WebSphere Application Server and IBM HTTP Server Security Bulletin List

Question & Answer

Question

Is there a list that contains the security bulletins that apply to WebSphere Application Server and IBM HTTP Server?

Answer

The following table is provided to help you locate WebSphere Application Server and IBM HTTP Server security bulletins. These are listed numerically by CVE number not by the last one published.

Note the IBM Java runtime included with WebSphere Application Server provides an execution environment for non-IBM code. While the below table includes all IBM Java vulnerabilities related to the WebSphere Application Server product, there might be additional IBM Java vulnerabilities which impact non-IBM code running in your WebSphere Application Server environment. For a listing of all IBM Java security bulletins, refer to IBM Java Security Alerts. To determine the Java SDK version used with WebSphere Application Server, refer to the Verify Java SDK version shipped with WebSphere Application Server.

To avoid preventable security issues, it is recommended that you stay up-to-date on the most current maintenance options for your products. You can also subscribe to the security bulletins for each of your products as provided in this link, IBM Security Bulletins.

When significant updates have been made to security bulletins, it will be noted with the date of the last update in the bulletin columns.

2019 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2019-10098	3.7	Not affected	Phishing attack	9.0, 8.5, 8.0, 7.0
	CVE-2019-10092	4.7	Not affected	Cross-site scripting	9.0, 8.5, 8.0, 7.0
	CVE-2019-9518	7.5	Denial of Service	Not affected	Liberty
	CVE-2019-9517	7.5	Denial of Service	Not affected	Liberty
	CVE-2019-9515	7.5	Denial of Service	Not affected	Liberty
	CVE-2019-9514	7.5	Denial of Service	Not affected	Liberty
	CVE-2019-9513	7.5	Denial of Service	Not affected	Liberty
	CVE-2019-9512	7.5	Denial of Service	Not affected	Liberty
	CVE-2019-4505	3.7	Information Disclosure	Not affected	9.0, 8.5, 7.0Virtual Enterprise
	CVE-2019-4477	5.3	Information Disclosure	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2019-4442	4.3	Path Traversal	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2019-4441	5.3	Information disclosure	Not affected	9.0, 8.5, 8.0, 7.0 Liberty
	CVE-2019-4305	5.3	Information disclosure	Not affected	Liberty
	CVE-2019-4304	6.3	Bypass security	Not affected	Liberty
	CVE-2019-4285	5.4	Clickjacking vulnerability	Not affected	Liberty
	CVE-2019-4279	9.0	Remote Code Execution	Not affected	9.0, 8.5, 7.0Virtual Enterprise
	CVE-2019-4271	3.5	HTTP Parameter Pollution	Not affected	9.0, 8.5, 7.0Virtual Enterprise
	CVE-2019-4270	5.4	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2019-4269	5.3	Information Disclosure	Not affected	9.0
	CVE-2019-4268	5.3	Path Traversal	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2019-4080	6.5	Denial of Service	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2019-4046	5.9	Denial of Service	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2019-4030	5.4	Cross-site scripting	Not affected	9.0, 8.5, 8.0VE, 7.0VE
	CVE-2019-2426	3.7	IBM Java SDK for January 2019 CPU	Not affected	9.0, 8.5, Liberty
	CVE-2019-0220	5.3	Not affected	Weaker Security	9.0, 8.5, 8.0, 7.0
	CVE-2019-0211	8.2	Not affected	Privilege Escalation	9.0

