Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server Version 7.0.0.37

Vulnerability Details

CVE ID: CVE-2014-6167 (APAR PI23819)

DESCRIPTION: IBM WebSphere Application Server may be vulnerable to cross-site scripting, caused by improper validation of session input using URL rewriting. A remote attacker could exploit this vulnerability in a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97748 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

Version 8.5 Full Profile and Liberty Profile

Version 8

Version 7

Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI23819, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.3:

Apply Fix Pack 4 (8.5.5.4), or later.

For V8.0.0.0 through 8.0.0.9:

Apply Fix Pack 10 (8.0.0.10), or later.

For V7.0.0.0 through 7.0.0.35:

Apply Fix Pack 37 (7.0.0.37), or later.

Workaround(s): None known
Mitigation(s): None known


CVE ID: CVE-2014-6174 (APAR PI27152)

DESCRIPTION: IBM WebSphere Application Server Administrative Console could allow a remote attacker to hijack the clicking action of the victim. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim's click actions or launch other client-side browser attacks.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/98486 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

Version 8.5 Full Profile

Version 8

Version 7

Remediation/Fixes: The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

Fix:
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI27152, as noted below:

For IBM WebSphere Application Server

For V8.5.0.0 through 8.5.5.3:

Apply Interim Fix PI27152

-- OR

Apply Fix Pack 4 (8.5.5.4), or later.

For V8.0.0.0 through 8.0.0.9:

Apply Interim Fix PI27152

-- OR

Apply Fix Pack 10 (8.0.0.10), or later.

For V7.0.0.0 through 7.0.0.35:

Apply Interim Fix PI27152

-- OR

Apply Fix Pack 37 (7.0.0.37), or later.

Workaround(s): None known
Mitigation(s): None known

CVE IDs: CVE-2014-3566 (APAR PI27904)

DESCRIPTION: SSLv3 contains a vulnerability that has been referred to as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack. SSLv3 is enabled by default in the Apache based IBM HTTP Server.

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to Vulnerability in SSLv3 affects IBM HTTP Server for remediation information.

CVE IDs: CVE-2014-8730 (APAR PI31516)

DESCRIPTION: Transport Layer Security (TLS) padding vulnerability via a POODLE (Padding Oracle On Downgraded Legacy Encryption) like attack affects IBM HTTP Server.

Affected Versions/Remediation/Fixes/Workaround/Mitigation
Please refer to TLS padding vulnerability affects IBM HTTP Server for remediation information.

If you are using an earlier unsupported release, IBM strongly recommends that you upgrade.