IBM Support

PI37396: Potential spoofing vulnerability in WebSphere Application Server

Download


Abstract

Potential spoofing vulnerability in WebSphere Application Server CVE-2015-4938

Download Description

PI37396 resolves the following problem:

ERROR DESCRIPTION:
IBM WebSphere Application Server could allow a remote attacker to spoof a servlet. An attacker could exploit this vulnerability to persuade a user to enter sensitive information.

LOCAL FIX:
None

PROBLEM SUMMARY:
Potential spoofing vulnerability in WebSphere Application Server CVE-2015-4938

RECOMMENDATION: Apply this interim fix.

PROBLEM CONCLUSION:
Code corrected.

7.0.0.27-WS-WAS-IFPI37396.pak applies to fixpacks 7.0.0.27 through 7.0.0.37.
8.0.0.5-WS-WAS-IFPI37396.zip applies to fixpacks 8.0.0.5 through 8.0.0.10.
8.5.0.1-WS-WAS-IFPI37396.zip applies to the full profile, fixpack 8.5.0.1.
8.5.5.3-WS-WAS-IFPI37396.zip applies to the full profile, fixpacks 8.5.5.3 through 8.5.5.6.
8.5.5.5-WS-WLP-IFPI37396.zip applies to the Liberty profile, fixpack 8.5.5.5.
8.5.5.6-WS-WLP-IFPI37396.zip applies to the Liberty profile, fixpack 8.5.5.6.
8.5.0.2-WS-WASProd_WLPArchive-IFPI37396.jar is an archived fix that applies to the Liberty profile, fixpack 8.5.0.2.
8555-wlp-archive-IFPI37396.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.5.
8556-wlp-archive-IFPI37396.jar is an archive fix that applies to the Liberty profile, fixpack 8.5.5.6.

Prerequisites

Please download the UpdateInstaller below to install this fix.

UpdateInstaller (US English, size 7250000, platform AIX): http://www.ibm.com/support/docview.wss?rs=180&uid=swg21205991

Installation Instructions

Please review the readme.txt for detailed installation instructions.

Readme files (label, language, size, URL):

WebSphere 7.0 readme (full profile), US English, 5178: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI37396/7.0.0.37/readme.txt
WebSphere 8.0 readme (full profile), US English, 2498: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI37396/8.0.0.10/readme.txt
WebSphere 8.5 readme (full profile), US English, 2675: ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PI37396/8.5.5.6/readme.txt
WebSphere 8.5.0.2 readme (Liberty profile), US English, 2569: ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI37396/8.5.0.2/readme.txt
WebSphere 8.5.5.5 readme (Liberty profile), US English, 6385: ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI37396/8.5.5.5/readme.txt
WebSphere 8.5.5.6 readme (Liberty profile), US English, 1916: ftp://public.dhe.ibm.com/software/websphere/appserv/wlparchive/support/fixes/PI37396/8.5.5.6/readme.txt
Fix downloads (label, date, language, size, platform, URL):

7.0.0.27-WS-WAS-IFPI37396, 08-05-2015, US English, 183773, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=7.0.0.27-WS-WAS-IFPI37396&productid=WebSphere Application Server&brandid=5
8.0.0.5-WS-WAS-IFPI37396, 14 Aug 2015, US English, 267340, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.0.0.5-WS-WAS-IFPI37396&productid=WebSphere Application Server&brandid=5
8.5.0.1-WS-WAS-IFPI37396, 28 Aug 2015, US English, 262398, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.0.1-WS-WAS-IFPI37396&productid=WebSphere Application Server&brandid=5
8.5.5.3-WS-WAS-IFPI37396, 17 Aug 2015, US English, 266364, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.3-WS-WAS-IFPI37396&productid=WebSphere Application Server&brandid=5
8.5.5.5-WS-WLP-IFPI37396, 17 Aug 2015, US English, 378887, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.5-WS-WLP-IFPI37396&productid=WebSphere Application Server&brandid=5
8.5.5.6-WS-WLP-IFPI37396, 17 Aug 2015, US English, 390906, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.5.6-WS-WLP-IFPI37396&productid=WebSphere Application Server&brandid=5
8.5.0.2-WS-WASProd_WLPArchive-IFPI37396, 18 Aug 2015, US English, 2309470, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8.5.0.2-WS-WASProd_WLPArchive-IFPI37396&productid=WebSphere Application Server&brandid=5
8555-wlp-archive-IFPI37396, 18 Aug 2015, US English, 1763984, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8555-wlp-archive-IFPI37396&productid=WebSphere Application Server&brandid=5
8556-wlp-archive-IFPI37396, 18 Aug 2015, US English, 1997895, AIX: http://www-933.ibm.com/eserver/support/fixes/fixcentral/swgquickorder?fixes=8556-wlp-archive-IFPI37396&productid=WebSphere Application Server&brandid=5

Technical Support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Product: WebSphere Application Server
Business Unit: Cloud & Data Platform
Component: General
Platform: AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS
Version: 8.5.5.6; 8.5.5.5; 8.5.5.4; 8.5.5.3; 8.5.0.2; 8.5.0.1; 8.0.0.9; 8.0.0.8; 8.0.0.7; 8.0.0.6; 8.0.0.5; 8.0.0.10; 7.0.0.37; 7.0.0.35; 7.0.0.33; 7.0.0.31; 7.0.0.29; 7.0.0.27
Edition: Base; Developer; Enterprise; Express; Liberty; Network Deployment; Single Server; WebSphere Business Integration Server Foundation
Line of Business: Automation

Document Information

Modified date:
15 June 2018

UID

swg24040530