J-Security Center

Title: IBM WebSphere Application Server Predictable Session ID Vulnerability

Severity: HIGH

Description:

IBM WebSphere Application Server uses predictable sequence numbers for session IDs when issuing cookies to users. Specifically, IBM WebSphere cycles through a limited range of possibilities when determining the sequence number to use for a session ID.

This is an example of a sequence number:

TWG111YAAACVPQ3UUSZQV2I
xxxx y

The sequence number is based on two counters, xxxx and y, with the rest of the session ID being static. xxxx and y must be alphanumeric characters. The first counter increases incrementally based on the system clock. The last character of the first counter (xxxx) has been determined to be Y, I, A or Q approximately 95% of the time. The second counter (y) increases by two per request. Because most of the session ID is static and the variable characters are not truly random, guessing a valid session ID takes only a limited number of attempts.
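The weakness described above is the kind a token audit catches before an attacker does: sample a few hundred session IDs from your own application and measure, position by position, how much the characters actually vary. The following Python is an added example written for this page; it is not code from the advisory, from IBM or from Juniper. It audits two constructed token sets: one that mimics the structure described above (static body, a clock-driven four-character counter whose last character is usually Y/I/A/Q, and a one-character counter stepping by two), and one generated from a CSPRNG. The counter positions (6 to 9 and 11) and the sample generator are assumptions made for illustration, not WebSphere's real algorithm.

```python
import math
import random
import secrets
import string
from collections import Counter

ALPHANUM = string.ascii_uppercase + string.digits  # 36 symbols, at most 5.17 bits each


def per_position_entropy(tokens):
    """Empirical Shannon entropy (bits) of the character observed at each
    position across a sample of equal-length session IDs."""
    length = len(tokens[0])
    if any(len(t) != length for t in tokens):
        raise ValueError("all tokens must have the same length")
    n = len(tokens)
    bits = []
    for i in range(length):
        counts = Counter(t[i] for t in tokens)
        bits.append(-sum((c / n) * math.log2(c / n) for c in counts.values()))
    return bits


def audit_session_ids(tokens, min_bits_per_char=4.5):
    """Flag positions that never change (static) or vary over too few values
    (weak). The summed per-position entropy is an optimistic upper bound on
    the real entropy: it ignores that a counter's positions are correlated
    from one request to the next, so a low total is already bad news and a
    high total is not yet proof of safety."""
    bits = per_position_entropy(tokens)
    return {
        "length": len(tokens[0]),
        "static_positions": [i for i, b in enumerate(bits) if b == 0.0],
        "weak_positions": [i for i, b in enumerate(bits) if 0.0 < b < min_bits_per_char],
        "estimated_bits": round(sum(bits), 1),
    }


def constructed_legacy_samples(count=200, seed=12345):
    """CONSTRUCTED sample IDs mimicking the structure the advisory describes:
    a static body, a four-character clock-driven counter whose last character
    is one of Y/I/A/Q about 95% of the time, and a one-character counter that
    advances by two per request. Counter positions 6-9 and 11 are assumed for
    illustration; this is not WebSphere's actual algorithm."""
    rng = random.Random(seed)          # seeded so the audit result is reproducible
    body = list("TWG111YAAACVPQ3UUSZQV2I")
    clock = rng.randrange(36 ** 3)
    y = rng.randrange(36)
    samples = []
    for _ in range(count):
        clock += rng.randrange(1, 4)   # a few clock ticks elapse per request
        hi = clock % 36 ** 3
        xxx = [ALPHANUM[(hi // 36 ** k) % 36] for k in (2, 1, 0)]
        last = rng.choice("YIAQ") if rng.random() < 0.95 else rng.choice(ALPHANUM)
        y = (y + 2) % 36
        tok = body[:]
        tok[6:10] = xxx + [last]
        tok[11] = ALPHANUM[y]
        samples.append("".join(tok))
    return samples


def secure_session_id(length=23):
    """The remedy the advisory implies: every character comes from a CSPRNG,
    so no position is static and no counter reveals the next value."""
    return "".join(secrets.choice(ALPHANUM) for _ in range(length))


def compare(count=200):
    """Audit a counter-based scheme and a CSPRNG-based scheme side by side."""
    return {
        "counter_based": audit_session_ids(constructed_legacy_samples(count)),
        "csprng_based": audit_session_ids([secure_session_id() for _ in range(count)]),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```

Run against the constructed counter-based set, the audit reports eighteen static positions and only a handful of bits of variability in total; the CSPRNG set has no static or weak positions and well over a hundred bits. The same audit applied to captured IDs from a real deployment (after a login, with the user's consent, on a test account) is the quickest way to confirm whether a session ID scheme behaves like the one described here.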

If this issue is successfully exploited, an attacker can obtain the cookie-based authentication credentials of other users, allowing unauthorized access to the vulnerable application.

NOTE: This issue was resolved in IBM WebSphere Application Server 4.0 (and later), and any information about patching these versions should be disregarded.

Affected Products:

  • IBM WebSphere Application Server Advanced Edition 3.0.0.2.1
  • IBM WebSphere Commerce Suite Service Provider 3.1.2
  • IBM WebSphere Commerce Suite Service Provider 3.2.0
  • IBM Websphere Application Server 3.0.0.2.2
  • IBM Websphere Application Server 3.0.0.2.3
  • IBM Websphere Application Server 3.0.0.2.4
  • IBM Websphere Application Server 3.5.1
  • IBM Websphere Application Server 3.5.2
  • IBM Websphere Application Server 3.5.3

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.