
Multiple Vulnerabilities in IBM WebSphere Products

 

Systems Affected


IBM WebSphere Application Server Versions 7, 8, 8.5 (Full Profile and Liberty Profile)
IBM WebSphere Virtual Enterprise Version 7 on WebSphere Application Server Versions 7, 8

Threat Level


High


Overview


Multiple vulnerabilities have been reported in IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise which could allow a remote attacker to bypass the intended access restrictions, access sensitive information or gain unauthorized elevated privileges on the target system.


Description


1. Information Disclosure Vulnerability (CVE-2015-1932)
This vulnerability exists due to improper handling of the "http.compliance.via" custom property by Proxy and ODR servers. A remote attacker could successfully exploit this vulnerability to access sensitive information.

2. Remote Privilege Escalation Vulnerability (CVE-2015-1885)
This vulnerability exists in IBM WebSphere Application Server Full Profile and Liberty Profile. A remote attacker could exploit this vulnerability when an "OAuth grant type of password" is used to gain elevated privileges.

3. Unauthorized Access Vulnerability (CVE-2015-1927)
This vulnerability exists due to the application not having the correct WebContainer "serveServletsbyClassname" setting. A remote attacker could successfully exploit this vulnerability to gain unauthorized access.
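
For the "serveServletsbyClassname" setting in item 3, the following added example (not part of the original advisory or IBM's code) audits application extension descriptors and flags those that explicitly enable serving servlets by class name. It assumes the setting appears as the `serveServletsByClassnameEnabled` attribute in `ibm-web-ext.xmi` or the `enable-serving-servlets-by-class-name` element in `ibm-web-ext.xml`; the sample descriptors and file names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample descriptors (not taken from any real application).
SAMPLE_XMI = '''<?xml version="1.0" encoding="UTF-8"?>
<webappext:WebAppExtension xmlns:webappext="webappext.xmi"
    xmlns:xmi="http://www.omg.org/XMI" xmi:version="2.0"
    serveServletsByClassnameEnabled="true" fileServingEnabled="false"/>'''

SAMPLE_XML = '''<?xml version="1.0" encoding="UTF-8"?>
<web-ext xmlns="http://websphere.ibm.com/xml/ns/javaee" version="1.0">
  <enable-serving-servlets-by-class-name value="false"/>
</web-ext>'''


def serves_by_classname(descriptor_text):
    """Return True/False for an explicit setting, or None when the
    descriptor does not set it (the server default then applies)."""
    root = ET.fromstring(descriptor_text)
    # ibm-web-ext.xmi form: attribute on the root element.
    attr = root.get("serveServletsByClassnameEnabled")
    if attr is not None:
        return attr.strip().lower() == "true"
    # ibm-web-ext.xml form: namespaced child element with a value attribute.
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "enable-serving-servlets-by-class-name":
            return el.get("value", "").strip().lower() == "true"
    return None


def audit(descriptors):
    """Map descriptor name -> finding, given a dict of name -> XML text."""
    labels = {True: "ENABLED (review)", False: "disabled",
              None: "not set (server default applies)"}
    findings = {}
    for name, text in descriptors.items():
        try:
            findings[name] = labels[serves_by_classname(text)]
        except ET.ParseError:
            # A damaged descriptor is reported, not silently skipped.
            findings[name] = "unparseable"
    return findings


if __name__ == "__main__":
    samples = {"app1/ibm-web-ext.xmi": SAMPLE_XMI,
               "app2/ibm-web-ext.xml": SAMPLE_XML}
    for name, finding in audit(samples).items():
        print(f"{name}: {finding}")
```

Descriptors reported as "not set" still need the server-level WebContainer configuration checked, since the effective value then comes from the server default.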


Impact



Solution/Workarounds


Apply the appropriate fix/patch as mentioned by the vendor: http://www-01.ibm.com/support/docview.wss?uid=swg21963275


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.