IBM Support

PI23055;7.0.0.: Potential XSS and CSRF (CVE-2014-4770 and CVE-2014-4816)

Downloadable files
Abstract

There is a potential cross-site scripting (XSS) and a potential cross-site request forgery (CSRF) security vulnerability in WebSphere Application Server.

Download Description

PI23055 resolves the following problem:

ERROR DESCRIPTION:
Potential security exposure in WebSphere Application Server

LOCAL FIX:

PROBLEM SUMMARY:
IBM WebSphere Application Server may be vulnerable to cross-site scripting or cross-site request forgery in the Admin Console.

PROBLEM CONCLUSION:
The code has been updated to resolve this issue.

Prerequisites

Please download the UpdateInstaller below to install this fix.

URL              LANGUAGE    SIZE(Bytes)
UpdateInstaller  US English  7250000

Installation Instructions

Please review the readme.txt for detailed installation instructions.

URL     LANGUAGE    SIZE(Bytes)
Readme  US English  5109

Download package

Download                          RELEASE DATE  LANGUAGE    SIZE(Bytes)  Download Options
7.0.0.27-WS-WAS-IFPI23055         09-16-2014    US English  100585       HTTP
7.0.0.27-WS-WASEmbeded-IFPI23055  09-16-2014    US English  67998        HTTP

Technical support

Contact IBM Support using SR (http://www.ibm.com/software/support/probsub.html), visit the WebSphere Application Server support web site (http://www.ibm.com/software/webservers/appserv/was/support/), or contact 1-800-IBM-SERV (U.S. only).

Problems (APARS) fixed
PI13887, PI17532, PI23055, PM73048, PM76830, PM79992, PM83937

Document information

More support for: WebSphere Application Server, Administrative Console (all non-scripting)

Software version: 7.0.0.27, 7.0.0.29, 7.0.0.31, 7.0.0.33

Operating system(s): AIX, HP-UX, IBM i, Inspur K-UX, Linux, Solaris, Windows, iOS, z/OS

Software edition: Advanced, Base, Developer, Network Deployment, Single Server

Reference #: 4038407

Modified date: 18 September 2014