VID | 22548
Severity | 30
Port | 8880, ...
Protocol | TCP
Class | WWW
Detailed Description |
IBM WebSphere Application Server 6.1 before Fix Pack 43 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities:
- An unspecified error exists related to WS-Security enabled JAX-RPC applications. (PM45181)
- Insecure file permissions are applied to the files in the '$WAS_HOME/systemapps/isclite.ear' and '$WAS_HOME/bin/client_ffdc' directories. These permissions can allow a local attacker to read or write files in those directories. Note that this issue only affects the application on the IBM i operating system. (PM49712)
- An error in the handling of 'javax.naming.directory.AttributeInUseException' can allow an old password to continue granting access after it has been changed. The error is triggered when passwords are updated using IBM Tivoli Directory Server. (PM52049)
- Unspecified cross-site scripting issues exist related to the administrative console. (PM52274, PM53132)
- SSL client certificate authentication can be bypassed when all of the following are true (PM52351):
  - SSL is enabled with 'SSLEnable'
  - SSL client authentication is enabled with 'SSLClientAuth required_reset'. This is not enabled by default. Note that 'SSLClientAuth required' is not affected.
  - SSLv2 has not been disabled with 'SSLProtocolDisable SSLv2'
  - 'SSLClientAuthRequire' is not enabled
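The four conditions above map directly onto IBM HTTP Server (the WebSphere plug-in front end) 'httpd.conf' directives. The fragment below is an added illustration, not taken from the IBM advisory or from any shipped configuration: the first virtual host has exactly the combination the advisory describes, the second closes each gap independently. The key database path, port and the 'SSLClientAuthRequire' filter values are placeholders.

```apache
# --- Vulnerable combination (PM52351): all four conditions hold ---
Listen 443
<VirtualHost *:443>
    SSLEnable
    Keyfile "/opt/IBM/HTTPServer/ssl/key.kdb"      # placeholder key database
    # required_reset is the affected mode; it is not the default
    SSLClientAuth required_reset
    # SSLv2 is NOT disabled here and no SSLClientAuthRequire filter is set,
    # so client-certificate authentication can be bypassed
</VirtualHost>

# --- Hardened equivalent: any ONE of these changes breaks the bypass ---
Listen 8443
<VirtualHost *:8443>
    SSLEnable
    Keyfile "/opt/IBM/HTTPServer/ssl/key.kdb"      # placeholder key database
    # 1. Use the unaffected mode instead of required_reset
    SSLClientAuth required
    # 2. Refuse SSLv2 handshakes altogether
    SSLProtocolDisable SSLv2
    # 3. Require specific certificate attributes; values are placeholders
    SSLClientAuthRequire (Org = "Example Corp" AND OrgUnit = "Operations")
</VirtualHost>
```

Only one of the three changes is needed to take the host outside the affected configuration, but applying the fix pack remains the real remediation; disabling SSLv2 is worthwhile regardless, since no modern client needs it.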
- Predictable hashing in Java hash data structures (weak or absent randomization) can allow a remote attacker to cause a denial of service through CPU exhaustion, by sending POST requests whose parameter names are crafted to collide. (PM53930)
* References:
  - https://www-304.ibm.com/support/docview.wss?uid=swg21587015
  - http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61043
  - ftp://public.dhe.ibm.com/software/websphere/appserv/support/fixes/PM53930/readme.txt
* Note: This check relied solely on the banner of the remote Web server to assess this vulnerability, so it may be a false positive. Confirm the installed level on the host (for example with the 'versionInfo' tool in '$WAS_HOME/bin') before raising or closing a finding.
* Platforms Affected: IBM WebSphere Application Server versions 6.1 prior to 6.1 Fix Pack 43 |
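Because the check is banner-based, the decision that matters is a plain version comparison: is the reported level on the 6.1 stream and below 6.1.0.43? The helper below is an added example written for this entry (it is not the scanner's own plugin code). It accepts either a server banner or a line from the output of IBM's 'versionInfo' tool; the sample strings are constructed for illustration and the banner format is assumed. A banner that names only the stream ("6.1") is treated as the base level and therefore reported as affected, which is exactly the false-positive case the note above warns about.

```python
import re

# Fix Pack 43 (6.1.0.43) is the first level on the 6.1 stream not affected.
FIXED_VERSION = (6, 1, 0, 43)


def parse_version(text):
    """Return the first dotted version in `text` as a 4-tuple of ints.

    Missing trailing components are padded with zeros, so "6.1" becomes
    (6, 1, 0, 0). Returns None when no version number is present.
    """
    m = re.search(r"(\d+(?:\.\d+){1,3})", text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts[:4])


def is_affected(text):
    """Classify a banner or versionInfo line against this finding.

    Returns True  when the level is 6.1.x below 6.1.0.43,
            False when it is 6.1.0.43+ or on a different stream (6.0, 7.0, ...),
            None  when no version could be extracted (undetermined).
    """
    version = parse_version(text)
    if version is None:
        return None
    if version[:2] != (6, 1):
        return False          # other streams are outside the scope of this entry
    return version < FIXED_VERSION


if __name__ == "__main__":
    # Constructed sample inputs: a banner-style string and versionInfo-style lines.
    samples = [
        "IBM WebSphere Application Server/6.1.0.41",   # assumed banner form
        "Version                   6.1.0.43",          # versionInfo-style line
        "Version                   7.0.0.21",
        "IBM WebSphere Application Server 6.1",        # stream only: false positive risk
        "Server: Apache",
    ]
    for s in samples:
        print(f"{s!r:50} -> {is_affected(s)}")
```

Treat a True result from a banner as "needs confirmation" and a True result from 'versionInfo' output on the host as a real finding.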
Recommendation |
Upgrade to the latest version of IBM WebSphere Application Server 6.1 (Fix Pack 43 for 6.1 (6.1.0.43) or later), available from the IBM Support & downloads Web site at http://www-304.ibm.com/support/docview.wss?uid=swg21587015 |
Related URL | CVE-2011-1376, CVE-2011-1377, CVE-2011-4889, CVE-2012-0193, CVE-2012-0716, CVE-2012-0717, CVE-2012-0720 (CVE)
Related URL | 50310, 51420, 51441, 52250, 52721, 52722, 52723, 52724 (SecurityFocus)
Related URL | (ISS)