Vulnerabilities > CVE-2011-1209 - Cryptographic Issues vulnerability in IBM Websphere Application Server
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.39 and 7.0 before 7.0.0.17 uses a weak WS-Security XML encryption algorithm, which makes it easier for remote attackers to obtain plaintext data from a (1) JAX-RPC or (2) JAX-WS Web Services request via unspecified vectors related to a "decryption attack."
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Signature Spoofing by Key Recreation An attacker obtains an authoritative or reputable signer's private signature key by exploiting a cryptographic weakness in the signature algorithm or pseudorandom number generation and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Web Servers NASL id WEBSPHERE_7_0_0_17.NASL description IBM WebSphere Application Server 7.0 before Fix Pack 17 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities : - Use of an insecure XML encryption algorithm could allow for decryption of JAX-RPC or JAX-WS Web Services requests. (PM34841) - A remote attacker can gain unspecified application access on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used. (PM35480) Note that the fix for PM34841 is not enabled by default in order to maintain application compatibility with respect to SOAPFaults. To enable it, it is necessary to set the last seen 2020-06-01 modified 2020-06-02 plugin id 55169 published 2011-06-17 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55169 title IBM WebSphere Application Server 7.0 < Fix Pack 17 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55169); script_version("1.10"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id("CVE-2011-1209", "CVE-2011-1683"); script_bugtraq_id(47122, 47831); script_name(english:"IBM WebSphere Application Server 7.0 < Fix Pack 17 Multiple Vulnerabilities"); script_summary(english:"Reads the version number from the SOAP port"); script_set_attribute( attribute:"synopsis", value: "The remote application server may be affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "IBM WebSphere Application Server 7.0 before Fix Pack 17 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities : - Use of an insecure XML encryption algorithm could allow for decryption of JAX-RPC or JAX-WS Web Services requests. (PM34841) - A remote attacker can gain unspecified application access on z/OS, when a Local OS user registry or Federated Repository with RACF adapter is used. (PM35480) Note that the fix for PM34841 is not enabled by default in order to maintain application compatibility with respect to SOAPFaults. To enable it, it is necessary to set the 'webservices.unify.faults=true' JVM custom property once the update has been installed." ); script_set_attribute(attribute:"see_also",value:"http://www-01.ibm.com/support/docview.wss?uid=swg21404665"); script_set_attribute(attribute:"see_also",value:"http://www-01.ibm.com/support/docview.wss?uid=swg27009778"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg24029632"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21473989"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg27014463#70017"); script_set_attribute(attribute:"solution", value: "If using WebSphere Application Server, apply Fix Pack 17 (7.0.0.17) or later. Otherwise, if using embedded WebSphere Application Server packaged with Tivoli Directory Server, apply the latest recommended eWAS fix pack."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/03/30"); script_set_attribute(attribute:"patch_publication_date", value:"2011/05/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/06/17"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("websphere_detect.nasl"); script_require_ports("Services/www", 8880, 8881); script_require_keys("www/WebSphere"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:8880, embedded:0); version = get_kb_item("www/WebSphere/"+port+"/version"); if (isnull(version)) exit(1, "Failed to extract the version from the IBM WebSphere Application Server instance listening on port " + port + "."); if (version =~ "^[0-9]+(\.[0-9]+)?$") exit(1, "Failed to extract a granular version from the IBM WebSphere Application Server instance listening on port " + port + "."); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if (ver[0] == 7 && ver[1] == 0 && ver[2] == 0 && ver[3] < 17) { if (report_verbosity > 0) { source = get_kb_item_or_exit("www/WebSphere/"+port+"/source"); report = '\n Source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 7.0.0.17' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The WebSphere Application Server "+version+" instance listening on port "+port+" is not affected.");