2018 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	N/A	8.1	Remote code execution in JSF	Not affected	8.5, 8.0, 7.0
	CVE-2018-20843	3.3	Not affected	Denial of service	9.0, 8.5, 8.0, 9.0
	CVE-2018-17199	5.3	Not affected	Bypass security	9.0
	CVE-2018-12547	9.8	IBM Java SDK for January 2019 CPU	Not affected	9.0, 8.5, Liberty
	CVE-2018-12539	8.4	IBM Java SDK for July 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-10237	7.5	Denial of service	Not affected	9.0, 8.5, Liberty
	CVE-2018-8039	7.5	Man-in-the-Middle	Not affected	9.0 Liberty
	CVE-2018-3180	5.6	IBM Java SDK for October 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-3139	3.1	IBM Java SDK for October 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2800	4.2	IBM Java SDK for April 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2783	7.4	IBM Java SDK for April 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2637	7.4	IBM Java SDK for January 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2634	6.8	IBM Java SDK for January 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2633	8.3	IBM Java SDK for January 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2603	5.3	IBM Java SDK for January 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2602	4.5	IBM Java SDK for January 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-2579	3.7	IBM Java SDK for January 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-1996	5.3	Weaker Security	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1957	4.0	Information Disclosure	Not affected	9.0
	CVE-2018-1926	4.3	Cross-site Request Forgery	Not affected	9.0, 8.5
	CVE-2018-1905	7.1	XXE vulnerability	Not affected	9.0
	CVE-2018-1904	8.1	Remote Code execution	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1902	3.1	Spoofing Vulnerability	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-1901	5.0	Privilege Escalation	Not affected	9.0, 8.5, Liberty
	CVE-2018-1890	5.6	IBM Java SDK for January 2019 CPU	Not affected	9.0, 8.5, Library
	CVE-2018-1851	7.3	Code execution	Not affected	Liberty
	CVE-2018-1840	6.0	Privilege escalation	Not affected	9.0, 8.5
	CVE-2018-1798	6.1	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1797	6.3	Directory traversal	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1794	6.1	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1793	6.1	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1777	5.4	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1770	6.5	Directory traversal	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1767	6.1	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-1755	5.9	Information Disclosure	Not affected	Liberty
	CVE-2018-1719	5.9	Weaker security	Not affected	9.0, 8.5
	CVE-2018-1695	7.3	Spoofing vulnerability	Not affected	8.5, 8.0, 7.0
	CVE-2018-1683	5.9	Information disclosure	Not affected	Liberty
	CVE-2018-1656	7.4	IBM Java SDK for July 2018 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2018-1643	6.1	Cross-site Scripting	Not affected	9.0, 8.5, 8.0
	CVE-2018-1626	4.3	Cross-site Request Forgery	Not affected	9.0, 8.5
	CVE-2018-1621	4.4	Information disclosure	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1614	5.8	Information disclosure	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1567	9.8	Code execution	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2018-1553	5.3	Information disclosure	Not affected	Liberty
	CVE-2018-1447	5.1	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0, 7.0
	CVE-2018-1427	6.2	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0, 7.0
	CVE-2018-1426	7.4	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0, 7.0
ROBOT	CVE-2018-1388	9.1	Not affected	Information Disclosure	7.0
	CVE-2018-1301	5.3	Not affected	Denial of service	9.0, 8.5, 8.0, 7.0

2017 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2017-15715	3.7	Not affected	Weaker security	9.0, 8.5, 8.0, 7.0
	CVE-2017-15710	5.3	Not affected	Denial of Service	9.0, 8.5, 8.0, 7.0
	CVE-2017-12624	5.3	Denial of Service	Not affected	9.0, Liberty
	CVE-2017-12618	5.5	Not affected	Denial of Service	9.0, 8.5, 8.0, 7.0
	CVE-2017-12613	9.1	Not affected	Denial of Service	9.0, 8.5, 8.0, 7.0
	CVE-2017-10388	7.5	IBM Java SDK for October 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-10356	6.2	IBM Java SDK for October 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-10116	8.3	IBM Java SDK for July 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-10115	7.5	IBM Java SDK for July 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-10102	9.0	IBM Java SDK for July 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-9798	7.5	Not affected	Information Disclosure	9.0, 8.5, 8.0, 7.0
	CVE-2017-7679	5.3	Not affected	Information Disclosure	9.0, 8.5, 8.0, 7.0
	CVE-2017-7668	5.3	Not affected	Denial of Service	9.0, 8.5, 8.0, 7.0
	CVE-2017-5638	7.3	Not affected bulletin	Not affected bulletin
	CVE-2017-3736	5.9	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0, 7.0
	CVE-2017-3732	5.3	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0, 7.0
	CVE-2017-3511	7.7	IBM Java SDK for April 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-3167	5.3	Not affected	Bypass security	9.0, 8.5, 8.0, 7.0
	CVE-2017-1788	5.3	Spoofing	Not affected	9.0, Liberty
	CVE-2017-1743	4.3	Information Disclosure	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1741	4.3	Information Disclosure	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1731	8.8	Privilege escalation	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1681	4.0	Information Disclosure	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-1583	5.3	Information Disclosure	Not affected	8.5, 8.0, Liberty
	CVE-2017-1504	5.3	Weaker security	Not affected	9.0
	CVE-2017-1503	6.1	HTTP response splitting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1501	5.9	Weaker security	Not affected	9.0, 8.5, 8.0
	CVE-2017-1382	5.1	Insecure file permissions	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1381	2.9	Information disclosure	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1380	5.4	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2017-1194	4.3	Cross-site request forgery	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2017-1151	8.1	Privilege escalation	Not affected	9.0, 8.5, 8.0
	CVE-2017-1137	5.9	Weaker security	Not affected	8.5, 8.0
	CVE-2017-1121	5.4	Cross-site scripting vulnerability	Not affected	9.0, 8.5, 8.0, 7.0

