IBM WebSphere Application Server 8.5 < Fix Pack 8.5.5.2 Multiple Vulnerabilities
High Nessus Plugin ID 74235
Synopsis
The remote application server may be affected by multiple vulnerabilities.
Description
IBM WebSphere Application Server 8.5 prior to Fix Pack 8.5.5.2 appears to be running on the remote host and is, therefore, potentially affected by the following vulnerabilities :
- Numerous errors exist related to the included IBM SDK for Java (based on the Oracle JDK) that could allow denial of service attacks and information disclosure.
(CVE-2013-5372, CVE-2013-5780, CVE-2013-5803)
- User input validation errors exist related to the Administrative console and the Oauth component that could allow cross-site scripting attacks.
(CVE-2013-6725 / PM98132, CVE-2013-6323 / PI04777, CVE-2013-6738 / PI05661)
- An error exists due to a failure to properly handle by web services endpoint requests that could allow denial of service attacks.
(CVE-2013-6325 / PM99450, PI08267)
- An error exists in the included IBM Global Security Kit related to SSL handling that could allow denial of service attacks. (CVE-2013-6329 / PI05309)
- A flaw exists with the 'mod_dav' module that is caused when tracking the length of CDATA that has leading white space. A remote attacker with a specially crafted DAV WRITE request can cause the service to stop responding. (CVE-2013-6438 / PI09345)
- An error exists in the included IBM Global Security Kit related to malformed X.509 certificate chain handling that could allow denial of service attacks.
(CVE-2013-6747 / PI09443)
- An error exists in the included Apache Tomcat version related to handling 'Content-Type' HTTP headers and multipart requests such as file uploads that could allow denial of service attacks. (CVE-2014-0050 / PI12648, PI12926)
- An unspecified error exists that could allow file disclosures to remote unauthenticated attackers.
(CVE-2014-0823 / PI05324)
- An unspecified error exists related to the Administrative console that could allow a security bypass. (CVE-2014-0857 / PI07808)
- An error exists related to a web server plugin and retrying failed POST requests that could allow denial of service attacks. (CVE-2014-0859 / PI08892)
- An error exists related to the Proxy and ODR components that could allow information disclosure. (CVE-2014-0891 / PI09786)
- An unspecified error exists related to the 'Liberty Profile' that could allow information disclosure.
(CVE-2014-0896 / PI10134)
Solution
Apply Fix Pack 8.5.5.2 for version 8.5 (8.5.5.0) or later.