IBM WebSphere Application Server 7.0 < Fix Pack 35 Multiple Vulnerabilities

medium Nessus Plugin ID 78604

Synopsis

The remote application server is affected by multiple vulnerabilities.

Description

The remote host is running a version of IBM WebSphere Application Server 7.0 prior to Fix Pack 35. It is, therefore, affected by the following vulnerabilities:

- Multiple errors exist related to the included IBM HTTP Server that could allow remote code execution or denial of service. (CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231 / PI22070)

- An error exists related to HTTP header handling that could allow the disclosure of sensitive information. (CVE-2014-3021 / PI08268)

- An unspecified error exists that could allow the disclosure of sensitive information. (CVE-2014-3083 / PI17768)

- Unspecified input-validation errors exist related to the 'Admin Console' that could allow cross-site scripting and cross-site request forgery attacks. (CVE-2014-4770, CVE-2014-4816 / PI23055)

Solution

Apply Fix Pack 35 (7.0.0.35) or later.

Note that the following interim fixes are available:

- CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, and CVE-2014-0231 are corrected in IF PI22070.
- CVE-2014-3083 is corrected in IF PI17768.
- CVE-2014-4770 and CVE-2014-4816 are corrected in IF PI23055.

See Also

https://www-304.ibm.com/support/docview.wss?uid=swg21684612

http://www-01.ibm.com/support/docview.wss?uid=swg27004980#ver70

http://www.nessus.org/u?834c5fca

https://www-304.ibm.com/support/docview.wss?uid=swg24038178

https://www-304.ibm.com/support/docview.wss?uid=swg21672428

https://www-304.ibm.com/support/docview.wss?uid=swg21682767

Plugin Details

Severity: Medium

ID: 78604

File Name: websphere_7_0_0_35.nasl

Version: 1.8

Type: remote

Family: Web Servers

Published: 10/21/2014

Updated: 8/6/2018

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: cpe:/a:ibm:websphere_application_server

Required KB Items: www/WebSphere

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/13/2014

Vulnerability Publication Date: 3/31/2014

Reference Information

CVE: CVE-2013-5704, CVE-2014-0118, CVE-2014-0226, CVE-2014-0231, CVE-2014-3021, CVE-2014-3083, CVE-2014-4770, CVE-2014-4816

BID: 66550, 68678, 68742, 68745, 69298, 69980, 69981, 70582

CWE: 20, 442, 629, 711, 712, 722, 725, 74, 750, 751, 79, 800, 801, 809, 811, 864, 900, 928, 931, 990

CERT: 573356