Wednesday, November 1, 2017

IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix

WebSphere Application Server may have insecure file permissions after custom startup scripts are run. The custom startup script will not pull the umask from the server.xml. This may cause some log files to have different permissions than expected.

There is an information disclosure in the WebSphere Application Server Proxy Server or On-Demand-Router (ODR). This only occurs when the system clock is changed. If the system clock is changed, it could cause stale data to be cached and served.

There is a potential cross-site scripting vulnerability in the Admin Console for WebSphere Application Server.

There are multiple vulnerabilities in the IBM HTTP Server used by WebSphere Application Server.

There is a potential security vulnerability in the WebSphere Application Server Admin Console if you have updated the web services security bindings settings. If you changed the cipher suites in the web services security bindings settings, they may not have been saved properly and may therefore provide weaker security than you expected. Verify that your settings are what you expect.

WebSphere Application Server traditional 9.0.0.4 added a new feature using the PasswordUtil command to enable AES password encryption. If you used this feature, then you have a potential for weaker than expected security, since some passwords did not get encrypted as you might have expected. If you didn't use this new feature, then you are not affected by this vulnerability. This does not affect passwords with the default XOR encoding, or passwords with custom encryption.

There are two potential information disclosure vulnerabilities that affect the JavaServer Faces (JSF) component used by WebSphere Application Server.
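For the file-permission issue above, one way to check whether existing log files carry permission bits that the intended umask should have cleared. This is an added example, not part of the IBM bulletin; the function name is hypothetical, the log directory and expected umask are supplied by the operator, and GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# audit_log_modes DIR UMASK   (hypothetical helper, added example)
# Lists regular files under DIR whose mode has any bit set that UMASK
# should have masked off at creation time.
# Returns 0 if every file complies, 1 if any file is too permissive,
# 2 on bad arguments. Assumes GNU stat (-c) and file names without newlines.
audit_log_modes() {
    alm_dir=$1
    alm_umask=$2

    # The umask must be a non-empty octal string such as 027.
    case $alm_umask in
        ''|*[!0-7]*) echo "umask must be octal, e.g. 027" >&2; return 2 ;;
    esac
    [ -d "$alm_dir" ] || { echo "not a directory: $alm_dir" >&2; return 2; }

    # For each file, AND its octal mode with the umask. Any non-zero result
    # is a bit the umask should have cleared (for example world-read under 027).
    alm_findings=$(find "$alm_dir" -type f -exec stat -c '%a %n' {} + |
        while read -r alm_mode alm_path; do
            alm_extra=$(( 0$alm_mode & 0$alm_umask ))
            if [ "$alm_extra" -ne 0 ]; then
                printf '%s mode=%s extra_bits=%o\n' \
                    "$alm_path" "$alm_mode" "$alm_extra"
            fi
        done)

    if [ -n "$alm_findings" ]; then
        printf '%s\n' "$alm_findings"
        return 1
    fi
    return 0
}
```

Call it with the server's log directory and the umask you intended the server to run with; each line of output names a file to tighten with `chmod` once the fix from the source bulletin is applied.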

CVE(s): CVE-2017-1382, CVE-2017-1381, CVE-2017-1380, CVE-2017-1501, CVE-2017-1504, CVE-2011-4343, CVE-2017-1583

Affected product(s) and affected version(s):

These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server:

  • Liberty
  • Version 8.5
  • Version 9.0

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2gUnm96
X-Force Database: http://ift.tt/2uQ5lBY
X-Force Database: http://ift.tt/2uCLXY9
X-Force Database: http://ift.tt/2uPZxIE
X-Force Database: http://ift.tt/2wPBA21
X-Force Database: http://ift.tt/2f8z9mx
X-Force Database: http://ift.tt/2ioSn9c
X-Force Database: http://ift.tt/2gVtBtY

The post IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix appeared first on IBM PSIRT Blog.



from IBM Product Security Incident Response Team http://ift.tt/2gUpvl4
