IBM WebSphere Application Server 7.0 < Fix Pack 1 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 4783

Synopsis

The remote application server is affected by multiple vulnerabilities.

Description

IBM WebSphere Application Server 7.0 before Fix Pack 1 appears to be running on the remote host. Such versions are reportedly affected by multiple vulnerabilities.

- A vulnerability in feature pack for web services could lead to information disclosure due to 'userNameToken' (PK67282).

- A user locked by the underlying OS may be able to authenticate via the administrative console (PK67909).

- Web authentication options 'Authenticate when any URI is accessed' and 'Use available authentication data when an unprotected URI is accessed' are ignored. Servlets with no security constraints are not authenticated and usernames with the '@' symbol fail to authenticate (PK71826).

- WS-Security in JAX-WS does not remove UsernameTokens from client cache on failed logins (PK72435).

- SSL traffic is routed over unencrypted TCP routes (PK74777).

Solution

Apply Fix Pack 1 (7.0.0.1) or higher.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg24021073

http://www-01.ibm.com/support/docview.wss?uid=swg1PK67909

http://www-01.ibm.com/support/docview.wss?uid=swg1PK71826

http://www-01.ibm.com/support/docview.wss?uid=swg1PK72435

http://www-01.ibm.com/support/docview.wss?uid=swg27014463#7001

http://www.ibm.com/support

Plugin Details

Severity: Medium

ID: 4783

Family: Web Servers

Published: 2008/12/10

Modified: 2016/01/21

Dependencies: 4270

Nessus ID: 35082

Risk Information

Risk Factor: Medium

CVSSv2

Base Score: 5.1

Temporal Score: 5

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSSv3

Base Score: 5.6

Temporal Score: 4.9

Vector: CVSS3#AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:websphere_application_server

Reference Information

CVE: CVE-2008-4283, CVE-2008-4284, CVE-2009-0432, CVE-2009-0433, CVE-2009-0434, CVE-2009-0435, CVE-2009-0436, CVE-2009-0438, CVE-2008-5411, CVE-2008-5412, CVE-2008-5413, CVE-2008-5414

BID: 33700, 33879, 32679