VID 22692
Severity 40
Port 8880, ...
Protocol TCP
Class WWW
Detailed Description According to its banner, the remote host is running IBM WebSphere Application Server 8.5.5 prior to Fix Pack 6 (8.5.5.6). It is, therefore, affected by the following vulnerabilities:

- An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J. A remote attacker can exploit this, via a crafted message, to determine at which step decryption failed, giving the attacker an oracle that allows recovery of the plaintext of the encrypted symmetric key. (CVE-2015-0226)

- An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source. A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250)

- A privilege escalation vulnerability exists due to a flaw in the 'full' profile and the 'liberty' profile that occurs when the OAuth password grant is used. A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1885)

- A privilege escalation vulnerability exists due to an insecure setting in the serveServletsbyClassname functionality (serving servlets by class name). A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927)

- An unspecified flaw exists in the administrative console that allows a remote attacker to hijack a user's session via the 'JSESSIONID' parameter. (CVE-2015-1936)

- A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles. A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946)
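The XXE item above comes down to one parser setting: a parser that resolves SYSTEM entities from untrusted input turns an entity reference into a file read. The following is an added example, not code from the advisory or from IBM, that reproduces that misconfiguration class in Python's standard-library xml.sax parser (a stand-in for the Java XML parser in WebSphere) and shows the hardened configuration beside it. The secret file, its contents and the payload are constructed by the example itself.

```python
"""Added example: external-entity (XXE) misconfiguration versus hardened parsing.

Uses Python's stdlib xml.sax as an analogue for the XML parser discussed in
the advisory; the secret file and payload are constructed for the demo.
"""
import io
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import (ContentHandler, feature_external_ges,
                             feature_external_pes, property_lexical_handler)


class TextCollector(ContentHandler):
    """Collects character data so we can see what the parser actually expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)


class RejectDoctype:
    """Lexical handler that refuses any DOCTYPE.

    Untrusted documents have no business declaring entities at all, so the
    hardened parser fails closed as soon as a DTD appears (the analogue of
    Java's disallow-doctype-decl feature).
    """

    def startDTD(self, name, public_id, system_id):
        raise ValueError("DOCTYPE declarations are not accepted from untrusted input")

    def endDTD(self):
        pass

    def startCDATA(self):
        pass

    def endCDATA(self):
        pass

    def comment(self, content):
        pass


def parse_untrusted(xml_bytes, hardened):
    """Parse XML and return its character data.

    hardened=False: the misconfiguration, SYSTEM entities are fetched and inlined.
    hardened=True:  no external entities, and any DOCTYPE is rejected outright.
    """
    parser = xml.sax.make_parser()
    collector = TextCollector()
    parser.setContentHandler(collector)
    if hardened:
        parser.setFeature(feature_external_ges, False)
        parser.setFeature(feature_external_pes, False)
        parser.setProperty(property_lexical_handler, RejectDoctype())
    else:
        # The vulnerable setting: honour external general entities.
        parser.setFeature(feature_external_ges, True)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.parts)


def demo():
    """Return (text leaked by the vulnerable parser, whether the hardened parser blocked it)."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as f:
        f.write("SECRET-DB-PASSWORD")  # constructed stand-in for a sensitive local file
        secret_path = pathlib.Path(f.name)
    try:
        payload = (
            '<?xml version="1.0"?>'
            f'<!DOCTYPE r [<!ENTITY xxe SYSTEM "{secret_path.as_uri()}">]>'
            '<r>&xxe;</r>'
        ).encode()
        leaked = parse_untrusted(payload, hardened=False)
        try:
            parse_untrusted(payload, hardened=True)
            blocked = False
        except ValueError:
            blocked = True
        return leaked, blocked
    finally:
        secret_path.unlink()


if __name__ == "__main__":
    leaked_text, was_blocked = demo()
    print("vulnerable parser returned:", repr(leaked_text))
    print("hardened parser blocked the payload:", was_blocked)
```

The hardened parser still handles ordinary documents such as `<r>hello</r>`; it only refuses documents that try to declare entities, which is the behaviour you want in front of any endpoint that accepts XML from the network.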

* Note: This check relied solely on the banner of the remote web server to assess this vulnerability, so the result may be a false positive.
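To make the limits of a banner-only check concrete, the following added example (not the scanner's own logic) classifies a Server header against the fix level named in this advisory. The banner format it parses, "WebSphere Application Server/<version>", is an assumption made for the example; it returns "unknown" rather than "affected" whenever the banner is missing, belongs to another version stream, or does not disclose the fix pack digits, since none of those cases proves the host is below 8.5.5.6.

```python
"""Added example: a banner-only version check and the cases it cannot decide.

Not the scanner's code. The banner format is assumed for illustration.
"""
import re
from typing import Optional, Tuple

# The fix level named by the advisory: 8.5.5 Fix Pack 6.
FIXED_VERSION = (8, 5, 5, 6)

# Assumed banner shape for this example, e.g. "WebSphere Application Server/8.5.5.2".
_BANNER_RE = re.compile(r"WebSphere Application Server/(\d+(?:\.\d+)*)", re.IGNORECASE)


def parse_websphere_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the numeric version components, or None if this is not a WebSphere banner."""
    match = _BANNER_RE.search(server_header or "")
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def assess(server_header: str) -> str:
    """Classify a banner as 'affected', 'not_affected' or 'unknown'.

    Versions are compared as integer tuples, not strings: as strings,
    "8.5.5.10" sorts before "8.5.5.6" and would be wrongly flagged.
    """
    version = parse_websphere_version(server_header)
    if version is None:
        return "unknown"  # no WebSphere banner (absent, or rewritten by a proxy)
    if version[:3] != (8, 5, 5):
        return "unknown"  # this advisory covers the 8.5.5 stream only
    if len(version) < 4:
        return "unknown"  # fix pack not disclosed: cannot prove the host is below 8.5.5.6
    return "affected" if version < FIXED_VERSION else "not_affected"


if __name__ == "__main__":
    for banner in ("WebSphere Application Server/8.5.5.2",
                   "WebSphere Application Server/8.5.5.10",
                   "WebSphere Application Server/8.5",
                   "Apache"):
        print(f"{banner!r:45} -> {assess(banner)}")
```

Only the "affected" verdict should drive a finding; everything that comes back "unknown" needs an authenticated check of the installed fix pack level before it is reported.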

* References:
http://www-01.ibm.com/support/docview.wss?uid=swg21959083
http://www-304.ibm.com/support/docview.wss?uid=swg27004980

* Platforms Affected:
IBM WebSphere Application Server versions 8.5.5 prior to 8.5.5 Fix Pack 6
Recommendation Upgrade to IBM WebSphere Application Server 8.5.5 Fix Pack 6 (8.5.5.6) or later, available from the IBM Support & downloads Web site at http://www-304.ibm.com/support/docview.wss?uid=swg27004980#ver85_0
Related URL CVE-2015-0226,CVE-2015-0250,CVE-2015-1885,CVE-2015-1927,CVE-2015-1936,CVE-2015-1946 (CVE)
Related URL 72553,74219,75480,75486,75496 (SecurityFocus)