Systems Affected
IBM WebSphere Application Server Versions 7, 8, 8.5 (Full Profile and Liberty Profile)
IBM WebSphere Virtual Enterprise Versions 7 on WebSphere Application Server Version 7,8
Threat Level
Overview
Multiple vulnerabilities have been reported in IBM WebSphere Application Server and IBM WebSphere Virtual Enterprise which could allow a remote attacker to bypass the intended access restrictions, access sensitive information or gain unauthorized elevated privileges on the target system.
Description
1. Information Disclosure Vulnerability (CVE-2015-1932)
This vulnerability exists due to improper handling of the "http.compliance.via" custom property by Proxy and ODR servers. A remote attacker could successfully exploit this vulnerability to access sensitive information.
2. Remote Privilege Escalation Vulnerability (CVE-2015-1885)
This vulnerability exists in IBM WebSphere Application Server Full and Liberty Profile. A remote attacker could exploit this vulnerability when an "OAuth grant type of password" is used, leading to elevated privileges.
3. Unauthorized Access Vulnerability (CVE-2015-1927)
This vulnerability exists because the application does not have the correct WebContainer "serveServletsbyClassname" setting. A remote attacker could successfully exploit this vulnerability to gain unauthorized access.
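The following is an added configuration check for the setting behind CVE-2015-1927; it is example code written for this advisory, not IBM's tooling. It assumes the web module ships its extension settings as WEB-INF/ibm-web-ext.xmi (attribute serveServletsByClassnameEnabled) or WEB-INF/ibm-web-ext.xml (element enable-serving-servlets-by-class-name), which are assumed WebSphere file and attribute names not stated on this page; the sample archives are constructed inline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Assumed WebSphere extension-file names and setting names (not from this advisory).
XMI_ATTR = "serveServletsByClassnameEnabled"          # ibm-web-ext.xmi root attribute
XML_ELEMENT = "enable-serving-servlets-by-class-name"  # ibm-web-ext.xml element


def serve_by_classname_enabled(filename, data):
    """True if the extension file enables serving servlets by class name.
    A missing attribute/element is treated as disabled here; confirm that
    against the defaults of the installed server version."""
    root = ET.fromstring(data)
    if filename.endswith(".xmi"):
        return root.get(XMI_ATTR, "false").strip().lower() == "true"
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] == XML_ELEMENT:  # ignore namespace prefix
            return elem.get("value", "false").strip().lower() == "true"
    return False


def scan_war(war_bytes):
    """Return [(path, enabled)] for every ibm-web-ext file inside a WAR archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            base = name.rsplit("/", 1)[-1]
            if base in ("ibm-web-ext.xmi", "ibm-web-ext.xml"):
                findings.append((name, serve_by_classname_enabled(base, zf.read(name))))
    return findings


def build_sample_war(ext_name, ext_body):
    """Constructed sample WAR for offline testing (not a real application)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("WEB-INF/" + ext_name, ext_body)
    return buf.getvalue()


# Constructed weak (.xmi) and hardened (.xml) extension files.
WEAK_XMI = ('<webappext:WebAppExtension xmlns:webappext="webappext.xmi" '
            'serveServletsByClassnameEnabled="true"/>')
HARDENED_XML = ('<web-ext xmlns="http://websphere.ibm.com/xml/ns/javaee">'
                '<enable-serving-servlets-by-class-name value="false"/></web-ext>')

if __name__ == "__main__":
    for ext, body in (("ibm-web-ext.xmi", WEAK_XMI), ("ibm-web-ext.xml", HARDENED_XML)):
        for path, enabled in scan_war(build_sample_war(ext, body)):
            print(path, "ENABLED (weak)" if enabled else "disabled")
```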
Impact
Solution/ Workarounds
✻ Update to the latest version of Mozilla Firefox on Windows, Linux and Mac.
References
http://www.cert-in.org.in/
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.