Announcing IBM Support Assistant Team Server 5.0.2.3 (Update)

Content

Below is a list of highlights and installation directions for IBM Support Assistant Team Server 5.0.2.3 (Update). If you have questions or problems, please post them to the IBM Support Assistant forum.

• System Requirement Updates
• Update List
• Applying update

System Requirements

With the introduction of 5.0.1.1 and above updates for IBM Support Assistant Team Server, you must be at a minimum of IBM Installation Manager 1.8 or higher in order to apply these updates to the IBM Support Assistant Team Server.

Back

Update List

IBM Support Assistant Team Server 5.0.2.3 fixes multiple vulnerabilities.

ISA Team Server uses the IBM WebSphere Liberty Profile. Multiple vulnerabilities have been identified and corrected in the Liberty version
shipped with ISA 5.0.2.3:

• Notice on Vulnerability (CVE-2016-0359) IBM Liberty WebSphere Application Server is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information.

• Notice on Vulnerability (CVE-2016-0378) IBM Liberty WebSphere Application Server could allow a remote attacker to obtain sensitive information caused by improper handling of exceptions when a default error page does not exist.

• Notice on Vulnerability (CVE-2016-5986) IBM Liberty WebSphere Application Server could allow a remote attacker to obtain sensitive information, caused by the improper handling of responses under certain conditions. An attacker could exploit this vulnerability to gain server identification information. Responses from the server's exception (i.e before request is handled by an application) contains the "IBM WebSphere Application Server" string. Customer's security app scan flags it as a security risk.

The three vulnerabilities listed above are corrected in ISA Team Server 5.0.2.3. For details see IBM Security Bulletin.

• Notice on Vulnerability (CVE-2016-3092) ISA Team Server uses the Apache Commons FileUpload component. Apache Commons is vulnerable to a denial of service caused by an error in the FileUpload component. By sending file upload requests, an attacker could exploit this vulnerability to cause the server to become unresponsive. This vulnerability is corrected in Apache Commons File Upload 1.3.2 now included in ISA Team Server 5.0.2.3. For details see IBM Security Bulletin.

Back

Applying this update

Updating IBM Support Assistant Team Server with Installation Manager:

*Important update: Please verify that you are using IBM Installation Manager 1.8 or higher before attempting to apply updates to IBM Support Assistant Team Server or its associated problem determination tools.

1. Start IBM Installation Manager.
2. Select Update from the IBM Installation Manager panel.
3. Select the IBM Support Assistant package group, then click Next.
4. Select the package and version you would like to update, then click Next.
5. Read and accept the license terms then click Next.
6. Confirm the problem determination tool or update you want to apply, then click Next.
7. Review the update summary and click Update.
8. After the update completes, click Finish and close IBM Installation Manager.

Note that only IBM Installation Manager installations of IBM Support Assistant Team Server will be able to apply fix packs and updates or install and update problem determination tools. For the stand-alone IBM Support Assistant Team Server repository and compressed all-in-one file installations, see the IBM Support Assistant Team Server page to download replacement file containing IBM Support Assistant Team Server 5.0.2.3 updates.
Back