The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WebSphere AS Traditional

threat alert CVE-2015-1916

IBM Java: denial of service via Secure Socket Extension

Synthesis of the vulnerability

An attacker can generate a fatal error in Secure Socket Extension of IBM Java, in order to trigger a denial of service.
Severity: 2/4.
Creation date: 22/09/2015.
Identifiers: 1902260, 1903541, 1903704, 1966551, 1967498, 1968485, CVE-2015-1916, VIGILANCE-VUL-17953.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An attacker can generate a fatal error in Secure Socket Extension of IBM Java, in order to trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2015-1932 CVE-2015-4938

WebSphere AS 8.5: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WebSphere AS 8.5.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 11/09/2015.
Identifiers: 1965444, CVE-2015-1932, CVE-2015-4938, PI37396, PI38403, VIGILANCE-VUL-17871.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in WebSphere AS 8.5.

An attacker can bypass security features in On Demand Router, in order to obtain sensitive information. [severity:2/4; CVE-2015-1932, PI38403]

An attacker can spoof an identity. [severity:2/4; CVE-2015-4938, PI37396]
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2015-0254

Jakarta Tag Library: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Jakarta Tag Library, in order to read a file, scan sites, or trigger a denial of service.
Severity: 2/4.
Creation date: 31/08/2015.
Identifiers: 1978495, 1989475, 1995377, 7014463, CVE-2015-0254, openSUSE-SU-2015:1751-1, RHSA-2015:1695-01, RHSA-2016:0121-01, RHSA-2016:0122-01, RHSA-2016:0123-01, RHSA-2016:0124-01, RHSA-2016:0125-01, RHSA-2016:1838-01, RHSA-2016:1839-01, RHSA-2016:1840-01, RHSA-2016:1841-01, SUSE-SU-2017:1568-1, SUSE-SU-2017:1701-1, USN-2551-1, VIGILANCE-VUL-17779.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

XML data can contain external entities (DTD):
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program which reads these XML data can replace these entities by data coming from the indicated file. When the program uses XML data coming from an untrusted source, this behavior leads to:
 - content disclosure from files of the server
 - private web site scan
 - a denial of service by opening a blocking file
This feature must be disabled to process XML data coming from an untrusted source.

However, the Jakarta Tag Library parser allows external entities.

An attacker can therefore transmit malicious XML data to Jakarta Tag Library, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

security vulnerability CVE-2014-8890 CVE-2014-8917 CVE-2015-1885

WebSphere AS 8.0: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WebSphere AS 8.0.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 6.
Creation date: 17/08/2015.
Identifiers: 1963275, 7022958, CVE-2014-8890, CVE-2014-8917, CVE-2015-1885, CVE-2015-1927, CVE-2015-1932, CVE-2015-4938, PI31339, PI31622, PI33012, PI33202, PI36211, PI37396, PI38403, VIGILANCE-VUL-17690.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in WebSphere AS 8.0.

An attacker can trigger a Cross Site Scripting in Dojox, in order to run JavaScript code in the context of the web site. [severity:2/4; CVE-2014-8917, PI33012]

An attacker can use Liberty Profile, in order to escalate his privileges. [severity:2/4; CVE-2015-1885, PI33202, PI36211]

An attacker can bypass security features in On Demand Router, in order to obtain sensitive information. [severity:2/4; CVE-2015-1932, PI38403]

An attacker can spoof an identity. [severity:2/4; CVE-2015-4938, PI37396]

An attacker can use servlets, in order to obtain sensitive information. [severity:2/4; CVE-2014-8890, PI31339]

An attacker can bypass security features in serveServletsbyClassname, in order to escalate his privileges. [severity:2/4; CVE-2015-1927, PI31622]
Full Vigil@nce bulletin... (Free trial)

computer threat bulletin CVE-2015-1283

Expat: integer overflow of XML

Synthesis of the vulnerability

An attacker can generate an integer overflow in the XML parser of Expat, in order to trigger a denial of service, and possibly to run code.
Severity: 2/4.
Creation date: 27/07/2015.
Identifiers: 1964428, 1965444, 1967199, 1969062, 1990421, 1990658, bulletinjul2016, CVE-2015-1283, DSA-3318-1, FreeBSD-SA-15:20.expat, JSA10904, openSUSE-SU-2016:1441-1, openSUSE-SU-2016:1523-1, SOL15104541, SSA:2016-359-01, SUSE-SU-2016:1508-1, SUSE-SU-2016:1512-1, USN-2726-1, USN-3013-1, VIGILANCE-VUL-17498.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An attacker can generate an integer overflow in the XML parser of Expat, in order to trigger a denial of service, and possibly to run code.
Full Vigil@nce bulletin... (Free trial)

weakness alert CVE-2015-1885 CVE-2015-1927 CVE-2015-1936

WebSphere AS 8.5: four vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WebSphere AS 8.5.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 4.
Creation date: 15/07/2015.
Identifiers: 1959083, 1963672, 1963673, 7022958, CVE-2015-1885, CVE-2015-1927, CVE-2015-1936, CVE-2015-1946, PI31622, PI33202, PI35180, PI36211, PI37230, VIGILANCE-VUL-17411.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in WebSphere AS 8.5.

