Orange Business Services
Vigil@nce Vigil@nce Vigil@nce
we track for your security since 1999
 home presentation vulnerabilities documentation contact  
subscriber area subscriber area
free access free access
Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them.
recent vulnerabilities recent vulnerabilities
tracked products tracked products
RSS feed RSS feed
vulnerability

vulnerability announce CVE-2009-0217 CVE-2009-0892 CVE-2009-0903

WebSphere AS 7.0.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of WebSphere AS can be used to attack the service.
Severity: 3/4.
Creation date: 26/03/2009.
Revision date: 27/03/2009.

Description of the vulnerability

Several vulnerabilities were announced in WebSphere Application Server.

A vulnerability impacts SOAPAction. [severity:2/4; BID-35594, CVE-2009-0903, PK72138, >]

An attacker can access to sessions of the administrative console. [severity:2/4; BID-34501, CVE-2009-0892, PK74966, >]

The AX-RPC WS-Sexcurity runtime does not correctly validate a usernametoken. [severity:2/4; BID-34502, BID-35610, CVE-2009-1172, PK75992, >]

An attacker can create a Cross Site Scripting in application examples provided with WebSphere (PlantsByWebSphere, JAX-WS Web Services MTOM, JAX-WS Web Services Ping and Echo, Dynamic Query - Employee Finder, Dynamic Query - EJB Data Mediator Service, Application Profile - Account Management, Scheduler Account Report). [severity:1/4; DEFECT 566807, DSECRG-09-013, PK76720, >]

An attacker can create a Cross Site Scripting in the Integrated Solutions Console. [severity:2/4; BID-34259, DEFECT 566807, DSECRG-09-013, PK77505, >]

Some files are created with 777 (world writable) permissions instead of 755. [severity:2/4; BID-34259, CVE-2009-1173, PK77590, >]

Some files are created with 777 (world writable) permissions instead of 755. [severity:2/4; BID-34358, CVE-2009-1173, PK78960, >]

A vulnerability impacts the XML signature (VIGILANCE-VUL-8864). [severity:3/4; BID-34506, BID-35671, CVE-2009-0217, CVE-2009-1174, PK80596, PK80627, VU#466161, >]

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: WebSphere AS 7.0.0: several vulnerabilities.
Keywords: 755 777 466161 566807 AX-RPC Account Application Console Cross DEFECT DSECRG-09-013 Data Dynamic EJB Echo Employee Finder Integrated JAX-WS MTOM Management Mediator PK72138 PK74966 PK75992 PK76720 PK77505 PK77590 PK78960 PK80596 PK80627 Ping PlantsByWebSphere Profile Query Report SOAPAction Scheduler Scripting Server Service Services Site Solutions WS-Sexcurity Web WebSphere XML several vulnerabilities.
Identifiers: BID-34259, BID-34358, BID-34501, BID-34502, BID-34506, BID-35594, BID-35610, BID-35671, CVE-2009-0217, CVE-2009-0892, CVE-2009-0903, CVE-2009-1172, CVE-2009-1173, CVE-2009-1174, DEFECT 566807, DSECRG-09-013, HPSBUX02476, PK72138, PK74966, PK75992, PK76720, PK77505, PK77590, PK78960, PK80596, PK80627, SSRT090250, swg27014463, VIGILANCE-VUL-8567, VU#466161.

Information sources

Publications and announces
Source example: Fix Pack 3 (7.0.0.3)

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability : PK72138

A vulnerability impacts SOAPAction.
Severity: 2/4.
Identifiers: BID-35594, CVE-2009-0903, PK72138.

Vulnerability : PK74966

An attacker can access to sessions of the administrative console.
Severity: 2/4.
Identifiers: BID-34501, CVE-2009-0892, PK74966.

Vulnerability : PK75992

The AX-RPC WS-Sexcurity runtime does not correctly validate a usernametoken.
Severity: 2/4.
Identifiers: BID-34502, BID-35610, CVE-2009-1172, PK75992.

Vulnerability : PK76720

An attacker can create a Cross Site Scripting in application examples provided with WebSphere (PlantsByWebSphere, JAX-WS Web Services MTOM, JAX-WS Web Services Ping and Echo, Dynamic Query - Employee Finder, Dynamic Query - EJB Data Mediator Service, Application Profile - Account Management, Scheduler Account Report).
Severity: 1/4.
Identifiers: DEFECT 566807, DSECRG-09-013, PK76720.
Publications and announces

Vulnerability : PK77505

An attacker can create a Cross Site Scripting in the Integrated Solutions Console.
Severity: 2/4.
Identifiers: BID-34259, DEFECT 566807, DSECRG-09-013, PK77505.
Publications and announces

Vulnerability : PK77590

Some files are created with 777 (world writable) permissions instead of 755.
Severity: 2/4.
Identifiers: BID-34259, CVE-2009-1173, PK77590.

Vulnerability : PK78960

Some files are created with 777 (world writable) permissions instead of 755.
Severity: 2/4.
Identifiers: BID-34358, CVE-2009-1173, PK78960.
Publications and announces
Source example: PK78960: Security Vulnerability - Update Installer and Installation Factory

Vulnerability : PK80596

A vulnerability impacts the XML signature (VIGILANCE-VUL-8864).
Severity: 3/4.
Identifiers: BID-34506, BID-35671, CVE-2009-0217, CVE-2009-1174, PK80596, PK80627, VU#466161.
Publications and announces
Source example: Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627)

Attack

Exploit 0day or proof of concept

Attack

Exploit 0day or proof of concept

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Technology watch team on vulnerabilities



















France Télécom Copyright 1999-2010 Vigil@nce. Vigil@nce is a service from Orange Business Services. Site map. Legal notice. Version française