CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
Percentile
99.1%
IBM WebSphere Application Server 6.1 before Fix Pack 47 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities :
A remote attacker can bypass authentication because of improper user validation on Linux, Solaris, and HP-UX platforms that use a LocalOS registry.
(CVE-2013-0543, PM75582)
A denial of service can be caused by the way Apache Ant uses bzip2 to compress files. This can be exploited by a local attacker passing specially crafted input.
(CVE-2012-2098, PM90088)
A local attacker can cause a denial of service on Windows platforms with a LocalOS registry using WebSphere Identity Manager. (CVE-2013-0541, PM74909)
Remote attackers can traverse directories by deploying a specially crafted application file to overwrite files outside of the application deployment directory.
(CVE-2012-3305, PM62467)
The TLS protocol implementation is susceptible to plaintext-recovery attacks via statistical analysis of timing data for crafted packets. (CVE-2013-0169, PM85211)
Terminal escape sequences are not properly filtered from logs. Remote attackers could execute arbitrary commands via an HTTP request containing an escape sequence.
(CVE-2013-1862, PM87808)
Improper validation of user input allows for cross-site request forgery. By persuading an authenticated user to visit a malicious website, a remote attacker could exploit this vulnerability to obtain sensitive information. (CVE-2012-4853, CVE-2013-3029, PM62920, PM88746)
Improper validation of user input in the administrative console allows for multiple cross-site scripting attacks. (CVE-2013-0458, CVE-2013-0459, CVE-2013-0461, CVE-2013-0542, CVE-2013-0596, CVE-2013-2967, CVE-2013-4005, CVE-2013-4052, PM71139, PM72536, PM71389, PM73445, PM78614, PM81846, PM88208, PM91892)
Improper validation of portlets in the administrative console allows for cross-site request forgery, which could allow an attacker to obtain sensitive information.
(CVE-2013-0460, PM72275)
Remote, authenticated attackers can traverse directories on Linux and UNIX systems running the application.
(CVE-2013-0544, PM82468)
A denial of service attack is possible if the optional mod_dav module is being used. (CVE-2013-1896, PM89996)
Sensitive information can be obtained by a local attacker because of incorrect caching by the administrative console. (CVE-2013-2976, PM79992)
An attacker may gain elevated privileges because of improper certificate checks. WS-Security and XML Digital Signatures must be enabled. (CVE-2013-4053, PM90949, PM91521)
Deserialization of a maliciously crafted OpenJPA object can result in an executable file being written to the file system. WebSphere is NOT vulnerable to this issue but the vendor suggests upgrading to be proactive.
(CVE-2013-1768, PM86780, PM86786, PM86788, PM86791)
#
# (C) Tenable Network Security, Inc.
#
include('compat.inc');
if (description)
{
script_id(70022);
script_version("1.15");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/12/05");
script_cve_id(
"CVE-2012-2098",
"CVE-2012-3305",
"CVE-2012-4853",
"CVE-2013-0169",
"CVE-2013-0458",
"CVE-2013-0459",
"CVE-2013-0460",
"CVE-2013-0461",
"CVE-2013-0462",
"CVE-2013-0541",
"CVE-2013-0542",
"CVE-2013-0543",
"CVE-2013-0544",
"CVE-2013-0596",
"CVE-2013-1768",
"CVE-2013-1862",
"CVE-2013-1896",
"CVE-2013-2967",
"CVE-2013-2976",
"CVE-2013-3029",
"CVE-2013-4005",
"CVE-2013-4052",
"CVE-2013-4053"
);
script_bugtraq_id(
53676,
55678,
56458,
57508,
57509,
57510,
57512,
57513,
57778,
59247,
59248,
59250,
59251,
59826,
60534,
61129,
61901,
61937,
61940,
61941,
62336,
62338
);
script_xref(name:"CEA-ID", value:"CEA-2019-0547");
script_name(english:"IBM WebSphere Application Server 6.1 < Fix Pack 47 Multiple Vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote application server may be affected by multiple
vulnerabilities.");
script_set_attribute(attribute:"description", value:
"IBM WebSphere Application Server 6.1 before Fix Pack 47 appears to be
running on the remote host. As such, it is potentially affected by the
following vulnerabilities :
- A remote attacker can bypass authentication because of
improper user validation on Linux, Solaris, and HP-UX
platforms that use a LocalOS registry.
(CVE-2013-0543, PM75582)
- A denial of service can be caused by the way Apache
Ant uses bzip2 to compress files. This can be exploited
by a local attacker passing specially crafted input.
