Several security vulnerabilities have been fixed in IBM WebSphere Application Server, a secure, scalable and reliable environment for running applications and services. The vulnerabilities stem from improper handling of input data in certain components and improper handling of temporary files. They allow an attacker to bypass imposed restrictions, carry out an XSS (Cross-site scripting) attack and disclose sensitive information. Since an upgrade has been released, users are advised to apply it.

IBM WebSphere Application Server Data Disclosure and Security Bypass

VUPEN ID: VUPEN/ADV-2011-0564
CVE ID: GENERIC-MAP-NOMATCH
CWE ID: Available in VUPEN VNS Customer Area
CVSS V2: Available in VUPEN VNS Customer Area
Rated as: Moderate Risk
Impact: Available in VUPEN VNS Customer Area
Authentication Level: Available in VUPEN VNS Customer Area
Access Vector: Available in VUPEN VNS Customer Area
Release Date: 2011-03-03

Technical Description

Multiple vulnerabilities have been identified in IBM WebSphere Application Server, which could be exploited by attackers to bypass restrictions or gain knowledge of sensitive information.

The first issue is caused by an access validation error within console servlets.

The second vulnerability is caused by an error in the installer that creates a temporary directory for logs with insecure ("777", world-writable) permissions.

The third issue is caused by an input validation error in the IVT application, which could allow cross-site scripting attacks.

The fourth vulnerability is caused by an input validation error in the web container, which could allow cross-site scripting attacks.

The fifth issue is caused by an unknown error related to Trace request handling.

Affected Products

IBM WebSphere Application Server versions prior to 7.0.0.15

Solution

Upgrade to IBM WebSphere Application Server version 7.0.0.15:
http://www.ibm.com/support/docview.wss?uid=swg24028875

References

http://www.vupen.com/english/advisories/2011/0564
http://www-01.ibm.com/support/docview.wss?uid=swg27014463

Credits

Vulnerabilities reported by the vendor.

Changelog

2011-03-03 : Initial release
