Secunia

IBM has acknowledged some vulnerabilities in IBM WebSphere Application Server, which can be exploited by malicious users and malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service), and by malicious people to conduct cross-site scripting attacks.

1) Some vulnerabilities in APR-util can be exploited by malicious users and malicious people to disclose potentially sensitive information or cause a DoS (Denial of Service).

For more information:
SA35284

2) An error exists in the Servlet Engine/Web Container component when handling the doGet and doTrace methods used by web applications. This can be exploited to bypass access restrictions and disclose sensitive information via a specially crafted HTTP HEAD request.

This vulnerability is reported in versions prior to 6.0.2.37 and prior to 6.1.0.27.

3) Input passed via unspecified parameters to Eclipse Help is not properly sanitised before being being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

4) An unspecified error exists, which can be exploited to cause a DoS. No further information is currently available.

Vulnerabilities #3 and #4 are reported in versions prior to 6.1.0.27.

Solution
WebSphere Application Server 7.0.x:
Further details available in Customer Area

Provided and/or discovered by
2, 3, 4) IBM ISS X-Force.

Changelog
Further details available in Customer Area

Original Advisory
IBM (PK88341, PK88342, PK83258, PK91709, PK78917):
http://www-01.ibm.com/support/docview.wss?uid=swg27007951
http://www-01.ibm.com/support/docview.wss?uid=swg1PK91241
http://www-01.ibm.com/support/docview.wss?uid=swg1PK94127
http://www-01.ibm.com/support/docview.wss?uid=swg27014463

ISS X-Force:
http://xforce.iss.net/xforce/xfdb/53051
http://xforce.iss.net/xforce/xfdb/53342
http://xforce.iss.net/xforce/xfdb/53344

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area