VID: 22500
Severity: 40
Port: 8880, ...
Protocol: TCP
Class: WWW

Detailed Description:
IBM WebSphere Application Server 6.1 before Fix Pack 33 appears to be running on the remote host. Such versions are reportedly affected by multiple vulnerabilities:
- An unspecified cross-site scripting vulnerability exists in the Administration Console. (PM09250, PM11778)
- An unspecified error exists when a Java API for XML Web Services (JAX-WS) application with the WS-Security policy specifies a Time Stamp value. (PM16014 / PM08360)
- Sensitive information is stored by 'ceiDbPasswordDefaulter' in the '<WAS_HOME>/logs/managedprofiles/*_create.log' file. (PM12065)
- When security tracing is enabled, it is possible for a NullPointerException to be thrown when calling a logout on a LoginContext. (PM02636)

* References:
  http://www-01.ibm.com/support/docview.wss?uid=swg1PM02636
  http://www-01.ibm.com/support/docview.wss?uid=swg21443736
  http://www-01.ibm.com/support/docview.wss?uid=swg1PM12065
  http://www-01.ibm.com/support/docview.wss?uid=swg1PM11778
  http://www-01.ibm.com/support/docview.wss?uid=swg1PM09250
  http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61033
* Note: This check relied solely on the banner of the remote Web server to assess this vulnerability, so it might be a false positive.
* Platforms Affected: IBM WebSphere Application Server versions 6.1 prior to 6.1.0.33

Recommendation:
Upgrade to the latest version of IBM WebSphere Application Server 6.1 (Fix Pack 33 for 6.1 (6.1.0.33) or later), available from the IBM Support & downloads Web site at http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61033

Related URL (CVE): CVE-2010-0778, CVE-2010-0779, CVE-2010-0781, CVE-2010-3186
Related URL (SecurityFocus): 41148, 41149, 42801, 43425