Jun 15, 2018 - 7:02 a.m.

Security Bulletin: File path traversal vulnerabilities affect IBM Workload Deployer (CVE-2014-6158)

2018-06-15 07:02:21
www.ibm.com
EPSS: 0.004

Percentile: 73.9%

Summary

File upload functionality within IBM Workload Deployer might lead to server compromise and Denial of Service (DoS).

Vulnerability Details

CVEID: CVE-2014-6158

DESCRIPTION:
IBM PureApplication System’s file upload functions might lead to server compromise and DoS when authorized users create or edit components such as a “Script Package”, “Add-On”, or “Emergency Fixes”.

CVSS Base Score: 9.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/97707 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)

Affected Products and Versions

IBM Workload Deployer V3.1.0.7 and later

Remediation/Fixes

The solution is to apply the IBM Workload Deployer v3.1.0.7 Interim Fix 5:

http://www-933.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/WebSphere/IBM+Workload+Deployer&release=3.1.0.7&platform=All&function=fixId&fixids=3.1.0.7-ifix5-IBM_Workload_Deployer&includeSupersedes=0

Workarounds and Mitigations

None
