VID |
22628 |
Severity |
40 |
Port |
8880, ... |
Protocol |
TCP |
Class |
WWW |
Detailed Description |
IBM WebSphere Application Server 7.0 prior to Fix Pack 33 is running on the remote host. It is, therefore, affected by the following vulnerabilities:
- A cross-site scripting flaw exists within the Administration Console, where user input is improperly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6323, PI04777 and PI04880)
- A denial of service flaw exists within the Global Security Kit when handling SSLv2 session resumption during the SSL/TLS handshake. This could allow a remote attacker to crash the program. (CVE-2013-6329, PI05309)
- A buffer overflow flaw exists in the HTTP server's mod_dav module when it is used with add-on modules. This could allow a remote attacker to trigger the overflow and cause a denial of service. (CVE-2013-6438, PI09345)
- A cross-site scripting flaw exists within OAuth, where user input is not properly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser / server trust relationship. (CVE-2013-6738, PI05661)
- A denial of service flaw exists within the Global Security Kit when handling the X.509 certificate chain during the initiation of an SSL/TLS connection. A remote attacker, using a malformed certificate chain, could cause the client or server to hang. (CVE-2013-6747, PI09443)
- A denial of service flaw exists within Apache Commons FileUpload when parsing the Content-Type header of a multipart request. A remote attacker, using a specially crafted request, could cause a denial of service. (CVE-2014-0050, PI12648, PI12926 and PI13162)
- A denial of service flaw exists in 'mod_log_config' when logging a cookie that has no value assigned. A remote attacker, using a specially crafted request, can cause the program to crash. (CVE-2014-0098, PI13028)
- A remote code execution flaw exists in Apache Struts. The failure to restrict the setting of ClassLoader attributes could allow a remote attacker to execute arbitrary code. (CVE-2014-0114, PI17190)
- An information disclosure flaw exists in 'sun.security.rsa.RSAPadding' during 'PKCS#1' unpadding. This may allow a remote attacker to obtain, through a timing side channel, information intended to be protected by encryption. (CVE-2014-0453)
- A flaw exists within 'com.sun.jndi.dns.DnsClient' related to insufficient randomization of DNS query IDs. This could allow a remote attacker to conduct DNS response spoofing attacks. (CVE-2014-0460)
- A denial of service flaw exists in a web server plugin on servers configured to retry failed POST requests. This could allow a remote attacker to crash the application. (CVE-2014-0859, PI08892)
- A flaw exists in the 'IBMJCE' and 'IBMSecureRandom' cryptographic providers, which generate random numbers in a predictable manner. This could allow a remote attacker to guess the output of the random number generator. (CVE-2014-0878)
- An information disclosure flaw exists within Proxy and ODR servers. This could allow a remote attacker, using a specially crafted request, to gain access to potentially sensitive information. (CVE-2014-0891, PI09786)
* Note: This check relies solely on the banner of the remote Web server to assess this vulnerability, so the result may be a false positive.
* References: https://www-304.ibm.com/support/docview.wss?uid=swg21676091 https://www-304.ibm.com/support/docview.wss?uid=swg21659548 https://www-304.ibm.com/support/docview.wss?uid=swg21663941 https://www-304.ibm.com/support/docview.wss?uid=swg21667254 https://www-304.ibm.com/support/docview.wss?uid=swg21667526 https://www-304.ibm.com/support/docview.wss?uid=swg21672843 https://www-304.ibm.com/support/docview.wss?uid=swg21672316 https://www-304.ibm.com/support/docview.wss?uid=swg21673013
* Platforms Affected: IBM WebSphere Application Server versions 7.0 prior to 7.0 Fix Pack 33 |
Recommendation |
Upgrade to IBM WebSphere Application Server 7.0.0.33 (7.0 Fix Pack 33) or later, available from the IBM Support & downloads Web site at https://www-304.ibm.com/support/docview.wss?rs=180&uid=swg27004980#ver70 |
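Because this check works only from the web server banner, a practitioner triaging its output wants the same logic in a form that makes the false-positive caveat explicit: parse the version out of the banner, flag only the 7.0.0.x stream below fix pack 33, and return no verdict at all when the banner carries no version. The following is an added example written for this page, not code from the scanner or from IBM. The "IBM_HTTP_Server/x.y.z.w" banner format and the sample banners are assumptions constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Fix level at which this advisory stops applying to the 7.0 stream (from the advisory text).
FIXED_70 = (7, 0, 0, 33)

# Constructed sample banners (assumption: the front-end web server reports its
# four-part fix level in the Server header; the last one has the version stripped).
SAMPLE_BANNERS = [
    "Server: IBM_HTTP_Server/7.0.0.27 (Unix)",
    "Server: IBM_HTTP_Server/7.0.0.33 (Unix)",
    "Server: IBM_HTTP_Server/8.5.5.2 (Unix)",
    "Server: IBM_HTTP_Server",
]

# Assumed banner shape: product token followed by a four-part version.
VERSION_RE = re.compile(r"IBM_HTTP_Server/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract (major, minor, release, fixpack) from a banner, or None if absent."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return tuple(int(x) for x in m.groups())


def is_affected(version: Tuple[int, int, int, int]) -> bool:
    """True only for 7.0.0.x below fix pack 33.

    Other release streams (8.0, 8.5, ...) are outside the scope of this
    advisory, so they are reported as not affected by *this* check rather
    than assumed safe in general.
    """
    if version[:3] != (7, 0, 0):
        return False
    # Tuple comparison is lexicographic, so this is a proper fix-level compare
    # and does not suffer from string ordering ("7.0.0.9" > "7.0.0.33").
    return version < FIXED_70


def assess(banner: str) -> str:
    """Return 'vulnerable', 'not_affected', or 'unknown' for one banner line."""
    version = parse_version(banner)
    if version is None:
        # No version in the banner: a banner-only check cannot decide,
        # so do not report either way.
        return "unknown"
    return "vulnerable" if is_affected(version) else "not_affected"


if __name__ == "__main__":
    for line in SAMPLE_BANNERS:
        print(f"{line!r:45} -> {assess(line)}")
```

A "vulnerable" verdict from this logic carries the same caveat as the scanner's note: the banner can be hidden, altered, or served by a front end whose fix level differs from the application server behind it. Confirm on the host (for example with the versionInfo command in the WebSphere bin directory) before treating the finding as real, and treat "unknown" as a prompt to check the host rather than as a clean result.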
Related URL |
CVE-2013-6323,CVE-2013-6329,CVE-2013-6438,CVE-2013-6738,CVE-2013-6747,CVE-2014-0050,CVE-2014-0098,CVE-2014-0114,CVE-2014-0453,CVE-2014-0460 (CVE) |
Related URL |
64249,65156,65400,66303,66914,66916,67051,67121,67238,67335,67579,67601,67720,68210,68211 (SecurityFocus) |
Related URL |
(ISS) |
|