WebSphere Application Server Liberty has an information disclosure vulnerability and a security bypass vulnerability. These vulnerabilities have been addressed.
CVEID: CVE-2019-4304
DESCRIPTION: IBM WebSphere Application Server - Liberty could allow a remote attacker to bypass security restrictions, caused by improper session validation.
CVSS Base Score: 6.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160950> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L)
CVEID: CVE-2019-4305
DESCRIPTION: IBM WebSphere Application Server Liberty could allow a remote attacker to obtain sensitive information, caused by the improper setting of a cookie.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/160951> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
These vulnerabilities affect the following versions and releases of IBM WebSphere Application Server:
The recommended solution is to apply the interim fix, Fix Pack or PTF containing the APAR for each named product as soon as practical.
For WebSphere Application Server Liberty using the appSecurity-1.0 or appSecurity-2.0 feature:
· Upgrade to minimal fix pack levels as required by interim fix and then apply Interim Fix PH15518
--OR--
· Apply Fix Pack 19.0.0.10 or later (targeted availability 4Q2019).
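A triage check for the remediation above, added here as an example and not part of IBM's bulletin: it flags a Liberty server whose server.xml explicitly enables appSecurity-1.0 or appSecurity-2.0 while its fix pack level is below 19.0.0.10. The function names, the sample server.xml and the idea of passing the version in as a string are assumptions of this example.

```python
import xml.etree.ElementTree as ET

FIXED_LEVEL = (19, 0, 0, 10)                        # fix pack named in the bulletin
FEATURES = {"appsecurity-1.0", "appsecurity-2.0"}   # features named in the bulletin


def parse_version(text):
    """Turn '19.0.0.9' into (19, 0, 0, 9) so levels compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def enabled_features(server_xml):
    """Return the bulletin's features that server.xml lists explicitly."""
    root = ET.fromstring(server_xml)
    found = set()
    for feature in root.iter("feature"):
        name = (feature.text or "").strip().lower()
        if name in FEATURES:
            found.add(name)
    return found


def needs_remediation(server_xml, liberty_version):
    """True when a named feature is enabled and the level is below 19.0.0.10."""
    below_fix = parse_version(liberty_version) < FIXED_LEVEL
    return bool(enabled_features(server_xml)) and below_fix


# Constructed sample configuration, not taken from the bulletin.
SAMPLE_SERVER_XML = """
<server description="constructed sample">
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>appSecurity-2.0</feature>
  </featureManager>
</server>
"""

if __name__ == "__main__":
    # A plain string comparison would rank "19.0.0.9" above "19.0.0.10".
    for version in ("19.0.0.9", "19.0.0.10"):
        print(version, needs_remediation(SAMPLE_SERVER_XML, version))
```

The check cannot tell whether Interim Fix PH15518 is already installed, and it only sees features listed explicitly in server.xml, so confirm flagged servers against their installed fixes.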