2016 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2016-1000031	9.8	Execute Code	Not affected	9.0, 8.5, 8.0, Liberty
	CVE-2016-9736	3.7	Information Disclosure	Not affected	9.0, 8.5, 8.0
	CVE-2016-8934	5.4	Cross-site scripting vulnerability	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2016-8919	5.9	Denial of service	Not affected	9.0,8.5, 8.0, 7.0
	CVE-2016-8743	6.1	Not affected	Response splitting attack	9.0,8.5, 8.0, 7.0
	CVE-2016-7056	4.0	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0, 7.0
	CVE-2016-5986	3.7	Information Disclosure	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5983	7.5	Gain Privileges	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5597	5.9	IBM Java SDK for October 2016 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5573	8.3	IBM Java SDK for October 2016 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5549	6.5	IBM Java SDK for January 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5548	6.5	IBM Java SDK for January 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5547	5.3	IBM Java SDK for January 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-5546	7.5	IBM Java SDK for January 2017 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
HTTPOXY	CVE-2016-5387	8.1	Not affected	Redirect HTTP traffic	9.0, 8.5, 8.0, 7.0
	CVE-2016-4975	6.1	Not affected	Superseded by CVE-2016-8743	9.0, 8.5, 8.0, 7.0
	CVE-2016-4472	5.3	Not affected	Denial of Service with Expat	9.0, 8.5, 8.0, 7.0
	CVE-2016-3485	2.9	IBM Java SDK for July 2016 CPU	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-3427	10	IBM Java SDK for April 2016 CPU	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2016-3426	4.3	IBM Java SDK for April 2016 CPU	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2016-3092	5.3	Apache Commons FileUpload Vulnerability	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-3042	5.4	Cross-site scripting vulnerability	Not affected	Liberty
	CVE-2016-3040	6.3	Open Redirect Vulnerability	Not affected	Liberty
	CVE-2016-2960	3.7	Denial of Service with SIP Services	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-2945	5.0	Weaker security in Liberty API discovery feature	Not affected	Liberty
	CVE-2016-2923	5.3	Information Disclosure vulnerability	Not affected	Liberty
SWEET32	CVE-2016-2183	3.7	IBM Java SDK for January 2017 CPU	IBM HTTP Server and Sweet32 (21 Dec 2017)	9.0 8.5, 8.0, 7.0, Liberty
	CVE-2016-1182 CVE-2016-1182	4.8 4.8	Bypass Security Restrictions Bypass Security Restrictions UDDI (21 June 2018)	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2016-1181 CVE-2016-1181	8.1 8.1	Execute Code Execute Code UDDI (21 June 2018)	Not affected Not affected	9.0, 8.5, 8.0, 7.0 9.0, 8.5. 8.0, 7.0
DROWN	CVE-2016-0800		Not affected bulletin	Not affected bulletin
	CVE-2016-0718	9.8	Not affected	Denial of Service with Expat (13 Sept 2016)	9.0, 8.5, 8.0, 7.0
	CVE-2016-0702	2.9	Not affected	Vulnerability in GSKit Component	9.0, 8.5, 8.0
	CVE-2016-0488	4.0	IBM Java SDK for January 2016 CPU	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2016-0475	5.8	IBM Java SDK for January 2016 CPU	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2016-0466	5.0	IBM Java SDK for January 2016 CPU	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2016-0389	5.3	Information Disclosure Vulnerability	Not affected	Liberty
	CVE-2016-0385	3.1	Bypass security restrictions	Not affected	9.0, 8.5, 8.0, 7.0, Liberty
	CVE-2016-0378	3.7	Information Disclosure Vulnerability	Not affected	Liberty
	CVE-2016-0377	4.3	Information Disclosure vulnerability	Not affected	8.5, 8.0, 7.0
	CVE-2016-0360	8.1	Deserialize objects with MQ Resource adapter 14.03.2017	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2016-0359	6.1	HTTP Response Splitting	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2016-0306	3.7	Security vulnerability if FIPS 140-2 is enabled	Not affected	8.5, 8.0,7.0, Liberty
	CVE-2016-0283	6.1	Cross-site scripting vulnerability	Not affected	Liberty
	CVE-2016-0201	5.9	Not affected	Vulnerability in GSKit component	8.5, 8.0, 7.0

