IBM WebSphere Application Server (WAS) 7.x before 7.0.0.43, 8.0.0.x before 8.0.0.13, 8.5.0.x before 8.5.5.10, 8.5.0.x and 16.0.0.x Liberty before Liberty Fix Pack 16.0.0.3, and 9.0.0.x before 9.0.0.1 allows remote attackers to cause a denial of service via crafted SIP messages.

The IBM WebSphere Application Server running on the remote host is version 7.0.0.x prior to 7.0.0.43, 8.0.0.x prior to 8.0.0.13, 8.5.0.x prior to 8.5.5.10 or 9.0.x prior to 9.0.0.1. It is, therefore, affected by a denial of service vulnerability when using SIP services. An unauthenticated, remote attacker can exploit this, with specially-crafted SIP messages.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host appears to be running IBM WebSphere Application Server 8.0.0.x prior to 8.0.0.13.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses. This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks.
 - A flaw exists that is triggered during the handling of specially crafted SIP messages. This may allow a remote attacker to cause a denial of service.
 - An unspecified flaw exists that is triggered during the handling of responses. This may allow a remote attacker gain access to sensitive server identification information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact. No further details have been provided by the vendor. Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.
 - An unspecified flaw exists that is triggered as input is not properly sanitized when deserializing Java objects. This may allow an authenticated remote attacker to potentially execute arbitrary code.

The remote host appears to be running IBM WebSphere Application Server 7.0.0.x prior to 7.0.0.43. Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses. This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks.
 - A flaw exists that is triggered during the handling of specially crafted SIP messages. This may allow a remote attacker to cause a denial of service.
 - An unspecified flaw exists that is triggered during the handling of responses. This may allow a remote attacker gain access to sensitive server identification information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact. No further details have been provided by the vendor. Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.
 - An unspecified flaw exists that is triggered as input is not properly sanitized when deserializing Java objects. This may allow an authenticated remote attacker to potentially execute arbitrary code.

The remote host appears to be running IBM WebSphere Application Server 9.0 prior to 9.0.0.1.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered during the handling of specially crafted SIP messages.  This may allow a remote attacker to cause a denial of service.
 - An overflow condition exists that is triggered as certain input is not properly validated.  This may allow an authenticated remote attacker to cause a buffer overflow, potentially allowing them to bypass security restrictions and disclose sensitive information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact.  No further details have been provided by the vendor.  Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.

The remote host appears to be running IBM WebSphere Application Server 8.5 prior to 8.5.5.10.  Such versions are potentially affected by multiple issues :

 - A flaw exists that is triggered as CRLF (Carriage Return and Line Feed) character sequences are not properly sanitized before being included in HTTP responses.  This allows a remote attacker to inject additional headers into responses to conduct HTTP response splitting attacks.
 - A flaw exists that is triggered during the handling of specially crafted SIP messages.  This may allow a remote attacker to cause a denial of service.
 - A flaw exists that is due to the program improperly setting the CSRFtoken cookie.  This may allow an authenticated remote attacker to gain access to potentially sensitive information.
 - An overflow condition exists that is triggered as certain input is not properly validated.  This may allow an authenticated remote attacker to cause a buffer overflow, potentially allowing them to bypass security restrictions and disclose sensitive information.
 - A flaw exists that is due to the program setting insecure unspecified flags on CSRF token cookies, which may allow an attacker to have an unspecified impact.  No further details have been provided by the vendor.  Based on past disclosures from IBM, this is likely the 'secure' and/or 'HttpOnly' flag.

ID	Name	Product	Family	Severity
142138	IBM WebSphere Application Server 7.0.0.x < 7.0.0.43 / 8.0.0.x < 8.0.0.13 / 8.5.x < 8.5.5.10 / 9.0.x < 9.0.0.1 DoS (CVE-2016-2960)	Nessus	Web Servers	low
700016	IBM WebSphere Application Server 8.0.0.x < 8.0.0.13 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	low
700015	IBM WebSphere Application Server 7.0.0.x < 7.0.0.43 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	low
9722	IBM WebSphere Application Server 9.0 < 9.0.0.1 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
9720	IBM WebSphere Application Server 8.5 < 8.5.5.10 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium

Detections

Analytics

CVE-2016-2960

low

Tenable Plugins

low

low

low

medium

medium