CVE-2019-4505: WebSphere arbitrary file read vulnerability alert
IBM recently issued an alert about an arbitrary file read vulnerability in WebSphere (CVE-2019-4505). A remote attacker can construct a specific URL to retrieve sensitive files from the server, which lets the attacker read arbitrary files within a directory.
Affected versions
- WebSphere Application Server Version 9.0
- WebSphere Application Server Version 8.5
- WebSphere Virtual Enterprise Version 8.0
- WebSphere Virtual Enterprise Version 7.0
Solution
For V9.0.0.0 through 9.0.5.0:
· Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH14796
–OR–
· Apply Fix Pack 9.0.5.1 or later (targeted availability 3Q 2019).
For V8.5.0.0 through 8.5.5.16:
· Upgrade to the minimal fix pack level required by the interim fix, then apply Interim Fix PH14796
–OR–
· Apply Fix Pack 8.5.5.17 or later (targeted availability 1Q 2020).
For WebSphere Virtual Enterprise Edition:
For V7.0:
· Apply Interim Fix PH14796
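A quick way to triage a fleet against the remediation levels above is to parse the product version and installed interim fixes and compare them with the thresholds the alert gives: 9.0.5.1 for the 9.0 line, 8.5.5.17 for the 8.5 line, or the presence of PH14796 on any line (the only remedy listed for Virtual Enterprise). The following is an added example, not IBM code or part of the original alert; the `versionInfo`-style output and the interim fix ID naming (`<level>-WS-WAS-IF<APAR>`) are constructed assumptions, so adapt the regular expressions to what `versionInfo.sh -ifixes` prints on your install.

```python
"""Added example (not IBM's code): classify a WebSphere install against the
CVE-2019-4505 remediation levels from the alert. The sample output below is a
constructed approximation of versionInfo output; its exact layout is an assumption."""
import re

# Fix pack levels at which the alert says the issue is resolved, per product line.
FIXED_FIX_PACK = {
    "9.0": (9, 0, 5, 1),    # Fix Pack 9.0.5.1 or later
    "8.5": (8, 5, 5, 17),   # Fix Pack 8.5.5.17 or later
}
INTERIM_FIX = "PH14796"     # applies to WAS 9.0, WAS 8.5 and Virtual Enterprise

# Constructed sample: a WAS ND 8.5.5.14 node with one unrelated ifix installed.
SAMPLE_VERSION_INFO = """\
Installed Product
Name                     IBM WebSphere Application Server Network Deployment
Version                  8.5.5.14
ID                       ND
Installed Interim Fixes
ID                       8.5.5.14-WS-WAS-IFPH12345
"""


def parse_version_info(text):
    """Return (version tuple, set of interim fix IDs) from versionInfo-style text.

    Only the first 'Version' line is used; ifix IDs are read from 'ID' lines that
    follow the 'Installed Interim Fixes' heading (assumed layout, see lead-in)."""
    version = None
    ifixes = set()
    in_ifix_section = False
    for line in text.splitlines():
        m = re.match(r"Version\s+(\d+(?:\.\d+)+)", line)
        if m and version is None:
            version = tuple(int(p) for p in m.group(1).split("."))
        if line.startswith("Installed Interim Fixes"):
            in_ifix_section = True
            continue
        if in_ifix_section:
            m = re.match(r"ID\s+(\S+)", line)
            if m:
                ifixes.add(m.group(1))
    if version is None:
        raise ValueError("no Version line found in versionInfo output")
    return version, ifixes


def remediation_status(version, ifixes):
    """Return 'fixed-by-fixpack', 'fixed-by-ifix' or 'vulnerable'.

    A product line without a fix pack threshold in the alert (e.g. Virtual
    Enterprise 7.0) is only considered remediated when PH14796 is present."""
    line = f"{version[0]}.{version[1]}"
    threshold = FIXED_FIX_PACK.get(line)
    if threshold is not None and version >= threshold:
        return "fixed-by-fixpack"
    if any(INTERIM_FIX in fix_id for fix_id in ifixes):
        return "fixed-by-ifix"
    return "vulnerable"


if __name__ == "__main__":
    ver, fixes = parse_version_info(SAMPLE_VERSION_INFO)
    print(".".join(map(str, ver)), sorted(fixes), remediation_status(ver, fixes))
```

The check only confirms that the remedy is present, not that the host was first raised to the minimal fix pack level the interim fix itself requires; treat a `fixed-by-ifix` result on an old fix pack as something to verify against the PH14796 prerequisites rather than as a final answer.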