IBM WebSphere Application Server 8.0 < Fix Pack 8 Multiple Vulnerabilities

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote application server may be affected by multiple
vulnerabilities.

Description :

IBM WebSphere Application Server 8.0 before Fix Pack 8 appears to be
running on the remote host. It is, therefore, potentially affected by
the following vulnerabilities :

- A CSRF vulnerability exists in IBM WebSphere Application
Server due to improper validation of portlets in the
Administrative console. (CVE-2013-0460, PM72275)

- A privilege escalation vulnerability exists on IBM
WebSphere Application Servers using WS-Security that are
configured for XML Digital Signature using trust store.
(CVE-2013-4053, PM90949, PM91521)

- An XSS vulnerability exists in IBM WebSphere Application
Server caused by a failure to sanitize user-supplied
input in the UDDI Administrative console.
(CVE-2013-4052, PM91892)

- A privilege escalation vulnerability exists in IBM
WebSphere Application Servers that have been migrated
from version 6.1 or later. (CVE-2013-5414, PM92313)

- An XSS vulnerability exists in IBM WebSphere Application
Server due to a failure to sanitize application HTTP
response data. (CVE-2013-5417, PM93323, PM93944)

- An XSS vulnerability exists in IBM WebSphere Application
Server due to a failure to sanitize user-supplied input
in the Administrative console. (CVE-2013-5418, PM96477)

- An XSS vulnerability exists in IBM WebSphere Application
Server due to a failure to sanitize user-supplied input
in the Administrative console. (CVE-2013-6725, PM98132)

- A denial of service vulnerability exists in IBM
WebSphere Application Server due to a failure to
properly handle requests by a web services endpoint.
(CVE-2013-6325, PM99450)

- An information disclosure vulnerability exists in the
IBM SDK for Java that ships with IBM WebSphere
Application Server related to JSSE. (CVE-2013-5780)

- A denial of service vulnerability exists in the IBM SDK
for Java that ships with IBM WebSphere Application
Server related to XML. (CVE-2013-5372)

- A denial of service vulnerability exists in the IBM SDK
for Java that ships with IBM WebSphere Application
Server related to JSSE. (CVE-2013-5803)

See also :

http://www.nessus.org/u?e351e029
https://www-304.ibm.com/support/docview.wss?uid=swg21661325
https://www-304.ibm.com/support/docview.wss?uid=swg21655990

Solution :

Apply Fix Pack 8 for version 8.0 (8.0.0.8) or later.
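As an added illustration, not part of the Nessus plugin or of IBM's advisory: a small Python check that flags a detected WebSphere version string as inside the affected range (8.0 before Fix Pack 8, i.e. below 8.0.0.8), comparing version components numerically so that 8.0.0.10 is ranked above 8.0.0.8 rather than below it as a plain string comparison would. The host names and version strings in the sample are constructed.

```python
# Added example (not part of the Nessus plugin): decide whether a detected
# WebSphere Application Server version falls in the affected range described
# above, i.e. 8.0.0.0 <= version < 8.0.0.8. Components are compared as
# integers; a plain string comparison would wrongly rank "8.0.0.10" below
# "8.0.0.8" and miss a host that is actually patched.

AFFECTED_BRANCH = (8, 0)       # the 8.0 release train discussed on this page
FIXED_VERSION = (8, 0, 0, 8)   # Fix Pack 8 for version 8.0 (8.0.0.8)


def parse_version(text):
    """Turn '8.0.0.5' into (8, 0, 0, 5), padding short strings with zeros."""
    parts = []
    for piece in text.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component in {text!r}")
        parts.append(int(piece))
    # Pad to four components ('8.0' -> 8.0.0.0) and drop anything beyond.
    return tuple(parts + [0] * (4 - len(parts)))[:4]


def is_affected(version_text):
    """True when the version is on the 8.0 branch and below Fix Pack 8."""
    version = parse_version(version_text)
    if version[:2] != AFFECTED_BRANCH:
        return False  # other branches (7.0, 8.5, ...) are out of scope here
    return version < FIXED_VERSION


def triage(detected_versions):
    """Map host -> affected flag for a batch of detected version strings."""
    return {host: is_affected(v) for host, v in detected_versions.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real scan output.
    sample = {"app01": "8.0.0.5", "app02": "8.0.0.8", "app03": "8.0.0.10",
              "app04": "8.5.5.1", "app05": "8.0"}
    for host, flag in triage(sample).items():
        print(host, "affected" if flag else "not affected")
```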

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 5.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false