NASL family Web Servers NASL id WEBSPHERE_6_1_0_39.NASL description IBM WebSphere Application Server 6.1 before Fix Pack 39 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities : - Use of an insecure XML encryption algorithm could allow for decryption of JAX-RPC or JAX-WS Web Services requests. (PM34841) - An error exists in the validation of the last seen 2020-06-01 modified 2020-06-02 plugin id 55649 published 2011-07-22 reporter This script is Copyright (C) 2011-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/55649 title IBM WebSphere Application Server 6.1 < 6.1.0.39 Multiple Vulnerabilities code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(55649); script_version("1.6"); script_cvs_date("Date: 2018/08/06 14:03:16"); script_cve_id("CVE-2011-1209", "CVE-2011-1355", "CVE-2011-1356"); script_bugtraq_id(47831, 48709, 48710); script_name(english:"IBM WebSphere Application Server 6.1 < 6.1.0.39 Multiple Vulnerabilities"); script_summary(english:"Reads the version number from the SOAP port"); script_set_attribute( attribute:"synopsis", value: "The remote application server is affected by multiple vulnerabilities." ); script_set_attribute( attribute:"description", value: "IBM WebSphere Application Server 6.1 before Fix Pack 39 appears to be running on the remote host. As such, it is potentially affected by the following vulnerabilities : - Use of an insecure XML encryption algorithm could allow for decryption of JAX-RPC or JAX-WS Web Services requests. (PM34841) - An error exists in the validation of the 'logoutExitPage' parameter that can allow a remote attacker to bypass security restrictions and redirect users in support of a phishing attack. (PM35701) - An error exists in the handling of administration console requests. This error can allow a local attacker to use a specially crafted request to view sensitive stack-trace information. (PM36620)" ); script_set_attribute(attribute:"see_also",value:"http://www-01.ibm.com/support/docview.wss?uid=swg21404665"); script_set_attribute(attribute:"see_also",value:"http://www-01.ibm.com/support/docview.wss?uid=swg27009778"); script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg27007951#61039"); script_set_attribute(attribute:"solution", value: "If using WebSphere Application Server, apply Fix Pack 39 (6.1.0.39) or later. Otherwise, if using embedded WebSphere Application Server packaged with Tivoli Directory Server, apply the latest recommended eWAS fix pack."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/04/04"); script_set_attribute(attribute:"patch_publication_date", value:"2011/07/18"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/07/22"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2011-2018 Tenable Network Security, Inc."); script_dependencies("websphere_detect.nasl"); script_require_ports("Services/www", 8880, 8881); script_require_keys("www/WebSphere"); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("http.inc"); port = get_http_port(default:8880, embedded:FALSE); version = get_kb_item("www/WebSphere/"+port+"/version"); if (isnull(version)) exit(1, "Failed to extract the version from the IBM WebSphere Application Server instance listening on port " + port + "."); if (version =~ "^[0-9]+(\.[0-9]+)?$") exit(1, "Failed to extract a granular version from the IBM WebSphere Application Server instance listening on port " + port + "."); ver = split(version, sep:'.', keep:FALSE); for (i=0; i<max_index(ver); i++) ver[i] = int(ver[i]); if (ver[0] == 6 && ver[1] == 1 && ver[2] == 0 && ver[3] < 39) { if (report_verbosity > 0) { source = get_kb_item_or_exit("www/WebSphere/"+port+"/source"); report = '\n Source : ' + source + '\n Installed version : ' + version + '\n Fixed version : 6.1.0.39' + '\n'; security_warning(port:port, extra:report); } else security_warning(port); exit(0); } else exit(0, "The WebSphere Application Server "+version+" instance listening on port "+port+" is not affected.");
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM34841
- http://www-01.ibm.com/support/docview.wss?uid=swg24029632
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67115
- http://www-01.ibm.com/support/docview.wss?uid=swg1PM34841
- https://exchange.xforce.ibmcloud.com/vulnerabilities/67115
- http://www-01.ibm.com/support/docview.wss?uid=swg24029632