## Summary
Cross reference list for security vulnerabilites fixed in IBM WebSphere Application Server, IBM WebSphere Application Server Hypervisor, WebSphere Application Server Liberty Profile and IBM HTTP Server.
## Vulnerability Details
**CVE ID: **[**_CVE-2014-8890_**]() **
DESCRIPTION: **WebSphere Application Server could allow a remote attacker to gain elevated privileges on the system if the deployment descriptor security constraints are combined with ServletSecurity annotations on a servlet. **
CVSS:** _
CVSS Base Score: 5.1_ _
CVSS Temporal Score: See _[_https://exchange.xforce.ibmcloud.com/vulnerabilities/99009_]() _for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:N/C:P/I:P/A:P)_ **
AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Full Profile
* Version 8.0
**
Remediation/Fixes: **The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. **_
Fix:_**
Apply an Interim Fix, [_Fix Pack or PTF_]() containing this APAR PI31339, as noted below: **
For IBM WebSphere Application Server Full Profile and IBM WebSphere Application Server Hypervisor Edition:
For V8.5.0.0 through 8.5.5.4:**
* Apply Fix Pack 5 (8.5.5.5), or later.
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI31339_]()
**
For V8.0.0.0 through 8.0.0.10:**
* Apply Fix Pack 11 (8.0.0.11), or later.
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI31339_]() []()
**_
Workaround(s):_** If your servlet has constraints in both the annotation and the Deployment Descriptor, combine them to be in the web.xml **_
Mitigation(s):_** None known
**
CVE ID: **[**_CVE-2015-1885_**]() **
DESCRIPTION: **WebSphere Application Server Full Profile and Liberty Profile could allow a remote attacker to gain elevated privileges on the system when OAuth grant type of password is used. **
CVSS:** _
CVSS Base Score: 9.3
CVSS Temporal Score: See _[_https://exchange.xforce.ibmcloud.com/vulnerabilities/101255_]() _for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:C/I:C/A:C)_ **
AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Full Profile and Liberty Profile
* Version 8.0
* Version 7.0
**
Remediation/Fixes: **The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. **_
Fix:_**
Apply an Interim Fix, [_Fix Pack or PTF_]() containing this APAR PI36211 for Full Profile and PI33202 for Liberty Profile, as noted below: **
For IBM WebSphere Application Server and IBM WebSphere Application Server Hypervisor Edition
For V8.5.0.0 through 8.5.5.5 Full Profile: **
* Upgrade to minimal fix pack levels required by interim fix and then apply Interim Fix [_PI36211_]()
— OR
* Apply Fix Pack 6 (8.5.5.6), or later.
* After the fix pack is installed, the fix will not be active until the installed OAuth ear, WebSphereOauth20SP.ear, is updated from the (WAS_HOME)/installableApps directory.
` ` **
For V8.5.0.0 through 8.5.5.4 Liberty Profile:**
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI33202_]()[_ _]()[]()
— OR
* Apply Fix Pack 5 (8.5.5.5), or later.
**
For V8.0.0.0 through 8.0.0.10:**
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI36211_]()
— OR
* Apply Fix Pack 11 (8.0.0.11), or later.
* After the fix pack is installed, the fix will not be active until the installed OAuth ear, WebSphereOauth20SP.ear, is updated from the (WAS_HOME)/installableApps directory.
**
For V7.0.0.0 through 7.0.0.37:**
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI36211_]()
— OR
* Apply Fix Pack 39 (7.0.0.39), or later.
* After the fix pack is installed, the fix will not be active until the installed OAuth ear, WebSphereOauth20SP.ear, is updated from the (WAS_HOME)/installableApps directory.
**_
Workaround(s):_** None known **_
Mitigation(s):_** None known
**
CVEID:** [_CVE-2015-0250_]() **
DESCRIPTION:** Apache Batik could allow a remote attacker to obtain sensitive information. By persuading a victim to open a specially-crafted SVG file, an attacker could exploit this vulnerability to reveal files and obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101614_]() for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
**
AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Full Profile
* Version 8
* Version 7
* Version 6.1
**
Remediation/Fixes: **The recommended solution is to apply the Interim Fix, Fix Pack or PTF for each named product as soon as practical. **_
Fix:_**
Apply an Interim Fix [](), [_Fix Pack or PTF_]() containing this APAR PI39768 or PI49437, as noted below:
**
For IBM WebSphere Application Server Full profile and IBM WebSphere Application Server Hypervisor Edition
For V8.5.0.0 through 8.5.5.5:**
* Apply Fix Pack 6 (8.5.5.6), or later.
