The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of WebSphere AS 7: eleven vulnerabilities

Summary of the vulnerability

An attacker can exploit several vulnerabilities in WebSphere Application Server.
Impacted software: WebSphere AS Traditional.
Severity of this computer vulnerability: 2/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 21/06/2010.
Revision dates: 11/10/2010, 25/10/2010.
References for this bulletin: 62947, 62948, 62949, BID-43425, BID-43874, BID-43875, BID-44670, BID-44862, BID-44875, CERTA-2010-AVI-480, CERTA-2010-AVI-535, CVE-2010-0781, CVE-2010-0783, CVE-2010-0784, CVE-2010-0785, CVE-2010-0786, CVE-2010-1632, CVE-2010-3186, CVE-2010-4220, PM11777, PM11807, PM12392, PM13777, PM14251, PM14765, PM14844, PM14847, PM15623, PM16014, PM16366, PM17046, PM18909, swg21433581, VIGILANCE-VUL-9718, was-admin-console-csrf, was-admin-cons-xss, was-admins-console-xss.

Description of the vulnerability 

Eleven vulnerabilities were announced in WebSphere Application Server.

An attacker can trigger a Cross-Site Scripting vulnerability in the Integrated Solutions Console. [severity:2/4; BID-44875, CVE-2010-4220, PM11777]

An attacker can request a specially crafted URL in order to consume excessive CPU time (denial of service). [severity:2/4; BID-43425, CVE-2010-0781, PM11807]

An attacker can trigger a Cross-Site Scripting vulnerability in the administration console. [severity:2/4; 62947, BID-44670, CERTA-2010-AVI-535, CVE-2010-0783, PM14251, was-admin-cons-xss]

An attacker can perform a Cross-Site Request Forgery against the administration console, so that the browser of an authenticated administrator submits actions chosen by the attacker. [severity:2/4; 62949, BID-43875, CVE-2010-0785, PM18909, was-admin-console-csrf]

An attacker can send a malformed XML message to a JAX-WS or JAX-RS endpoint, in order to read a local file or cause a denial of service. [severity:2/4; CVE-2010-1632, PM14765, PM14844, PM14847, swg21433581]

Nested groups are not correctly processed by mod_LDAP, so membership inherited through a nested group may not be honoured. [severity:2/4; PM15623]

Timeouts of mod_proxy_http are not detected. [severity:2/4; PM16366]

An attacker can trigger several Cross-Site Scripting vulnerabilities. [severity:2/4; 62948, BID-43874, CVE-2010-0784, PM17046, was-admins-console-xss]

On z/OS, the _bpx_batch_umask file creation mask is not set to 022, so files created by batch processes may be writable by other users. [severity:2/4; PM12392]

Data are incorrectly encoded by JAX-WS. [severity:2/4; BID-44862, CVE-2010-0786, PM13777]

The JAX-WS (Java API for XML Web Services) runtime does not correctly process Timestamps as required by the WS-SecurityPolicy specification (VIGILANCE-VUL-9888). [severity:2/4; CERTA-2010-AVI-480, CVE-2010-3186, PM16014]
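The fifth item (CVE-2010-1632, a malformed message that reads a file or causes a denial of service through JAX-WS/JAX-RS) is the Apache Axis2 problem of processing a DTD carried inside an incoming message: an external entity pulls a server-side file into the parsed content, and nested internal entities expand to many times the request size. The block below is an added example, not code from the Vigil@nce bulletin, IBM or Apache Axis2. It shows the message-level mitigation, refusing any message that carries a document type declaration before it reaches the parser. The SOAP envelopes, the getQuote operation and the file path are constructed for illustration.

```python
"""Refuse XML messages that carry a DTD before they reach the parser.

Added example (not from the bulletin, IBM or Axis2). Sample messages are
constructed; the operation name and file path are illustrative only.
"""
import xml.etree.ElementTree as ET

SOAP_NS = {"s": "http://schemas.xmlsoap.org/soap/envelope/"}

# Constructed benign request.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><getQuote><symbol>IBM</symbol></getQuote></s:Body>
</s:Envelope>"""

# Constructed malicious request: the DTD defines an entity whose replacement
# text is a local file. A parser that resolves it places the file contents
# where &xxe; appears, and the application may echo that back in a response
# or a SOAP fault.
MALICIOUS = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE getQuote [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><getQuote><symbol>&xxe;</symbol></getQuote></s:Body>
</s:Envelope>"""

# Constructed denial-of-service variant: nested internal entities expand to
# many times the size of the request (the "billion laughs" pattern, kept to
# three levels here).
BOMB = b"""<?xml version="1.0"?>
<!DOCTYPE s:Envelope [
  <!ENTITY a "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body><getQuote><symbol>&c;</symbol></getQuote></s:Body>
</s:Envelope>"""


class DTDRejected(ValueError):
    """Raised when a message contains a document type declaration."""


def has_dtd(doc: bytes) -> bool:
    """Conservative check: reject on any '<!DOCTYPE' or '<!ENTITY' in the bytes.

    XML keywords are case-sensitive, so lowercase variants are not valid DTD
    syntax and a parser would reject them anyway. The scan assumes an
    ASCII-compatible encoding such as UTF-8; a UTF-16 message must be decoded
    first or rejected outright.
    """
    return b"<!DOCTYPE" in doc or b"<!ENTITY" in doc


def parse_message(doc: bytes) -> ET.Element:
    """Parse a message only after the DTD check has passed."""
    if has_dtd(doc):
        raise DTDRejected("DOCTYPE/ENTITY declarations are not accepted in messages")
    return ET.fromstring(doc)


def requested_symbol(doc: bytes) -> str:
    """Extract getQuote/symbol from a request, or raise DTDRejected."""
    root = parse_message(doc)
    node = root.find("s:Body/getQuote/symbol", SOAP_NS)
    if node is None or node.text is None:
        raise ValueError("no getQuote/symbol element in request")
    return node.text


def is_accepted(doc: bytes) -> bool:
    """True if the message passes the DTD check and parses as XML."""
    try:
        parse_message(doc)
        return True
    except (DTDRejected, ET.ParseError):
        return False


if __name__ == "__main__":
    for name, doc in (("benign", BENIGN), ("xxe", MALICIOUS), ("bomb", BOMB)):
        print(name, "accepted" if is_accepted(doc) else "rejected")
```

Rejecting on the raw bytes, before any parser sees the message, is deliberate: it does not depend on which parser features a given XML library enables by default, and a SOAP request has no legitimate reason to carry a DTD. Where the message cannot be pre-scanned, the equivalent is to disable DTD processing and external entity resolution in the parser configuration.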

This bulletin impacts software or systems such as WebSphere AS Traditional.

Our Vigil@nce team rated the severity of this bulletin as medium (2/4).

Trust level: confirmed by the vendor. Attack origin: Internet client.

This bulletin covers 11 vulnerabilities.

An attacker with expert skills can exploit the vulnerabilities in this bulletin.

Solutions for this threat

WebSphere AS: version 7.0.0.13.
Version 7.0.0.13 (fix pack 13) corrects these vulnerabilities:
  http://www-01.ibm.com/support/docview.wss?uid=swg24027977
A fix pack updates the product binaries of one installation root; apply it to every WebSphere installation (each node, not only the deployment manager) and confirm the resulting level with versionInfo.sh.
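A check that turns the fix level above into something scriptable, as an added example that is not part of the Vigil@nce bulletin and not an IBM tool: it parses the output of <WAS_HOME>/bin/versionInfo.sh (a real WebSphere utility) and compares the reported product version against 7.0.0.13. The exact layout of the versionInfo output is an assumption, and the sample below is constructed; only the 7.0 train is compared, because the bulletin states no fix level for other trains.

```python
"""Classify a WebSphere AS 7.0 installation against fix pack 7.0.0.13.

Added example, not an IBM tool. Reads versionInfo.sh output; the assumed
format is a 'Version  a.b.c.d' line in the 'Installed Product' section.
"""
import os
import re
import subprocess
from typing import Optional, Tuple

# From the bulletin: 7.0.0.13 corrects the eleven issues.
FIXED = (7, 0, 0, 13)

# Constructed sample of versionInfo.sh output for an unpatched server
# (assumed layout).
SAMPLE_VERSIONINFO = """\
Installed Product
--------------------------------------------------------------------------------
Name                     IBM WebSphere Application Server
Version                  7.0.0.9
ID                       BASE
Build Level              cf091010.06
Build Date               3/12/10
Architecture             x86-64 (64 bit)
"""


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the product version from the first 'Version a.b.c.d' line, or None."""
    m = re.search(r"^Version\s+(\d+(?:\.\d+){1,3})\s*$", text, re.MULTILINE)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad '7.0' to (7, 0, 0, 0)


def assess(text: str, fixed: Tuple[int, ...] = FIXED) -> str:
    """Classify a versionInfo dump: 'fixed', 'vulnerable', 'out-of-scope' or 'unknown'.

    Only the release train of `fixed` (7.0) is compared. The bulletin gives no
    fix level for other trains, so those are reported as out of scope rather
    than guessed.
    """
    version = parse_version(text)
    if version is None:
        return "unknown"
    if version[:2] != fixed[:2]:
        return "out-of-scope"
    return "fixed" if version >= fixed else "vulnerable"


def assess_install(was_home: str) -> str:
    """Run versionInfo.sh from a WAS_HOME and classify the installation."""
    tool = os.path.join(was_home, "bin", "versionInfo.sh")
    out = subprocess.run([tool], capture_output=True, text=True, check=True).stdout
    return assess(out)


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:
        print(assess_install(sys.argv[1]))
    else:
        print("constructed sample:", assess(SAMPLE_VERSIONINFO))
```

Run it once per installation root (for example `python3 check_was.py /opt/IBM/WebSphere/AppServer`); in a Network Deployment cell every node has its own binaries, so a "fixed" result on the deployment manager says nothing about the other nodes.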
