PI25310

PI28632

http://www-01.ibm.com/support/docview.wss?uid=swg21690185

ibm-websphere-cve20146166-info-disc(97746)

The remote host appears to be running IBM WebSphere Application Server 8.5.5.x prior to 8.5.5.4.  Such versions are potentially affected by multiple issues :

 - An unspecified flaw exists that is triggered when handling a specially crafted HTTP method. This may allow a remote attacker to gain access to potentially sensitive cookie and authentication data, which can allow the attacker conduct further, more serious attacks on the system. (CVE-2014-3021)
 - A flaw exists in the administrative console that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2014-4770)
 - A flaw exists in the administrative console as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions. (CVE-2014-4816)
 - A flaw exists that can allow a context-dependent attacker to spoof the OpenID and OpenID connect cookies with a specially crafted URL. This may allow the attacker to gain access to potentially sensitive information. (CVE-2014-6164)
 - An XXE (Xml eXternal Entity) injection flaw exists in the Communications Enabled Applications (CEA) service that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to potentially sensitive information. (CVE-2014-6166)
 - A flaw exists that allows a reflected XSS attack. This flaw exists because the program does not validate input to session input using URL rewriting before returning it to users. This may allow a context-dependent attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2014-6167)

The remote host appears to be running IBM WebSphere Application Server 8.0.0.x prior to 8.0.0.10.  Such versions are potentially affected by multiple issues :

 - An unspecified flaw exists that is triggered when handling a specially crafted HTTP method. This may allow a remote attacker to gain access to potentially sensitive cookie and authentication data, which can allow the attacker conduct further, more serious attacks on the system. (CVE-2014-3021)
 - A flaw exists in the administrative console that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2014-4770)
 - A flaw exists in the administrative console as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions. (CVE-2014-4816)
 - A flaw exists that can allow a context-dependent attacker to spoof the OpenID and OpenID connect cookies with a specially crafted URL. This may allow the attacker to gain access to potentially sensitive information. (CVE-2014-6164)
 - An XXE (Xml eXternal Entity) injection flaw exists in the Communications Enabled Applications (CEA) service that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to potentially sensitive information. (CVE-2014-6166)

The remote host appears to be running IBM WebSphere Application Server 7.0.0.x prior to 7.0.0.35 and is affected by multiple vulnerabilities :

 - An unspecified flaw exists that is triggered when handling a specially crafted HTTP method. This may allow a remote attacker to gain access to potentially sensitive cookie and authentication data, which can allow the attacker conduct further, more serious attacks on the system. (CVE-2014-3021)
 - A flaw exists in the administrative console that allows a stored cross-site scripting (XSS) attack. This flaw exists because the program does not validate input before returning it to users. This may allow an authenticated remote attacker to create a specially crafted request that would execute arbitrary script code in a user's browser session within the trust relationship between their browser and the server. (CVE-2014-4770)
 - A flaw exists in the administrative console as HTTP requests do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to perform unspecified actions. (CVE-2014-4816)
 - An XXE (Xml eXternal Entity) injection flaw exists in the Communications Enabled Applications (CEA) service that is triggered during the parsing of XML data. The issue is due to an incorrectly configured XML parser accepting XML external entities from an untrusted source. By sending specially crafted XML data, a remote attacker can gain access to potentially sensitive information. (CVE-2014-6166)

The remote host is running IBM WebSphere Application Server version 8.0 prior to Fix Pack 10. It is, therefore, affected by the following vulnerabilities :

  - Multiple errors exist related to the included IBM HTTP     server that can allow remote code execution or denial     of service. (CVE-2013-5704, CVE-2014-0118,     CVE-2014-0226, CVE-2014-0231 / PI22070)

  - An error exists related to the implementation of the     Elliptic Curve Digital Signature Algorithm (ECDSA) that     could allow nonce disclosure via the 'FLUSH+RELOAD'     cache side-channel attack. (CVE-2014-0076 / PI19700)

  - An unspecified error exists related to HTTP headers that     can allow information disclosure. (CVE-2014-3021 /     PI08268)

  - An unspecified error caused by improper account creation     with the Virtual Member Manager SPI Admin Task     'addFileRegistryAccount' can allow remote attackers to     bypass security restrictions. (CVE-2014-3070 / PI16765)

