Vulnerability identifier: #VU8566
Vulnerability risk: Medium
CVSSv3.1: 7.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N/E:U/RL:O/RC:C]
CVE-ID:
CWE-ID:
CWE-22
Exploitation vector: Network
Exploit availability: No
Vulnerable software:
WebSphere Portal
Server applications /
Application servers
Vendor: IBM Corporation
Description
The vulnerability allows a remote attacker to read arbitrary files on the target system.
The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can use a specially crafted URL, containing directory traversal sequences (e.g. “../”) to view contents of arbitrary files on the target system.
Mitigation
Install updates from vendor's website:
Product | VRMF | Fix |
IBM WebSphere Portal | 9.0 |
Upgrade to Cumulative Fix 15 (CF15), targeted for 4Q 2017. OR Upgrade to either Cumulative Fix 13 (CF13) or Cumulative Fix 14 (CF14). Then apply the Interim Fix PI87495. (Combined Cumulative Fixes for WebSphere Portal 9.0.0.0) |
IBM WebSphere Portal | 8.5 |
Upgrade to Cumulative Fix 15 (CF15), targeted for 4Q 2017. OR Upgrade to either Cumulative Fix 13 (CF13) or Cumulative Fix 14 (CF14). Then apply the Interim Fix PI87495. (Combined Cumulative Fixes for WebSphere Portal 8.5.0.0) |
IBM WebSphere Portal | 8.0.0.0 through 8.0.0.1 |
Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 22 (CF22) and then apply the Interim Fix PI87495. (Combined Cumulative Fixes for WebSphere Portal 8.0.0.1) |
IBM WebSphere Portal | 7.0.0.0 through 7.0.0.2 |
Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 30 (CF30) and then apply the Interim Fix PI87495. (Combined Cumulative fixes for WebSphere Portal 7.0.0.2) |
Vulnerable software versions
WebSphere Portal: 7.0.0 - 9.0.0.0
External links
http://www-01.ibm.com/support/docview.wss?uid=swg22008586
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.