CVE-2009-1174 - Cryptographic Issues vulnerability in IBM WebSphere Application Server 7.0/7.0.0.1

CVSS 10.0 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: NONE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Summary

The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.35 and 7.0 before 7.0.0.3 has an unspecified "security problem" in the XML digital-signature specification, which has unknown impact and attack vectors.

Vulnerable Configurations

Part         Description   Count
Application  Ibm           2

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Signature Spoofing by Key Recreation
    An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL family: Web Servers
    NASL id: WEBSPHERE_6_1_0_25.NASL
    description: IBM WebSphere Application Server 6.1 before Fix Pack 25 appears to be running on the remote host. As such, it is reportedly affected by multiple vulnerabilities: - Non-standard HTTP methods are allowed. (PK73246) - An error in Single Sign-on (SSO) with SPNEGO implementation could allow a remote attacker to bypass security restrictions. (PK77465) -
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 39450
    published: 2009-06-19
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/39450
    title: IBM WebSphere Application Server < 6.1.0.25 Multiple Vulnerabilities
  • NASL family: Web Servers
    NASL id: WEBSPHERE_7_0_0_3.NASL
    description: IBM WebSphere Application Server 7.0 before Fix Pack 3 appears to be running on the remote host. As such, it is reportedly affected by multiple vulnerabilities: - Under certain conditions it may be possible to access administrative console user sessions. (PK74966) - The administrative console is affected by a cross-site scripting vulnerability. (PK77505) - If APAR PK41002 has been applied, a vulnerability in the JAX-RPC WS-Security component could incorrectly validate
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 36133
    published: 2009-04-10
    reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/36133
    title: IBM WebSphere Application Server 7.0 < Fix Pack 3