# Security Bulletin: Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3

## Summary

Cross reference list for security vulnerabilities fixed in IBM WebSphere Application Server 8.5.5.3, IBM WebSphere Application Server Hypervisor 8.5.5.3 and IBM HTTP Server 8.5.5.3.

## Vulnerability Details

**CVE ID:** CVE-2014-3022 **(APAR PI09594)**

**DESCRIPTION:** WebSphere Application Server allows for an information disclosure when an error page is displayed using a specially crafted URL.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93060 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

* Version 8.5
* Version 8
* Version 7

**Remediation/Fixes:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

**Fix:**
Apply a Fix Pack or PTF containing this APAR PI09594, as noted below:

For IBM WebSphere Application Server

**For V8.5.0.0 through 8.5.5.2:**
* Apply Fix Pack 3 (8.5.5.3), or later.

**For V8.0.0.0 through 8.0.0.8:**
* Apply Fix Pack 9 (8.0.0.9), or later.

**For V7.0.0.0 through 7.0.0.31:**
* Apply Fix Pack 33 (7.0.0.33), or later.

**Workaround(s):** None known
**Mitigation(s):** None known

**CVE ID:** CVE-2014-0965 **(APAR PI11434)**

**DESCRIPTION:** WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper handling of SOAP responses.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92878 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
* Version 8.5
* Version 8
* Version 7

**Remediation/Fixes:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

**Fix:**
Apply a Fix Pack or PTF containing this APAR PI11434, as noted below:

For IBM WebSphere Application Server

**For V8.5.0.0 through 8.5.5.2:**
* Apply Fix Pack 3 (8.5.5.3), or later.

**For V8.0.0.0 through 8.0.0.8:**
* Apply Fix Pack 9 (8.0.0.9), or later.

**For V7.0.0.0 through 7.0.0.31:**
* Apply Fix Pack 33 (7.0.0.33), or later.

**Workaround(s):** None known
**Mitigation(s):** None known
**CVE ID:** CVE-2014-0098 **(APAR PI13028)**

**DESCRIPTION:** IBM HTTP Server may be vulnerable to a denial of service, caused by certain cookies being logged in the access log. A remote attacker could exploit this vulnerability to cause the server process to hang or crash. This only affects users that have modified their configuration to add cookie logging.

**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91879 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

**Affected Versions/Remediation/Fixes/Workaround/Mitigation**
Please refer to the WebSphere Application Server Security bulletin for CVE-2014-0098 for remediation information.

**CVE ID:** CVE-2014-3070 **(APAR PI16765)**

**DESCRIPTION:** WebSphere Application Server could allow a remote attacker to bypass security restrictions caused by improper account creation with the Virtual Member Manager SPI Admin Task addFileRegistryAccount.

**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93777 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

**Affected Versions/Remediation/Fixes/Workaround/Mitigation**
Please refer to the WebSphere Application Server Security bulletin for CVE-2014-3070 for remediation information.

**CVE ID:** CVE-2014-0963 **(APAR PI17025)**

**DESCRIPTION:** IBM HTTP Server is affected by a problem with the handling of certain SSL messages. The TLS implementation can, under very specific conditions, cause CPU utilization to rapidly increase. The situation occurs only in a certain error case that causes a single thread to begin looping. If this happens multiple times, more threads will begin to loop and an increase in CPU utilization will be seen. This increase could ultimately result in CPU exhaustion and unresponsiveness of the IBM HTTP Server and other software running on the affected system.

This issue can affect the availability of the system, but does not impact system confidentiality or integrity. This vulnerability can be remotely exploited, authentication is not required and the exploit is moderately complex.

To determine if your systems are being affected by this issue, you can monitor the CPU utilization for IBM HTTP Server instances, or monitor the mod_mpmstats output written to the ErrorLog.

**CVSS:**
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/92844 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

**Affected Versions/Remediation/Fixes/Workaround/Mitigation**
Please refer to the WebSphere Application Server Security bulletin for CVE-2014-0963 for remediation information.
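The bulletin suggests watching mod_mpmstats output in the ErrorLog for the looping-thread symptom of CVE-2014-0963. The script below is an added example (not IBM's code) of turning that advice into a detection: it parses mpmstats lines and flags a busy-thread count that climbs on every sample and never falls back, which is what worker threads stuck in a loop look like. It assumes the mpmstats line shape `mpmstats: rdy N bsy N ...` shown in the constructed sample log, and the thresholds are arbitrary starting points; treat a hit as a prompt to check CPU utilization, not as proof of exploitation.

```python
"""Heuristic detection of looping IHS worker threads from mod_mpmstats lines.

Added example, not part of the IBM bulletin. Assumptions (labelled):
- mod_mpmstats writes lines containing "mpmstats: rdy N bsy N rd N wr N ..."
  to the ErrorLog; the field names below are taken from that assumed shape.
- SAMPLE_ERROR_LOG is constructed for illustration, not captured from a server.
"""
import re

# Only the ready ("rdy") and busy ("bsy") counters are needed for the heuristic.
MPMSTATS_RE = re.compile(r"mpmstats:\s+rdy\s+(?P<rdy>\d+)\s+bsy\s+(?P<bsy>\d+)")

# Constructed sample: busy threads climb 1 -> 15 over 20 minutes and never recover.
SAMPLE_ERROR_LOG = """\
[Mon Aug 18 10:00:00 2014] [notice] mpmstats: rdy 49 bsy 1 rd 0 wr 1 ka 0 log 0 dns 0 cls 0
[Mon Aug 18 10:05:00 2014] [notice] mpmstats: rdy 47 bsy 3 rd 0 wr 3 ka 0 log 0 dns 0 cls 0
[Mon Aug 18 10:10:00 2014] [notice] mpmstats: rdy 44 bsy 6 rd 0 wr 6 ka 0 log 0 dns 0 cls 0
[Mon Aug 18 10:15:00 2014] [notice] mpmstats: rdy 40 bsy 10 rd 0 wr 10 ka 0 log 0 dns 0 cls 0
[Mon Aug 18 10:20:00 2014] [notice] mpmstats: rdy 35 bsy 15 rd 0 wr 15 ka 0 log 0 dns 0 cls 0
"""


def parse_busy_counts(log_text):
    """Return a list of (ready, busy) pairs, one per mpmstats line, in log order."""
    counts = []
    for line in log_text.splitlines():
        m = MPMSTATS_RE.search(line)
        if m:
            counts.append((int(m.group("rdy")), int(m.group("bsy"))))
    return counts


def busy_never_recovers(counts, min_samples=4, min_final_busy=5):
    """True when the busy count rises on every consecutive sample over at least
    ``min_samples`` samples and ends at ``min_final_busy`` or more.

    Normal load makes the busy count go up and down; a strictly monotonic climb
    that never gives threads back to the ready pool matches the bulletin's
    description of threads entering a loop one after another.
    """
    if len(counts) < min_samples:
        return False
    busy = [b for _, b in counts]
    strictly_rising = all(later > earlier for earlier, later in zip(busy, busy[1:]))
    return strictly_rising and busy[-1] >= min_final_busy


def check_error_log(log_text):
    """Convenience wrapper: parse an ErrorLog excerpt and apply the heuristic."""
    return busy_never_recovers(parse_busy_counts(log_text))


if __name__ == "__main__":
    verdict = "suspicious: busy threads never recover" if check_error_log(SAMPLE_ERROR_LOG) else "normal"
    print(verdict)
```

Run it against a rolling window of the real ErrorLog (for example the last N mpmstats lines) rather than the whole file, and tune `min_samples` and `min_final_busy` to the server's MaxClients and the mpmstats reporting interval.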

**CVE ID:** CVE-2014-3083 **(APAR PI17768)**

**DESCRIPTION:** WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.

**CVSS:**
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93954 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
* Version 8.5
* Version 8.5 Liberty Profile if you have installed the Portlet Container feature from the WASdev Liberty Repository.
* Version 8
* Version 7

**Remediation/Fixes:** Remediation is needed for WebSphere Application Server, and your own portlets may also need to be updated to avoid this issue. The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

**Fix:**
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI17768, as noted below:

For IBM WebSphere Application Server

**For V8.5.0.0 through 8.5.5.2 (Full Profile):**
* Apply Fix Pack 3 (8.5.5.3), or later.

— Or —
* Apply Interim Fix PI17768

**For V8.5.0.0 through 8.5.5.2 (Liberty Profile):**
**If you have installed the Portlet Container Feature from WASdev Liberty Repository:**
* Remove the Portlet Container feature from your Liberty Profile server by deleting the following files and directories:

`usr/extension/dev/api/spec/com.ibm.websphere.appserver.api.portlet_2.0.0.jar`
`usr/extension/dev/api/spec/com.ibm.ws.javaee.ccpp_1.0.0.jar`
`usr/extension/dev/api/spec/com.ibm.ws.javaee.portlet_2.0.0.jar`
`usr/extension/lib/com.ibm.ws.portletcontainer_2.0.0.jar`
`usr/extension/lib/features/com.ibm.websphere.appserver.portlet-2.0.mf`
`usr/extension/lib/features/l10n/com.ibm.websphere.appserver.portlet-2.0.properties`
`usr/extension/lafiles/com.ibm.websphere.appserver.portlet-2.0` directory and all subdirectories

Then install the most current version of the Portlet Container from the WASdev Liberty Repository.

**For V8.0.0.0 through 8.0.0.9:**
* Apply Fix Pack 10 (8.0.0.10), or later.

— Or —
* Apply Interim Fix PI17768

**For V7.0.0.0 through 7.0.0.33:**
* Apply Fix Pack 35 (7.0.0.35), or later.

— Or —
* Apply Interim Fix PI17768

**Remediation for portlets:**

All JSR 286 compliant portlets that derive from class javax.portlet.GenericPortlet must override method serveResource.
An overriding serveResource implementation must not call super.serveResource.
If the portlet does not use resource serving, an empty implementation of serveResource should be used.

Example: This empty implementation is correct for a portlet that does not use resource serving:

```java
// Requires javax.portlet.ResourceRequest, javax.portlet.ResourceResponse,
// javax.portlet.PortletException, java.io.IOException and
// java.util.logging.Level; 'logger' is the portlet's own java.util.logging.Logger field.
@Override
public void serveResource(ResourceRequest request, ResourceResponse response)
        throws PortletException, IOException {
    // Empty implementation on purpose
    if (logger.isLoggable(Level.WARNING)) {
        // Unexpected call to serveResource, therefore log a warning.
        logger.log(Level.WARNING, "Unexpected call to serveResource.");
    }
}
```

Example of a WRONG fix:

```java
@Override
public void serveResource(ResourceRequest request, ResourceResponse response)
        throws PortletException, IOException {
    // FIXME: this is wrong. Calling super.serveResource does not fix the security issue!
    super.serveResource(request, response);
}
```
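Because the portlet remediation is a code-level rule (every GenericPortlet subclass must override serveResource and must not delegate to super.serveResource), it is worth checking mechanically across a portlet code base. The audit script below is an added example, not IBM's code or tooling: it classifies each GenericPortlet subclass in a Java source file as compliant, missing the override, or still calling super. It works textually on the `extends GenericPortlet` clause and the `serveResource(` signature, which is an assumption that will miss subclasses reached through an intermediate base class; the three Java snippets are constructed.

```python
"""Audit Java portlet sources for the serveResource rule from the CVE-2014-3083 remediation.

Added example, not part of the IBM bulletin. Assumptions (labelled):
- A portlet is recognised by a textual "extends GenericPortlet" (optionally
  package-qualified) and the override by a textual "void serveResource(".
- Brace matching is naive (no awareness of braces inside strings/comments),
  which is adequate for an audit pass over ordinary source files.
- The Java snippets below are constructed for illustration.
"""
import re

CLASS_RE = re.compile(r"class\s+(\w+)\s+extends\s+(?:javax\.portlet\.)?GenericPortlet\b")
SERVE_RES_RE = re.compile(r"\bvoid\s+serveResource\s*\(")
SUPER_CALL_RE = re.compile(r"\bsuper\s*\.\s*serveResource\s*\(")

# Constructed samples covering the three outcomes the bulletin's rule produces.
GOOD_PORTLET = """
public class ReportPortlet extends GenericPortlet {
    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        // Empty implementation on purpose
    }
}
"""
BAD_PORTLET = """
public class LegacyPortlet extends javax.portlet.GenericPortlet {
    @Override
    public void serveResource(ResourceRequest request, ResourceResponse response)
            throws PortletException, IOException {
        super.serveResource(request, response);  // the WRONG fix from the bulletin
    }
}
"""
MISSING_PORTLET = """
public class HelloPortlet extends GenericPortlet {
    protected void doView(RenderRequest request, RenderResponse response) {
    }
}
"""


def _brace_block(text, start):
    """Return the text inside the first {...} pair that opens at or after ``start``."""
    open_idx = text.find("{", start)
    if open_idx < 0:
        return ""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]


def audit_portlet_source(src):
    """Map each GenericPortlet subclass in ``src`` to one of:
    'ok'          - serveResource overridden without calling super
    'missing'     - no serveResource override at all
    'calls_super' - override present but delegates to super.serveResource
    An empty dict means the file defines no GenericPortlet subclass."""
    findings = {}
    for m in CLASS_RE.finditer(src):
        class_body = _brace_block(src, m.end())
        sig = SERVE_RES_RE.search(class_body)
        if sig is None:
            findings[m.group(1)] = "missing"
            continue
        method_body = _brace_block(class_body, sig.end())
        findings[m.group(1)] = "calls_super" if SUPER_CALL_RE.search(method_body) else "ok"
    return findings


if __name__ == "__main__":
    for sample in (GOOD_PORTLET, BAD_PORTLET, MISSING_PORTLET):
        print(audit_portlet_source(sample))
```

Anything reported as `missing` or `calls_super` needs the empty-override treatment shown above; run the audit over every `.java` file in the portlet project and treat any non-`ok` result as a build failure until it is fixed.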
**Workaround(s):** None known
**Mitigation(s):** None known

**CVE ID:** CVE-2014-0076 **(APAR PI19700)**

**DESCRIPTION:** The GSKit component in IBM HTTP Server could allow a local attacker to obtain sensitive information, caused by an implementation error in ECDSA (Elliptic Curve Digital Signature Algorithm).

**CVSS:**
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91990 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:

* Version 8.5
* Version 8

**Remediation/Fixes:** No action is required unless all of these conditions are met:
* SSL is enabled
* IBM HTTP Server is Version 8 or later
* SSLCipherSpec has enabled ECDHE_ECDSA* ciphers
* Configured certificate uses an ECC key rather than RSA
* Configured certificate was created by a tool other than ikeyman or gskcapicmd

**Fix:**
If all of the above conditions are met, then apply the appropriate Fix Pack, PTF, or Interim Fix containing APAR PI19700, as noted below. If the SSLFIPSEnable directive is specified, the vulnerability remains after applying the fix. As a remediation, disable SSLFIPSEnable, or change any of the above conditions.

For affected IBM HTTP Server:

**For V8.5.0.0 through 8.5.5.2:**
* Apply Fix Pack 3 (8.5.5.3), or later.

— Or —
* Apply Interim Fix PI19700

**For V8.0.0.0 through 8.0.0.8:**
* Apply Fix Pack 9 (8.0.0.9), or later.

— Or —
* Apply Interim Fix PI19700

**Workaround(s):** None known
**Mitigation(s):** None known
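The CVE-2014-0076 entry is unusual in that exposure depends on a conjunction of configuration facts rather than on version alone, and the SSLFIPSEnable caveat changes what "fixed" means. The script below is an added example (not IBM's code) that walks those conditions against an httpd.conf excerpt. Three of the five conditions (SSLEnable, ECDHE_ECDSA ciphers in SSLCipherSpec, SSLFIPSEnable) are read from the file; the IHS major version, whether the certificate uses an ECC key, and whether ikeyman/gskcapicmd created it cannot be read from httpd.conf, so the caller supplies them. The configuration text is constructed, and the handling of `+`/`-` prefixes on SSLCipherSpec tokens is an assumption about that directive's syntax.

```python
"""Decide whether an IBM HTTP Server configuration meets the CVE-2014-0076 conditions.

Added example, not part of the IBM bulletin. Assumptions (labelled):
- Directives are matched by name at the start of a line, comments are skipped.
- In SSLCipherSpec a token prefixed with "-" removes a cipher and so does not
  count as enabling it; a "+" prefix or no prefix counts as enabling.
- Certificate key type and creating tool are supplied by the caller.
- SAMPLE_CONF is a constructed fragment, not a real server's configuration.
"""

ECDSA_MARKER = "ECDHE_ECDSA"

SAMPLE_CONF = """\
# constructed httpd.conf fragment
Listen 443
<VirtualHost *:443>
    SSLEnable
    Keyfile /opt/IBM/HTTPServer/conf/key.kdb
    SSLCipherSpec ALL +TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 -SSL_RSA_WITH_RC4_128_SHA
</VirtualHost>
"""


def parse_ssl_directives(conf_text):
    """Collect the SSL settings relevant to the bulletin's conditions."""
    ssl_enabled = False
    fips_enabled = False
    ecdsa_ciphers = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1] if len(parts) > 1 else ""
        if directive == "sslenable":
            ssl_enabled = True
        elif directive == "sslfipsenable":
            fips_enabled = True
        elif directive == "sslcipherspec":
            for token in args.split():
                if token.startswith("-"):
                    continue  # assumption: "-" removes a cipher, so it is not enabled
                name = token.lstrip("+")
                if ECDSA_MARKER in name.upper():
                    ecdsa_ciphers.append(name)
    return {"ssl_enabled": ssl_enabled, "fips_enabled": fips_enabled, "ecdsa_ciphers": ecdsa_ciphers}


def assess_cve_2014_0076(conf_text, ihs_major_version, cert_uses_ecc, cert_from_ibm_tool):
    """Return (exposed, reason) by walking the bulletin's conditions in order.

    ``cert_from_ibm_tool`` is True when ikeyman or gskcapicmd created the certificate.
    """
    d = parse_ssl_directives(conf_text)
    if not d["ssl_enabled"]:
        return False, "not exposed: SSL is not enabled"
    if ihs_major_version < 8:
        return False, "not exposed: IBM HTTP Server is older than Version 8"
    if not d["ecdsa_ciphers"]:
        return False, "not exposed: SSLCipherSpec enables no ECDHE_ECDSA cipher"
    if not cert_uses_ecc:
        return False, "not exposed: configured certificate uses an RSA key"
    if cert_from_ibm_tool:
        return False, "not exposed: certificate was created by ikeyman or gskcapicmd"
    if d["fips_enabled"]:
        return True, ("exposed: SSLFIPSEnable is set, so the PI19700 fix alone does not remove "
                      "the exposure; disable SSLFIPSEnable or change one of the conditions")
    return True, "exposed: apply the Fix Pack, PTF or Interim Fix for APAR PI19700"


if __name__ == "__main__":
    print(assess_cve_2014_0076(SAMPLE_CONF, 8, cert_uses_ecc=True, cert_from_ibm_tool=False))
```

Note the ordering: the script reports the first unmet condition, which mirrors the bulletin's "no action is required unless all of these conditions are met", and it keeps the FIPS case as a separate verdict so that nobody records the server as remediated after applying the fix pack while SSLFIPSEnable is still set.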
**CVE ID:** CVE-2014-4764 **(APAR PI21189)**

**DESCRIPTION:** WebSphere Application Server on Windows using the Load Balancer for IPv4 Dispatcher component may be vulnerable to a denial of service. A remote attacker could exploit this vulnerability to cause the Load Balancer to crash.

**CVSS:**
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94723 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
* Version 8.5
* Version 8

**Remediation/Fixes:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

**Fix:**
Apply a Fix Pack or PTF containing this APAR PI21189, as noted below:

For IBM WebSphere Application Server

**For V8.5.0.0 through 8.5.5.2:**
* Apply Fix Pack 3 (8.5.5.3), or later.

**For V8.0.0.0 through 8.0.0.9:**
* Apply Fix Pack 10 (8.0.0.10), or later.

**Workaround(s):** None known
**Mitigation(s):** None known

**CVE ID:** CVE-2014-4767 **(APAR PI21284)**

**DESCRIPTION:** WebSphere Application Server Liberty Profile could provide weaker than expected security when installing features via the Liberty Repository. A remote attacker could exploit this vulnerability to cause the installation of malicious code.

**CVSS:**
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/94832 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

**AFFECTED VERSIONS:** The following IBM WebSphere Application Server Versions are affected:
* Version 8.5 Liberty Profile

**Remediation/Fixes:** The recommended solution is to apply the Fix Pack or PTF for each named product as soon as practical.

**Fix:**
Apply an Interim Fix, Fix Pack or PTF containing this APAR PI21284, as noted below:

For IBM WebSphere Application Server

**For V8.5.0.0 through 8.5.5.2:**
* Apply Fix Pack 3 (8.5.5.3), or later.

— Or —
* Apply Interim Fix PI21284

**Workaround(s):** None known
**Mitigation(s):** None known

**IBM SDK:** Please refer to this security bulletin for SDK fixes that were shipped with WebSphere Application Server Version 8.5.5.3:
https://www-01.ibm.com/support/docview.wss?uid=swg21680418

## Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support alerts like this.

## Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

### References

Complete CVSS v2 Guide (link resides outside of ibm.com)
On-line Calculator v2 (link resides outside of ibm.com)


## Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

## Change History

18 August 2014: original document published
04 September 2014: added links to interim fixes

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

## Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