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI39768]()
**
For V8.0.0.0 through 8.0.0.10:**
* Apply Fix Pack 11 (8.0.0.11), or later. []()
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI39768]()
**
For V7.0.0.0 through 7.0.0.37:**
* Apply Fix Pack 39 (7.0.0.39), or later. []()
— OR
* Upgrade to minimal fix pack levels as required interim fix and then apply Interim Fix [PI49437]()[]()
**_
_****For V6.1.0.0 through 6.1.0.47:**
* Apply Fix Pack 47 (6.1.0.47), or later and then apply Interim Fix [PI49437]()
**_
Workaround(s):_** None known **_
Mitigation(s):_** None known
**
CVEID:** [_CVE-2015-1927_]() **
DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to gain elevated privileges on the system, caused by an application not having the correct serveServletsbyClassname setting. By a developer not setting the correct property, an attacker could exploit this vulnerability to gain unauthorized access.
CVSS Base Score: 6.8
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102872_]() for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)
**
AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Full Profile and Liberty Profile
* Version 8
* Version 7
**
Remediation/Fixes: **The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. **_
Fix:_**
Apply an Interim Fix [](), [_Fix Pack or PTF_]() containing this APAR PI31622, as noted below:
**_
Please Note:_**This APAR has changed the default value of the WebContainer custom property _com.ibm.ws.webcontainer.disallowServeServletsByClassname_ from false to true so that no security threat could occur. Prior to this change, it was up to the developer to remember to change the custom property to true before deploying into production.
**
Property Name: **_com.ibm.ws.webcontainer.disallowServeServletsByClassname _**
Description: **If set to true, disallows the use of serveServletsByClassnameEnabled at the application server level, overriding any setting of serveServletsByClassnameEnabled at the application level. This property affects all applications. **
Values: **true(default)/false
If you need to change the value please refer to the the following technote for instructions on enabling WebContainer custom properties:
Full Profile: [_https://www-01.ibm.com/support/docview.wss?uid=swg21284395_]()
Liberty Profile: [_https://www-01.ibm.com/support/docview.wss?uid=swg21597753_]() **
For IBM WebSphere Application Server Full profile, IBM WebSphere Application Server Liberty Profile and IBM WebSphere Application Server Hypervisor Edition
For V8.5.0.0 through 8.5.5.5:**
* Apply Fix Pack 6 (8.5.5.6), or later.
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI31622_]()
**
For V8.0.0.0 through 8.0.0.10:**
* Apply Fix Pack 11 (8.0.0.11), or later. []()
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI31622_]()
**
For V7.0.0.0 through 7.0.0.37:**
* Apply Fix Pack 39 (7.0.0.39), or later. []()
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [_PI31622_]()
**_
_****For V6.1.0.0 through 6.1.0.47:**
* Upgrade to Fix Pack 47 (6.1.0.47) and apply Interim Fix [_PI31622_]()
**_Workaround(s):_** Set the custom property _com.ibm.ws.webcontainer.disallowServeServletsByClassName_ to true **_
Mitigation(s):_** None known
**
**
**CVEID:** [_CVE-2015-1932_]()**
DESCRIPTION:** IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise could allow a remote attacker to obtain information that identifies the proxy server software being used.
CVSS Base Score: 5
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/102970_]() for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
**AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Full Profile
* Version 8
* Version 7
* Version 7 IBM WebSphere Virtual Enterprise on WebSphere Application Server Version 7 and Version 8
**
Remediation/Fixes: **The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. **_
Fix:_**
Apply an Interim Fix [](), [_Fix Pack or PTF_]() containing this APAR PI38403, as noted below:
**_Note: _**
By default, the ODR and proxy server will ignore the _http.compliance.via custom_ property and not set the HTTP Via header. A new custom property is being introduced that if set to false will allow the http.compliance.via setting to be honored. The custom property, _http.ignore.compliance.via_ can be set on an ODR or Proxy server.
In the Administrative console, expand Servers>Server Types > On Demand Routers > _server_name_ to open the configuration tab for the server.
Expand On Demand Router settings, click On Demand Router Properties
Under Additional properties, click Custom properties > new.
**_
_****For IBM WebSphere Application Server Full profile, IBM WebSphere Application Server Hypervisor Edition and IBM WebSphere Virtual Enterprise
For V8.5.0.0 through 8.5.5.6:**
* Apply Fix Pack 7 (8.5.5.7) or later.
— OR
* Apply the mitigation below[]()
**
For V8.0.0.0 through 8.0.0.10:**
* Apply Fix Pack 11 (8.0.0.11), or later. []()
— OR
* Apply the mitigation below[]()
**
For V7.0.0.0 through 7.0.0.37:**
* Apply Fix Pack 39 (7.0.0.39), or later. []()
— OR
* Apply the mitigation below[]()
**For IBM WebSphere Virtual Enterprise using WebSphere Application Server V7.0 and V8.0:**
* Apply WebSphere Virtual Enterprise Fix Pack 7 (7.0.0.7) or later (targeted to be available 1Q 2016).
— OR
* Apply the mitigation below
**_
Workaround(s):_** None known
**_
Mitigation(s):_** Remove the custom property _http.compliance.via _or set it to false.
To remove the custom property _http.compliance.via: _
In the Administrative console, expand Servers>Server Types > On Demand Routers > _server_name_ to open the configuration tab for the server.
