Vulnerability Name:

CVE-2016-0378 (CCN-112240)

Assigned: 2015-12-08
Published: 2016-09-16
Updated: 2016-11-28
Summary: IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3, when the installation lacks a default error page, allows remote attackers to obtain sensitive information by triggering an exception.
CVSS v3 Severity: 3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
3.2 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): Low
Integrity (I): None
Availability (A): None
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): None
Impact Metrics: Confidentiality (C): Partial
Integrity (I): None
Availability (A): None
Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information
References: Source: MITRE
Type: CNA
CVE-2016-0378

Source: AIXAPAR
Type: Broken Link
PI54459

Source: CONFIRM
Type: Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21981529

Source: CCN
Type: IBM Security Bulletin 732325 (Multi-Enterprise Integration Gateway)
Stack Trace Vulnerability Affects IBM B2B Advanced Communication (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin N1021705 (Server Firmware, HMC and SDMC)
Vulnerabilities in IBM WebSphere Application Server affect Power Hardware Management Console (CVE-2016-0378, CVE-2016-3092 and CVE-2016-5986)

Source: CCN
Type: IBM Security Bulletin 1981529 (WebSphere Application Server)
Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1988267 (Support Assistant)
Security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Support Assistant Team Server (CVE-2016-0359, CVE-2016-0378, CVE-2016-5986)

Source: CCN
Type: IBM Security Bulletin 1990236 (WebSphere Application Server for Bluemix)
Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix

Source: CCN
Type: IBM Security Bulletin 1990527 (Liberty for Java for Bluemix)
Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix

Source: CCN
Type: IBM Security Bulletin 1993571 (Streams)
A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1993794 (Monitoring)
vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Performance Management products

Source: CCN
Type: IBM Security Bulletin 1994537 (Tealeaf Customer Experience)
Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986)

Source: CCN
Type: IBM Security Bulletin 1995238 (MessageSight)
Information Disclosure in IBM MessageSight (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1995546 (Tivoli Storage Manager Extended Edition)
Multiple security vulnerabilities in IBM WebSphere Application Server Liberty affect Tivoli Storage Manager (IBM Spectrum Protect) Operations Center (CVE-2016-0378, CVE-2016-3040, CVE-2016-3042, CVE-2016-5986)

Source: CCN
Type: IBM Security Bulletin 1996502 (Tivoli Netcool/Impact)
IBM Tivoli Netcool Impact affected by Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1996614 (Security Privileged Identity Manager)
Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance

Source: CCN
Type: IBM Security Bulletin 1996788 (MQ Light)
Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect IBM MQ Light (CVE-2016-5986, CVE-2016-3040, CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1996968 (SPSS Analytic Server)
Vulnerability in IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1997638 (Algo One)
Vulnerabilities in IBM Algorithmics Algo One Algo Risk Application (ARA) Stack trace may be thrown if no default error page was set up and exception occurred

Source: CCN
Type: IBM Security Bulletin 1997723 (Transformation Extender Advanced)
Two vulnerabilities in WAS Liberty affect IBM Transformation Extender Advanced and IBM Standards Processing Engine (CVE-2016-0378 and CVE-2016-5986)

Source: CCN
Type: IBM Security Bulletin 1998328 (Security Identity Governance and Intelligence)
A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM Security Identity Governance and Intelligence (CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 1998827 (Control Center)
Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-3042, CVE-2016-3040, CVE-2016-5986, CVE-2016-0378)

Source: CCN
Type: IBM Security Bulletin 2002049 (Security Directory Suite)
Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986)

Source: CCN
Type: IBM Security Bulletin 2013617 (Security Identity Manager)
Multiple vulnerabilities have been fixed in IBM Security Identity Manager

Source: CCN
Type: IBM Security Bulletin C1000214 (MobileFirst Platform Foundation)
Multiple Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Worklight and IBM MobileFirst Platform Foundation

Source: BID
Type: UNKNOWN
93143

Source: CCN
Type: BID-93143
IBM WebSphere Application Server Liberty CVE-2016-0378 Information Disclosure Vulnerability

Source: XF
Type: UNKNOWN
ibm-was-cve20160378-info-disc(112240)

Source: CCN
Type: IBM Security Bulletin 6967241 (Watson Speech Services Cartridge for Cloud Pak for Data)
IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (Version <= 16.0.0.2)

Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:::~~liberty~~~:*:*:*:*:*
  • AND
  • cpe:/a:ibm:support_assistant:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:messagesight:1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tealeaf_customer_experience:16.1.01:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:algo_one:5.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_mq_light:1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_manager:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:messagesight:1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:5.4.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_analytic_server:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:liberty:3.13:*:java:*:bluemix:*:*:*
  • OR cpe:/a:ibm:security_privileged_identity_manager:2.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:7.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_mq_light:1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:3.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:transformation_extender:9.0:*:advanced:*:*:*:*:*
  • OR cpe:/a:ibm:algo_one:5.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:4.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:-:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:monitoring:8.1.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:monitoring:8.1.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:streams:4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:control_center:6.1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:support_assistant:5.0.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:support_assistant:5.0.1.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:support_assistant:5.0.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:support_assistant:5.0.2.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:support_assistant:5.0.2.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_privileged_identity_manager:2.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_analytic_server:3.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:spss_analytic_server:3.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_directory_suite:8.0.1:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    ibm websphere application server *
    ibm websphere application server
    ibm support assistant 5.0
    ibm messagesight 1.1
    ibm tealeaf customer experience 16.1.01
    ibm algo one 5.0
    ibm websphere mq light 1
    ibm tivoli netcool/impact 7.1.0
    ibm security identity manager 7.0
    ibm messagesight 1.2
    ibm control center 5.4.2.1
    ibm spss analytic server 2.0
    ibm control center 6.0.0.1
    ibm liberty 3.13
    ibm security privileged identity manager 2.0.2
    ibm mobilefirst platform foundation 7.1
    ibm websphere mq light 1.0
    ibm streams 3.0
    ibm streams 3.1
    ibm streams 3.2
    ibm streams 3.2.1
    ibm streams 4.0
    ibm streams 4.0.1
    ibm streams 4.1
    ibm transformation extender 9.0
    ibm algo one 5.1.0
    ibm security identity governance and intelligence 5.2.1
    ibm streams 4.1.1
    ibm websphere application server -
    ibm websphere application server -
    ibm monitoring 8.1.2
    ibm monitoring 8.1.3
    ibm streams 4.2
    ibm mobilefirst platform foundation 8.0
    ibm control center 6.1.0.1
    ibm support assistant 5.0.1.0
    ibm support assistant 5.0.1.1
    ibm support assistant 5.0.2.0
    ibm support assistant 5.0.2.1
    ibm support assistant 5.0.2.2
    ibm security privileged identity manager 2.1.0
    ibm spss analytic server 3.0
    ibm spss analytic server 3.0.1
    ibm security directory suite 8.0.1