Lucene search

MitreCVE-2008-4679

HistoryOct 22, 2008 - 6:00 p.m.

CVE-2008-4679

2008-10-2218:00:00

CWE-287

mitre

web.nvd.nist.gov

ibm

websphere

app server

was

certificate revocation

vulnerability

crl

java security

soap

nvd

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

6.4

Confidence

High

EPSS

0.011

Percentile

84.7%

JSON

The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when Certificate Store Collections is configured to use Certificate Revocation Lists (CRL), does not call the setRevocationEnabled method on the PKIXBuilderParameters object, which prevents the “Java security method” from checking the revocation status of X.509 certificates and allows remote attackers to bypass intended access restrictions via a SOAP message with a revoked certificate.

Affected configurations

Nvd

Node

ibmwebsphere_application_serverMatch6.0.1.1

ibmwebsphere_application_serverMatch6.0.1.2

ibmwebsphere_application_serverMatch6.0.1.3

ibmwebsphere_application_serverMatch6.0.1.5

ibmwebsphere_application_serverMatch6.0.1.7

ibmwebsphere_application_serverMatch6.0.1.9

ibmwebsphere_application_serverMatch6.0.1.11

ibmwebsphere_application_serverMatch6.0.1.13

ibmwebsphere_application_serverMatch6.0.1.15

ibmwebsphere_application_serverMatch6.0.1.17

ibmwebsphere_application_serverMatch6.0.2

ibmwebsphere_application_serverMatch6.0.2.1

ibmwebsphere_application_serverMatch6.0.2.2

ibmwebsphere_application_serverMatch6.0.2.3

ibmwebsphere_application_serverMatch6.0.2.4

ibmwebsphere_application_serverMatch6.0.2.5

ibmwebsphere_application_serverMatch6.0.2.6

ibmwebsphere_application_serverMatch6.0.2.9

ibmwebsphere_application_serverMatch6.0.2.11

ibmwebsphere_application_serverMatch6.0.2.13

ibmwebsphere_application_serverMatch6.0.2.15

ibmwebsphere_application_serverMatch6.0.2.17

ibmwebsphere_application_serverMatch6.0.2.19

ibmwebsphere_application_serverMatch6.0.2.23

ibmwebsphere_application_serverMatch6.0.2.25

ibmwebsphere_application_serverMatch6.0.2.27

VendorProductVersionCPE
ibmwebsphere_application_server6.0.1.1cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.2cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.3cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.5cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.7cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.9cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.11cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.13cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.15cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:*:*:*:*:*:*:*
ibmwebsphere_application_server6.0.1.17cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
ibm	websphere_application_server	6.0.1.1	cpe:2.3:a:ibm:websphere_application_server:6.0.1.1:::::::*
ibm	websphere_application_server	6.0.1.2	cpe:2.3:a:ibm:websphere_application_server:6.0.1.2:::::::*
ibm	websphere_application_server	6.0.1.3	cpe:2.3:a:ibm:websphere_application_server:6.0.1.3:::::::*
ibm	websphere_application_server	6.0.1.5	cpe:2.3:a:ibm:websphere_application_server:6.0.1.5:::::::*
ibm	websphere_application_server	6.0.1.7	cpe:2.3:a:ibm:websphere_application_server:6.0.1.7:::::::*
ibm	websphere_application_server	6.0.1.9	cpe:2.3:a:ibm:websphere_application_server:6.0.1.9:::::::*
ibm	websphere_application_server	6.0.1.11	cpe:2.3:a:ibm:websphere_application_server:6.0.1.11:::::::*
ibm	websphere_application_server	6.0.1.13	cpe:2.3:a:ibm:websphere_application_server:6.0.1.13:::::::*
ibm	websphere_application_server	6.0.1.15	cpe:2.3:a:ibm:websphere_application_server:6.0.1.15:::::::*
ibm	websphere_application_server	6.0.1.17	cpe:2.3:a:ibm:websphere_application_server:6.0.1.17:::::::*

Rows per page:

1-10 of 261

References

secunia.com/advisories/32296

www-01.ibm.com/support/docview.wss?uid=swg27006876

www-01.ibm.com/support/docview.wss?uid=swg27007951

www-1.ibm.com/support/docview.wss?uid=swg1PK61258

www.securityfocus.com/bid/31839

www.vupen.com/english/advisories/2008/2871

exchange.xforce.ibmcloud.com/vulnerabilities/46002

CVSS2

6.8

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

AI Score

6.4

Confidence

High

EPSS

0.011

Percentile

84.7%

JSON

Related for CVE-2008-4679