|
IBM WebSphere Application Server Multiple Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA23028
|
|
|
Release Date:
|
2006-11-20
|
|
Last Update:
|
2007-08-13
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Unknown
Security Bypass
DoS
System access
|
|
Where:
|
From remote
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | IBM WebSphere Application Server 6.1.x
|
| | CVE reference: | CVE-2006-3747 (Secunia mirror)
CVE-2006-6135 (Secunia mirror)
CVE-2006-6136 (Secunia mirror)
|
|
|
Want to know the next time vulnerabilities are fixed in this product?
- Companies can be alerted via email and SMS! |
|
|
Description:
Some vulnerabilities have been reported in IBM WebSphere Application Server, where some have unknown impacts and others can be exploited by malicious users to bypass certain security restrictions, and by malicious people to potentially compromise a vulnerable system.
1) An off-by-one error in mod_rewrite within the ldap scheme handling can be exploited to cause a one-byte buffer overflow.
For more information:
SA21197
2) An unspecified vulnerability with an unknown impact exists.
3) During the registering of response operations, Eal4 authentication checks are not performed as one of the first actions.
4) Every user is authorized for "handleServantNotification" on Z/Os.
Solution:
Apply Fix Pack 3 (6.1.0.3).
http://www.ibm.com/support/docview.wss?rs=180&uid=swg24013830
Provided and/or discovered by:
Reported by the vendor.
Changelog:
2006-11-30: Added CVE reference.
2007-08-13: Added additional link.
Original Advisory:
IBM:
http://www-1.ibm.com/support/docview.wss?uid=swg27007951
http://www-1.ibm.com/support/docview.wss?uid=swg24014713
Other References:
SA21197:
http://secunia.com/advisories/21197/
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
15 Related Secunia Security Advisories, displaying 10
|
|
|
1. IBM WebSphere Application Server Web Services Unspecified Vulnerability
|
|
2. IBM WebSphere Application Server for z/OS HTTP Server mod_status Cross-Site Scripting
|
|
3. IBM WebSphere Application Server Multiple Vulnerabilities
|
|
4. IBM WebSphere Application Server serveServletsByClassnameEnabled Information Disclosure
|
|
5. IBM WebSphere Application Server for z/OS HTTP Server Vulnerability
|
|
6. IBM WebSphere Application Server Two Vulnerabilities
|
|
7. IBM WebSphere "uddigui/navigateTree.do" Cross-Site Scripting and Request Forgery
|
|
8. IBM WebSphere Application Server for z/OS HTTP Server Vulnerabilities
|
|
9. IBM WebSphere Application Server Unspecified Vulnerability
|
|
10. IBM WebSphere Application Server Web Container Information Disclosure
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|
