#VU8566 Path traversal in WebSphere Portal - CVE-2017-1577


Published: September 21, 2017 / Updated: September 21, 2017


Vulnerability identifier: #VU8566
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2017-1577
CWE-ID: CWE-22
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
WebSphere Portal
Software vendor:
IBM Corporation

Description

The vulnerability allows a remote attacker to read arbitrary files on the target system.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can send a specially crafted URL containing directory traversal sequences (e.g. "../") to view the contents of arbitrary files on the target system.
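As an added illustration that is not part of the advisory and not IBM's code, the Python below contrasts a naive file resolver that reproduces the class of flaw described above with a hardened one that normalizes the request and enforces that the result stays inside the intended base directory, and it adds a small detector that flags traversal sequences in access-log lines. The base directory, file names and log lines are constructed assumptions, not values from the advisory.

```python
"""Added example (not IBM's code): path traversal, vulnerable vs. hardened,
plus detection over constructed access-log lines."""
import posixpath
from typing import List, Optional
from urllib.parse import unquote


def naive_resolve(base_dir: str, requested: str) -> str:
    # VULNERABLE: joins the user-supplied path onto base_dir without checking
    # whether the resulting path still lies inside base_dir.
    return posixpath.join(base_dir, requested)


def decode_fully(value: str, max_rounds: int = 3) -> str:
    # Repeatedly percent-decode so that a double-encoded "%252e" ends up as "."
    # before any containment check runs; stops once decoding is a no-op.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def safe_resolve(base_dir: str, requested: str) -> Optional[str]:
    """Return the normalized path if it stays within base_dir, else None.

    Uses posixpath so the logic is platform-independent; on a real
    filesystem you would additionally realpath() both sides so symlinks
    cannot point outside the base.
    """
    base = posixpath.normpath(base_dir)
    candidate = decode_fully(requested)
    if "\x00" in candidate:
        return None  # NUL bytes can truncate the path in lower layers
    # Treat the request as relative to the base even if it starts with "/".
    candidate = candidate.lstrip("/")
    resolved = posixpath.normpath(posixpath.join(base, candidate))
    # Containment check: resolved must be the base itself or a descendant.
    # The trailing "/" prevents "/opt/portal/docs-private" matching "/opt/portal/docs".
    if resolved != base and not resolved.startswith(base + "/"):
        return None
    return resolved


# Constructed sample access-log lines (hypothetical, not real IBM logs).
SAMPLE_ACCESS_LOG: List[str] = [
    '10.0.0.5 - - [21/Sep/2017:10:00:00 +0000] "GET /docs/manual.pdf HTTP/1.1" 200 5120',
    '10.0.0.9 - - [21/Sep/2017:10:00:01 +0000] "GET /docs/..%2f..%2f..%2fetc/passwd HTTP/1.1" 200 1843',
    '10.0.0.9 - - [21/Sep/2017:10:00:02 +0000] "GET /docs/%252e%252e/%252e%252e/config.xml HTTP/1.1" 404 210',
]


def contains_traversal(url_path: str) -> bool:
    # Decode first, then look for a ".." path segment; backslashes are
    # folded to "/" so Windows-style separators are not missed.
    decoded = decode_fully(url_path).replace("\\", "/")
    return any(segment == ".." for segment in decoded.split("/"))


def flag_traversal_requests(lines: List[str]) -> List[str]:
    """Return the log lines whose request path contains a traversal segment."""
    flagged = []
    for line in lines:
        parts = line.split('"')
        if len(parts) < 3:
            continue  # not a common-log-format line
        request = parts[1].split(" ")
        if len(request) < 2:
            continue
        if contains_traversal(request[1]):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    base = "/opt/portal/docs"
    print("naive :", posixpath.normpath(naive_resolve(base, "../../../etc/passwd")))
    print("safe  :", safe_resolve(base, "../../../etc/passwd"))
    print("safe  :", safe_resolve(base, "manual.pdf"))
    for hit in flag_traversal_requests(SAMPLE_ACCESS_LOG):
        print("flagged:", hit)
```

The hardened resolver decodes before normalizing, because a check performed on the raw percent-encoded string would pass a request that the web container later decodes into "../". The detector applies the same decoding to log entries, so a hunt over historical access logs for the period before the interim fix was applied catches both plain and encoded variants.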


Remediation

Install updates from vendor's website:

Product (VRMF): IBM WebSphere Portal 9.0
Fix: Upgrade to Cumulative Fix 15 (CF15), targeted for 4Q 2017, OR upgrade to either Cumulative Fix 13 (CF13) or Cumulative Fix 14 (CF14) and then apply the Interim Fix PI87495.
(Combined Cumulative Fixes for WebSphere Portal 9.0.0.0)

Product (VRMF): IBM WebSphere Portal 8.5
Fix: Upgrade to Cumulative Fix 15 (CF15), targeted for 4Q 2017, OR upgrade to either Cumulative Fix 13 (CF13) or Cumulative Fix 14 (CF14) and then apply the Interim Fix PI87495.
(Combined Cumulative Fixes for WebSphere Portal 8.5.0.0)

Product (VRMF): IBM WebSphere Portal 8.0.0.0 through 8.0.0.1
Fix: Upgrade to Fix Pack 8.0.0.1 with Cumulative Fix 22 (CF22) and then apply the Interim Fix PI87495.
(Combined Cumulative Fixes for WebSphere Portal 8.0.0.1)

Product (VRMF): IBM WebSphere Portal 7.0.0.0 through 7.0.0.2
Fix: Upgrade to Fix Pack 7.0.0.2 with Cumulative Fix 30 (CF30) and then apply the Interim Fix PI87495.
(Combined Cumulative Fixes for WebSphere Portal 7.0.0.2)

External links