2015 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
SLOTH	CVE-2015-7575	7.1	IBM Java SDK for January 2016 CPU	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2015-7450	9.8	Vulnerability in Apache Commons affects IBM WebSphere Application Server (21 Dec 2017)	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2015-7420	3.7	Not affected	Vulnerability in GSKit component	8.5, 8.0, 7.0
	CVE-2015-7417	5.4	Cross-site scripting with OAuth	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2015-5006	4.6	IBM Java SDK for October 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-4947	7.5	Not affected	Stack buffer overflow	8.5, 8.0, 7.0, 6.1
	CVE-2015-4938	3.5	Spoof servlet vulnerabilities		8.5, 8.0, 7.0, Liberty
	CVE-2015-4872	5.0	IBM Java SDK for October 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-4749	4.3	IBM Java SDK for July 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-4734	5.0	IBM Java SDK for October 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
Log Jam	CVE-2015-4000	4.3	Logjam with Diffie-Hellman ciphers	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-3183	6.1	Not affected	HTTP Request smuggling	8.5, 8.0, 7.0, 6.1
Bar Mitzvah	CVE-2015-2808	5.0	Vulnerability in RC4 stream cipher affects WebSphere Application Server	Vulnerability in RC4 stream cipher affects IBM HTTP Server and Caching Proxy	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-2625	2.6	IBM Java SDK for July 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-2613	5.0	IBM Java SDK for July 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-2601	5.0	IBM Java SDK for July 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-2017	5.0	HTTP response splitting attack	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2015-1946	4.1	Gain elevated privileges	Not affected	8.5, 8.0, 7.0
	CVE-2015-1936	4	Hijack users session vulnerability	Not affected	8.5, 8.0
	CVE-2015-1932	5	Information Disclosure vulnerability	Not affected	8.5, 8.0, 7.0
	CVE-2015-1931	2.1	IBM Java SDK for July 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-1927	6.8	Gain elevated privileges vulnerability	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2015-1920	9.3	Security vulnerability with management port in WebSphere Application Server	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2015-1916	5.0	IBM Java SDK for April 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-1885	9.3	Gain elevated privileges with OAuth grant password	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2015-1882	8.5	Gain elevated privileges with EJB	Not affected	Liberty
	CVE-2015-1829	5.0	Not affected	Denial of Service on Windows with IBM HTTP Server	8.5, 8.0, 7.0, 6.1
	CVE-2015-1788	5.0	Not affected	Denial of Service in GSKIT with IBM HTTP Server	8.5, 8.0
	CVE-2015-1283	6.8	Not affected	Denial of Service with IBM HTTP Server	8.5, 8.0, 7.0, 6.1
	CVE-2015-0899	4.3	Bypass security	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2015-0488	5.0	IBM Java SDK for April 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-0478	4.3	IBM Java SDK for April 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-0410	5.0	IBM Java SDK for January 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2015-0400	5.0	IBM Java SDK for January 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2015-0254	7.5	Security vulnerability in Apache Standard Taglibs	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-0250	4.3	Security vulnerability in Apache Batik	Not affected	8.5, 8.0, 7.0, 6.1
Ghost	CVE-2015-0235		Not affected	Not affected
	CVE-2015-0226	5.0	Security vulnerability in Apache WSS4J	Not affected	8.5
	CVE-2015-0204	4.3	IBM Java SDK for April 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2015-0174	3.5	Information disclosure with SNMP	Not affected	8.5
	CVE-2015-0175	4.0	Gain elevated privileges with authData elements	Not affected	Liberty
FREAK	CVE-2015-0138	4.3	Vulnerability with RSA export Keys affects WebSphere Application Server	Vulnerability with RSA export keys affects IBM HTTP Server	8.5, 8.0, 7.0, 6.1, Liberty

