
How to remediate – IBM WebSphere eXtreme Scale 8.6.1.0 < 8.6.1.5 (6598349)

1. Introduction

IBM WebSphere eXtreme Scale 8.6.1.0 is affected by multiple vulnerabilities in its Java components, potentially allowing an unauthenticated attacker to cause a denial of service or unauthorized data access. This impacts systems running the web application server and could lead to service disruption or data compromise. The likely impact on confidentiality, integrity, and availability is medium.

2. Technical Explanation

The vulnerabilities stem from flaws in the Oracle Java SE versions used by WebSphere eXtreme Scale. Specifically, issues exist within the Serialization and Libraries components of Java SE (versions 7u271, 8u261, 11.0.8, and 15) and within the JSSE component of Java SE (versions 7u311, 8u301, 11.0.12, and 17). These vulnerabilities allow an attacker with network access to compromise the Java runtime environment. Successful exploitation can result in a partial denial of service or unauthorized data manipulation.

  • Root cause: The root cause is insecure deserialization and insufficient access controls within the affected Java SE components.
  • Exploit mechanism: An unauthenticated attacker can send crafted data to APIs, potentially through web services, sandboxed Java Web Start applications, or sandboxed Java applets, triggering the vulnerabilities.
  • Scope: Affected versions include IBM WebSphere eXtreme Scale 8.6.1.0 and earlier, relying on vulnerable Oracle Java SE versions (7u271, 8u261, 11.0.8, 15 for Serialization/Libraries; 7u311, 8u301, 11.0.12, 17 for JSSE).

3. Detection and Assessment

Confirming exposure means checking the installed product version and the Java runtime that WebSphere eXtreme Scale uses. A thorough assessment also reviews logs for exploitation attempts.

  • Quick checks: Run java -version on each system running WebSphere eXtreme Scale, using the Java runtime the product actually starts with (the bundled JRE may differ from the system default java on the PATH).
  • Scanning: Nessus relies on self-reported version numbers, so ensure accurate reporting within your environment. Other vulnerability scanners may have signatures for these CVEs (see section 8).
  • Logs and evidence: Review application logs for errors related to Java deserialization or access control failures. Specific log patterns will vary depending on the WebSphere configuration.
java -version
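To turn the quick check above into a repeatable assessment, the following Python script (an added example, not code from the article or from IBM) parses a java -version banner and compares it with the Java SE versions named in section 2. It assumes the usual reading of Oracle advisories: each listed version and every earlier update in the same family is affected, and later updates carry the fix.

```python
"""Assess a 'java -version' banner against the Java SE ranges named in the advisory.
Assumption: each listed version and every earlier update in the same family is
affected; later updates are fixed. Families the advisory does not list (e.g. 16)
are outside its scope and are reported as 'outside listed ranges', not as safe."""
import re
import subprocess

# Highest affected (minor, update) per Java family, taken from the article text.
AFFECTED = {
    "Serialization/Libraries": {7: (0, 271), 8: (0, 261), 11: (0, 8), 15: (0, 0)},
    "JSSE": {7: (0, 311), 8: (0, 301), 11: (0, 12), 17: (0, 0)},
}


def parse_java_version(text):
    """Return (family, (minor, update)) from a banner or a bare version string.
    Legacy '1.8.0_261' normalises to (8, (0, 261)); modern '11.0.8' to (11, (0, 8))."""
    m = re.search(r'version "([^"]+)"', text)
    raw = m.group(1) if m else text.strip()
    m = re.match(r"(?:1\.)?(\d+)(?:\.(\d+))?(?:[._](\d+))?", raw)
    if not m:
        raise ValueError(f"unrecognised Java version: {raw!r}")
    family, minor, update = (int(g) if g else 0 for g in m.groups())
    return family, (minor, update)


def affected_components(text):
    """List the advisory components whose affected range contains this runtime."""
    family, level = parse_java_version(text)
    return [comp for comp, ceilings in AFFECTED.items()
            if family in ceilings and level <= ceilings[family]]


def check_local_java(java_path="java"):
    """Run the given java binary (point it at the JRE WebSphere actually starts,
    not the system default) and assess its banner; 'java -version' prints to stderr."""
    proc = subprocess.run([java_path, "-version"], capture_output=True, text=True)
    banner = proc.stderr or proc.stdout
    return banner.strip().splitlines()[0], affected_components(banner)


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    samples = [
        'java version "1.8.0_261"\nJava(TM) SE Runtime Environment (build 1.8.0_261-b12)',
        'openjdk version "11.0.12" 2021-07-20',
        'openjdk version "17.0.1" 2021-10-19',
    ]
    for banner in samples:
        hits = affected_components(banner)
        print(banner.splitlines()[0], "->", ", ".join(hits) if hits else "outside listed ranges")
```

Pass the full path of the product's bundled java binary to check_local_java() to assess a live host; the result is only as good as the banner, so pair it with the product-version check.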

4. Solution / Remediation Steps

The primary solution is to upgrade IBM WebSphere eXtreme Scale to version 8.6.1.5 or later.

4.1 Preparation

  • Rollback plan: Restore from backup or revert to the previous snapshot if issues occur during the upgrade process.
  • Change window: A maintenance window and change approval may be required, depending on your organization’s policies.

4.2 Implementation

  1. Download IBM WebSphere eXtreme Scale version 8.6.1.5 or later from the IBM support website.
  2. Stop all WebSphere server instances and the deployment manager.
  3. Install the new version of WebSphere eXtreme Scale, following the official IBM installation guide.
  4. Start the deployment manager and then restart all WebSphere server instances.

4.3 Config or Code Example

The fix involves upgrading the entire WebSphere product; there is no specific config change.

Before

WebSphere eXtreme Scale 8.6.1.0 (or earlier)

After

WebSphere eXtreme Scale 8.6.1.5 (or later)

4.4 Security Practices Relevant to This Vulnerability

  • Least privilege: Ensure WebSphere processes run with the minimum necessary privileges to reduce the impact of a successful exploit.
  • Patch cadence: Implement a regular patch management process to apply security updates promptly.

4.5 Automation (Optional)

Automation is not directly applicable for this vulnerability, as it requires a full product upgrade.

5. Verification / Validation

  • Post-fix check: Run java -version on systems running WebSphere eXtreme Scale to confirm the runtime is later than the affected Java SE versions listed in section 2.
  • Re-test: Re-run the initial version check (java -version) and confirm the installed product reports version 8.6.1.5 or later, to ensure the upgrade was successful.
  • Smoke test: Verify that key web applications and services accessible through WebSphere are functioning as expected.
java -version

6. Preventive Measures and Monitoring

  • Baselines: Update your security baseline to require WebSphere eXtreme Scale 8.6.1.5 or later.
  • Asset and patch process: Establish a regular schedule for patching WebSphere and its dependencies, including Java SE.

7. Risks, Side Effects, and Roll Back

8. References and Resources

Updated on December 27, 2025
