Vigil@nce: WebSphere AS 6.1, five vulnerabilities
October 2012 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of WebSphere
Application Server.
– Impacted products: WebSphere AS
– Severity: 2/4
– Creation date: 24/09/2012
– Revision date: 25/09/2012
DESCRIPTION OF THE VULNERABILITY
Five vulnerabilities were announced in WebSphere Application
Server.
An attacker can obtain information via Application Snoop Servlet.
[severity:1/4; BID-53755, CVE-2012-2170, PM56183]
An attacker can use a Cross Frame Scripting on the administrative
console. [severity:2/4; BID-54819, BID-55149, CVE-2012-3293,
PM60839]
When PM44303 is installed on IBM WebSphere Application Server, a
local attacker can access to administration features
(VIGILANCE-VUL-11907 (https://vigilance.fr/tree/1/11907)).
[severity:2/4; BID-55309, CERTA-2012-AVI-475, CVE-2012-3325,
PM71296]
The session identifier is not properly updated, so an attacker can
gain privileges of the victim. [severity:2/4; BID-55678,
CVE-2012-3304, PM54356]
An attacker can send malicious SSL packets, in order to create a
denial of service (VIGILANCE-VUL-12037 (https://vigilance.fr/tree/1/12037)
and VIGILANCE-VUL-12038 (https://vigilance.fr/tree/1/12038)).
[severity:2/4; BID-55185, CVE-2012-2190, CVE-2012-2191, PM66218]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/WebSphere-AS-6-1-five-vulnerabilities-11974