IBM Security Bulletin: Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix

There is a potential security restriction bypass vulnerability in IBM WebSphere Application Server. This will only occur in environments that have the webcontainer custom property HttpSessionIdReuse enabled.

There is a potential denial of service in IBM WebSphere Application Server when using SIP services.

IBM WebSphere Application Server Liberty could allow a remote attacker to conduct phishing attacks, caused by an open redirect vulnerability. An attacker could exploit this vulnerability to redirect a victim to arbitrary Web sites.

IBM WebSphere Application Server Liberty is vulnerable to cross-site scripting in OpenID Connect clients, caused by improper validation of input. A remote attacker could exploit this vulnerability using a specially crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

There is an information disclosure vulnerability in IBM WebSphere Application Server Liberty.

An Apache Commons FileUpload vulnerability affects WebSphere Application Server.

There is a potential information disclosure in WebSphere Application Server.

CVE(s): CVE-2016-0385, CVE-2016-2960, CVE-2016-3040, CVE-2016-3042, CVE-2016-0378, CVE-2016-3092, CVE-2016-5986

Affected product(s) and affected version(s):

These vulnerabilities affect all versions of Liberty for Java in IBM Bluemix up to and including v3.2.

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2cRUuA6
X-Force Database: http://ift.tt/2bH5iQp
X-Force Database: http://ift.tt/2bH5BuJ
X-Force Database: http://ift.tt/2ciMesr
X-Force Database: http://ift.tt/2coBlSO
X-Force Database: http://ift.tt/2cG9hh7
X-Force Database: http://ift.tt/2bozrA8
X-Force Database: http://ift.tt/2ccJKps



from IBM Product Security Incident Response Team http://ift.tt/2dfrhKG