IBM WebSphere Application Server 7.0 < Fix Pack 1 Multiple Vulnerabilities

Medium Nessus Network Monitor Plugin ID 4783


The remote application server is affected by multiple vulnerabilities.


IBM WebSphere Application Server 7.0 before Fix Pack 1 appears to be running on the remote host. Such versions are reportedly affected by multiple vulnerabilities.

- A vulnerability in the Feature Pack for Web Services could lead to information disclosure involving the 'userNameToken' element (PK67282).

- A user locked by the underlying OS may be able to authenticate via the administrative console (PK67909).

- Web authentication options 'Authenticate when any URI is accessed' and 'Use available authentication data when an unprotected URI is accessed' are ignored. Servlets with no security constraints are not authenticated and usernames with the '@' symbol fail to authenticate (PK71826).

- WS-Security in JAX-WS does not remove UsernameTokens from client cache on failed logins (PK72435).

- SSL traffic is routed over unencrypted TCP routes (PK74777).


Apply Fix Pack 1 ( or higher.

Plugin Details

Severity: Medium

ID: 4783

Family: Web Servers

Published: 2008/12/10

Modified: 2016/01/21

Dependencies: 4270

Nessus ID: 35082

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 5.1

Temporal Score: 5

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS v3.0

Base Score: 5.6

Temporal Score: 4.9


Temporal Vector: CVSS3#E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:websphere_application_server

Reference Information

CVE: CVE-2008-4283, CVE-2008-4284, CVE-2009-0432, CVE-2009-0433, CVE-2009-0434, CVE-2009-0435, CVE-2009-0436, CVE-2009-0438, CVE-2008-5411, CVE-2008-5412, CVE-2008-5413, CVE-2008-5414

BID: 33700, 33879, 32679