Vigil@nce: WebSphere AS 6.1.0, several vulnerabilities
September 2009 by Vigil@nce
Several vulnerabilities of WebSphere AS can be used to attack the
service.
Severity: 2/4
Consequences: user access/rights, client access/rights, data
reading, data creation/edition, denial of service of service
Provenance: internet client
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 7
Creation date: 22/09/2009
IMPACTED PRODUCTS
– IBM WebSphere Application Server
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in WebSphere Application
Server.
An attacker can generate a Cross Site Scripting in the Eclipse
help. [grav:2/4; BID-36455, CVE-2009-2742, PK78917]
An unknown vulnerability has the reference PK88341. [grav:2/4;
PK88341]
An unknown vulnerability has the reference PK88342. [grav:2/4;
PK88342]
An attacker can generate an error (wsadmin and JAAS-J2C
Authentication Data), then read the FFDC log file, in order to
obtain sensitive information. [grav:2/4; BID-36458, CVE-2009-2743,
PK86137]
An attacker can use doGet and doTrace methods in order to bypass
access restrictions. [grav:2/4; PK83258]
An attacker can generate a denial of service. [grav:2/4;
BID-36456, CVE-2009-2744, PK91709]
An unknown vulnerability has the reference PK83308. [grav:1/4;
BID-36157, CVE-2009-2091, PK83308]
CHARACTERISTICS
Identifiers: BID-36157, BID-36455, BID-36456, BID-36458,
CVE-2009-2091, CVE-2009-2742, CVE-2009-2743, CVE-2009-2744,
PK78917, PK83258, PK83308, PK86137, PK88341, PK88342, PK91709,
swg27007951, VIGILANCE-VUL-9041
http://vigilance.fr/vulnerability/WebSphere-AS-6-1-0-several-vulnerabilities-9041