IBM Security Bulletin: Vulnerability in Tivoli LWI impacts pConsole and WebSM for AIX (CVE-2016-6038)
A directory traversal vulnerability in the Eclipse Help component shipped with the Tivoli Lightweight Infrastructure (LWI) allows remote attackers to read arbitrary files via a crafted URL. This vulnerability affects IBM Systems Director Console for AIX (pConsole) and the Web-based System Management Remote Client (WebSM Remote).
CVE(s): CVE-2016-6038
Affected product(s) and affected version(s):
AIX 5.3, 6.1, 7.1
Some AIX releases are potentially vulnerable if an impacted LWI version is present on the system.
1. If one of the following filesets is installed, the LWI version needs to be verified:
sysmgt.pconsole.rte
sysmgt.websm.rte
Note: to find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.
Example: lslpp -L | grep -i sysmgt.pconsole.rte
2. Verify the LWI version. The following LWI versions are vulnerable:
Fileset        Lower Level   Upper Level
---------------------------------------
lwi.runtime    5.0.0.0       5.3.12.9
lwi.runtime    6.0.0.0       6.1.9.99
lwi.runtime    7.0.0.0       7.1.3.x
Note: to find out whether the affected filesets are installed on your systems, refer to the lslpp command found in AIX user’s guide.
Example: lslpp -L | grep -i lwi.runtime
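The two-step check above (confirm the fileset is present, then compare the lwi.runtime level against the vulnerable ranges) as an added POSIX shell example, not part of the IBM bulletin. The `lslpp -L` sample lines, the function names and the 7.1.3.45 level are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the IBM bulletin: decide whether an lwi.runtime level
# falls inside the vulnerable ranges listed above and scan `lslpp -L` output.
# POSIX sh only, so it also runs under AIX ksh.

# ver_le A B C D W X Y Z: true when A.B.C.D <= W.X.Y.Z, compared field by field.
ver_le() {
    [ "$1" -lt "$5" ] && return 0; [ "$1" -gt "$5" ] && return 1
    [ "$2" -lt "$6" ] && return 0; [ "$2" -gt "$6" ] && return 1
    [ "$3" -lt "$7" ] && return 0; [ "$3" -gt "$7" ] && return 1
    [ "$4" -le "$8" ]
}

# lwi_vulnerable LEVEL: true when LEVEL is within a vulnerable range of the table.
# The lower bound of each range (x.0.0.0) is implied by matching the major version.
lwi_vulnerable() {
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    a=${1:-0}; b=${2:-0}; c=${3:-0}; d=${4:-0}
    case $a in
        5) ver_le "$a" "$b" "$c" "$d" 5 3 12 9 ;;                      # 5.0.0.0 - 5.3.12.9
        6) ver_le "$a" "$b" "$c" "$d" 6 1 9 99 ;;                      # 6.0.0.0 - 6.1.9.99
        7) [ "$b" -lt 1 ] || { [ "$b" -eq 1 ] && [ "$c" -le 3 ]; } ;;  # 7.0.0.0 - 7.1.3.x
        *) return 1 ;;
    esac
}

# check_lslpp_output: read `lslpp -L` lines on stdin and print a verdict for each
# lwi.runtime entry. Returns 0 if any vulnerable level was seen, 1 otherwise.
check_lslpp_output() {
    found=1
    while read -r fileset level rest; do
        [ "$fileset" = "lwi.runtime" ] || continue
        if lwi_vulnerable "$level"; then
            echo "VULNERABLE: lwi.runtime $level"; found=0
        else
            echo "ok: lwi.runtime $level"
        fi
    done
    return $found
}

# Live check on an AIX host; filtering replaces the bulletin's `grep -i lwi.runtime`.
check_system() { lslpp -L | check_lslpp_output; }

# Constructed sample of `lslpp -L` output so the check can be exercised offline.
SAMPLE_LSLPP='  Fileset                   Level      State  Type  Description
  ------------------------------------------------------------------------
  sysmgt.pconsole.rte       7.1.3.0    C      F     System Director Console
  lwi.runtime               7.1.3.45   C      F     Lightweight Infrastructure'

demo() { printf '%s\n' "$SAMPLE_LSLPP" | check_lslpp_output; }
demo
```

On a real host run `check_system`; a non-zero exit means no vulnerable lwi.runtime level was found.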
Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://aix.software.ibm.com/aix/efixes/security/pconsole_mitigation.asc
X-Force Database: http://ift.tt/2cRVfZZ
Source: IBM Product Security Incident Response Team, http://ift.tt/2dfssKg