CVE-2009-0506 - Local vulnerability in IBM WebSphere Application Server z/OS CSIv2 Identity Assertion

CVSS 6.2 - MEDIUM

Attack vector: LOCAL
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

Tags: local, high complexity, ibm, nessus

Summary

Unspecified vulnerability in IBM WebSphere Application Server (WAS) 5.1 and 6.0.2 before 6.0.2.33 on z/OS, when CSIv2 Identity Assertion is enabled and Enterprise JavaBeans (EJB) interaction occurs between a WAS 6.1 instance and a WAS pre-6.1 instance, allows local users to have an unknown impact via vectors related to (1) use of the wrong subject and (2) multiple CBIND checks.

Per http://www-01.ibm.com/support/docview.wss?uid=swg27006876#60223: "Note: WebSphere Application Server V6.0.2 Fix Pack 2 (6.0.2.2), Fix Pack 4 (6.0.2.4), Fix Pack 6 (6.0.2.6), Fix Pack 8 (6.0.2.8), Fix Pack 10 (6.0.2.10), Fix Pack 12 (6.0.2.12), Fix Pack 14 (6.0.2.14), Fix Pack 16 (6.0.2.16), Fix Pack 18 (6.0.2.18), Fix Pack 20 (6.0.2.20), Fix Pack 22 (6.0.2.22) and Fix Pack 24 (6.0.2.24) were only published for the z/OS® platform."

Nessus

NASL family: Web Servers
NASL id: WEBSPHERE_6_0_2_33.NASL
description: IBM WebSphere Application Server 6.0.2 before Fix Pack 33 appears to be running on the remote host. As such, it is reportedly affected by multiple vulnerabilities : - Provided an attacker has valid credentials, it may be possible to hijack an authenticated session. (PK66676) - The PerfServlet code writes sensitive information in the
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 36132
published: 2009-04-10
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/36132
title: IBM WebSphere Application Server < 6.0.2.33 Multiple Vulnerabilities
code:
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(36132);
  script_version("1.16");
  script_cvs_date("Date: 2018/08/06 14:03:16");

  script_cve_id("CVE-2009-0891", "CVE-2009-0506");
  script_bugtraq_id(33884, 34330, 35610);
  script_xref(name:"Secunia", value:"34038");

  script_name(english:"IBM WebSphere Application Server < 6.0.2.33 Multiple Vulnerabilities");
  script_summary(english:"Reads the version number from the SOAP port");

  script_set_attribute(attribute:"synopsis", value:
"The remote application server is affected by multiple vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"IBM WebSphere Application Server 6.0.2 before Fix Pack 33 appears to
be running on the remote host.  As such, it is reportedly affected by
multiple vulnerabilities :

  - Provided an attacker has valid credentials, it may be
    possible to hijack an authenticated session. (PK66676)

  - The PerfServlet code writes sensitive information in
    the 'systemout.log' and ffdc files, provided
    Performance Monitoring Infrastructure (PMI) is enabled.
    (PK63886)

  - It may be possible to login to the administrative
    console using a user account that is locked by the
    operating system. (PK67909)

  - An unknown vulnerability affects z/OS-based IBM 
    WebSphere application servers. (PK71143)

  - An unspecified vulnerability in the administrative 
    console could allow arbitrary file retrieval from the
    remote system. (PK72036)

  - If APAR PK41002 has been applied, a vulnerability in 
    the JAX-RPC WS-Security component could incorrectly 
    validate 'UsernameToken'. (PK75992)

  - Certain files associated with interim fixes for Unix-
    based versions of IBM WebSphere Application Server are 
    built with insecure file permissions. (PK78960)");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg27006876#60233");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg1PK67909");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21367223");
  script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24022693");
  script_set_attribute(attribute:"solution", value:"Apply Fix Pack 33 (6.0.2.33) or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(287);

  script_set_attribute(attribute:"plugin_publication_date", value:"2009/04/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/02/13");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  script_dependencies("websphere_detect.nasl");
  script_require_ports("Services/www", 8880, 8881);
  script_require_keys("www/WebSphere");

  exit(0);
}


include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

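# Pick the HTTP port to test, defaulting to 8880.
port = get_http_port(default:8880, embedded: 0);


# The version string comes from the knowledge base (see script_dependencies).
# A bare "major" or "major.minor" value is too coarse to compare against a
# fix pack level, so the plugin exits rather than guess.
version = get_kb_item("www/WebSphere/"+port+"/version");
if (isnull(version)) exit(1, "Failed to extract the version from the IBM WebSphere Application Server instance listening on port " + port + ".");
if (version =~ "^[0-9]+(\.[0-9]+)?$")
  exit(1, "Failed to extract a granular version from the IBM WebSphere Application Server instance listening on port " + port + ".");

# Split the dotted version into integer components for numeric comparison.
ver = split(version, sep:'.', keep:FALSE);
for (i=0; i<max_index(ver); i++)
  ver[i] = int(ver[i]);

# Affected: any 6.0.x release below 6.0.2, or 6.0.2 below Fix Pack 33.
if (
  (ver[0] == 6 && ver[1] == 0 && ver[2] < 2) ||
  (ver[0] == 6 && ver[1] == 0 && ver[2] == 2 && ver[3] < 33)
)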
{
  if (report_verbosity > 0)
  {
    source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");

    report = 
      '\n  Source            : ' + source + 
      '\n  Installed version : ' + version +
      '\n  Fixed version     : 6.0.2.33' +
      '\n';
    security_hole(port:port, extra:report);
  }
  else security_hole(port);
  exit(0);
}
else exit(0, "The WebSphere Application Server "+version+" instance listening on port "+port+" is not affected.");