Vulnerability Name:

CVE-2018-1996 (CCN-154650)

Assigned:2017-12-13
Published:2019-02-14
Updated:2020-08-24
Summary:IBM WebSphere Application Server 7.0, 8.0, 8.5, and 9.0 could provide weaker than expected security, caused by the improper TLS configuration. A remote attacker could exploit this vulnerability to obtain sensitive information using man in the middle techniques. IBM X-Force ID: 154650.
CVSS v3 Severity:5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N)
4.6 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): High
Integrity (I): None
Availibility (A): None
CVSS v2 Severity:3.5 Low (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Partial
Integrity (I): None
Availibility (A): None
4.9 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:N/A:N)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): High
Athentication (Au): Single_Instance
Impact Metrics:Confidentiality (C): Complete
Integrity (I): None
Availibility (A): None
Vulnerability Type:CWE-327
Vulnerability Consequences:Obtain Information
References:Source: MITRE
Type: CNA
CVE-2018-1996

Source: CCN
Type: IBM Security Bulletin 873104 (Tivoli Monitoring V6)
Multiple vulnerabilities affect IBM Tivoli Monitoring embedded WebSphere Application Server

Source: CCN
Type: IBM Security Bulletin 874598 (Spectrum Control Standard Edition)
Potential WebSphere Application Server weakness in security affects IBM Spectrum Control (formerly Tivoli Storage Productivity Center) (CVE-2018-1996)

Source: CCN
Type: IBM Security Bulletin 880985 (Content Collector)
Content Collector for Email is affected by a Weaker than expected security when using transition mode for SP800-131a in WebSphere App Server

Source: BID
Type: Third Party Advisory, VDB Entry
107155

Source: XF
Type: UNKNOWN
ibm-websphere-cve20181996-info-disc(154650)

Source: XF
Type: VDB Entry, Vendor Advisory
ibm-websphere-cve20181996-info-disc(154650)

Source: CCN
Type: IBM Security Bulletin 0793421 (WebSphere Application Server)
Weaker than expected security in WebSphere Application Server with SP800-131 transition mode (CVE-2018-1996)

Source: CONFIRM
Type: Patch, Vendor Advisory
https://www.ibm.com/support/docview.wss?uid=ibm10793421

Source: CCN
Type: IBM Security Bulletin 793597 (WebSphere Application Server in Cloud)
Multiple Security Vulnerabilities Affect IBM WebSphere Application Server in IBM Cloud

Source: CCN
Type: IBM Security Bulletin 1127589 (App Connect Enterprise)
IBM Integration Bus & IBM App Connect Enterprise are affected by a Websphere Application Server Vulnerability (CVE-2018-1996)

Source: CCN
Type: IBM Security Bulletin 1150930 (WebSphere Message Broker)
WebSphere Message Broker is affected by a Websphere Application Server Vulnerability (CVE-2018-1996)

Source: CCN
Type: IBM Security Bulletin 960284 (Cloud Orchestrator)
A security vulnerability has been identified in WebSphere Application Server shipped with IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise (CVE-2018-1996)

Vulnerable Configuration:Configuration 1:
  • cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 7.0.0.0 and <= 7.0.0.45)
  • OR cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 8.0.0.0 and <= 8.0.0.15)
  • OR cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 8.5.0.0 and <= 8.5.5.14)
  • OR cpe:/a:ibm:websphere_application_server:*:*:*:*:*:*:*:* (Version >= 9.0.0.0 and <= 9.0.0.10)

    • Configuration CCN 1:
  • cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server:9.0:*:*:*:*:*:*:*
  • AND
  • cpe:/a:ibm:tivoli_monitoring:6.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:9.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:content_collector:4.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.4.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.4.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.4.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.4.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.4.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.2.3.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:tivoli_monitoring:6.3.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server_in_cloud:8.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server_in_cloud:9.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_application_server_in_cloud:*:*:*:*:liberty:*:*:*
  • OR cpe:/a:ibm:websphere_message_broker:8.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_orchestrator:2.5.0.9:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    ibm websphere application server *
    ibm websphere application server *
    ibm websphere application server *
    ibm websphere application server *
    ibm websphere application server 7.0
    ibm websphere application server 8.0
    ibm websphere application server 8.5
    ibm websphere application server 9.0
    ibm tivoli monitoring 6.2.3
    ibm tivoli monitoring 6.2.3.1
    ibm tivoli monitoring 6.2.3.2
    ibm integration bus 9.0.0.0
    ibm content collector 4.0.0.0
    ibm cloud orchestrator 2.4
    ibm tivoli monitoring 6.2.3
    ibm tivoli monitoring 6.2.3.1
    ibm tivoli monitoring 6.2.3.2
    ibm tivoli monitoring 6.2.3.3
    ibm tivoli monitoring 6.2.3.4
    ibm tivoli monitoring 6.2.3.5
    ibm tivoli monitoring 6.3.0.2
    ibm tivoli monitoring 6.3.0.3
    ibm tivoli monitoring 6.3.0.4
    ibm cloud orchestrator 2.4.0.1
    ibm cloud orchestrator 2.4.0.2
    ibm cloud orchestrator 2.5
    ibm cloud orchestrator 2.5.0.1
    ibm cloud orchestrator 2.4.0.3
    ibm cloud orchestrator 2.5.0.2
    ibm tivoli monitoring 6.3.0.5
    ibm tivoli monitoring 6.3.0.6
    ibm tivoli monitoring 6.3.0.7
    ibm cloud orchestrator 2.4.0.4
    ibm cloud orchestrator 2.5.0.3
    ibm cloud orchestrator 2.5.0.4
    ibm cloud orchestrator 2.4.0.5
    ibm cloud orchestrator 2.5.0.5
    ibm tivoli monitoring 6.2.3.3
    ibm tivoli monitoring 6.2.3.4
    ibm tivoli monitoring 6.2.3.5
    ibm tivoli monitoring 6.3.0.2
    ibm tivoli monitoring 6.3.0.3
    ibm tivoli monitoring 6.3.0.4
    ibm tivoli monitoring 6.3.0.5
    ibm tivoli monitoring 6.3.0.6
    ibm tivoli monitoring 6.3.0.7
    ibm websphere application server in cloud 8.5
    ibm websphere application server in cloud 9.0
    ibm websphere application server in cloud *
    ibm websphere message broker 8.0.0.0
    ibm integration bus 10.0.0.0
    ibm cloud orchestrator 2.5.0.6
    ibm cloud orchestrator 2.5.0.7
    ibm cloud orchestrator 2.5.0.8
    ibm cloud orchestrator 2.5.0.9