  - An information disclosure vulnerability exists due to a     failure to restrict access to resources located within     the web application. A remote attacker can exploit this     to obtain configuration data and other sensitive     information. (CVE-2014-3083 / PI17768, PI30579 )

  - A man-in-the-middle (MitM) information disclosure     vulnerability known as POODLE. The vulnerability is due     to the way SSL 3.0 handles padding bytes when decrypting     messages encrypted using block ciphers in cipher block     chaining (CBC) mode. MitM attackers can decrypt a     selected byte of a cipher text in as few as 256 tries if     they are able to force a victim application to     repeatedly send the same data over newly created SSL 3.0     connections. (CVE-2014-3566 / PI28435, PI28436, PI28437)

  - An unspecified flaw in the Load Balancer for IPv4     Dispatcher component allows a remote attacker to cause     a denial of service. (CVE-2014-4764 / PI21189)

  - An unspecified input validation error exists related to     the administrative console that can allow cross-site     scripting and cross-site request forgery attacks.
    (CVE-2014-4770, CVE-2014-4816 / PI23055)

  - An error exists related to the Communications Enabled     Applications (CEA) service that can allow XML External     Entity Injection (XXE) attacks leading to information     disclosure. This only occurs if CEA is enabled, and by     default this is disabled. (CVE-2014-6166 / PI25310)

  - An input validation error exists related to session     input using URL rewriting that can allow cross-site     scripting attacks. (CVE-2014-6167 / PI23819)

  - An error exists related to the administrative console     that can allow click-jacking attacks. (CVE-2014-6174 /     PI27152)

The IBM WebSphere Application Server running on the remote host is version 8.5 prior to Fix Pack 8.5.5.4. It is, therefore, affected by the following vulnerabilities :

  - Multiple errors exist related to the included IBM HTTP     server that can allow remote code execution or denial     of service. (CVE-2013-5704, CVE-2014-0118,     CVE-2014-0226, CVE-2014-0231 / PI22070)

  - An unspecified error exists related to HTTP headers     that can allow information disclosure. (CVE-2014-3021     / PI08268)

  - An error exists related to the way SSL 3.0 handles     padding bytes when decrypting messages encrypted using     block ciphers in cipher block chaining (CBC) mode. A     man-in-the-middle attacker can decrypt a selected byte     of a cipher text in as few as 256 tries if they are able     to force a victim application to repeatedly send the     same data over newly created SSL 3.0 connections. This     is also known as the 'POODLE' issue. (CVE-2014-3566 /     PI28435, PI28436, PI28437)

  - An unspecified input validation errors exist related to     the administrative console that can allow cross-site     scripting and cross-site request forgery attacks.
    (CVE-2014-4770, CVE-2014-4816 / PI23055)

  - An unspecified error exists that can allow OpenID and     OpenID Connect cookies to be spoofed, allowing     information disclosure. (CVE-2014-6164 / PI23430)

  - An error exists related to the Communications Enabled     Applications (CEA) service that can allow XML External     Entity Injection (XXE) attacks leading to information     disclosure. This only occurs if CEA is enabled. By     default this is disabled. (CVE-2014-6166 / PI25310)

  - An input validation error exists related to session     input using URL rewriting that can allow cross-site     scripting attacks. (CVE-2014-6167 / PI23819)

  - An error exists related to the administrative console     that can allow 'click-jacking' attacks. (CVE-2014-6174 /     PI27152)

  - An error exists related to deployment descriptor     security constraints and ServletSecurity annotations on     a servlet that can allow privilege escalation. Note that     this issue only affects the 'Liberty Profile'.
    (CVE-2014-8890 / PI29911)

ID	Name	Product	Family	Severity
700046	IBM WebSphere Application Server 8.5.5.x < 8.5.5.4 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
700045	IBM WebSphere Application Server 8.0.0.x < 8.0.0.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
700044	IBM WebSphere Application Server 7.0.0.x < 7.0.0.35 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
81401	IBM WebSphere Application Server 8.0 < Fix Pack 10 Multiple Vulnerabilities (POODLE)	Nessus	Web Servers	medium
80398	IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.4 Multiple Vulnerabilities (POODLE)	Nessus	Web Servers	medium

CVE-2014-6166

medium

New! CVE Severity Now Using CVSS v3

Description

References

Details

Risk Information

CVSS v2

Vulnerable Software

Configuration 1

Tenable Plugins

medium

medium

high

medium

medium