Acknowledgement
The CVE-2018-1904 vulnerability was reported to IBM by noxxx of Chaitin Tech
The CVE-2018-1905 vulnerability was reported to IBM by Benoit Côté-Jodoin from GoSecure
Change History
05 March 2019: original document published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
05 March 2019
UID
ibm10793597