IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix

Apache Struts vulnerabilities affect the WebSphere Application Server and WebSphere Application Server Hypervisor Edition Administration Console. There is a potential denial of service in IBM WebSphere Application Server when SIP services are used. Several vulnerabilities may affect the IBM HTTP Server that is used by WebSphere Application Server. One of them allows HTTP traffic from CGI applications to be redirected and may affect IBM HTTP Server (IHS); this vulnerability is known as “HTTPOXY”. There is an information disclosure vulnerability in IBM WebSphere Application Server. There is a potential security-restriction bypass vulnerability in IBM WebSphere Application Server; it only occurs in environments that have the webcontainer custom property HttpSessionIdReuse enabled.
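The HTTPOXY issue named above, illustrated here as an added example that is not IBM's code and not from the bulletin: it models how a CGI front end maps request headers into `HTTP_*` environment variables, why an unsanitised `Proxy` request header matters, and the check-and-strip a hardened server applies before the CGI program runs. The header names, function names and the sample request are constructed for the illustration.

```python
from typing import Dict, Mapping, Optional

# Request headers a hardened CGI front end should never forward into the
# script's environment. No standard client sends "Proxy", but a naive
# header-to-environment mapping turns it into HTTP_PROXY, which many HTTP
# client libraries read as their outbound proxy setting (the HTTPOXY issue).
BLOCKED_HEADERS = {"proxy"}


def cgi_meta_variables(headers: Mapping[str, str], *, strip_proxy: bool = True) -> Dict[str, str]:
    """Build the HTTP_* CGI meta-variables (RFC 3875 style) for one request.

    strip_proxy=False reproduces the naive, vulnerable mapping; the default
    True models a server that drops the header before the CGI program runs.
    """
    env: Dict[str, str] = {}
    for name, value in headers.items():
        key = name.strip().lower()
        if strip_proxy and key in BLOCKED_HEADERS:
            continue
        env["HTTP_" + key.upper().replace("-", "_")] = value.strip()
    return env


def effective_proxy(env: Mapping[str, str]) -> Optional[str]:
    """What a typical client library inside the CGI program would pick up as
    its proxy from the environment (case-sensitive lookup, as on POSIX)."""
    return env.get("HTTP_PROXY")


def offending_headers(headers: Mapping[str, str]) -> Dict[str, str]:
    """Detection helper: return the request headers that would be blocked,
    so a front end can log them as suspicious before discarding them."""
    return {n: v for n, v in headers.items() if n.strip().lower() in BLOCKED_HEADERS}


# Constructed sample request; the Proxy value is a placeholder, not a real host.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.50",
    "Proxy": "http://proxy.example.test:3128",
}

if __name__ == "__main__":
    vulnerable = cgi_meta_variables(SAMPLE_HEADERS, strip_proxy=False)
    hardened = cgi_meta_variables(SAMPLE_HEADERS)
    print("naive mapping  ->", effective_proxy(vulnerable))
    print("hardened       ->", effective_proxy(hardened))
    print("logged headers ->", offending_headers(SAMPLE_HEADERS))
```

On Apache httpd-based servers such as IHS the same server-side hardening is done with mod_headers (`RequestHeader unset Proxy early`), which drops the header before any CGI or proxied backend sees it; the fix packages linked in the bulletin remain the primary remediation.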

CVE(s): CVE-2016-1181, CVE-2016-1182, CVE-2016-2960, CVE-2012-0876, CVE-2012-1148, CVE-2016-4472, CVE-2016-0718, CVE-2016-5387, CVE-2016-0377, CVE-2016-0385

Affected product(s) and affected version(s):

All vulnerabilities affect the following versions and releases of IBM WebSphere Application Server:

  • Version 9.0
  • Version 8.5 and 8.5.5 Full Profile and Liberty

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://ift.tt/2cEDc7w
X-Force Database: http://ift.tt/2974C3a
X-Force Database: http://ift.tt/29tkNpV
X-Force Database: http://ift.tt/2bH5BuJ
X-Force Database: http://ift.tt/2aA9yyg
X-Force Database: http://ift.tt/2aAaouW
X-Force Database: http://ift.tt/2bykBrC
X-Force Database: http://ift.tt/2aA9DSH
X-Force Database: http://ift.tt/2aO8XMj
X-Force Database: http://ift.tt/2bH6inX
X-Force Database: http://ift.tt/2bH5iQp
from IBM Product Security Incident Response Team http://ift.tt/2cNmekk