IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server in IBM Cloud

There is an information disclosure vulnerability due to XML external entity (XXE) processing when using the OpenSAML features in WebSphere Application Server Liberty. There is also an information disclosure vulnerability and a denial of service vulnerability that affect the IBM HTTP Server used by WebSphere Application Server.

CVE(s): CVE-2013-6440, CVE-2017-9798, CVE-2017-12618

Affected product(s) and affected version(s):

CVE-2013-6440 affects the following versions and releases of IBM WebSphere Application Server:

Liberty using samlWeb-2.0 feature
Liberty using wsSecuritySaml-1.1 feature

CVE-2017-9798 and CVE-2017-12618 affect the following versions and releases of the IBM HTTP Server (powered by Apache) component in all editions of WebSphere Application Server and bundling products:
Version 9.0
Version 8.5

Refer to the following reference URLs for remediation and additional vulnerability details:
Source Bulletin: http://www.ibm.com/support/docview.wss?uid=swg22013153
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/89714
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/132159
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/134048

The post IBM Security Bulletin: Multiple security vulnerabilities affect IBM WebSphere Application Server in IBM Cloud appeared first on IBM PSIRT Blog.

from IBM Product Security Incident Response Team http://ift.tt/2EAKRiy