An attacker can use Liberty Profile, in order to escalate his privileges. [severity:2/4; CVE-2015-1885, PI33202, PI36211]

An attacker can bypass security features in serveServletsbyClassname, in order to escalate his privileges. [severity:2/4; CVE-2015-1927, PI31622]

An attacker can bypass security features with the JSESSIONID parameter, in order to escalate his privileges. [severity:2/4; CVE-2015-1936, PI37230]

An attacker can bypass security features of User Roles, in order to escalate his privileges. [severity:2/4; CVE-2015-1946, PI35180]
Full Vigil@nce bulletin... (Free trial)

cybersecurity announce CVE-2015-0253 CVE-2015-3183 CVE-2015-3185

Apache httpd: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Apache httpd.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 15/07/2015.
Identifiers: 1963361, 1965444, 1967197, 1969062, bulletinoct2015, c04832246, c04926789, CVE-2015-0253, CVE-2015-3183, CVE-2015-3185, DSA-2019-131, DSA-3325-1, DSA-3325-2, FEDORA-2015-11689, FEDORA-2015-11792, HPSBUX03435, HPSBUX03512, openSUSE-SU-2015:1684-1, RHSA-2015:1666-01, RHSA-2015:1667-01, RHSA-2015:1668-01, RHSA-2015:2659-01, RHSA-2015:2660-01, RHSA-2015:2661-01, RHSA-2016:0062-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SOL17251, SSA:2015-198-01, SSRT102254, SSRT102977, USN-2686-1, VIGILANCE-VUL-17378.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Apache httpd.

An attacker can generate an error during the analysis of the HTTP Chunk header, in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2015-3183]

The ap_some_auth_required directive is not honored, so an attacker can access to the service with no authentication. [severity:2/4; CVE-2015-3185]

When the configuration of "ErrorDocument 400" points to a local url/file, and when the INCLUDES filter is enabled, an attacker can trigger a denial of service. [severity:2/4; CVE-2015-0253]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability announce CVE-2013-2186 CVE-2014-1568 CVE-2014-1569

Oracle Fusion: several vulnerabilities of July 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in July 2015.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 39.
Creation date: 15/07/2015.
Identifiers: 1962107, cpujul2015, CVE-2013-2186, CVE-2014-1568, CVE-2014-1569, CVE-2014-3566, CVE-2014-3567, CVE-2014-3571, CVE-2014-7809, CVE-2015-0286, CVE-2015-0443, CVE-2015-0444, CVE-2015-0445, CVE-2015-0446, CVE-2015-1926, CVE-2015-2593, CVE-2015-2598, CVE-2015-2602, CVE-2015-2603, CVE-2015-2604, CVE-2015-2605, CVE-2015-2606, CVE-2015-2623, CVE-2015-2634, CVE-2015-2635, CVE-2015-2636, CVE-2015-2658, CVE-2015-4742, CVE-2015-4744, CVE-2015-4745, CVE-2015-4747, CVE-2015-4751, CVE-2015-4758, CVE-2015-4759, VIGILANCE-VUL-17373.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-2186]

An attacker can use a vulnerability of Oracle Directory Server Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4745]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2603]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2602]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2604]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2605]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2606]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1569]

An attacker can use a vulnerability of Oracle OpenSSO, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle Traffic Director, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle iPlanet Web Proxy Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1569]

An attacker can use a vulnerability of Oracle iPlanet Web Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1569]

An attacker can use a vulnerability of Oracle Access Manager, in order to obtain or alter information. [severity:3/4; CVE-2015-2593]

An attacker can use a vulnerability of Oracle Tuxedo, in order to trigger a denial of service. [severity:3/4; CVE-2014-3567]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0443]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0444]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0445]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0446]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4759]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4758]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2634]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2635]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2636]

An attacker can use a vulnerability of Oracle Event Processing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4747]

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-7809]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain or alter information. [severity:2/4; CVE-2015-1926]

An attacker can use a vulnerability of Oracle Access Manager, in order to trigger a denial of service. [severity:2/4; CVE-2015-4751]

An attacker can use a vulnerability of Oracle Exalogic Infrastructure, in order to trigger a denial of service. [severity:2/4; CVE-2015-0286]

An attacker can use a vulnerability of Oracle JDeveloper, in order to trigger a denial of service. [severity:2/4; CVE-2015-4742]

An attacker can use a vulnerability of Oracle Tuxedo, in order to trigger a denial of service. [severity:2/4; CVE-2014-3571]

