| Vigil@nce describes vulnerabilities impacting your systems, and offers solutions to correct them. |
|
 |
|
|
|
vulnerability announce CVE-2010-0563
WebSphere AS: SSL not used for SSO
Synthesis of the vulnerability
| When the Single Sign-On authentication of WebSphere is configured to enforce SSL, the session does not use SSL. |
Severity: 2/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Means of attack: no proof of concept, no attack.
Ability of attacker: expert (4/4).
Confidence: confirmed by the editor (5/5).
Diffusion of the vulnerable configuration: high (3/3).
Creation date: 08/02/2010.
|
Impacted products
Description of the vulnerability
The Single Sign-On authentication of WebSphere can be configured to enforce SSL:
- WebSphere Application Server Administration Console
- Global Security
- Web and SIP Security
- Single Sign-on (SSO)
- requires SSL
However, this directive is not honored, so authentication data are not encrypted.
An attacker can therefore capture authentication data. |
Characteristics
Title: WebSphere AS: SSL not used for SSO
Identifiers: BID-38122, CVE-2010-0563, PM00610, swg21417839, VIGILANCE-VUL-9412.
Url: https://vigilance.fr/tree/1/9412
|
Information sources
Solutions for this vulnerability
|