2014 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2014-8917	4.3	Cross-site Scripting in Dojo Toolkit	Not affected	8.5, 8.0
	CVE-2014-8890	5.1	Elevated Privileges in Liberty	Not affected	Liberty
TLS Padding	CVE-2014-8730	4.3	Not affected bulletin	TLS Padding in IBM HTTP Server	8.5, 8.0, 7.0, 6.1
	CVE-2014-7810	5.0	Bypass security	Bypass security	9.0, 8.5, 8.0, 7.0, Liberty
Shell shock	CVE-2014-7189 CVE-2014-7186 CVE-2014-7169 CVE-2014-6278 CVE-2014-6277 CVE-2014-6271		Bash Vulnerabilities Not affected but applications could be	Bash Vulnerabilities Not affected but applications could be	Customer application might be vulnerable
	CVE-2014-6593	4.0	IBM Java SDK for January 2015 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-6558	2.6	IBM Java SDK for October 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-6512	4.3	IBM Java SDK for October 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-6457	4.0	IBM Java SDK for October 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-6174	4.3	Click jacking vulnerability	Not affected	8.5, 8.0, 7.0
	CVE-2014-6167		Cross-site scripting	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2014-6166	5.0	Obtain sensitive information	Not affected	8.5, 8.0
	CVE-2014-6164	4.3	Spoofing vulnerability	Not affected	8.5
	CVE-2014-4816	3.5	Not affected	Cross-site scripting vulnerability	8.5, 8.0, 7.0, 6.1, 6.0
	CVE-2014-4770	3.5	Not affected	Cross-site request forgery	8.5, 8.0, 7.0, 6.1, 6.0
	CVE-2014-4767	4.3	Weaker than expected security	Not affected	Liberty
	CVE-2014-4764	7.1	Denial of service	Not affected	8.5, 8.0
	CVE-2014-4263	4.0	IBM Java SDK for July 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-4244	4.0	IBM Java SDK for July 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
POODLE	CVE-2014-3566	4.3	IBM Java SDK for October 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-3083	5.0	Obtain sensitive information	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2014-3070	5.0	Obtain sensitive information	Not affected	8.5, 8.0
	CVE-2014-3068	2.4	IBM Java SDK for July 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-3022	5.0	Bypass security	Not affected	8.5, 8.0
	CVE-2014-3021	5.0	Obtain sensitive information	Not affected	8.5, 8.0, 7.0
	CVE-2014-0965	4.3	Obtain sensitive information	Not affected	8.5, 8.0, 7.0
	CVE-2014-0964	7.1	Denial of service	Not affected	6.1
	CVE-2014-0963	7.1	Not affected	CPU exhaustion	8.5, 8.0, 7.0, 6.1, 6.0
	CVE-2014-0896	4.3	Obtain sensitive information	Not affected	Liberty
	CVE-2014-0891	5.0	Obtain sensitive information	Not affected	8.5, 8.0, 7.0
	CVE-2014-0878	5.8	IBM Java SDK for April 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-0859	5.0	Denial of service	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2014-0857	4.0	Obtain Information	Not affected	8.5, 8.0
	CVE-2014-0823	4.3	View Files	Not affected	8.5, 8.0, Liberty
	CVE-2014-0460	5.8	IBM Java SDK for April 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-0453	4.0	IBM Java SDK for April 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-0411	4.0	IBM Java SDK for January 2014 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2014-0231	5.0	Not affected	Denial of Service	8.5, 8.0, 7.0, 6.1, 6.0
	CVE-2014-0226	7.5	Not affected	Heap buffer overflow	8.5, 8.0, 7.0, 6.1, 6.0
Heartbleed	CVE-2014-0160		Not affected Bulletin	Not affected Bulletin
	CVE-2014-0118	5.0	Not affected	Denial of Service	8.5, 8.0, 7.0, 6.1, 6.0
	CVE-2014-0114 CVE-2014-0114	7.5 7.5	Execute code Execute code UDDI (21 June 2018)	Not affected	7.0, 6.1 9.0, 8.5, 8.0, 7.0
	CVE-2014-0098	5.0	Not affected	Denial of service	8.5, 8.0, 7.0, 6.1
	CVE-2014-0076	2.1	Not affected	Information Disclosure	8.5, 8.0
	CVE-2014-0050	5.0	Denial of service	Not affected	8.5, 8.0, 7.0, 6.1

