PI44105: The WebSphere eXtreme Scale 7.1.0 monitoring console lacks protection for various vulnerabilities.

APAR status

  • Closed as program error.

Error description

  • These vulnerabilities in the WebSphere eXtreme Scale 7.1.0
    monitoring console may allow an attacker to gain access to
    the monitoring console, getting access to statistics data on
    grid usage or to potentially sensitive information in the grid.
    

Local fix

Problem summary

  • ****************************************************************
    * USERS AFFECTED:  All users of WebSphere eXtreme Scale        *
    *                  versions 7.1.0.                             *
    ****************************************************************
    * PROBLEM DESCRIPTION: The WebSphere eXtreme Scale 7.1.0       *
    *                      monitoring console lacks protection     *
    *                      for various vulnerabilities.            *
    ****************************************************************
    * RECOMMENDATION:                                              *
    ****************************************************************
    CVEID: CVE-2015-2025
    DESCRIPTION: IBM WebSphere Extreme Scale could allow a remote
    attacker to obtain sensitive information, caused by the
    failure to set the secure flag for the session cookie in SSL
    mode. By intercepting its transmission within an HTTP session,
    an attacker could exploit this vulnerability to capture the
    cookie and obtain sensitive information.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104053 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

    CVEID: CVE-2015-2026
    DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to
    cross-site request forgery, caused by improper validation of
    user-supplied input. By persuading an authenticated user to
    visit a malicious Web site, a remote attacker could send a
    malformed HTTP request. An attacker could exploit this
    vulnerability to perform cross-site scripting attacks, Web
    cache poisoning, and other malicious activities.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104054 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    CVEID: CVE-2015-2027
    DESCRIPTION: IBM WebSphere Extreme Scale could allow a local
    user to bypass security on another user's session due to it
    improperly logging out the previous user.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104056 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    CVEID: CVE-2015-2028
    DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to an
    HTTP response splitting attack. A remote unauthenticated
    attacker could specify a specially crafted URL to inject a
    malicious response to future requests.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104057 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    CVEID: CVE-2015-2029
    DESCRIPTION: IBM WebSphere Extreme Scale could allow a remote
    attacker to hijack a user's session, caused by the failure to
    invalidate an existing session identifier. An attacker could
    exploit this vulnerability to gain access to another user's
    session.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104058 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

    CVEID: CVE-2015-2030
    DESCRIPTION: IBM WebSphere Extreme Scale uses an inadequate
    account lockout setting that could allow a remote attacker to
    brute force account credentials.
    CVSS Base Score: 5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104070 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    CVEID: CVE-2015-2031
    DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to
    cross-site scripting, caused by improper validation of
    user-supplied input. A remote attacker could exploit this
    vulnerability using a specially crafted URL to execute script
    in a victim's Web browser within the security context of the
    hosting Web site, once the URL is clicked. An attacker could
    use this vulnerability to steal the victim's cookie-based
    authentication credentials.
    CVSS Base Score: 3.5
    CVSS Temporal Score: See
    http://xforce.iss.net/xforce/xfdb/104071 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
    
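Three of the weaknesses above (the session cookie sent over SSL without the Secure flag, CVE-2015-2025; CR/LF reaching a response header, CVE-2015-2028; and a session identifier that survives login, CVE-2015-2029) are generic web-application defects that an operator can check for independently of the product. The script below is an added example for this APAR page, not IBM code and not taken from WebSphere eXtreme Scale: it audits a response's Set-Cookie headers for the missing flags, rejects header values containing CR or LF before they are written out, and rotates the session id on login. It assumes a Java-servlet-style JSESSIONID cookie; the response headers and session store it uses are constructed for the example.

```python
"""Defensive checks for three of the weaknesses listed in APAR PI44105.

Added example, not IBM code. Audits Set-Cookie headers for a session cookie
sent without Secure/HttpOnly (CVE-2015-2025), rejects CR/LF in header values
before they reach a response (CVE-2015-2028), and rotates the session id on
login so a pre-authentication id is worthless afterwards (CVE-2015-2029).
All headers and session data below are constructed for this example.
"""
import secrets
from typing import Dict, List, Tuple

# Assumption: the console runs in a Java servlet container whose default
# session cookie is JSESSIONID; change this to the cookie name actually in use.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Return (cookie name, lower-cased attribute map) for one Set-Cookie value."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        if attr:
            key, _, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def audit_session_cookies(headers: List[Tuple[str, str]], over_tls: bool) -> List[str]:
    """List findings for session cookies; an empty list means no issue found."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie, attrs = parse_set_cookie(value)
        if cookie not in SESSION_COOKIE_NAMES:
            continue
        # Without Secure, a browser also sends the cookie over plain HTTP,
        # where it can be intercepted (CVE-2015-2025).
        if over_tls and "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure flag on a TLS response")
        # HttpOnly keeps the cookie away from script (relevant to CVE-2015-2031).
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly flag")
    return findings


def is_header_value_safe(value: str) -> bool:
    """A CR or LF inside a header value would let a client-controlled string
    start a new header line or the body (CVE-2015-2028); refuse such values."""
    return "\r" not in value and "\n" not in value


def login(sessions: Dict[str, dict], presented_sid: str, user: str) -> str:
    """Authenticate `user` and return a fresh session id.

    State from the unauthenticated session is moved to a new id and the old id
    is removed from the store, so an id known before login cannot be reused
    to reach the authenticated session (CVE-2015-2029).
    """
    state = sessions.pop(presented_sid, {})  # old id is invalidated here
    new_sid = secrets.token_hex(16)
    state["user"] = user
    sessions[new_sid] = state
    return new_sid


# Constructed sample responses (not captured from a real console).
WEAK_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0000AbCdEf:-1; Path=/"),
]
FIXED_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "JSESSIONID=0000AbCdEf:-1; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    print(audit_session_cookies(WEAK_HEADERS, over_tls=True))
    print(audit_session_cookies(FIXED_HEADERS, over_tls=True))
    print(is_header_value_safe("/console/index.jsp"))
    print(is_header_value_safe("/console\r\nSet-Cookie: x=y"))
    store = {"preauth": {"lang": "en"}}
    sid = login(store, "preauth", "admin")
    print("preauth" in store, store[sid])
```

Running the script against a real deployment means feeding `audit_session_cookies` the headers of a login response captured with the operator's own tooling; the `over_tls` argument should reflect whether the console is actually served over SSL, since the Secure flag finding only applies there.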

Problem conclusion

Temporary fix

Comments

APAR Information

  • APAR number

    PI44105

  • Reported component name

    XD EXTREME SCAL

  • Reported component ID

    5724J3402

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2015-07-01

  • Closed date

    2015-09-28

  • Last modified date

    2015-09-28

  • APAR is sysrouted FROM one or more of the following:

    PI44098

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    XD EXTREME SCAL

  • Fixed component ID

    5724J3402

Applicable component levels

  • R710 PSY

       UP

Document Information

Modified date:
23 September 2020