IBM WebSphere Application Server 6.1 < Fix Pack 47 Multiple Vulnerabilities

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

The remote application server may be affected by multiple
vulnerabilities.

Description :

IBM WebSphere Application Server 6.1 before Fix Pack 47 appears to be
running on the remote host. As such, it is potentially affected by the
following vulnerabilities :

- A remote attacker can bypass authentication because of
improper user validation on Linux, Solaris, and HP-UX
platforms that use a LocalOS registry.
(CVE-2013-0543, PM75582)

- A denial of service can be caused by the way Apache
Ant uses bzip2 to compress files. This can be exploited
by a local attacker passing specially crafted input.
(CVE-2012-2098, PM90088)

- A local attacker can cause a denial of service on
Windows platforms with a LocalOS registry using
WebSphere Identity Manager. (CVE-2013-0541, PM74909)

- Remote attackers can traverse directories by deploying
a specially crafted application file to overwrite files
outside of the application deployment directory.
(CVE-2012-3305, PM62467)

- The TLS protocol implementation is susceptible to
plaintext attacks. (CVE-2013-0169, PM85211)

- Terminal escape sequences are not properly filtered from
logs. Remote attackers could execute arbitrary commands
via an HTTP request containing an escape sequence.
(CVE-2013-1862, PM87808)

- Improper validation of user input allows for cross-site
request forgery. By persuading an authenticated user
to visit a malicious website, a remote attacker could
exploit this vulnerability to obtain sensitive
information. (CVE-2012-4853, CVE-2013-3029, PM62920,
PM88746)

- Improper validation of user input in the administrative
console allows for multiple cross-site scripting
attacks. (CVE-2013-0458, CVE-2013-0459, CVE-2013-0461,
CVE-2013-0542, CVE-2013-0596, CVE-2013-2967,
CVE-2013-4005, CVE-2013-4052, PM71139, PM72536, PM71389,
PM73445, PM78614, PM81846, PM88208, PM91892)

- Improper validation of portlets in the administrative
console allows for cross-site request forgery, which
could allow an attacker to obtain sensitive information.
(CVE-2013-0460, PM72275)

- Remote, authenticated attackers can traverse directories
on Linux and UNIX systems running the application.
(CVE-2013-0544, PM82468)

- A denial of service attack is possible if the optional
mod_dav module is being used. (CVE-2013-1896, PM89996)

- Sensitive information can be obtained by a local
attacker because of incorrect caching by the
administrative console. (CVE-2013-2976, PM79992)

- An attacker may gain elevated privileges because of
improper certificate checks. WS-Security and XML Digital
Signatures must be enabled. (CVE-2013-4053, PM90949,
PM91521)

- Deserialization of a maliciously crafted OpenJPA object
can result in an executable file being written to the
file system. WebSphere is NOT vulnerable to this issue
but the vendor suggests upgrading to be proactive.
(CVE-2013-1768, PM86780, PM86786, PM86788, PM86791)

See also :

http://www.nessus.org/u?187690fd
https://www-304.ibm.com/support/docview.wss?uid=swg21647522
http://www-01.ibm.com/support/docview.wss?uid=swg24035508
https://www-304.ibm.com/support/docview.wss?&uid=swg27004980#ver61

Solution :

If using WebSphere Application Server, apply Fix Pack 47 (6.1.0.47)
or later.

Otherwise, if using embedded WebSphere Application Server packaged with
Tivoli Directory Server, apply the latest recommended eWAS fix pack.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.0
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false