2013 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2013-6747	7.1	Not affected	Denial of Service	8.5, 8.0, 7.0
	CVE-2013-6738	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2013-6725	3.5	Cross-site scripting	Not affected	8.5, 8.0, 7.0
	CVE-2013-6440	4.3	XML External Entity	Not affected	Liberty
	CVE-2013-6438	4.3	Not affected	Buffer overflow	8.5, 8.0, 7.0
	CVE-2013-6330	2.1	Obtain sensitive information	Not affected	7.0
	CVE-2013-6329	7.8	Not affected	Denial of Service	8.5, 8.0, 7.0, 6.1
	CVE-2013-6325	4.3	Denial of Service	Not affected	8.5, 8.0, 7.0
	CVE-2013-6323	3.5	Cross-site scripting	Not affected	8.5, 8.0, 7.0
	CVE-2013-5802	2.6	IBM Java SDK for Oct 2013 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-5780	4.3	IBM Java SDK for Oct 2013 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-5704	5	Not affected	Bypass security	8.5, 8.0, 7.0, 6.1
	CVE-2013-5425	3.5	Cross-site scripting	Not affected	8.5
	CVE-2013-5418	3.5	Cross-site scripting	Not affected	8.5, 8.0, 7.0
	CVE-2013-5417	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0 Liberty
	CVE-2013-5414	3.5	Privilege escalation	Not affected	8.5, 8.0, 7.0
	CVE-2013-5372	4.3	IBM Java SDK for Oct 2013 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-4053	6.8	Privilege escalation	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-4052	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-4039	4	Obtain sensitive information	Not affected	8.5
	CVE-2013-4006	3.5	Obtain sensitive information	Not affected	Liberty
	CVE-2013-4005	3.5	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-4004	3.5	Cross-site scripting	Not affected	8.5, 8.0
	CVE-2013-3029	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-3024	6.9	Execute code	Not affected	8.5
	CVE-2013-2976	1.9	Obtain sensitive information	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-2967	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-1896	4.3	Not affected	Denial of Service	8.5, 8.0, 7.0, 6.1
	CVE-2013-1862	5.1	Not affected	Command execution	8.5, 8.0, 7.0, 6.1
	CVE-2013-1768	10	Deserialization	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2013-1571	4.3	Clickjacking	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0599	5	Obtain sensitive information	Not affected	8.5
	CVE-2013-0597	3.5	Cross-site scripting	Not affected	8.5, 8.0, 7.0, Liberty
	CVE-2013-0596	4.3	Cross-site scripting	Not affected	6.1
	CVE-2013-0565	4.3	Cross-site scripting	Not affected	8.5
	CVE-2013-0544	3.5	File directory traversal	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0543	6.8	Bypass security	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0542	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0541	1.9	Buffer overflow	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0540	4.9	Bypass security	Not affected	Liberty
	CVE-2013-0482	2.6	Spoofing	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0467	4	Obtain sensitive information	Not affected	8.5
	CVE-2013-0464	4.3	Execute code	Not affected	8.5, 8.0,
	CVE-2013-0462	6.5	Bypass security	Not affected	8.5, 8.0, 7.0, 6.1, Liberty
	CVE-2013-0461	1.2	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0460	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0459	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0458	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0443	4	IBM Java SDK for Feb 2013 CPU	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2013-0440	5	IBM Java SDK for Feb 2013 CPU	Not affected	8.5, 8.0, 7.0, 6.1
Lucky Thirteen	CVE-2013-0169	4.3	IBM Java SDK for Feb 2013 CPU	Side Channel Attack	8.5, 8.0, 7.0, 6.1

