IBM WebSphere Application Server 6.0 < 6.0.2.41 Multiple Vulnerabilities

This script is Copyright (C) 2010-2012 Tenable Network Security, Inc.


Synopsis :

The remote application server is affected by multiple vulnerabilities.

Description :

IBM WebSphere Application Server 6.0 before Fix Pack 41 for 6.0.2
appears to be running on the remote host. As such, it is reportedly
affected by multiple vulnerabilities :

- An unspecified cross-site scripting vulnerability in the
Administration Console. (PK97376)

- An error when defining a wsadmin scripting
'J2CConnectionFactory' object results in passwords being
stored unencrypted in the resources.xml file. (PK95089)

- An error related to the ORB ListenerThread could allow
remote, authenticated users to cause a denial of service.
(PK93653)

- WS-Security processing problems with PKIPath and
PKCS#7 tokens could lead to a security bypass
vulnerability. (PK96427)

- An OutOfMemory condition related to the
Deployment Manager and nodeagent could lead to a
denial of service. (PM05663)

See also :

http://www-01.ibm.com/support/docview.wss?uid=swg27004980
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg27006876

Solution :

Apply Fix Pack 41 for version 6.0.2 (6.0.2.41) or later.
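The affected range this plugin describes (any 6.0 release below 6.0.2.41) can be checked against a reported version string. The helper below is an added example, not Tenable's plugin code; it assumes the version is a plain dotted numeric string as WebSphere reports it, and treats releases outside the 6.0 line as out of scope for this advisory rather than as safe.

```python
from typing import Optional, Tuple

# First fixed build named in the advisory: Fix Pack 41 for 6.0.2
FIXED = (6, 0, 2, 41)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Parse a dotted WebSphere version such as '6.0.2.39' into a tuple of ints.

    Returns None when any component is not a plain decimal number, so that
    strings like '6.0.2.41beta' are never silently compared.
    """
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def is_affected(version: str) -> Optional[bool]:
    """Decide whether a reported version falls in this advisory's affected range.

    True  -> a 6.0 release below 6.0.2.41 (affected)
    False -> 6.0.2.41 or later, or a release outside the 6.0 line (out of scope)
    None  -> malformed, or too short to compare (e.g. '6.0.2' with no fix-pack level)
    """
    v = parse_version(version)
    if v is None or len(v) < 2:
        return None
    if v[:2] != (6, 0):
        return False  # 6.1, 7.0, ... are not covered by this advisory
    if len(v) < 4:
        # Without the fix-pack component we cannot tell 6.0.2.39 from 6.0.2.41;
        # report "undecided" instead of guessing either way.
        return None
    return v < FIXED


if __name__ == "__main__":
    # Constructed sample version strings, not real scan output.
    for sample in ("6.0.2.39", "6.0.2.41", "6.0.1.0", "6.1.0.29", "6.0.2", "6.0.2.41beta"):
        print(f"{sample:14} affected={is_affected(sample)}")
```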

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.2
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 45429

Bugtraq ID: 39051, 39056, 40322, 40325

CVE ID: CVE-2010-0768, CVE-2010-0769, CVE-2010-0770, CVE-2010-0774, CVE-2010-0775