IBM WebSphere Application Server < Multiple Vulnerabilities

Medium Nessus Plugin ID 39450


The remote application server is affected by multiple vulnerabilities.


IBM WebSphere Application Server 6.1 before Fix Pack 25 appears to be running on the remote host. As such, it is reportedly affected by multiple vulnerabilities :

- Non-standard HTTP methods are allowed. (PK73246)

- An error in Single Sign-on (SSO) with SPNEGO implementation could allow a remote attacker to bypass security restrictions. (PK77465)

- 'wsadmin' is affected by a security exposure. (PK77495)

- Security flag 'isSecurityEnabled' is incorrectly set after migrating from VMM. (PK78134)

- In certain cases sensitive information may appear in migration trace. (PK78134)

- Use of insecure password obfuscation algorithm by Web services could result in weaker than expected security provided the client module specifies a password in ibm-webservicesclient-bind.xmi and target environment has custom password encryption enabled. (PK79275)

- Sensitive information might appear in trace files.

- XML digital signature is affected by a security issue.

- If CSIv2 Security is configured with Identity Assertion, it may be possible for a remote attacker to bypass security restrictions. (PK83097)

- IBM Stax XMLStreamWriter may write to an incorrect XML file, and hence is susceptible to a XML fuzzing attack.

- Configservice APIs could display sensitive information.

- A security bypass caused by inbound requests that lack a SOAPAction or WS-Addressing Action. (PK72138)


If using WebSphere Application Server, apply Fix Pack 25 ( or later.

Otherwise, if using embedded WebSphere Application Server packaged with Tivoli Directory Server, apply the latest recommended eWAS fix pack.

See Also

Plugin Details

Severity: Medium

ID: 39450

File Name: websphere_6_1_0_25.nasl

Version: $Revision: 1.24 $

Type: remote

Family: Web Servers

Published: 2009/06/19

Modified: 2016/11/29

Dependencies: 57034

Risk Information

Risk Factor: Medium


Base Score: 5

Temporal Score: 4.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:websphere_application_server

Required KB Items: www/WebSphere

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2009/06/16

Reference Information

CVE: CVE-2009-0899, CVE-2009-0903, CVE-2009-0904, CVE-2009-1174, CVE-2009-1899, CVE-2009-1900, CVE-2009-1901, CVE-2009-2085, CVE-2009-2087, CVE-2009-2088, CVE-2009-2089

BID: 35405, 35406, 35594, 35741, 36154, 36156, 36158, 36163

OSVDB: 53253, 55075, 55076, 55077, 55079, 56161, 56162, 57040, 57041, 57044, 57045

Secunia: 35491

CWE: 16, 200, 255, 264, 287, 310