| Field | Value |
| --- | --- |
| VID | 22554 |
| Severity | 30 |
| Port | 8880, ... |
| Protocol | TCP |
| Class | WWW |

Detailed Description

IBM WebSphere Application Server 7.0 before Fix Pack 23 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities:

- SSL client certificate authentication can be bypassed when all of the following are true (PM52351): SSL is enabled with 'SSLEnable'; SSL client authentication is enabled with 'SSLClientAuth required_reset' (this is not enabled by default; 'SSLClientAuth required' is not affected); SSLv2 has not been disabled with 'SSLProtocolDisable SSLv2'; and 'SSLClientAuthRequire' is not enabled.
- Unspecified cross-site scripting issues exist related to the administrative console. (PM52274, PM53132)
- An error exists related to the 'Application Snoop Servlet' and missing access controls. This error can allow sensitive information to be disclosed. (PM56183)
- An issue related to the weak randomization of Java hash data structures can allow a remote attacker to cause a denial of service with maliciously crafted POST requests. (PM53930)

Recommendation

Upgrade to the latest version of IBM WebSphere Application Server 7.0 (Fix Pack 23 for 7.0 (7.0.0.23) or later), available from the IBM Support & downloads Web site at http://www-01.ibm.com/support/docview.wss?uid=swg27014463#70023

| Related URL | Reference |
| --- | --- |
| CVE | CVE-2012-0193, CVE-2012-0716, CVE-2012-0717, CVE-2012-0720, CVE-2012-2170 |
| SecurityFocus | 51441, 52721, 52722, 52724, 53755 |
| ISS | |