IBM WebSphere Application Server 7.0 < Fix Pack 1 Multiple Vulnerabilities

Medium

Synopsis

The remote application server is affected by multiple vulnerabilities.

Description

IBM WebSphere Application Server 7.0 before Fix Pack 1 appears to be running on the remote host. Such versions are reportedly affected by multiple vulnerabilities.

- A vulnerability in the Feature Pack for Web Services could lead to information disclosure due to 'userNameToken' (PK67282).

- A user locked by the underlying OS may be able to authenticate via the administrative console (PK67909).

- The web authentication options 'Authenticate when any URI is accessed' and 'Use available authentication data when an unprotected URI is accessed' are ignored. Servlets with no security constraints are not authenticated, and usernames with the '@' symbol fail to authenticate (PK71826).

- WS-Security in JAX-WS does not remove UsernameTokens from client cache on failed logins (PK72435).

- SSL traffic is routed over unencrypted TCP routes (PK74777).

Solution

Apply Fix Pack 1 (7.0.0.1) or higher.