Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
ibmIBMD9EC41C3278F0CF27EE51F88F9E3BA69BA96BF3459F3DF84DA3FBE84AA8D9D11
HistoryJun 15, 2018 - 7:03 a.m.

Security Bulletin: : The WebSphere eXtreme Scale 7.1.0 and 7.1.1 monitoring console lacks protection for various vulnerabilities. (CVE-2015-2025 CVE-2015-2026 CVE-2015-2027 CVE-2015-2028 CVE-2015-2029 CVE-2015-2030 CVE-2015-2031)

2018-06-1507:03:22
www.ibm.com
9

EPSS

0.003

Percentile

69.1%

JSON

Summary

These vulnerabilities in the WebSphere eXtreme Scale monitoring console may allow an attacker to gain access to the monitoring console, getting read/only access to statistics data on grid usage.

Vulnerability Details

CVEID: CVE-2015-2025

DESCRIPTION: IBM WebSphere Extreme Scale could allow a remote attacker to obtain sensitive information, caused by the failure to set the secure flag for the session cookie in SSL mode. By intercepting its transmission within an HTTP session, an attacker could exploit this vulnerability to capture the cookie and obtain sensitive information.

CVSS Base Score: 3.5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104053&gt; for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVEID:CVE-2015-2026** **DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to cross-site request forgery, caused by improper validation of user-supplied input. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

CVSS Base Score: 3.5

CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104054 for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2027

DESCRIPTION: IBM WebSphere Extreme Scale could allow a local user to bypass security on another user’s session due to it improperly logging out the previous user.

CVSS Base Score: 3.5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104056&gt; for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2028

DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to a HTTP response splitting attack. A remote unauthenticated attacker could specify a specially crafted URL to inject a malicious response to future requests.

CVSS Base Score: 3.5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104057&gt; for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2029

DESCRIPTION: IBM WebSphere Extreme Scale could allow a remote attacker to hijack a user’s session, caused by the failure to invalidate an existing session identifier. An attacker could exploit this vulnerability to gain access to another user’s session.

CVSS Base Score: 3.5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104058&gt; for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2015-2030

DESCRIPTION: IBM WebSphere Extreme Scale uses an inadequate account lockout setting that could allow a remote attacker to brute force account credentials.

CVSS Base Score: 5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104070&gt; for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-2031

DESCRIPTION: IBM WebSphere Extreme Scale is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVSS Base Score: 3.5

CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/104071&gt; for the current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

WebSphere eXtreme Scale V7.1.0

WebSphere eXtreme Scale V7.1.1

Remediation/Fixes

Product

| VRMF| APAR| Remediation/First Fix
—|—|—|—
WebSphere eXtreme Scale| 7.1.0| PI44105| http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.0.3&platform=All&function=all
WebSphere eXtreme Scale| 7.1.1| PI44098| http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=ibm~WebSphere&product=ibm/WebSphere/WebSphere+eXtreme+Scale&release=7.1.1.1&platform=All&function=all

Workarounds and Mitigations

None. For WebSphere Extreme Scale you will need to apply the appropriate fix.

Related

nvd 7
cve 7
prion 7
cvelist 7
nvd
nvd
CVE-2015-2027
2015-10-04 02:59:10
CVE-2015-2025
2015-10-04 02:59:08
CVE-2015-2029
2015-10-04 02:59:13
cve
cve
CVE-2015-2025
2015-10-04 02:59:08
CVE-2015-2026
2015-10-04 02:59:09
CVE-2015-2027
2015-10-04 02:59:10
prion
prion
Cross site request forgery (csrf)
2015-10-04 02:59:00
Design/Logic Flaw
2015-10-04 02:59:00
Crlf injection
2015-10-04 02:59:00
cvelist
cvelist
CVE-2015-2029
2015-10-04 01:00:00
CVE-2015-2027
2015-10-04 01:00:00
CVE-2015-2028
2015-10-04 01:00:00

EPSS

0.003

Percentile

69.1%

JSON
Related for D9EC41C3278F0CF27EE51F88F9E3BA69BA96BF3459F3DF84DA3FBE84AA8D9D11
nvd7cve7prion7cvelist7