VID 22690
Severity 40
Port 8880, ...
Protocol TCP
Class WWW
Detailed Description IBM WebSphere Application Server 7.0 prior to Fix Pack 39 is running on the remote host. It is, therefore, affected by the following vulnerabilities :

- An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J. A remote attacker can exploit this, via a crafted message, to determine where an encryption failure took place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226)

- An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source. A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250)

- A privilege escalation vulnerability exists due to a flaw that occurs in 'full' profile and 'liberty' profile when using an OAuth grant password. A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1885)

- A privilege escalation vulnerability exists due to incorrect settings in the serveServletsbyClassname functionality. A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927)

- An unspecified flaw exists in the administrative console that allows a remote attacker, via the 'JSESSIONID' parameter, to hijack a user's session. (CVE-2015-1936)

- A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles. A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946)

* Note: This check relies solely on the banner of the remote Web server to assess this vulnerability, so the result may be a false positive.

* References:
http://www-01.ibm.com/support/docview.wss?uid=swg21959083
http://www-304.ibm.com/support/docview.wss?uid=swg27004980

* Platforms Affected:
IBM WebSphere Application Server versions 7.0 prior to 7.0 Fix Pack 39
Recommendation Upgrade to the latest version of IBM WebSphere Application Server 7.0.0.39 or later, available from the IBM Support & downloads Web site at http://www-304.ibm.com/support/docview.wss?uid=swg27004980#ver70
Related URL CVE-2015-0226,CVE-2015-0250,CVE-2015-1885,CVE-2015-1927,CVE-2015-1936,CVE-2015-1946 (CVE)
Related URL 72553,74219,75480,75486,75496 (SecurityFocus)