
SecPod ID: 10087
Status: Public Report
IBM WebSphere Application Server Multiple Vulnerabilities
Severity: High
Release Date: 12-12-2008
CVSS Base Score: 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
CVSS Temporal Score = 7.4
Impact Level: Application
Affected Software/OS/Device:
- IBM WebSphere Application Server (WAS) versions prior to 7.0.0.1
OpenVAS Plugin ID:
Snort Signature ID:
OVAL ID:
Vulnerability Insight:
Overview:
IBM WAS is prone to multiple vulnerabilities.
Description:
These flaws are due to:
- An unspecified vulnerability in the Feature Pack for Web Services in the
Web Services Security component in IBM WAS, related to 'userNameToken'.
- PerfServlet in the PMI/Performance Tools component in IBM WAS, which lets
an attacker gain sensitive information by reading the 'systemout.log' and
'ffdc' files.
- An unspecified vulnerability in IBM WAS, related to JSP, which has unknown
impact.
- IBM WAS sends SSL traffic over 'unsecured TCP', which lets an attacker obtain
sensitive information by sniffing network packets.
Impact:
Successful exploitation allows an attacker to gain sensitive information about
the remote server.
CVSS Score Report:
ACCESS_VECTOR = NETWORK
ACCESS_COMPLEXITY = LOW
AUTHENTICATION = NOT_REQUIRED
CONFIDENTIALITY_IMPACT = COMPLETE
INTEGRITY_IMPACT = COMPLETE
AVAILABILITY_IMPACT = COMPLETE
EXPLOITABILITY = UNPROVEN
REMEDIATION_LEVEL = OFFICIAL_FIX
REPORT_CONFIDENCE = CONFIRMED
CVSS Base Score = 10.0 (AV:N/AC:L/Au:NR/C:C/I:C/A:C)
CVSS Temporal Score = 7.4
Risk factor = High
Fix:
Upgrade to Fix Pack 1 (7.0.0.1):
http://www-01.ibm.com/support/docview.wss?uid=swg27014463
References:
http://www.novell.com/support/viewContent.do?externalId=7001907
http://secunia.com/Advisories/32989