The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

weakness bulletin CVE-2013-6323 CVE-2013-6329 CVE-2013-6438

WebSphere AS 8.0: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of WebSphere AS 8.0.
Severity of this threat: 3/4.
Number of vulnerabilities in this bulletin: 15.
Creation date: 24/06/2014.
References of this weakness: 1676092, BID-64249, BID-65400, c04483248, CERTFR-2014-AVI-131, CERTFR-2014-AVI-253, CVE-2013-6323, CVE-2013-6329, CVE-2013-6438, CVE-2013-6738, CVE-2013-6747, CVE-2014-0050, CVE-2014-0076, CVE-2014-0098, CVE-2014-0823, CVE-2014-0857, CVE-2014-0859, CVE-2014-0891, CVE-2014-0963, CVE-2014-0965, CVE-2014-3022, HPSBUX03150, PI04777, PI04880, PI05309, PI05324, PI05661, PI07808, PI08892, PI09345, PI09443, PI09594, PI09786, PI11434, PI12648, PI12926, PI13028, PI13162, PI17025, PI19700, SSRT101681, VIGILANCE-VUL-14930.

Description of the vulnerability

Several vulnerabilities were announced in WebSphere AS 8.0.

An attacker can trigger a Cross Site Scripting in the Administration Console, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2013-6323, PI04777, PI04880]

An attacker can send malicious SSLv2 messages to applications using IBM GSKit, in order to trigger a denial of service (VIGILANCE-VUL-14155). [severity:2/4; BID-64249, CVE-2013-6329, PI05309]

An attacker can use Full/Liberty Profile, in order to obtain sensitive information. [severity:2/4; CVE-2014-0823, PI05324]

An attacker can trigger a Cross Site Scripting in OAuth, in order to execute JavaScript code in the context of the web site. [severity:2/4; CVE-2013-6738, PI05661]

An attacker can use the Administrative Console, in order to escalate privileges. [severity:2/4; CVE-2014-0857, PI07808]

An attacker can use POST queries, in order to trigger a denial of service. [severity:2/4; CVE-2014-0859, PI08892]

An attacker can send a DAV WRITE request starting with spaces, in order to trigger a denial of service in mod_dav of Apache HTTP Server (VIGILANCE-VUL-14439). [severity:2/4; CERTFR-2014-AVI-131, CVE-2013-6438, PI09345]

An attacker can send malicious SSL/TLS messages to applications using IBM GSKit, in order to trigger a denial of service (VIGILANCE-VUL-14158). [severity:2/4; CVE-2013-6747, PI09443]

An attacker can trigger an error, in order to obtain sensitive information. [severity:1/4; CVE-2014-3022, PI09594]

An attacker can use the Proxy/ODR, in order to obtain sensitive information. [severity:2/4; CVE-2014-0891, PI09786]

An attacker can use a long Content-Type header to generate an infinite loop in Apache Commons FileUpload or Apache Tomcat, in order to trigger a denial of service (VIGILANCE-VUL-14183). [severity:2/4; BID-65400, CVE-2014-0050, PI12648, PI12926, PI13162]

An attacker can use SOAP, in order to obtain sensitive information. [severity:2/4; CVE-2014-0965, PI11434]

An attacker can use a truncated cookie, in order to trigger a denial of service in mod_log_config of Apache HTTP Server (VIGILANCE-VUL-14438). [severity:2/4; CERTFR-2014-AVI-131, CVE-2014-0098, PI13028]

An attacker can send malicious SSL/TLS messages to applications using IBM GSKit, in order to trigger a denial of service (VIGILANCE-VUL-14775). [severity:3/4; CVE-2014-0963, PI17025]

A local attacker can guess the ECDSA secret used by the OpenSSL implementation, in order to obtain sensitive information (VIGILANCE-VUL-14462). [severity:1/4; CERTFR-2014-AVI-253, CVE-2014-0076, PI19700]

This computer weakness impacts software or systems such as HP-UX and WebSphere AS Traditional.

Our Vigil@nce team determined that the severity of this bulletin is important.

The trust level is "confirmed by the vendor", with a vendor document as the origin.

This bulletin is about 15 vulnerabilities.

An attacker with expert skills can exploit this cybersecurity threat.

Solutions for this threat

HP-UX: patch for several vulnerabilities.
A patch is available:
  http://software.hp.com/
The full list of patches is included in the HP announcement.

WebSphere AS: version 8.0.0.9.
Version 8.0.0.9 is fixed:
  http://www-01.ibm.com/
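The bulletin's remediation for the WebSphere side is a fix-pack level: anything in the 8.0 stream below 8.0.0.9 is exposed. A common mistake when checking this across a fleet is comparing fix-pack strings lexicographically, which ranks "8.0.0.10" below "8.0.0.9". The following is an added example (not code from Vigil@nce or IBM) that parses a dotted version, pads short versions such as "8.0.0", reports installs from other streams (e.g. 8.5.x) as out of scope rather than silently comparing them, and pulls the version out of a constructed text sample. The "Version <x.y.z.w>" line format used in that sample and the `extract_version` regex are assumptions for illustration, not a documented output format.

```python
import re
from typing import Optional, Tuple

# Fix level named in the bulletin for WebSphere AS 8.0 (VIGILANCE-VUL-14930).
FIXED_VERSION = "8.0.0.9"

# Constructed sample of a version report; the "Version   x.y.z.w" line layout
# is an assumption made for this example, not a documented tool format.
SAMPLE_VERSION_REPORT = """\
Installed Product
Name                     IBM WebSphere Application Server
Version                  8.0.0.5
ID                       BASE
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted fix-pack string such as '8.0.0.9' into a tuple of ints.

    Integer tuples compare component by component, so (8, 0, 0, 10) > (8, 0, 0, 9),
    whereas the plain strings would sort the other way round.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {version!r}")
    return tuple(int(p) for p in parts)


def _pad(v: Tuple[int, ...], width: int) -> Tuple[int, ...]:
    """Right-pad with zeros so '8.0.0' is treated as '8.0.0.0'."""
    return v + (0,) * (width - len(v))


def assess(installed: str, fixed: str = FIXED_VERSION) -> str:
    """Classify an installed version against the bulletin's fix level.

    Returns 'patched', 'vulnerable', or 'out of scope' (a different
    major.minor stream, which this bulletin does not cover).
    """
    inst, fix = parse_version(installed), parse_version(fixed)
    # The bulletin covers one stream (8.0); compare only within it.
    if _pad(inst, 2)[:2] != _pad(fix, 2)[:2]:
        return "out of scope"
    width = max(len(inst), len(fix))
    return "patched" if _pad(inst, width) >= _pad(fix, width) else "vulnerable"


def extract_version(report: str) -> Optional[str]:
    """Pull the first 'Version <dotted number>' value out of a text report.

    The line layout matched here is an assumption for this example.
    """
    m = re.search(r"^Version\s+(\d+(?:\.\d+)+)\s*$", report, re.MULTILINE)
    return m.group(1) if m else None


if __name__ == "__main__":
    found = extract_version(SAMPLE_VERSION_REPORT)
    print(f"installed {found}: {assess(found) if found else 'version not found'}")
    for candidate in ("8.0.0.8", "8.0.0.9", "8.0.0.10", "8.0.0", "8.5.5.2"):
        print(f"{candidate:>9}: {assess(candidate)}")
```

The out-of-scope branch matters in practice: a blanket "version >= 8.0.0.9" test would wrongly mark an unpatched 8.5.0.0 install as fixed, when that stream has its own fix level that this bulletin does not state.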
