
Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3

Security Bulletin


Summary

Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3, IBM WebSphere Application Server Hypervisor 8.5.5.3 and IBM HTTP Server 8.5.5.3.

Vulnerability Details

CVE ID: CVE-2014-3022 (APAR PI09594)

DESCRIPTION:
WebSphere Application Server allows for an information disclosure when an error page is displayed using a specially crafted URL.

CVSS:

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93060 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8
  • Version 7

    Remediation/Fixes:
    The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
    Fix:

    Apply a Fix Pack or PTF containing this APAR PI09594, as noted below:

    For IBM WebSphere Application Server

    For V8.5.0.0 through 8.5.5.2:
  • Apply Fix Pack 3 (8.5.5.3), or later.

    For V8.0.0.0 through 8.0.0.8:
  • Apply Fix Pack 9 (8.0.0.9), or later.

    For V7.0.0.0 through 7.0.0.31:
  • Apply Fix Pack 33 (7.0.0.33), or later.

    Workaround(s):
    None known
    Mitigation(s):
    None known


    CVE ID: CVE-2014-0965 (APAR PI11434)

    DESCRIPTION:
    WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper handling of SOAP responses.

    CVSS:

    CVSS Base Score: 4.3
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92878 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)


    AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
  • Version 8.5
  • Version 8
  • Version 7

    Remediation/Fixes:
    The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
    Fix:

    Apply a Fix Pack or PTF containing this APAR PI11434, as noted below:

    For IBM WebSphere Application Server

    For V8.5.0.0 through 8.5.5.2:
  • Apply Fix Pack 3 (8.5.5.3), or later.

    For V8.0.0.0 through 8.0.0.8:
  • Apply Fix Pack 9 (8.0.0.9), or later.

    For V7.0.0.0 through 7.0.0.31:
  • Apply Fix Pack 33 (7.0.0.33), or later.

    Workaround(s):
    None known
    Mitigation(s):
    None known


    CVE ID: CVE-2014-0098 (APAR PI13028)

    DESCRIPTION:
    IBM HTTP Server may be vulnerable to a denial of service, caused by certain cookies being logged in the access log. A remote attacker could exploit this vulnerability to cause the server process to hang or crash. This only affects users that have modified their configuration to add cookie logging.

    CVSS:
    CVSS Base Score: 5.0
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

    Affected Versions/Remediation/Fixes/Workaround/Mitigation
    Please refer to WebSphere Application Server Security bulletin for CVE-2014-0098 for remediation information.

    CVE ID: CVE-2014-3070 (APAR PI16765)

    DESCRIPTION:
    WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by improper account creation with the Virtual Member Manager SPI Admin Task addFileRegistryAccount.

    CVSS:
    CVSS Base Score: 5.0
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93777 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

    Affected Versions/Remediation/Fixes/Workaround/Mitigation
    Please refer to WebSphere Application Server Security bulletin for CVE-2014-3070 for remediation information.


    CVE ID: CVE-2014-0963 (APAR PI17025)

    DESCRIPTION:
    IBM HTTP Server is affected by a problem with the handling of certain SSL messages. The TLS implementation can, under very specific conditions, cause CPU utilization to rapidly increase. The situation occurs only in a certain error case that causes a single thread to begin looping. If this happens multiple times, more threads will begin to loop and an increase in CPU utilization will be seen. This increase could ultimately result in CPU exhaustion and unresponsiveness of the IBM HTTP Server and other software running on the affected system.

    This issue can affect the availability of the system, but does not impact system confidentiality or integrity. This vulnerability can be remotely exploited, authentication is not required and the exploit is moderately complex.

    To determine if your systems are being affected by this issue, you can monitor the CPU utilization for IBM HTTP Server instances, or monitor the mod_mpmstats output written to the ErrorLog.

    CVSS:
    CVSS Base Score: 7.1
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92844 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

    Affected Versions/Remediation/Fixes/Workaround/Mitigation
    Please refer to WebSphere Application Server Security bulletin for CVE-2014-0963 for remediation information.


    CVE ID: CVE-2014-3083 (APAR PI17768)

    DESCRIPTION:
    WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

    CVSS:

    CVSS Base Score: 5.0
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93954 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)


    AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8.5 Liberty Profile if you have installed the Portlet Container feature from the WASdev Liberty Repository.
  • Version 8
  • Version 7

    Remediation/Fixes:
    Remediation is needed for WebSphere Application Server, and your own portlets may also need to be updated to avoid this issue (see "Remediation for portlets" below). The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
    Fix:

    Apply an Interim Fix, Fix Pack or PTF containing this APAR PI17768, as noted below:

    For IBM WebSphere Application Server

    For V8.5.0.0 through 8.5.5.2 (Full Profile):
  • Apply Fix Pack 3 (8.5.5.3), or later.
    -- Or --
  • Apply Interim Fix PI17768

    For V8.5.0.0 through 8.5.5.2 (Liberty Profile):
    If you have installed the Portlet Container Feature from the WASdev Liberty Repository:
  • Remove the Portlet Container feature from your Liberty Profile server by deleting the following files and directories:
    usr\extension\dev\api\spec\com.ibm.websphere.appserver.api.portlet_2.0.0.jar
    usr\extension\dev\api\spec\com.ibm.ws.javaee.ccpp_1.0.0.jar
    usr\extension\dev\api\spec\com.ibm.ws.javaee.portlet_2.0.0.jar
    usr\extension\lib\com.ibm.ws.portletcontainer_2.0.0.jar
    usr\extension\lib\features\com.ibm.websphere.appserver.portlet-2.0.mf
    usr\extension\lib\features\l10n\com.ibm.websphere.appserver.portlet-2.0.properties
    usr\extension\lafiles\com.ibm.websphere.appserver.portlet-2.0 directory and all subdirectories

    Then install the most current version of the Portlet Container from the WASdev Liberty Repository.

    For V8.0.0.0 through 8.0.0.9:
  • Apply Fix Pack 10 (8.0.0.10), or later.
    -- Or --
  • Apply Interim Fix PI17768


    For V7.0.0.0 through 7.0.0.33:
  • Apply Fix Pack 35 (7.0.0.35), or later.
    -- Or --
  • Apply Interim Fix PI17768

    Remediation for portlets:

    All JSR 286 compliant portlets that derive from class javax.portlet.GenericPortlet must override method serveResource.
    An overriding serveResource implementation must not call super.serveResource.
    If the portlet does not use resource serving, an empty implementation of serveResource should be used.


    Example: This empty implementation is correct for a portlet that does not use resource serving:

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response) throws PortletException, IOException {
        // Empty implementation on purpose.
        // logger is assumed to be the portlet's java.util.logging.Logger.
        if (logger.isLoggable(Level.WARNING)) {
            // Unexpected call to serveResource, therefore log a warning.
            logger.log(Level.WARNING, "Unexpected call to serveResource.");
        }
    }


    Example of a WRONG fix:

    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response) throws PortletException, IOException {
        // FIXME This is wrong: Calling super.serveResource does not fix the security issue!
        super.serveResource(request, response);
    }
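    As an added example (not IBM's code and not part of the bulletin), a small Python audit that applies the portlet rule above to Java sources: every direct subclass of GenericPortlet must override serveResource, and that override must not call super.serveResource. The sample Java source is constructed; indirect subclasses and braces inside string literals are not handled (simplifying assumptions).

```python
import re
# Constructed sample Java source (not from the bulletin): a correct empty override,
# the "wrong fix" that delegates to super, and a direct subclass with no override.
SAMPLE_JAVA = """
public class GoodPortlet extends GenericPortlet {
    @Override public void serveResource(ResourceRequest rq, ResourceResponse rs)
            throws PortletException, IOException { /* empty on purpose */ }
}
public class WrongFixPortlet extends javax.portlet.GenericPortlet {
    @Override public void serveResource(ResourceRequest rq, ResourceResponse rs)
            throws PortletException, IOException {
        super.serveResource(rq, rs);   // FIXME: does not fix the issue
    }
}
public class NoOverridePortlet extends GenericPortlet {
    public void doView(RenderRequest rq, RenderResponse rs) { }
}
"""

CLASS_RE = re.compile(r"\bclass\s+(\w+)\s+extends\s+(?:javax\.portlet\.)?GenericPortlet\b")
METHOD_RE = re.compile(r"\bvoid\s+serveResource\s*\([^)]*\)[^{;]*\{")
SUPER_RE = re.compile(r"\bsuper\s*\.\s*serveResource\s*\(")

def strip_comments(src):
    """Drop /* */ and // comments so a super.serveResource mentioned in a comment is ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def brace_body(src, start):
    """Text between the '{' at src[start] and its matching '}' (rest of src if unbalanced)."""
    depth = 0
    for i in range(start, len(src)):
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        if depth == 0:
            return src[start + 1:i]
    return src[start + 1:]

def audit_source(src):
    """Map each direct GenericPortlet subclass to 'ok', 'missing-override' or 'calls-super'."""
    # Assumption: indirect subclasses are not followed; braces in string literals are ignored.
    src = strip_comments(src)
    findings = {}
    for m in CLASS_RE.finditer(src):
        class_body = brace_body(src, src.index("{", m.end()))
        meth = METHOD_RE.search(class_body)
        if meth is None:
            findings[m.group(1)] = "missing-override"
            continue
        inner = brace_body(class_body, meth.end() - 1)
        findings[m.group(1)] = "calls-super" if SUPER_RE.search(inner) else "ok"
    return findings
```

    Running audit_source over SAMPLE_JAVA reports GoodPortlet as ok, WrongFixPortlet as calls-super and NoOverridePortlet as missing-override; the latter two are the cases the bulletin says still need remediation.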


    Workaround(s):
    None known
    Mitigation(s):
    None known

    CVE ID: CVE-2014-0076 (APAR PI19700)

    DESCRIPTION:
    The GSKit component in IBM HTTP Server could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic curve Digital Signature Algorithm).

    CVSS:

    CVSS Base Score: 2.1
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91990 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:L/AC:L/Au:N/C:P/I:N/A:N)


    AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5
  • Version 8

    Remediation/Fixes:
    No action is required unless all of these conditions are met:
  • SSL is enabled
  • IBM HTTP Server is Version 8 or later
  • SSLCipherSpec has enabled ECDHE_ECDSA* ciphers
  • Configured certificate uses an ECC key rather than RSA
  • Configured certificate was created by a tool other than ikeyman or gskcapicmd

    Fix:

    If all of the above conditions are met, then apply the appropriate Fix Pack, PTF, or Interim Fix containing APAR PI19700, as noted below. If the SSLFIPSEnable directive is specified, the vulnerability remains after applying the fix. As a remediation, disable SSLFIPSEnable, or change any of the above conditions.

    For affected IBM HTTP Server:

    For V8.5.0.0 through 8.5.5.2:
  • Apply Fix Pack 3 (8.5.5.3), or later.
    -- Or --
  • Apply Interim Fix PI19700

    For V8.0.0.0 through 8.0.0.8:
  • Apply Fix Pack 9 (8.0.0.9), or later.
    -- Or --
  • Apply Interim Fix PI19700

    Workaround(s):
    None known
    Mitigation(s):
    None known


    CVE ID: CVE-2014-4764 (APAR PI21189)

    DESCRIPTION:
    WebSphere Application Server on Windows using Load Balancer for IPv4 Dispatcher component may be vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the Load Balancer to crash.

    CVSS:

    CVSS Base Score: 7.1
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94723 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)


    AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
  • Version 8.5
  • Version 8

    Remediation/Fixes:
    The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
    Fix:

    Apply a Fix Pack or PTF containing this APAR PI21189, as noted below:

    For IBM WebSphere Application Server

    For V8.5.0.0 through 8.5.5.2:
  • Apply Fix Pack 3 (8.5.5.3), or later.


    For V8.0.0.0 through 8.0.0.9:
  • Apply Fix Pack 10 (8.0.0.10), or later.

    Workaround(s):
    None known
    Mitigation(s):
    None known


    CVE ID: CVE-2014-4767 (APAR PI21284)

    DESCRIPTION:
    WebSphere Application Server Liberty Profile could provide weaker than expected security when installing features via the Liberty Repository. A remote attacker could exploit this vulnerability to cause the installation of malicious code.

    CVSS:

    CVSS Base Score: 4.3
    CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94832 for the current score
    CVSS Environmental Score*: Undefined
    CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


    AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
  • Version 8.5 Liberty Profile

    Remediation/Fixes:
    The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.
    Fix:

    Apply an Interim Fix, Fix Pack or PTF containing this APAR PI21284, as noted below:

    For IBM WebSphere Application Server

    For V8.5.0.0 through 8.5.5.2:
  • Apply Fix Pack 3 (8.5.5.3), or later.
    -- Or --
  • Apply Interim Fix PI21284

    Workaround(s):
    None known
    Mitigation(s):
    None known


    IBM SDK: Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 8.5.5.3
    http://www-01.ibm.com/support/docview.wss?uid=swg21680418

    Important note

    IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

    References

    Complete CVSS v2 Guide
    On-line Calculator v2

    Related information

    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog

    Change History

    18 August 2014: original document published
    04 September 2014: added links to interim fixes

    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
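    As an added example (not part of the IBM bulletin), the CVSS v2 base-score formula applied to the vector strings printed in this bulletin, so each listed base score can be recomputed from its vector; the metric weights are those of the CVSS v2 specification.

```python
# CVSS v2 base-metric weights from the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

def parse_vector(vector):
    """'(AV:N/AC:M/Au:N/C:P/I:N/A:N)' -> {'AV': 'N', ...}; ValueError if malformed."""
    parts = dict(p.split(":") for p in vector.strip("() ").split("/"))
    expected = {"AV", "AC", "Au", "C", "I", "A"}
    if set(parts) != expected:
        raise ValueError(f"vector must contain exactly {sorted(expected)}: {vector}")
    return parts

def cvss2_base_score(vector):
    """CVSS v2 base score, rounded to one decimal, for a base vector string."""
    v = parse_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[v["C"]]) * (1 - IMPACT[v["I"]]) * (1 - IMPACT[v["A"]]))
    exploitability = 20 * ACCESS_VECTOR[v["AV"]] * ACCESS_COMPLEXITY[v["AC"]] * AUTHENTICATION[v["Au"]]
    f_impact = 0 if impact == 0 else 1.176   # f(Impact) is 0 only when all three impacts are None
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

# Vectors and base scores as printed in this bulletin, for a cross-check.
BULLETIN_ENTRIES = [
    ("CVE-2014-3022", "(AV:N/AC:M/Au:N/C:P/I:N/A:N)", 4.3),
    ("CVE-2014-0098", "(AV:N/AC:L/Au:N/C:N/I:N/A:P)", 5.0),
    ("CVE-2014-0963", "(AV:N/AC:M/Au:N/C:N/I:N/A:C)", 7.1),
    ("CVE-2014-0076", "(AV:L/AC:L/Au:N/C:P/I:N/A:N)", 2.1),
    ("CVE-2014-4767", "(AV:N/AC:M/Au:S/C:N/I:P/A:N)", 4.3),
]

def check_bulletin(entries=BULLETIN_ENTRIES):
    """Return (cve, vector, printed, computed) for entries whose printed score disagrees with the vector."""
    return [(cve, vec, printed, cvss2_base_score(vec))
            for cve, vec, printed in entries if cvss2_base_score(vec) != printed]
```

    The check flags CVE-2014-4767: the vector printed for it evaluates to 3.5 under the v2 formula, not the listed 4.3, so confirm both vector and score against the linked X-Force entry before relying on either.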

    Disclaimer

    According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

    Cross reference information
    Segment Product Component Platform Version Edition
    Application Servers IBM HTTP Server
    Application Servers WebSphere Application Server Hypervisor Edition

    Document information

    More support for: WebSphere Application Server
    General

    Software version: 7.0, 8.0, 8.5, 8.5.5

    Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

    Software edition: Base, Developer, Enterprise, Liberty, Network Deployment

    Reference #: 1681249

    Modified date: 13 October 2014