
IBM WebSphere Application Server 7.0 < Fix Pack 3 Multiple Vulnerabilities

High

Synopsis

The remote host is vulnerable to multiple attack vectors.

Description

IBM WebSphere Application Server 7.0 before Fix Pack 3 appears to be running on the remote host. Such versions are reportedly affected by multiple vulnerabilities.

- Under certain conditions it may be possible to access administrative console user sessions. (PK74966)

- The administrative console is affected by a cross-site scripting vulnerability. (PK77505)

- If APAR PK41002 has been applied, an unspecified vulnerability in the JAX-RPC WS-Security component could cause 'UsernameToken' to be validated incorrectly. (PK75992)

- Sample applications shipped with IBM WebSphere Application Server are affected by cross-site scripting vulnerabilities. (PK76720)

- Certain files associated with interim fixes for Unix-based versions of IBM WebSphere Application Server are built with insecure file permissions. (PK77590)

- The Web Services Security component is affected by an unspecified security issue in digital-signature specification. (PK80596)

- It may be possible for an attacker to read arbitrary application-specific war files. (PK81387)

- The application is prone to a session-hijacking vulnerability related to the 'forced logout' feature. (PK74966)

- A vulnerability affects the XML Digital Signature Specification in the web services security component. (PK80596)

Solution

Apply Fix Pack 3 (7.0.0.3) or higher.
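The following is an added example, not part of this advisory and not the scanner's own plugin logic: a small helper that takes a WebSphere Application Server version string as reported by an inventory or banner and decides whether it falls in the affected range described above, i.e. the 7.0 branch before Fix Pack 3 (7.0.0.3). The version strings and host list in it are constructed sample input; the only fact taken from the page is the 7.0.0.3 threshold.

```python
"""Added example: flag WebSphere 7.0 installs that predate Fix Pack 3 (7.0.0.3).

Not part of the advisory; the version strings below are constructed sample data.
"""
import re

# Fix Pack 3 as stated in the advisory's Solution section.
FIXED_VERSION = (7, 0, 0, 3)


def parse_version(version):
    """Convert '7.0.0.2', '7.0' or '7.0.0.3-something' into a 4-tuple of ints.

    Missing trailing components are treated as 0 (so '7.0' compares as 7.0.0.0);
    any non-numeric suffix after the dotted numbers is ignored.
    """
    m = re.match(r"^(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {version!r}")
    parts += [0] * (4 - len(parts))
    return tuple(parts)


def is_affected(version):
    """True only for the 7.0 branch below 7.0.0.3.

    Other branches (for example 6.1.x) ship their own fix packs and are outside
    the scope of this advisory, so they are reported as not affected here.
    """
    v = parse_version(version)
    if v[:2] != (7, 0):
        return False
    return v < FIXED_VERSION


def triage(inventory):
    """Return the hosts from (host, version) pairs that still need Fix Pack 3."""
    return [host for host, version in inventory if is_affected(version)]


# Constructed inventory for demonstration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("was-prod-01", "7.0.0.1"),
    ("was-prod-02", "7.0.0.3"),
    ("was-test-01", "7.0"),
    ("was-legacy-01", "6.1.0.23"),
    ("was-prod-03", "7.0.0.5-ifix"),
]

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: below 7.0.0.3, apply Fix Pack 3 or later")
```

The helper pads short version strings rather than rejecting them because inventory sources frequently record only the major.minor release; a host listed as "7.0" is treated conservatively as unpatched until a fuller version can be confirmed.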