Two vulnerabilities have been discovered in IBM WebSphere Application Server, a secure, scalable and reliable environment for running applications and services. The first flaw results from improper handling of certain input data and can be exploited to inject arbitrary HTML and script code (an XSS vulnerability). The second vulnerability concerns improper handling of certain privileges, which allows a remote attacker to disclose sensitive information. Users are encouraged to apply the available update.

IBM WebSphere Application Server Two Vulnerabilities
Secunia Advisory: SA42938
Release Date: 2011-01-17
Criticality level: Less critical
Impact: Security Bypass, Cross Site Scripting
Where: From remote
Authentication level: Available in Customer Area
Report reliability: Available in Customer Area
Solution Status: Vendor Patch
Systems affected: Available in Customer Area
Approve distribution: Available in Customer Area
Software: IBM WebSphere Application Server 7.0.x
Secunia CVSS Score: Available in Customer Area
CVE Reference(s): CVE-2011-0315 (CVSS available in Customer Area), CVE-2011-0316 (CVSS available in Customer Area)

Description
Two vulnerabilities have been reported in IBM WebSphere Application Server, which can be exploited by malicious people to conduct cross-site scripting attacks and bypass certain security restrictions.

1) Certain unspecified input passed to the web container can be exploited to conduct cross-site scripting attacks.

For more information see vulnerability #2 in:
SA42190

2) The administration console does not properly restrict access to console servlets.

For more information see vulnerability #3 in:
SA42136

The vulnerabilities are reported in versions prior to 7.0 Fix Pack 15 (7.0.0.15).

Solution
Apply APARs PM18512 and PM24372, or update to version 7.0.0.15, which is scheduled for release on 7th February, 2011.

Provided and/or discovered by
Reported by the vendor.

Original Advisory
IBM (PM18512, PM24372):
http://www-01.ibm.com/support/docview.wss?uid=swg27004980
http://xforce.iss.net/xforce/xfdb/64554
http://xforce.iss.net/xforce/xfdb/64558

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area
