There has been a change to the Java Portlet Specification 2.0 (JSR 286) that may affect some configurations of WebSphere Application Server.
**CVEID:** CVE-2015-1926
**DESCRIPTION:** The Java Portlet Specification JSR 286 API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102780 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:
There has been a change to the Java Portlet Specification 2.0 JSR 286. CVE-2014-3083 already remediates this issue in WebSphere Application Server.
NOTE: If you have already applied interim fixes for APARs PI17768 and PI30579 and updated your custom portlets as described in the security bulletins linked below then you do not need to take any action.
Custom Portlets:
Your custom portlets may need to be updated as described in the security bulletins below.
**For IBM WebSphere Application Server:** APAR PI45900 contains the update to the Java Portlet Specification JSR 286 API jar file code and will be included in fix packs 8.5.5.8, 8.0.0.12 and 7.0.0.39. Installing those fix packs when they become available, or installing the interim fixes as noted below, will remedy the problem.
**For V8.5.0.0 through 8.5.5.6 (Full Profile):**
Apply Fix Pack 8 (8.5.5.8), or later.
-- Or --
Refer to the security bulletin for 8.5.5.3 (PI17768 for Portlet Container) and the security bulletin for 8.5.5.5 (PI30579 for Faces Portlet).
**For V8.5.0.0 through 8.5.5.6 (Liberty Profile):**
**If you have installed the Portlet Container Feature from the WASdev Liberty Repository:**
Remove the Portlet Container feature from your Liberty Profile server by deleting the following files and directories:
usr\extension\dev\api\spec\com.ibm.websphere.appserver.api.portlet_2.0.0.jar
usr\extension\dev\api\spec\com.ibm.ws.javaee.ccpp_1.0.0.jar
usr\extension\dev\api\spec\com.ibm.ws.javaee.portlet_2.0.0.jar
usr\extension\lib\com.ibm.ws.portletcontainer_2.0.0.jar
usr\extension\lib\features\com.ibm.websphere.appserver.portlet-2.0.mf
usr\extension\lib\features\l10n\com.ibm.websphere.appserver.portlet-2.0.properties
usr\extension\lafiles\com.ibm.websphere.appserver.portlet-2.0 directory and all subdirectories
Then install the September 2015 release or a newer version of the Portlet Container from the WASdev Liberty Repository.
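As an added example (not part of the IBM bulletin), the following POSIX shell script audits a Liberty `usr` directory for the Portlet Container files listed above and removes them, so the removal can be verified before the newer Portlet Container is installed. The `usr`-directory argument and the function names are assumptions; paths use forward slashes for a Unix-style install.

```shell
#!/bin/sh
# Added example, not IBM's code. File list is taken from the bulletin above;
# the usr-directory argument and function names are assumptions.

# Files shipped by the Portlet Container feature, relative to the Liberty usr dir.
PORTLET_FILES="
extension/dev/api/spec/com.ibm.websphere.appserver.api.portlet_2.0.0.jar
extension/dev/api/spec/com.ibm.ws.javaee.ccpp_1.0.0.jar
extension/dev/api/spec/com.ibm.ws.javaee.portlet_2.0.0.jar
extension/lib/com.ibm.ws.portletcontainer_2.0.0.jar
extension/lib/features/com.ibm.websphere.appserver.portlet-2.0.mf
extension/lib/features/l10n/com.ibm.websphere.appserver.portlet-2.0.properties
"
# License-acceptance directory removed together with all its subdirectories.
PORTLET_DIR="extension/lafiles/com.ibm.websphere.appserver.portlet-2.0"

# portlet_feature_present USR_DIR
# Prints every listed file or directory still on disk; returns 0 if anything
# remains (feature still present), 1 if the install is clean.
portlet_feature_present() {
    usr="$1"; found=1
    for f in $PORTLET_FILES; do
        if [ -e "$usr/$f" ]; then echo "present: $usr/$f"; found=0; fi
    done
    if [ -d "$usr/$PORTLET_DIR" ]; then echo "present: $usr/$PORTLET_DIR/"; found=0; fi
    return $found
}

# remove_portlet_feature USR_DIR
# Deletes the listed files and the license directory; safe to re-run.
remove_portlet_feature() {
    usr="$1"
    for f in $PORTLET_FILES; do
        rm -f "$usr/$f"
    done
    rm -rf "$usr/$PORTLET_DIR"
}

# Usage (stop the server first): remove_portlet_feature /opt/ibm/wlp/usr
# then confirm with: portlet_feature_present /opt/ibm/wlp/usr || echo "clean"
```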
-- Or --
**For V8.0.0.0 through 8.0.0.11:**
**For V7.0.0.0 through 7.0.0.37:**
To mitigate this issue until the fix pack that includes the update to the Java Portlet Specification is available, refer to the security bulletins listed above, apply the APAR interim fixes for PI17768 and PI30579, and update your portlet as described in those bulletins.