Mar 18, 2020 - 2:38 p.m.

Security Bulletin: Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments

2020-03-18 14:38:14
www.ibm.com

EPSS: 0.001 (Percentile: 44.8%)

Summary

Security vulnerabilities in WebSphere Application Server Liberty, such as spoofing, obtaining sensitive information, and bypassing security restrictions, affect IBM Spectrum Protect Backup-Archive Client web user interface, IBM Spectrum Protect for Space Management, and IBM Spectrum Protect for Virtual Environments.

Vulnerability Details

CVEID: CVE-2019-4305
**DESCRIPTION:** IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie. IBM X-Force ID: 160951.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160951 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2014-3603
**DESCRIPTION:** Shibboleth Identity Provider (IdP) and OpenSAML Java could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject’s Common Name (CN) or subjectAltName field of the X.509 certificate. A man-in-the-middle attacker could exploit this vulnerability using an arbitrary valid certificate to spoof SSL servers.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/164271 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
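
The check whose absence CVE-2014-3603 describes, as an added example (not code from IBM, Shibboleth or OpenSAML): a simplified RFC 6125-style matcher that accepts a certificate only when its subjectAltName entries, or the CN when no DNS SAN exists, cover the hostname the client connected to. The function names and the certificate dictionaries are constructed for illustration, and the SAN values are assumed to be already extracted from a chain-validated certificate.

```python
import ipaddress

def _dns_name_matches(pattern, hostname):
    """Compare one certificate DNS name with the hostname the client dialled."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*":
        # Wildcard only as the whole left-most label, with at least two
        # labels after it: rejects "*.org" and never spans several labels.
        return len(p) >= 3 and "*" not in p[1:] and p[1:] == h[1:]
    return "*" not in pattern and p == h

def hostname_matches_cert(hostname, san_dns=(), san_ip=(), subject_cn=None):
    """Return True only if the certificate's identities cover `hostname`."""
    try:
        target_ip = ipaddress.ip_address(hostname)
    except ValueError:
        target_ip = None
    if target_ip is not None:
        # An IP target must equal an iPAddress SAN; DNS names and CN never count.
        return any(ipaddress.ip_address(ip) == target_ip for ip in san_ip)
    if san_dns:
        # When DNS SANs exist, the CN is not consulted.
        return any(_dns_name_matches(n, hostname) for n in san_dns)
    # Legacy fallback: CN is used only when the certificate has no DNS SAN.
    return subject_cn is not None and _dns_name_matches(subject_cn, hostname)

# Constructed sample: a CA-signed certificate issued for a different site.
OTHER_SITE_CERT = {"san_dns": ["other.example.net"],
                   "subject_cn": "other.example.net"}
# Constructed sample: the certificate the intended server would present.
IDP_CERT = {"san_dns": ["idp.example.org", "*.sso.example.org"],
            "subject_cn": "idp.example.org"}

if __name__ == "__main__":
    for label, cert in (("other-site", OTHER_SITE_CERT), ("idp", IDP_CERT)):
        print(label, hostname_matches_cert("idp.example.org", **cert))
```

A client that stops at chain validation accepts both sample certificates; with the hostname check, only the second is accepted for `idp.example.org`.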

CVEID: CVE-2019-4304
**DESCRIPTION:** IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation. IBM X-Force ID: 160950.
CVSS Base score: 6.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/160950 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-4441
**DESCRIPTION:** IBM WebSphere Application Server 7.0, 8.0, 8.5, 9.0, and Liberty could allow a remote attacker to obtain sensitive information when a stack trace is returned in the browser. IBM X-Force ID: 163177.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/163177 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

Affected Product(s)|Version(s)
—|—
IBM Spectrum Protect Backup-Archive Client web user interface| 8.1.7.0-8.1.9.0 (Linux/Windows); 8.1.9 (AIX)
IBM Spectrum Protect for Space Management| 8.1.9.0
IBM Spectrum Protect for Virtual Environments: Data Protection for VMware| 8.1.0.0-8.1.9.0; 7.1.0.0-7.1.8.7
IBM Spectrum Protect for Virtual Environments: Data Protection for Hyper-V| 8.1.4.0-8.1.9.0

Remediation/Fixes

Spectrum Protect Backup-Archive Client web user interface Release|First Fixing VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.9.1| AIX, Linux, Windows| <https://www.ibm.com/support/pages/node/589103>

Spectrum Protect for Space Management Release|First Fixing VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.9.1| AIX, Linux| <https://www.ibm.com/support/pages/node/316077>

Spectrum Protect for Virtual Environments: Data Protection for VMware Release|First Fixing VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.9.1| Linux, Windows| <https://www.ibm.com/support/pages/node/5736999>
7.1| 7.1.8.8| Linux, Windows| <https://www.ibm.com/support/pages/node/316625>

Spectrum Protect for Virtual Environments: Data Protection for Hyper-V Release|First Fixing VRM Level|Platform|Link to Fix
—|—|—|—
8.1| 8.1.9.1| Linux| <https://www.ibm.com/support/pages/node/5737497>

Workarounds and Mitigations

None
