Vulnerability Name: CVE-2016-0378 (CCN-112240)
Assigned: 2015-12-08
Published: 2016-09-16
Updated: 2016-11-28
Summary: IBM WebSphere Application Server (WAS) Liberty before 16.0.0.3, when the installation lacks a default error page, allows remote attackers to obtain sensitive information by triggering an exception.

CVSS v3 Severity:
  3.7 Low (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  3.2 Low (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None
  3.7 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
  3.2 Low (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
    Exploitability Metrics: Attack Vector (AV): Network; Attack Complexity (AC): High; Privileges Required (PR): None; User Interaction (UI): None
    Scope: Scope (S): Unchanged
    Impact Metrics: Confidentiality (C): Low; Integrity (I): None; Availability (A): None

CVSS v2 Severity:
  4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): Medium; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None
  2.6 Low (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:P/I:N/A:N)
    Exploitability Metrics: Access Vector (AV): Network; Access Complexity (AC): High; Authentication (Au): None
    Impact Metrics: Confidentiality (C): Partial; Integrity (I): None; Availability (A): None

Vulnerability Type: CWE-200
Vulnerability Consequences: Obtain Information

References:
  Source: MITRE; Type: CNA; CVE-2016-0378
  Source: AIXAPAR; Type: Broken Link; PI54459
  Source: CONFIRM; Type: Vendor Advisory; http://www-01.ibm.com/support/docview.wss?uid=swg21981529
  Source: CCN; Type: IBM Security Bulletin 732325 (Multi-Enterprise Integration Gateway); Stack Trace Vulnerability Affects IBM B2B Advanced Communication (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin N1021705 (Server Firmware, HMC and SDMC); Vulnerabilities in IBM WebSphere Application Server affect Power Hardware Management Console (CVE-2016-0378, CVE-2016-3092 and CVE-2016-5986)
  Source: CCN; Type: IBM Security Bulletin 1981529 (WebSphere Application Server); Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1988267 (Support Assistant); Security vulnerabilities have been identified in WebSphere Application Server shipped with IBM Support Assistant Team Server (CVE-2016-0359, CVE-2016-0378, CVE-2016-5986)
  Source: CCN; Type: IBM Security Bulletin 1990236 (WebSphere Application Server for Bluemix); Multiple security vulnerabilities affect IBM WebSphere Application Server for Bluemix
  Source: CCN; Type: IBM Security Bulletin 1990527 (Liberty for Java for Bluemix); Multiple security vulnerabilities affect Liberty for Java for IBM Bluemix
  Source: CCN; Type: IBM Security Bulletin 1993571 (Streams); A security vulnerability has been identified in IBM WebSphere Application Server Liberty which may impact IBM Streams (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1993794 (Monitoring); vulnerabilities in IBM WebSphere Application Server Liberty affects IBM Performance Management products
  Source: CCN; Type: IBM Security Bulletin 1994537 (Tealeaf Customer Experience); Vulnerabilities in IBM WebSphere Application Server and IBM Java Runtime affect IBM Tealeaf Customer Experience (CVE-2016-0378, CVE-2016-3485, CVE-2016-5986)
  Source: CCN; Type: IBM Security Bulletin 1995238 (MessageSight); Information Disclosure in IBM MessageSight (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1995546 (Tivoli Storage Manager Extended Edition); Multiple security vulnerabilities in IBM WebSphere Application Server Liberty affect Tivoli Storage Manager (IBM Spectrum Protect) Operations Center (CVE-2016-0378, CVE-2016-3040, CVE-2016-3042, CVE-2016-5986)
  Source: CCN; Type: IBM Security Bulletin 1996502 (Tivoli Netcool/Impact); IBM Tivoli Netcool Impact affected by Information Disclosure in IBM WebSphere Application Server Liberty (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1996614 (Security Privileged Identity Manager); Multiple Security Vulnerabilities affect IBM Security Privileged Identity Manager Virtual Appliance
  Source: CCN; Type: IBM Security Bulletin 1996788 (MQ Light); Multiple vulnerabilities in IBM WebSphere Application Server Liberty affect IBM MQ Light (CVE-2016-5986, CVE-2016-3040, CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1996968 (SPSS Analytic Server); Vulnerability in IBM WebSphere Application Server Liberty affects IBM SPSS Analytic Server (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1997638 (Algo One); Vulnerabilities in IBM Algorithmics Algo One Algo Risk Application (ARA) Stack trace may be thrown if no default error page was set up and exception occurred
  Source: CCN; Type: IBM Security Bulletin 1997723 (Transformation Extender Advanced); Two vulnerabilities in WAS Liberty affect IBM Transformation Extender Advanced and IBM Standards Processing Engine (CVE-2016-0378 and CVE-2016-5986)
  Source: CCN; Type: IBM Security Bulletin 1998328 (Security Identity Governance and Intelligence); A security vulnerability has been identified in WebSphere Liberty Profile shipped with IBM Security Identity Governance and Intelligence (CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 1998827 (Control Center); Multiple vulnerabilities in IBM WebSphere affect IBM Control Center (CVE-2016-3042, CVE-2016-3040, CVE-2016-5986, CVE-2016-0378)
  Source: CCN; Type: IBM Security Bulletin 2002049 (Security Directory Suite); Multiple security vulnerabilities have been identified in IBM WebSphere Application Server Liberty shipped with IBM Security Directory Suite (CVE-2016-0378, CVE-2016-5983 and CVE-2016-5986)
  Source: CCN; Type: IBM Security Bulletin 2013617 (Security Identity Manager); Multiple vulnerabilities have been fixed in IBM Security Identity Manager
  Source: CCN; Type: IBM Security Bulletin C1000214 (MobileFirst Platform Foundation); Multiple Vulnerabilities in IBM WebSphere Application Server Liberty affect IBM Worklight and IBM MobileFirst Platform Foundation
  Source: BID; Type: UNKNOWN; 93143
  Source: CCN; Type: BID-93143; IBM WebSphere Application Server Liberty CVE-2016-0378 Information Disclosure Vulnerability
  Source: XF; Type: UNKNOWN; ibm-was-cve20160378-info-disc(112240)
  Source: CCN; Type: IBM Security Bulletin 6967241 (Watson Speech Services Cartridge for Cloud Pak for Data); IBM Watson Speech Services Cartridge for IBM Cloud Pak for Data is vulnerable to an information exposure in WebSphere Application Server Liberty (CVE-2016-0378)

