New! Vulnerability Priority Rating (VPR)
Tenable calculates a dynamic VPR for every vulnerability. VPR combines vulnerability information with threat intelligence and machine learning algorithms to predict which vulnerabilities are most likely to be exploited in attacks. Read more about what VPR is and how it's different from CVSS.
VPR Score: 5.9
Synopsis
The remote application server may be affected by multiple vulnerabilities.
Description
IBM WebSphere Application Server 8.0 before Fix Pack 7 appears to be running on the remote host. It is, therefore, potentially affected by the following vulnerabilities :
- A flaw exists related to Apache Ant and file compression that could lead to denial of service conditions. (CVE-2012-2098 / PM90088)
- The TLS protocol in the GSKIT component is vulnerable to a plaintext recovery attack.
(CVE-2013-0169 / PM85211)
- A flaw exists relating to OAuth that could allow a remote attacker to obtain someone else's credentials.
(CVE-2013-0597 / PM85834 / PM87131)
- A flaw exists relating to OpenJPA that is triggered during deserialization, which could allow a remote attacker to write to the file system and potentially execute arbitrary code. Note the vendor states this application is not directly affected by this flaw;
however, this application does include the affected version of OpenJPA. (CVE-2013-1768 / PM86780)
- An input validation flaw exists in the optional 'mod_rewrite' module in the included IBM HTTP Server that could allow arbitrary command execution via HTTP requests containing certain escape sequences.
(CVE-2013-1862 / PM87808)
- A flaw exists related to the optional 'mod_dav' module in the included IBM HTTP Server that could allow denial of service conditions.
(CVE-2013-1896 / PM89996)
- User-supplied input validation errors exist related to the administrative console that could allow cross-site scripting attacks.
(CVE-2013-2967 / PM78614, CVE-2013-4004 / PM81571, CVE-2013-4005 / PM88208)
- An information disclosure vulnerability exists related to incorrect caching by the administrative console.
(CVE-2013-2976 / PM79992)
- A user-supplied input validation error exists that could allow cross-site request forgery (CSRF) attacks to be carried out. (CVE-2013-3029 / PM88746)
Solution
Apply Fix Pack 7 for version 8.0 (8.0.0.7) or later.