There are an information disclosure vulnerability and a security bypass vulnerability in WebSphere Application Server Liberty, the runtime used by Liberty for Java in IBM Cloud. Both vulnerabilities have been addressed in the fixed buildpack version listed below.
CVEID: CVE-2019-4304 DESCRIPTION: IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160950> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2019-4305 DESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160951> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
These vulnerabilities affect all versions of Liberty for Java in IBM Cloud up to and including v3.36.
To upgrade to Liberty for Java v3.37-20191002-1726 or higher, you must re-stage or re-push your application and use the alternate runtime.
See the following instructions on how to use the alternate runtime:
<https://cloud.ibm.com/docs/runtimes/liberty?topic=liberty-using_monthly_runtime>
To find the version of Liberty for Java in IBM Cloud that an application is currently staged with, run the following command from the command-line Cloud Foundry client (it prints the staging metadata from inside the application container):
cf ssh <appname> -c "cat staging_info.yml"
Look for the detected_buildpack line; the buildpack-v... token is the buildpack version to compare against v3.37-20191002-1726 (the example below shows an application that has already been re-staged onto the fixed version):
{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.37-20191002-1726, ibmjdk-1.8.0_sr5fp41-20190919, env)","start_command":".liberty/initial_startup.rb"}
To re-stage your application using the command-line Cloud Foundry client, use the following command:
cf restage <appname>
To re-push your application using the command-line Cloud Foundry client, use the following command:
cf push <appname>
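The version check above is easy to get wrong by eye across many applications, so here is an added example (not part of the IBM bulletin) that automates it: it extracts the buildpack-v version from staging_info.yml output, compares it against v3.37-20191002-1726 by major.minor and then by the date-time stamp, and reports "fixed", "vulnerable" or "unknown". The cf ssh invocation is the one the bulletin gives; the sample staging_info.yml content, the buildpack version in it and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin: classify a Liberty for Java app's
# staged buildpack version against the fixed version v3.37-20191002-1726.

FIXED_VERSION="3.37-20191002-1726"

# Read a staging_info.yml body on stdin and print the buildpack version found in
# its detected_buildpack entry, e.g. "3.36-20190827-1001" (without "buildpack-v").
# Prints nothing if no such token is present.
extract_buildpack_version() {
    sed -n 's/.*buildpack-v\([0-9][0-9]*\.[0-9][0-9]*-[0-9]\{8\}-[0-9]\{4\}\).*/\1/p' | head -n 1
}

# Return 0 if version $1 >= version $2. Versions look like MAJOR.MINOR-YYYYMMDD-HHMM:
# MAJOR and MINOR are compared numerically, then the timestamp is compared as a
# single 12-digit number (YYYYMMDDHHMM), so a later build of the same
# major.minor counts as newer.
version_ge() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%-*}; a_stamp=${a_rest#*-}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%-*}; b_stamp=${b_rest#*-}
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -gt "$b_minor" ] && return 0
    [ "$a_minor" -lt "$b_minor" ] && return 1
    a_num="${a_stamp%-*}${a_stamp#*-}"
    b_num="${b_stamp%-*}${b_stamp#*-}"
    [ "$a_num" -ge "$b_num" ]
}

# Print "fixed", "vulnerable" or "unknown" (empty version string) for version $1.
# Always returns 0 so it is safe to use in command substitution under set -e.
classify_version() {
    if [ -z "$1" ]; then
        echo "unknown"
    elif version_ge "$1" "$FIXED_VERSION"; then
        echo "fixed"
    else
        echo "vulnerable"
    fi
    return 0
}

# Check a deployed app with the cf CLI command from the bulletin. Exit status is
# 0 only when the app is on the fixed buildpack or later. (Not run by the tests:
# it needs a logged-in cf CLI.)
check_app() {
    app="$1"
    v=$(cf ssh "$app" -c "cat staging_info.yml" | extract_buildpack_version)
    status=$(classify_version "$v")
    echo "$app: buildpack-v${v:-?} ($status)"
    [ "$status" = "fixed" ]
}

# Constructed sample of what the cf ssh command prints for an app still on an
# unpatched v3.36 buildpack. Illustrative only, not real IBM Cloud output.
SAMPLE_STAGING_INFO='{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_8, buildpack-v3.36-20190827-1001, ibmjdk-1.8.0_sr5fp40-20190807, env)","start_command":".liberty/initial_startup.rb"}'

# Stand-alone demo: "sh check_liberty.sh --demo" classifies the constructed sample;
# "sh check_liberty.sh <appname>" checks a real app via cf ssh.
if [ "${1:-}" = "--demo" ]; then
    v=$(printf '%s\n' "$SAMPLE_STAGING_INFO" | extract_buildpack_version)
    echo "sample: buildpack-v${v:-?} ($(classify_version "$v"))"
elif [ -n "${1:-}" ]; then
    check_app "$1"
fi
```

The comparison deliberately treats the date-time stamp as significant, because the bulletin names a specific build (v3.37-20191002-1726 "or higher") rather than just v3.37: an earlier v3.37 build would be reported as vulnerable. Any app reported as "vulnerable" or "unknown" should be re-staged or re-pushed with the alternate runtime as described above and then checked again.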
Workarounds and mitigations: none. Re-staging or re-pushing onto the fixed buildpack version is the only remediation.