(CVE-2012-2098, PM90088)
- A local attacker can cause a denial of service on
Windows platforms with a LocalOS registry using
WebSphere Identity Manager. (CVE-2013-0541, PM74909)
- Remote attackers can traverse directories by deploying
a specially crafted application file to overwrite files
outside of the application deployment directory.
(CVE-2012-3305, PM62467)
- The TLS protocol implementation is susceptible to
plaintext-recovery attacks via statistical analysis of
timing data for crafted packets. (CVE-2013-0169,
PM85211)
- Terminal escape sequences are not properly filtered from
logs. Remote attackers could execute arbitrary commands
via an HTTP request containing an escape sequence.
(CVE-2013-1862, PM87808)
- Improper validation of user input allows for cross-site
request forgery. By persuading an authenticated user
to visit a malicious website, a remote attacker could
exploit this vulnerability to obtain sensitive
information. (CVE-2012-4853, CVE-2013-3029, PM62920,
PM88746)
- Improper validation of user input in the administrative
console allows for multiple cross-site scripting
attacks. (CVE-2013-0458, CVE-2013-0459, CVE-2013-0461,
CVE-2013-0542, CVE-2013-0596, CVE-2013-2967,
CVE-2013-4005, CVE-2013-4052, PM71139, PM72536, PM71389,
PM73445, PM78614, PM81846, PM88208, PM91892)
- Improper validation of portlets in the administrative
console allows for cross-site request forgery, which
could allow an attacker to obtain sensitive information.
(CVE-2013-0460, PM72275)
- Remote, authenticated attackers can traverse directories
on Linux and UNIX systems running the application.
(CVE-2013-0544, PM82468)
- A denial of service attack is possible if the optional
mod_dav module is being used. (CVE-2013-1896, PM89996)
- Sensitive information can be obtained by a local
attacker because of incorrect caching by the
administrative console. (CVE-2013-2976, PM79992)
- An attacker may gain elevated privileges because of
improper certificate checks. WS-Security and XML Digital
Signatures must be enabled. (CVE-2013-4053, PM90949,
PM91521)
- Deserialization of a maliciously crafted OpenJPA object
can result in an executable file being written to the
file system. WebSphere is NOT vulnerable to this issue
but the vendor suggests upgrading to be proactive.
(CVE-2013-1768, PM86780, PM86786, PM86788, PM86791)");
# https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_potential_security_exposure_in_ibm_http_server_cve_2013_1862_pm87808?lang=en_us
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?187690fd");
script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?uid=swg21647522");
script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24035508");
script_set_attribute(attribute:"see_also", value:"https://www-304.ibm.com/support/docview.wss?&uid=swg27004980#ver61");
script_set_attribute(attribute:"solution", value:
"If using WebSphere Application Server, apply Fix Pack 47 (6.1.0.47)
or later.
Otherwise, if using embedded WebSphere Application Server packaged with
Tivoli Directory Server, apply the latest recommended eWAS fix pack.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-0462");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);
script_set_attribute(attribute:"vuln_publication_date", value:"2012/05/23");
script_set_attribute(attribute:"patch_publication_date", value:"2013/09/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2013/09/20");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2013-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("websphere_detect.nasl");
script_require_keys("www/WebSphere");
script_require_ports("Services/www", 8880, 8881);
exit(0);
}
include("global_settings.inc");
include("audit.inc");
include("misc_func.inc");
include("http.inc");
port = get_http_port(default:8880, embedded:0);
version = get_kb_item_or_exit("www/WebSphere/"+port+"/version");
if (version =~ "^[0-9]+(\.[0-9]+)?$")
exit(1, "Failed to extract a granular version from the IBM WebSphere Application Server instance listening on port " + port + ".");
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
ver[i] = int(ver[i]);
if (ver[0] == 6 && ver[1] == 1 && ver[2] == 0 && ver[3] < 47)
{
set_kb_item(name:'www/'+port+'/XSS', value:TRUE);
set_kb_item(name:'www/'+port+'/XSRF', value:TRUE);
if (report_verbosity > 0)
{
source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");
report =
'\n Version source : ' + source +
'\n Installed version : ' + version +
'\n Fixed version : 6.1.0.47' +
'\n';
security_hole(port:port, extra:report);
}
else security_hole(port);
exit(0);
}
else audit(AUDIT_LISTEN_NOT_VULN, "WebSphere", port, version);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3305
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4853
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0458
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0459
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0460
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0461
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0462
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0541
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0542
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0543
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0596
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1768
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1862
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1896
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2967
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2976
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3029
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4005
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4052
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4053
www-01.ibm.com/support/docview.wss?uid=swg24035508
www.nessus.org/u?187690fd
www-304.ibm.com/support/docview.wss?&uid=swg27004980#ver61
www-304.ibm.com/support/docview.wss?uid=swg21647522