vulnerability announce CVE-2010-0563

WebSphere AS: SSL not used for SSO

Synthesis of the vulnerability

When the Single Sign-On authentication of WebSphere is configured to enforce SSL, the session does not use SSL.

Severity: 2/4. Creation date: 08/02/2010.

Description of the vulnerability

The Single Sign-On authentication of WebSphere can be configured to enforce SSL:  - WebSphere Application Server Administration Console  - Global Security  - Web and SIP Security  - Single Sign-on (SSO)  - requires SSL However, this directive is not honored, so authentication data are not encrypted. An attacker can therefore capture authentication data.

Complete Vigil@nce bulletin

Access to the complete Vigil@nce bulletin

Characteristics

Title: WebSphere AS: SSL not used for SSO. Keywords: Administration Application Console Global SIP SSL SSO Security Server Sign-On Sign-on Single Web WebSphere used. Identifiers: BID-38122, CVE-2010-0563, PM00610, swg21417839, VIGILANCE-VUL-9412.

Information sources

Publications and announces Source example: Potential security exposure with WebSphere Application Server with "Requires SSL" option of single sign-on (PM00610)

Solutions for this vulnerability

Patch or workaround

Computer vulnerabilities tracking service

The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Computer vulnerability bulletins