2012 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2012-5783	4.3	Spoofing attacks	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2012-4853	4.3	Cross-site request Forgery	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2012-4851	4.3	Cross-site scripting	Not affected	Liberty
	CVE-2012-4850	7.5	Privilege escalation	Not affected	Liberty
	CVE-2012-3330	5	Denial of Service	Not affected	8.5, 8.0, 7.0
	CVE-2012-3325	6	Bypass security	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2012-3311	3	Bypass security	Not affected	8.5, 8.0, 7.0
	CVE-2012-3306	4.3	Weaker security	Not affected	8.5, 8.0, 7.0
	CVE-2012-3305	5.8	File directory traversal	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2012-3304	6.8	Hijack session	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2012-3293	4.3	Cross-site scripting	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2012-2191	5	Not affected	Denial of Service	8.5, 8.0, 7.0, 6.1
	CVE-2012-2190	5	Not affected	Denial of Service	8.5, 8.0, 7.0, 6.1
	CVE-2012-2170	4.3	Obtain sensitive information	Not affected	8.0, 7.0, 6.1
	CVE-2012-2159	4.3	Cross-site scripting	Not affected	8.5, 8.0
	CVE-2012-2098	5	Denial of Service	Not affected	8.5, 8.0, 7.0, 6.1
	CVE-2012-1148	5	Not affected	Denial of Service	9.0, 8.5, 8.0, 7.0
	CVE-2012-1007	4.3	Cross-site scripting	Not affected	9.0, 8.5, 8.0, 7.0
	CVE-2012-0876	5	Not affected	Denial of Service	9.0, 8.5, 8.0, 7.0
	CVE-2012-0720	4.3	Cross-site scripting	Not affected	8.0, 7.0, 6.1
	CVE-2012-0717	2.6	Bypass security	Not affected	7.0, 6.1
	CVE-2012-0716	4.3	Cross-site scripting	Not affected	8.0, 7.0, 6.1
	CVE-2012-0193	5	Denial of Service	Not affected	8.0, 7.0, 6.1

2011 CVEs

Name	CVE	CVSS Score	WebSphere Application Server Bulletin or Assessment	IBM HTTP Server Bulletin or Assessment	Versions Affected
	CVE-2011-4889	5	Weaker security	Not affected	8.0, 7.0, 6.1
	CVE-2011-4343	5	Obtain sensitive information	Not affected	8.5, 8.0, Liberty
	CVE-2011-1377	2.1	Weaker security	Not affected	8.0, 7.0, 6.1
	CVE-2011-1376	4.4	Insecure permissions	Not affected	8.0, 7.0, 6.1

For Security vulnerabilities in guest operating systems of IBM WebSphere Application Server Hypervisor Edition, refer to this bulletin - IBM WebSphere Hypervisor Edition Vulnerabilities in Operating System.

[{"Product":{"code":"SSEQTP","label":"WebSphere Application Server"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":"Security","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"},{"code":"PF035","label":"z\/OS"}],"Version":"9.0.0.0;8.5.5;8.5;8.0;7.0;6.1","Edition":"Advanced;Base;Developer;Express;Liberty;Network Deployment"},{"Product":{"code":"SSEQTJ","label":"IBM HTTP Server"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSCKBL","label":"WebSphere Application Server Hypervisor Edition"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""},{"Product":{"code":"SSD28V","label":"WebSphere Application Server Liberty Core"},"Business Unit":{"code":"BU004","label":"Hybrid Cloud"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":""}]

Document Information

Modified date:
14 October 2019

UID

swg21984533

Add Content

IBM Support

Tips