Security Bulletin: Vulnerability with Java Portlet Specification JSR 286 may affect WebSphere Application Server (CVE-2015-1926)

Source: IBM, www.ibm.com
History: Jun 15, 2018, 7:03 a.m.

EPSS: 0.003 (Low), percentile 68.9%

Summary

There has been a change to the Java Portlet Specification 2.0 (JSR 286) that may affect some configurations of WebSphere Application Server.

Vulnerability Details

CVEID: CVE-2015-1926
DESCRIPTION: The Java Portlet Specification JSR 286 API jar file code could allow a remote attacker to obtain sensitive information, caused by the failure to restrict access to resources located within the web application. An attacker could exploit this vulnerability to obtain configuration data and other sensitive information.
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/102780 for the current score
CVSS Environmental Score: Undefined
CVSS Vector (v2): (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

AFFECTED VERSIONS: The following IBM WebSphere Application Server Versions are affected:

  • Version 8.5 Full Profile
  • Version 8.5 Portlet Container feature for WebSphere Application Server Liberty
  • Version 8
  • Version 7

There has been a change to the Java Portlet Specification 2.0 (JSR 286). The fix already issued for CVE-2014-3083 remediates this issue in WebSphere Application Server.

NOTE: If you have already applied the interim fixes for APARs PI17768 and PI30579 and updated your custom portlets as described in the security bulletins referenced below, no further action is needed.

Remediation/Fixes

Custom Portlets:
Your custom portlets may need to be updated as described in the security bulletins below.

For IBM WebSphere Application Server: APAR PI45900 contains the update to the Java Portlet Specification JSR 286 API jar file code and will be included in fix packs 8.5.5.8, 8.0.0.12 and 7.0.0.39. Installing those fix packs when they become available, or installing the interim fixes as noted below, will remedy the problem.

For V8.5.0.0 through 8.5.5.6 (Full Profile):

  • Apply Fix Pack 8 (8.5.5.8), or later.
    -- Or --
  • Refer to the security bulletin for 8.5.5.3 (PI17768 for Portlet Container) and the security bulletin for 8.5.5.5 (PI30579 for Faces Portlet).

For V8.5.0.0 through 8.5.5.6 (Liberty Profile):

If you have installed the Portlet Container feature from the WASdev Liberty Repository:

  • Remove the Portlet Container feature from your Liberty Profile server by deleting the following files and directories:
    usr\extension\dev\api\spec\com.ibm.websphere.appserver.api.portlet_2.0.0.jar
    usr\extension\dev\api\spec\com.ibm.ws.javaee.ccpp_1.0.0.jar
    usr\extension\dev\api\spec\com.ibm.ws.javaee.portlet_2.0.0.jar
    usr\extension\lib\com.ibm.ws.portletcontainer_2.0.0.jar
    usr\extension\lib\features\com.ibm.websphere.appserver.portlet-2.0.mf
    usr\extension\lib\features\l10n\com.ibm.websphere.appserver.portlet-2.0.properties
    usr\extension\lafiles\com.ibm.websphere.appserver.portlet-2.0 (directory and all subdirectories)

  • Then install the September 2015 release or a newer version of the Portlet Container from the WASdev Liberty Repository.
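The Liberty removal step above, as an added shell example that is not part of IBM's bulletin or of the Liberty product: it checks a Liberty usr directory for the seven paths the bulletin names, deletes them, and then re-checks so that a partial removal (for example a file the invoking user cannot delete) is reported rather than silently leaving a stale jar in the extension tree. It assumes a POSIX install, so the bulletin's backslash paths are written with forward slashes, and that the argument is the Liberty usr directory such as /opt/ibm/wlp/usr; the directory name and the function names are the example's own. Stop the Liberty servers that use the feature first; deleting jars under a running server does not unload code the JVM has already loaded.

```shell
#!/bin/sh
# Added example, not IBM code: remove the pre-September-2015 Portlet
# Container feature from a Liberty user-extension tree, following the
# file list in the bulletin. Assumes a POSIX install (the bulletin's
# backslash paths written with forward slashes) and that the argument
# is the Liberty "usr" directory, e.g. /opt/ibm/wlp/usr (assumed path).

# The files, and the lafiles directory, that the bulletin says to delete,
# relative to the usr directory.
PORTLET_FEATURE_PATHS='
extension/dev/api/spec/com.ibm.websphere.appserver.api.portlet_2.0.0.jar
extension/dev/api/spec/com.ibm.ws.javaee.ccpp_1.0.0.jar
extension/dev/api/spec/com.ibm.ws.javaee.portlet_2.0.0.jar
extension/lib/com.ibm.ws.portletcontainer_2.0.0.jar
extension/lib/features/com.ibm.websphere.appserver.portlet-2.0.mf
extension/lib/features/l10n/com.ibm.websphere.appserver.portlet-2.0.properties
extension/lafiles/com.ibm.websphere.appserver.portlet-2.0
'

# Print every listed path that still exists under $1.
# Exit status 0 if at least one remains (feature still present), 1 if none,
# 2 if $1 does not look like a Liberty usr directory.
portlet_feature_remnants() {
    usr_dir=$1
    if [ -z "$usr_dir" ] || [ ! -d "$usr_dir/extension" ]; then
        echo "expected a Liberty usr directory, got '$usr_dir'" >&2
        return 2
    fi
    remaining=1
    for rel in $PORTLET_FEATURE_PATHS; do
        if [ -e "$usr_dir/$rel" ]; then
            echo "$usr_dir/$rel"
            remaining=0
        fi
    done
    return $remaining
}

# Delete the listed files, and the lafiles directory with all of its
# subdirectories, then verify that nothing from the list survives.
# Exit status 0 on a clean removal, 1 if something is left behind,
# 2 if $1 does not look like a Liberty usr directory.
remove_portlet_feature() {
    usr_dir=$1
    if [ -z "$usr_dir" ] || [ ! -d "$usr_dir/extension" ]; then
        echo "expected a Liberty usr directory, got '$usr_dir'" >&2
        return 2
    fi
    for rel in $PORTLET_FEATURE_PATHS; do
        target="$usr_dir/$rel"
        if [ -d "$target" ]; then
            rm -rf "$target"     # the lafiles directory tree
        elif [ -e "$target" ]; then
            rm -f "$target"
        fi
    done
    if portlet_feature_remnants "$usr_dir" >/dev/null; then
        echo "Portlet Container feature not fully removed from $usr_dir" >&2
        return 1
    fi
    return 0
}

# Usage (after stopping the Liberty servers that use the feature):
#   . ./remove-portlet-feature.sh
#   portlet_feature_remnants /opt/ibm/wlp/usr   # lists what is still installed
#   remove_portlet_feature   /opt/ibm/wlp/usr
# Then install the September 2015 or newer Portlet Container release.
```

Run the check function on its own first: a usr tree that lists nothing never had the repository feature installed, so the fix-pack or interim-fix path for the full profile is the relevant one instead.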

For V8.0.0.0 through 8.0.0.11:

  • Apply Fix Pack 12 (8.0.0.12), or later.

For V7.0.0.0 through 7.0.0.37:

  • Apply Fix Pack 39 (7.0.0.39), or later.
    -- Or --
  • Refer to the security bulletin for 7.0.0.35 for Portlet Container. Faces Portlet is not applicable to version 7.0.
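To triage a fleet against the version ranges above, here is an added shell example (not from IBM's bulletin) that classifies a WebSphere Application Server full-profile version string against the fix packs the bulletin names: 8.5.5.8, 8.0.0.12 and 7.0.0.39. It takes the dotted version string as an argument (on a full-profile install WAS_HOME/bin/versionInfo.sh prints it); the function names are the example's own, and Liberty is out of scope because its remediation is the feature re-install, not a fix pack. A result of "affected" means only that the fix pack is absent: a server on 8.5.5.3 through 8.5.5.6 with the PI17768 and PI30579 interim fixes applied is also remediated, which the version string alone cannot show.

```shell
#!/bin/sh
# Added example, not IBM code: classify a WebSphere Application Server
# full-profile version string against the fix packs this bulletin names.
# Assumes the dotted numeric form printed by WAS_HOME/bin/versionInfo.sh
# (e.g. 8.5.5.6); interim fixes are not visible in the version string.

# Compare two dotted version strings component by component.
# Prints lt, eq or gt. Missing trailing components count as 0,
# so 8.5.5 and 8.5.5.0 compare equal.
version_cmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah=${a%%.*}
        bh=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${ah:-0}" -lt "${bh:-0}" ]; then echo lt; return 0; fi
        if [ "${ah:-0}" -gt "${bh:-0}" ]; then echo gt; return 0; fi
    done
    echo eq
}

# Print one word for the given version:
#   fixed     at or above the remediating fix pack for its release line
#   affected  inside an affected range the bulletin lists (fix pack absent;
#             interim fixes PI17768/PI30579 may still have been applied)
#   unlisted  a release line or level the bulletin does not name
was_cve_2015_1926_status() {
    v=$1
    case $v in
        8.5.*) lo=8.5.0.0; hi=8.5.5.6;  fix=8.5.5.8  ;;
        8.0.*) lo=8.0.0.0; hi=8.0.0.11; fix=8.0.0.12 ;;
        7.0.*) lo=7.0.0.0; hi=7.0.0.37; fix=7.0.0.39 ;;
        *)     echo unlisted; return 0 ;;
    esac
    if [ "$(version_cmp "$v" "$fix")" != lt ]; then
        echo fixed
    elif [ "$(version_cmp "$v" "$lo")" != lt ] && [ "$(version_cmp "$v" "$hi")" != gt ]; then
        echo affected
    else
        echo unlisted
    fi
}

# Usage:
#   was_cve_2015_1926_status 8.5.5.6    # affected
#   was_cve_2015_1926_status 8.5.5.8    # fixed
#   was_cve_2015_1926_status 9.0.0.1    # unlisted
```

Treat "unlisted" as a prompt to read the bulletin rather than as a clean bill of health: 8.5.5.7, for instance, falls between the last listed affected level and the fix pack, and a release line the bulletin does not name is simply not covered by it.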

Workarounds and Mitigations

Until the fix pack that includes the update to the Java Portlet Specification is available, refer to the security bulletins listed above, apply the APAR interim fixes for PI17768 and PI30579, and update your portlets as described in those bulletins.