An attacker can use a vulnerability of Oracle Tuxedo, in order to trigger a denial of service. [severity:2/4; CVE-2015-0286]

An attacker can use a vulnerability of Web Cache, in order to obtain information. [severity:2/4; CVE-2015-2658]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:2/4; CVE-2015-2623]

An attacker can use a vulnerability of Oracle Tuxedo, in order to obtain information. [severity:2/4; CVE-2014-3566]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2015-2623]

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to alter information. [severity:2/4; CVE-2015-2598]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:1/4; CVE-2015-4744]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:1/4; CVE-2015-4744]
Full Vigil@nce bulletin... (Free trial)

computer threat alert CVE-2015-0250

Apache Batik: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Apache Batik, in order to read a file, scan sites, or trigger a denial of service.
Severity: 2/4.
Creation date: 05/06/2015.
Identifiers: 1959083, 1963275, 2015810, 7014463, 7022958, CVE-2015-0250, DSA-3205-1, FEDORA-2015-8745, FEDORA-2015-8783, FEDORA-2015-8803, MDVSA-2015:203, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2016:0041-01, RHSA-2016:0042-01, USN-2548-1, VIGILANCE-VUL-17069.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

An attacker can transmit malicious XML data to Apache Batik, in order to read a file, scan sites, or trigger a denial of service.
Full Vigil@nce bulletin... (Free trial)

security note CVE-2015-4000

TLS: weakening Diffie-Hellman via Logjam

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Severity: 2/4.
Creation date: 20/05/2015.
Revision date: 20/05/2015.
Identifiers: 1610582, 1647054, 1957980, 1958984, 1959033, 1959539, 1959745, 1960194, 1960418, 1960862, 1962398, 1962694, 1963151, 9010038, 9010039, 9010041, 9010044, BSA-2015-005, bulletinjan2016, bulletinjul2015, c04725401, c04760669, c04767175, c04770140, c04773119, c04773241, c04774058, c04778650, c04832246, c04918839, c04926789, CERTFR-2016-AVI-303, CTX216642, CVE-2015-4000, DLA-507-1, DSA-3287-1, DSA-3300-1, DSA-3688-1, FEDORA-2015-10047, FEDORA-2015-10108, FEDORA-2015-9048, FEDORA-2015-9130, FEDORA-2015-9161, FreeBSD-EN-15:08.sendmail, FreeBSD-SA-15:10.openssl, HPSBGN03399, HPSBGN03407, HPSBGN03411, HPSBGN03417, HPSBHF03433, HPSBMU03345, HPSBMU03401, HPSBUX03363, HPSBUX03388, HPSBUX03435, HPSBUX03512, JSA10681, Logjam, NetBSD-SA2015-008, NTAP-20150616-0001, NTAP-20150715-0001, NTAP-20151028-0001, openSUSE-SU-2015:1139-1, openSUSE-SU-2015:1209-1, openSUSE-SU-2015:1216-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0226-1, openSUSE-SU-2016:0255-1, openSUSE-SU-2016:0261-1, openSUSE-SU-2016:2267-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2015:1072-01, RHSA-2015:1185-01, RHSA-2015:1197-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, SA111, SA40002, SA98, SB10122, SSA:2015-219-02, SSRT102180, SSRT102254, SSRT102964, SSRT102977, SUSE-SU-2015:1143-1, SUSE-SU-2015:1150-1, SUSE-SU-2015:1177-1, SUSE-SU-2015:1177-2, SUSE-SU-2015:1181-1, SUSE-SU-2015:1181-2, SUSE-SU-2015:1182-2, SUSE-SU-2015:1183-1, SUSE-SU-2015:1183-2, SUSE-SU-2015:1184-1, SUSE-SU-2015:1184-2, SUSE-SU-2015:1185-1, SUSE-SU-2015:1268-1, SUSE-SU-2015:1268-2, SUSE-SU-2015:1269-1, SUSE-SU-2015:1581-1, SUSE-SU-2016:0224-1, SUSE-SU-2018:1768-1, TSB16728, USN-2624-1, USN-2625-1, USN-2656-1, USN-2656-2, VIGILANCE-VUL-16950, VN-2015-007.
Full Vigil@nce bulletin... (Free trial)

Description of the vulnerability

The Diffie-Hellman algorithm is used to exchange cryptographic keys. The DHE_EXPORT suite uses prime numbers smaller than 512 bits.

The Diffie-Hellman algorithm is used by TLS. However, during the negotiation, an attacker, located as a Man-in-the-Middle, can force TLS to use DHE_EXPORT (event if stronger suites are available).

This vulnerability can then be combined with VIGILANCE-VUL-16951.

An attacker, located as a Man-in-the-Middle, can therefore force the TLS client/server to accept a weak export algorithm, in order to more easily capture or alter exchanged data.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about WebSphere AS Traditional: