J-Security Center

Title: IBM WebSphere Application Server Multiple Vulnerabilities

Severity: HIGH

Description:

IBM WebSphere Application Server is a utility designed to facilitate the creation of various enterprise web applications.

WebSphere Application Server is prone to multiple vulnerabilities.

The following issues have been disclosed:

- An unspecified security vulnerability regarding HTTP request handlers. This issue affects version 6.0.2.x.

- An information-disclosure vulnerability. User credentials may be written to the 'addNode.log' file in plain text when adding the base node into the deployment manager. This issue affects versions 5.0.2.x, 5.1.1.x, and 6.0.2.x.

- An unspecified vulnerability affects the administrative console. This issue affects version 6.0.2.x.

- An information-disclosure vulnerability. Sensitive information may be displayed in the trace due to an error in the 'WebSphere Common Configuration Mode and CommonArchive' and 'J2EE Models'. This issue affects version 5.1.1.x.

- An unauthorized-access vulnerability. An attacker can access EJBs on Solaris systems through a manipulated LTPA token derived from a subject's credentials. This issue requires that LTPA authentication be in use. This issue affects versions 5.0.2.x and 5.1.1.x.

- An unspecified security vulnerability regarding the execution of scripts when certain script tags are inserted into URLs. This issue affects versions 5.0.2.x and 5.1.1.x.

Other potentially security-related issues were also addressed.

Information regarding CVE-2006-2431 has been removed. This issue is discussed in detail in BID 21018 (IBM WebSphere Faultactor Cross-Site Scripting Vulnerability).
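The second issue above is a credential-leak-to-log problem: a process that echoes the command it ran, including a password argument, leaves a plaintext secret on disk. The check below is an added example, not code from the advisory or from IBM: it scans log lines for password-style arguments and key/value pairs, reports the line numbers, and produces a redacted copy. The sample log lines, the host name, the account name and the exact argument forms (`-password VALUE`, `password=VALUE`) are constructed assumptions, not the documented format of 'addNode.log'.

```python
import re
from typing import Iterable, List, Tuple

# Patterns for credential values that may be echoed into a log. The argument
# forms are assumptions: extend them for the logging format actually observed.
CREDENTIAL_PATTERNS = [
    re.compile(r"(?i)(-password\s+)(\S+)"),      # e.g. "-password VALUE"
    re.compile(r"(?i)(password\s*[=:]\s*)(\S+)"),  # e.g. "password=VALUE"
]

# Constructed sample log lines (not real addNode.log content).
SAMPLE_LOG = [
    "[2006-11-14 10:02:11] addNode starting against dmgr on dmgr.example.invalid",
    "[2006-11-14 10:02:12] Executing: addNode.sh dmgr.example.invalid 8879 "
    "-username wasadmin -password s3cret",
    "[2006-11-14 10:02:20] Node federated successfully",
]


def find_plaintext_credentials(lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, redacted_line) for every line carrying a credential.

    The returned line has the secret replaced so the finding itself can be
    pasted into a ticket without re-leaking the value.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        redacted = line
        hit = False
        for pattern in CREDENTIAL_PATTERNS:
            if pattern.search(redacted):
                hit = True
                # Keep the argument name (group 1), drop the value (group 2).
                redacted = pattern.sub(lambda m: m.group(1) + "<REDACTED>", redacted)
        if hit:
            findings.append((number, redacted))
    return findings


def redact_log_file(src_path: str, dst_path: str) -> int:
    """Write a redacted copy of src_path to dst_path; return the number of lines changed."""
    with open(src_path, "r", encoding="utf-8", errors="replace") as src:
        lines = src.read().splitlines()
    findings = dict(find_plaintext_credentials(lines))
    with open(dst_path, "w", encoding="utf-8") as dst:
        for number, line in enumerate(lines, start=1):
            dst.write(findings.get(number, line) + "\n")
    return len(findings)


if __name__ == "__main__":
    # Run the check over the constructed sample instead of a real file.
    for number, line in find_plaintext_credentials(SAMPLE_LOG):
        print(f"line {number}: {line}")
```

Because the log is written by a privileged process, redacting after the fact only limits exposure: the credential should also be rotated, and the file's permissions reviewed, once a hit is confirmed.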

Affected Products:

  • IBM WebSphere Application Server 5.0.2
  • IBM WebSphere Application Server 5.0.2.1
  • IBM WebSphere Application Server 5.0.2.2
  • IBM WebSphere Application Server 5.0.2.3
  • IBM WebSphere Application Server 5.0.2.4
  • IBM WebSphere Application Server 5.0.2.5
  • IBM WebSphere Application Server 5.0.2.6
  • IBM WebSphere Application Server 5.0.2.7
  • IBM WebSphere Application Server 5.0.2.8
  • IBM WebSphere Application Server 5.0.2.9
  • IBM WebSphere Application Server 5.0.2.10
  • IBM WebSphere Application Server 5.0.2.11
  • IBM WebSphere Application Server 5.0.2.12
  • IBM WebSphere Application Server 5.0.2.13
  • IBM WebSphere Application Server 5.0.2.14
  • IBM WebSphere Application Server 5.0.2.15
  • IBM WebSphere Application Server 5.1.1
  • IBM WebSphere Application Server 5.1.1.1
  • IBM WebSphere Application Server 5.1.1.2
  • IBM WebSphere Application Server 5.1.1.3
  • IBM WebSphere Application Server 5.1.1.4
  • IBM WebSphere Application Server 5.1.1.5
  • IBM WebSphere Application Server 5.1.1.6
  • IBM WebSphere Application Server 5.1.1.7
  • IBM WebSphere Application Server 5.1.1.8
  • IBM WebSphere Application Server 5.1.1.9
  • IBM WebSphere Application Server 5.1.1.11
  • IBM WebSphere Application Server 6.0.2

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.