CSRF attack in IBM WebSphere Application Server - CVE-2016-0377

 


Published: August 18, 2016


Vulnerability identifier: #VU326
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2016-0377
CWE-ID: CWE-352
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: IBM Corporation
Affected software:
IBM WebSphere Application Server

Detailed vulnerability description

The vulnerability allows a remote attacker to perform a CSRF attack.

The vulnerability exists due to incorrect implementation of anti-CSRF functionality. A remote attacker can obtain potentially sensitive data.

Successful exploitation of this vulnerability may allow an attacker to gain unauthorized access to potentially sensitive information on the target system.


How to mitigate CVE-2016-0377

The vendor has issued the following fixes to address this vulnerability:

For V8.5.0.0 through 8.5.5.9:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI56917
--OR--
· Apply Fix Pack 8.5.5.10 or later

For V8.0.0.0 through 8.0.0.12:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI56917
--OR--
· Apply Fix Pack 8.0.0.13 or later (targeted availability 24 October 2016).

For V7.0.0.0 through 7.0.0.41:
· Upgrade to the minimal fix pack level required by the interim fix and then apply Interim Fix PI56917
--OR--
· Apply Fix Pack 7.0.0.43 or later (targeted availability 2Q2017).


Sources