
Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Cloud (CVE-2019-4304, CVE-2019-4305)

2019-10-23 18:31:35
Source: www.ibm.com

EPSS: 0.001 (percentile 44.3%)

Summary

WebSphere Application Server Liberty contains an information disclosure vulnerability and a security bypass vulnerability. Both have been addressed.

Vulnerability Details

CVEID: CVE-2019-4304 DESCRIPTION: IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions caused by improper session validation.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160950> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2019-4305 DESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information caused by the improper setting of a cookie.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160951> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

These vulnerabilities affect all versions of Liberty for Java in IBM Cloud up to and including v3.36.

Remediation/Fixes

To upgrade to Liberty for Java v3.37-20191002-1726 or higher, you must re-stage or re-push your application and use the alternate runtime.

See the following instructions on how to use the alternate runtime:

<https://cloud.ibm.com/docs/runtimes/liberty?topic=liberty-using_monthly_runtime>

To find the version of Liberty for Java in IBM Cloud that your application is currently using, run the following command from the Cloud Foundry command-line client:

cf ssh <appname> -c "cat staging_info.yml"

Look for the following lines:

{"detected_buildpack":"Liberty for Java™ (WAR, liberty-19.0.0_9, buildpack-v3.37-20191002-1726, ibmjdk-1.8.0_sr5fp41-20190919, env)","start_command":".liberty/initial_startup.rb"}

To re-stage your application using the command-line Cloud Foundry client, use the following command:

cf restage <appname>

To re-push your application using the command-line Cloud Foundry client, use the following command:

cf push <appname>
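The version check above is easy to get wrong by eye when comparing strings such as v3.36-20190905-1030 against the fixed level v3.37-20191002-1726. The following POSIX sh script is an added example, not part of IBM's bulletin: it extracts the buildpack token from a staging_info.yml line and reports whether the application is at or above the fixed buildpack level. The sample staging_info.yml line is constructed for the example (its v3.36 date stamp is invented); in real use the line comes from `cf ssh <appname> -c "cat staging_info.yml"`.

```sh
#!/bin/sh
# Added example (not IBM's code): decide whether a Liberty for Java buildpack
# level taken from staging_info.yml is at or above the fixed level named in
# the bulletin. Uses only POSIX parameter expansion, so it runs under any sh.

FIXED_VERSION="v3.37-20191002-1726"   # fixed level from the bulletin

# Constructed sample line (the date stamp of the v3.36 build is invented).
SAMPLE_STAGING_INFO='{"detected_buildpack":"Liberty for Java(TM) (WAR, liberty-19.0.0_9, buildpack-v3.36-20190905-1030, ibmjdk-1.8.0_sr5fp41-20190919, env)","start_command":".liberty/initial_startup.rb"}'

# buildpack_version LINE: print the "vMAJOR.MINOR-YYYYMMDD-HHMM" token that
# follows "buildpack-" in a staging_info.yml line; exit 1 if none is found.
buildpack_version() {
    rest=${1#*buildpack-}            # text after the first "buildpack-"
    [ "$rest" != "$1" ] || return 1  # marker absent: unchanged string
    ver=${rest%%,*}                  # cut at the next comma
    ver=${ver%%)*}                   # or at ")" if it is the last item
    case "$ver" in
        v[0-9]*.[0-9]*-[0-9]*-[0-9]*) printf '%s\n' "$ver" ;;
        *) return 1 ;;
    esac
}

# split_version vX.Y-YYYYMMDD-HHMM: print "X Y YYYYMMDDHHMM" for numeric comparison.
split_version() {
    v=${1#v}                # 3.37-20191002-1726
    major=${v%%.*}          # 3
    rest=${v#*.}            # 37-20191002-1726
    minor=${rest%%-*}       # 37
    stamp=${rest#*-}        # 20191002-1726
    stamp="${stamp%-*}${stamp#*-}"   # 201910021726
    case "$major$minor$stamp" in
        *[!0-9]*|"") return 1 ;;     # anything non-numeric is not a version
    esac
    printf '%s %s %s\n' "$major" "$minor" "$stamp"
}

# version_at_least CANDIDATE REFERENCE: exit 0 if CANDIDATE >= REFERENCE,
# 1 if it is older, 2 if either string could not be parsed.
version_at_least() {
    set -- $(split_version "$1") $(split_version "$2")
    [ $# -eq 6 ] || return 2
    if [ "$1" -ne "$4" ]; then
        [ "$1" -gt "$4" ] && return 0 || return 1
    fi
    if [ "$2" -ne "$5" ]; then
        [ "$2" -gt "$5" ] && return 0 || return 1
    fi
    [ "$3" -ge "$6" ] && return 0 || return 1
}

# liberty_is_fixed LINE: exit 0 if the buildpack in LINE is at or above
# FIXED_VERSION, 1 if it is older, 2 if no buildpack version was found.
liberty_is_fixed() {
    ver=$(buildpack_version "$1") || return 2
    version_at_least "$ver" "$FIXED_VERSION"
}

# Stand-alone usage on the constructed sample line.
if liberty_is_fixed "$SAMPLE_STAGING_INFO"; then
    echo "buildpack $(buildpack_version "$SAMPLE_STAGING_INFO") is at or above $FIXED_VERSION"
else
    echo "buildpack $(buildpack_version "$SAMPLE_STAGING_INFO") is below $FIXED_VERSION: re-stage or re-push"
fi
```

Comparison is done field by field (major, minor, then the date-time stamp as one integer) rather than as a plain string compare, so a hypothetical v3.100 would correctly sort above v3.37. An exit status of 2 is reserved for "could not determine", so a wrapper can treat unknown as a separate case instead of silently passing or failing the check.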

Workarounds and Mitigations

None.
