we track for your security since 1999

vulnerabilities

The Vigil@nce team watches vulnerabilities impacting your computers, and then offers solutions, a database and tools to correct them.

recent vulnerabilities

tracked products

RSS feed

vulnerability

vulnerability announce CVE-2009-0217 CVE-2009-0892 CVE-2009-0903

WebSphere AS 7.0.0: several vulnerabilities

Synthesis of the vulnerability

Several vulnerabilities of WebSphere AS can be used to attack the service.

Severity: 3/4.
Creation date: 26/03/2009.
Revision date: 27/03/2009.

Impacted products

Description of the vulnerability

Several vulnerabilities were announced in WebSphere Application Server.

A vulnerability impacts SOAPAction. [severity:2/4; BID-35594, CVE-2009-0903, PK72138, >]

An attacker can access to sessions of the administrative console. [severity:2/4; BID-34501, CERTA-2009-AVI-126, CVE-2009-0892, PK74966, >]

The AX-RPC WS-Sexcurity runtime does not correctly validate a usernametoken. [severity:2/4; BID-34502, BID-35610, CVE-2009-1172, PK75992, >]

An attacker can create a Cross Site Scripting in application examples provided with WebSphere (PlantsByWebSphere, JAX-WS Web Services MTOM, JAX-WS Web Services Ping and Echo, Dynamic Query - Employee Finder, Dynamic Query - EJB Data Mediator Service, Application Profile - Account Management, Scheduler Account Report). [severity:1/4; DEFECT 566807, DSECRG-09-013, PK76720, >]

An attacker can create a Cross Site Scripting in the Integrated Solutions Console. [severity:2/4; BID-34259, DEFECT 566807, DSECRG-09-013, PK77505, >]

Some files are created with 777 (world writable) permissions instead of 755. [severity:2/4; BID-34259, CVE-2009-1173, PK77590, >]

Some files are created with 777 (world writable) permissions instead of 755. [severity:2/4; BID-34358, CVE-2009-1173, PK78960, >]

A vulnerability impacts the XML signature (VIGILANCE-VUL-8864). [severity:3/4; BID-34506, BID-35671, CERTA-2009-AVI-279, CERTA-2009-AVI-452, CERTA-2010-AVI-253, CVE-2009-0217, CVE-2009-1174, PK80596, PK80627, VU#466161, >]

Share this bulletin

Complete Vigil@nce bulletin

WebSphere AS 7.0.0: several vulnerabilities

Characteristics

Title: WebSphere AS 7.0.0: several vulnerabilities.
Keywords: 755 777 466161 566807 AX-RPC Account Application CERTA-2009-AVI-126 CERTA-2009-AVI-279 CERTA-2009-AVI-452 CERTA-2010-AVI-253 Console Cross DEFECT DSECRG-09-013 Data Dynamic EJB Echo Employee Finder Integrated JAX-WS MTOM Management Mediator PK72138 PK74966 PK75992 PK76720 PK77505 PK77590 PK78960 PK80596 PK80627 Ping PlantsByWebSphere Profile Query Report SOAPAction Scheduler Scripting Server Service Services Site Solutions WS-Sexcurity Web WebSphere XML several vulnerabilities.
Identifiers: BID-34259, BID-34358, BID-34501, BID-34502, BID-34506, BID-35594, BID-35610, BID-35671, CERTA-2009-AVI-126, CERTA-2009-AVI-279, CERTA-2009-AVI-452, CERTA-2010-AVI-253, CVE-2009-0217, CVE-2009-0892, CVE-2009-0903, CVE-2009-1172, CVE-2009-1173, CVE-2009-1174, DEFECT 566807, DSECRG-09-013, HPSBUX02476, PK72138, PK74966, PK75992, PK76720, PK77505, PK77590, PK78960, PK80596, PK80627, SSRT090250, swg27014463, VIGILANCE-VUL-8567, VU#466161.

Information sources

Publications and announces
Source example: Fix Pack 3 (7.0.0.3)

Solutions for this vulnerability

Patch or workaround

Supplements

Vulnerability : PK72138

A vulnerability impacts SOAPAction.
Severity: 2/4.
Identifiers: BID-35594, CVE-2009-0903, PK72138.

Vulnerability : PK74966

An attacker can access to sessions of the administrative console.
Severity: 2/4.
Identifiers: BID-34501, CERTA-2009-AVI-126, CVE-2009-0892, PK74966.

Vulnerability : PK75992

The AX-RPC WS-Sexcurity runtime does not correctly validate a usernametoken.
Severity: 2/4.
Identifiers: BID-34502, BID-35610, CVE-2009-1172, PK75992.

Vulnerability : PK76720

An attacker can create a Cross Site Scripting in application examples provided with WebSphere (PlantsByWebSphere, JAX-WS Web Services MTOM, JAX-WS Web Services Ping and Echo, Dynamic Query - Employee Finder, Dynamic Query - EJB Data Mediator Service, Application Profile - Account Management, Scheduler Account Report).
Severity: 1/4.
Identifiers: DEFECT 566807, DSECRG-09-013, PK76720.

Publications and announces

Vulnerability : PK77505

An attacker can create a Cross Site Scripting in the Integrated Solutions Console.
Severity: 2/4.
Identifiers: BID-34259, DEFECT 566807, DSECRG-09-013, PK77505.

Publications and announces

Vulnerability : PK77590

Some files are created with 777 (world writable) permissions instead of 755.
Severity: 2/4.
Identifiers: BID-34259, CVE-2009-1173, PK77590.

Vulnerability : PK78960

Some files are created with 777 (world writable) permissions instead of 755.
Severity: 2/4.
Identifiers: BID-34358, CVE-2009-1173, PK78960.

Publications and announces
Source example: PK78960: Security Vulnerability - Update Installer and Installation Factory

Vulnerability : PK80596

A vulnerability impacts the XML signature (VIGILANCE-VUL-8864).
Severity: 3/4.
Identifiers: BID-34506, BID-35671, CERTA-2009-AVI-279, CERTA-2009-AVI-452, CERTA-2010-AVI-253, CVE-2009-0217, CVE-2009-1174, PK80596, PK80627, VU#466161.

Publications and announces
Source example: Possible security exposure with XML digital signature with IBM WebSphere Application Server (PK80596 and PK80627)

Attack

Exploit 0day or proof of concept

Attack

Exploit 0day or proof of concept

Computer vulnerabilities tracking service

Vigil@nce provides a software vulnerability watch. The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications. The Vigil@nce vulnerability database contains several thousand vulnerabilities.