Security Bulletin: A Security vulnerability has been identified in IBM WebSphere Application Server bundled with IBM WebSphere Application Server Patterns and IBM WebSphere Application Server for Cloud (CVE-2017-1583, CVE-2011-4343)

Summary

There are two potential infomation disclosure vulnerabilities that affects the Java Server Faces (JSF) component used by WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2017-1583**
DESCRIPTION:** IBM WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper error handling by MyFaces in JSF.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132342 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

**
CVEID:CVE-2011-4343
DESCRIPTION:** Apache MyFaces could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability using specially crafted parameters to inject EL expressions into input fields mapped as view parameters and obtain sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132287 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

This vulnerability affects the following versions and releases of IBM WebSphere Application Server:

• Liberty jsf-2.0 feature
• Version 8.5

Remediation/Fixes

Consult the security bulletin: Multiple vulnerabilities affect Java Server Faces (JSF) used by WebSphere Application Server for vulnerability details and information about fixes.