Expand On Demand Router Properties, click On Demand Router Settings
Under Additional properties, click Custom properties, select the check box next to _http.compliance.via_ property and press the Delete button.
Alternatively, to set the property to false, click on _http.compliance.via_ and change the value of the property to false and press the OK button.
**CVEID:** [_CVE-2015-4938_]()**
DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to spoof a servlet. An attacker could exploit this vulnerability to persuade the user into entering sensitive information.
CVSS Base Score: 3.5
CVSS Temporal Score: See [_https://exchange.xforce.ibmcloud.com/vulnerabilities/104415_]() for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
**AFFECTED VERSIONS**: The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Full Profile and Liberty Profile
* Version 8
* Version 7
**
Remediation/Fixes: **The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical. **_
Fix:_**
Apply an Interim Fix [](), [_Fix Pack or PTF_]() containing this APAR PI37396, as noted below:
**_
_****For IBM WebSphere Application Server Full profile, IBM WebSphere Application Server Liberty Profile and IBM WebSphere Application Server Hypervisor Edition
For V8.5.0.0 through 8.5.5.6:**
* Apply Fix Pack 7 (8.5.5.7), or later.
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI37396]()[]()
**
For V8.0.0.0 through 8.0.0.10:**
* Apply Fix Pack 11 (8.0.0.11), or later. []()
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI37396]()[]()
**
For V7.0.0.0 through 7.0.0.37:**
* Apply Fix Pack 39 (7.0.0.39), or later. []()
— OR
* Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix [PI37396]()[]()
**_
Workaround(s):_** None known **_
Mitigation(s):_** None known
Other APARs shipped with 8.0.0.11 are included in the security bulletins below:
PI39833 [Security bulletin for IBM HTTP Server Windows Denial of Service]()
PI33012 [_Security Bulletin for Dojo Toolkit Vulnerability_]()
PI36563 [_Security Bulletin for RSA Export Keys for WebSphere Application Server_]()
PI36563 [_Security Bulletin for RC4 Stream Cipher for WebSphere Application Server _]()
PI38302 [_Security Bulletin for Management Port for WebSphere Application Server _]()
PI36417 [_Security Bulletin for RSA Export Keys for IBM HTTP Server_]()
PI34229 [_Security Bulletin for RC4 Stream Cipher for IBM HTTP Server_]()
PI31516 [Security Bulletin for TLS padding vulnerability for IBM HTTP Server]()
## Get Notified about Future Security Bulletins
Subscribe to [My Notifications]() to be notified of important product support alerts like this.
## Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the [System z Security web site](). Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
### References
[Complete CVSS v2 Guide]( “Link resides outside of ibm.com” )
[On-line Calculator v2]( “Link resides outside of ibm.com” )
Off
## Related Information
[IBM Secure Engineering Web Portal]()
[IBM Product Security Incident Response Blog]()
## Change History
17 August 2015: original document published
2 September 2015: remove targeted fix pack level for 80011
13 November 2015: updated interim fix PI39768 with PI49437
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
## Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “”AS IS”” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. “Affected Products and Versions” referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
[{“Product”:{“code”:”SSEQTP”,”label”:”WebSphere Application Server”},”Business Unit”:{“code”:”BU059″,”label”:”IBM Software w/o TPS”},”Component”:”General”,”Platform”:[{“code”:”PF002″,”label”:”AIX”},{“code”:”PF010″,”label”:”HP-UX”},{“code”:”PF012″,”label”:”IBM i”},{“code”:”PF016″,”label”:”Linux”},{“code”:”PF027″,”label”:”Solaris”},{“code”:”PF033″,”label”:”Windows”},{“code”:”PF035″,”label”:”z/OS”}],”Version”:”8.5.5;8.5;8.0;7.0;6.1″,”Edition”:”Base;Developer;Enterprise;Express;Liberty;Network Deployment”,”Line of Business”:{“code”:”LOB45″,”label”:”Automation”}},{“Product”:{“code”:”SSEQTJ”,”label”:”IBM HTTP Server”},”Business Unit”:{“code”:”BU059″,”label”:”IBM Software w/o TPS”},”Component”:” “,”Platform”:[{“code”:””,”label”:””}],”Version”:””,”Edition”:””,”Line of Business”:{“code”:”LOB45″,”label”:”Automation”}},{“Product”:{“code”:”SSCKBL”,”label”:”WebSphere Application Server Hypervisor Edition”},”Business Unit”:{“code”:”BU053″,”label”:”Cloud u0026 Data Platform”},”Component”:” “,”Platform”:[{“code”:””,”label”:””}],”Version”:””,”Edition”:””,”Line of Business”:{“code”:”LOB36″,”label”:”IBM Automation”}},{“Product”:{“code”:”SSD28V”,”label”:”WebSphere Application Server Liberty Core”},”Business Unit”:{“code”:”BU059″,”label”:”IBM Software w/o TPS”},”Component”:” “,”Platform”:[{“code”:””,”label”:””}],”Version”:””,”Edition”:””,”Line of Business”:{“code”:”LOB45″,”label”:”Automation”}}]Read More