Vulnerable Configuration:
  Configuration 1:
    cpe:/a:ibm:websphere_application_server:*:*:*:*:liberty:*:*:* (Version <= 16.0.0.2)
  Configuration CCN 1:
    cpe:/a:ibm:websphere_application_server:::~~liberty~~~:*:*:*:*:*
    AND
    cpe:/a:ibm:support_assistant:5.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:messagesight:1.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:tealeaf_customer_experience:16.1.01:*:*:*:*:*:*:*
    OR cpe:/a:ibm:algo_one:5.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:websphere_mq_light:1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:tivoli_netcool/impact:7.1.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:security_identity_manager:7.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:messagesight:1.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:control_center:5.4.2.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:spss_analytic_server:2.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:control_center:6.0.0.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:liberty:3.13:*:java:*:bluemix:*:*:*
    OR cpe:/a:ibm:security_privileged_identity_manager:2.0.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:mobilefirst_platform_foundation:7.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:websphere_mq_light:1.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:3.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:3.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:3.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:3.2.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:4.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:4.0.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:4.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:transformation_extender:9.0:*:advanced:*:*:*:*:*
    OR cpe:/a:ibm:algo_one:5.1.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:security_identity_governance_and_intelligence:5.2.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:4.1.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:websphere_application_server:-:*:*:*:*:*:*:*
    OR cpe:/a:ibm:websphere_application_server:-:*:*:*:*:*:*:*
    OR cpe:/a:ibm:monitoring:8.1.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:monitoring:8.1.3:*:*:*:*:*:*:*
    OR cpe:/a:ibm:streams:4.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:mobilefirst_platform_foundation:8.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:control_center:6.1.0.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:support_assistant:5.0.1.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:support_assistant:5.0.1.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:support_assistant:5.0.2.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:support_assistant:5.0.2.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:support_assistant:5.0.2.2:*:*:*:*:*:*:*
    OR cpe:/a:ibm:security_privileged_identity_manager:2.1.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:spss_analytic_server:3.0:*:*:*:*:*:*:*
    OR cpe:/a:ibm:spss_analytic_server:3.0.1:*:*:*:*:*:*:*
    OR cpe:/a:ibm:security_directory_suite:8.0.1:*:*:*:*:*:*:*

ibm websphere application server *
ibm websphere application server
ibm support assistant 5.0
ibm messagesight 1.1
ibm tealeaf customer experience 16.1.01
ibm algo one 5.0
ibm websphere mq light 1
ibm tivoli netcool/impact 7.1.0
ibm security identity manager 7.0
ibm messagesight 1.2
ibm control center 5.4.2.1
ibm spss analytic server 2.0
ibm control center 6.0.0.1
ibm liberty 3.13
ibm security privileged identity manager 2.0.2
ibm mobilefirst platform foundation 7.1
ibm websphere mq light 1.0
ibm streams 3.0
ibm streams 3.1
ibm streams 3.2
ibm streams 3.2.1
ibm streams 4.0
ibm streams 4.0.1
ibm streams 4.1
ibm transformation extender 9.0
ibm algo one 5.1.0
ibm security identity governance and intelligence 5.2.1
ibm streams 4.1.1
ibm websphere application server -
ibm websphere application server -
ibm monitoring 8.1.2
ibm monitoring 8.1.3
ibm streams 4.2
ibm mobilefirst platform foundation 8.0
ibm control center 6.1.0.1
ibm support assistant 5.0.1.0
ibm support assistant 5.0.1.1
ibm support assistant 5.0.2.0
ibm support assistant 5.0.2.1
ibm support assistant 5.0.2.2
ibm security privileged identity manager 2.1.0
ibm spss analytic server 3.0
ibm spss analytic server 3.0.1
ibm security directory suite 8.0.1