
Security Bulletin: Vulnerabilities in Apache Struts affect IBM WebSphere Portal (CVE-2015-0899, CVE-2016-1181, CVE-2016-1182)

Summary

Fixes are available for vulnerabilities in Apache Struts affecting IBM WebSphere Portal (CVE-2015-0899, CVE-2016-1181, CVE-2016-1182).

Vulnerability Details

CVEID: CVE-2016-1181
DESCRIPTION:
Apache Struts could allow a remote attacker to execute arbitrary code on the system. The flaw is that the ActionForm instance does not protect against unintended remote operations on components held in server memory. An attacker could exploit this vulnerability to execute arbitrary code on the system.
CVSS Base Score: 8.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113852 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

CVEID: CVE-2016-1182
DESCRIPTION:
Apache Struts could allow a remote attacker to bypass security restrictions, caused by the improper validation of input by the Validator. An attacker could exploit this vulnerability to modify validation rules and error messages.
CVSS Base Score: 4.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/113853 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L)

CVEID: CVE-2015-0899
DESCRIPTION:
Apache Struts could allow a remote attacker to bypass security restrictions, caused by an error in the MultiPageValidator implementation. An attacker could exploit this vulnerability using a modified page parameter to bypass restrictions and launch further attacks on the system. This vulnerability also affects other products.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101770 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector (CVSS v2): (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM WebSphere Portal 8.5
IBM WebSphere Portal 8.0
IBM WebSphere Portal 7
IBM WebSphere Portal 6.1
For unsupported versions IBM recommends upgrading to a fixed, supported version of the product.
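The following inventory check is an added example for this page, not IBM-supplied tooling. It walks an install tree, lists every JAR whose name contains "struts" together with the version recorded in its META-INF/MANIFEST.MF, and flags Struts 1.x entries. Scan both the Portal root and the Application Server root, since the bulletin states that fixes for both products are needed. The sample tree that demo() builds is constructed for the example; the /opt/IBM/WebSphere path, the "struts" file-name pattern and the classification of Struts 1.x as the code line carrying the ActionForm and Validator components named above are the example author's assumptions, not statements of the bulletin. Note the caveat: the APAR fixes patch IBM's bundled copy in place, so the manifest version alone does not tell you whether a fix has been applied; the output is the list of JARs whose fix status you then confirm against the APAR readme or the installed cumulative fix level.

```python
"""Inventory the Apache Struts JARs bundled in a WebSphere Portal / WebSphere Application
Server install tree and report their manifest versions. Added example; not IBM tooling."""
import os
import re
import sys
import tempfile
import zipfile
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Any JAR whose file name contains "struts" (struts.jar, struts-core-1.3.10.jar, ...).
# Pattern is an assumption of this example, not something the bulletin specifies.
JAR_NAME_RE = re.compile(r"struts.*\.jar$", re.IGNORECASE)


@dataclass
class StrutsJar:
    path: str
    version: Optional[str]  # from META-INF/MANIFEST.MF, None if absent


def parse_manifest_version(text: str) -> Optional[str]:
    """Pull a version out of a MANIFEST.MF body, trying the usual headers in order."""
    # Manifest lines are wrapped at 72 bytes; a continuation line starts with one space.
    text = text.replace("\r\n", "\n").replace("\n ", "")
    for key in ("Implementation-Version", "Specification-Version", "Bundle-Version"):
        m = re.search(rf"^{re.escape(key)}:\s*(\S+)", text, re.MULTILINE)
        if m:
            return m.group(1)
    return None


def manifest_version(jar_path: str) -> Optional[str]:
    """Read the manifest from a JAR; unreadable archives or missing manifests give None."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            raw = zf.read("META-INF/MANIFEST.MF")
    except (zipfile.BadZipFile, KeyError, OSError):
        return None
    return parse_manifest_version(raw.decode("utf-8", errors="replace"))


def find_struts_jars(root: str) -> List[StrutsJar]:
    """Walk the install tree and collect every Struts JAR with its version."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if JAR_NAME_RE.search(name):
                path = os.path.join(dirpath, name)
                found.append(StrutsJar(path, manifest_version(path)))
    return sorted(found, key=lambda j: j.path)


def is_struts1(version: Optional[str]) -> bool:
    """Struts 1.x is the code line with the ActionForm and Validator components named in
    the bulletin (assumption by the example author, not a statement of the bulletin)."""
    return version is not None and version.split(".")[0] == "1"


def report_lines(root: str) -> List[str]:
    """One tab-separated line per Struts JAR: relative path, version, what to do next."""
    lines = []
    for jar in find_struts_jars(root):
        rel = os.path.relpath(jar.path, root).replace(os.sep, "/")
        if is_struts1(jar.version):
            status = "Struts 1.x: confirm the APAR interim fix or cumulative fix is applied"
        elif jar.version is None:
            status = "no manifest version: inspect the JAR by hand"
        else:
            status = "not Struts 1.x: verify against the APAR readme"
        lines.append(f"{rel}\t{jar.version or '?'}\t{status}")
    return lines


def build_sample_tree(root: str) -> None:
    """Constructed sample tree (not a real Portal layout): two Struts JARs, one unrelated JAR."""
    samples = {
        "PortalServer/shared/app/struts-core-1.3.10.jar":
            "Manifest-Version: 1.0\r\nImplementation-Version: 1.3.10\r\n",
        "AppServer/lib/struts.jar": None,  # JAR with no manifest at all
        "AppServer/lib/commons-logging.jar":
            "Manifest-Version: 1.0\r\nImplementation-Version: 1.1\r\n",
    }
    for rel, manifest in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("placeholder.txt", "")
            if manifest is not None:
                zf.writestr("META-INF/MANIFEST.MF", manifest)


def demo() -> List[Tuple[str, Optional[str], bool]]:
    """Scan the constructed sample tree; returns (relative path, version, is_struts1)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return [(os.path.relpath(j.path, root).replace(os.sep, "/"), j.version, is_struts1(j.version))
                for j in find_struts_jars(root)]


if __name__ == "__main__":
    # Usage: python struts_inventory.py /opt/IBM/WebSphere   (path is an assumed example)
    if len(sys.argv) > 1:
        print("\n".join(report_lines(sys.argv[1])))
    else:
        for row in demo():
            print(row)
```

Run it against the parent directory that holds both the PortalServer and AppServer trees so that Struts copies shipped by either product show up in one report.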

Remediation/Fixes

These issues have been addressed both in IBM WebSphere Portal Server and in IBM WebSphere Application Server, which is shipped with IBM WebSphere Portal Server. The fixes for both products must be applied.


Fix delivery details for IBM WebSphere Portal Server


Product: IBM WebSphere Portal
VRMF: 8.5.0
APARs: PI66606, PI66636, PI66638, PI66641, PI66642
Fix: apply the fixes for the APARs listed
  --or--
  • Upgrade to Cumulative Fix 12 (CF12)
  (Combined Cumulative Fixes for WebSphere Portal 8.5.0.0)

Product: IBM WebSphere Portal
VRMF: 8.0.0 through 8.0.0.1
APARs: PI66606, PI66636, PI66638, PI66641, PI66642, PI66643
Fix: apply the fixes for the APARs listed
  --or--
  • Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 22 (CF22), targeted for 1Q 2017.
  (Combined Cumulative Fixes for WebSphere Portal 8.0.0.1)

Product: IBM WebSphere Portal
VRMF: 7.0.0 through 7.0.0.2
APARs: PI66606, PI66636, PI66638, PI66640, PI66641, PI66642, PI66645
Fix: apply the fixes for the APARs listed
  (Combined Cumulative fixes for WebSphere Portal 7.0.0.2)

Product: IBM WebSphere Portal
VRMF: 6.1.5.0 through 6.1.5.3
APARs: PI66606, PI66636, PI66638, PI66640, PI66641, PI66642, PI66644, PI66645
Fix: apply the fixes for the APARs listed
  (Cumulative fixes for WebSphere Portal 6.1.5.3)

Product: IBM WebSphere Portal
VRMF: 6.1.0.0 through 6.1.0.6
APARs: PI66606, PI66636, PI66638, PI66640, PI66641, PI66642, PI66644, PI66645
Fix: apply the fixes for the APARs listed
  (Cumulative fixes for WebSphere Portal 6.1.0.6)

Refer to the following security bulletin for vulnerability details and information about the fixes delivered through IBM WebSphere Application Server, which is shipped with IBM WebSphere Portal.

Principal Product and Version(s) Affected: IBM WebSphere Portal version 6.1, 7.0, 8.0, and 8.5
Supporting Product and Version Affected: IBM WebSphere Application Server version 6.1, 7.0, 8.0, 8.5
Supporting Product Security Bulletin: Security Bulletin: Vulnerabilities in Apache Struts affect IBM WebSphere Application Server (CVE-2016-1181 and CVE-2016-1182)

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Related information

Change History

25 October 2016: Original version published
3 November 2016: Added link to Interim Fixes for IBM WebSphere Portal 8.5

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: WebSphere Portal

Software version: 6.1, 7.0, 8.0, 8.5

Operating system(s): AIX, HP-UX, IBM i, Linux, Solaris, Windows, z/OS

Reference #: 1988770

Modified date: 03 November 2016