CVE-2015-1927

Name of the Vulnerable Software and Affected Versions WebSphere Application Server versions 7.0.0 through 7.0.0.38 WebSphere Application Server versions 8.0.0 through 8.0.0.10 WebSphere Application Server versions 8.5 through 8.5.5.5

Description The issue is related to insufficient access control in the WebSphere Application Server. Exploitation of this issue may allow a remote attacker to gain privileged access by manipulating the value of the com.ibm.ws.webcontainer.disallowServeServletsByClassname object. The default configuration of the server has a false value for the com.ibm.ws.webcontainer.disallowServeServletsByClassname WebContainer property, which allows remote attackers to obtain privileged access.

Recommendations For WebSphere Application Server versions 7.0.0 through 7.0.0.38, update to version 7.0.0.39 or later. For WebSphere Application Server versions 8.0.0 through 8.0.0.10, update to version 8.0.0.11 or later. For WebSphere Application Server versions 8.5 through 8.5.5.5, update to version 8.5.5.6 or later. As a temporary workaround, consider setting the com.ibm.ws.webcontainer.disallowServeServletsByClassname property to true to restrict access.