Vulnerabilities > CVE-2015-4938 - Spoofing vulnerability in IBM WebSphere Application Server

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
ibm
nessus

Summary

IBM WebSphere Application Server 7.x before 7.0.0.39, 8.0.x before 8.0.0.11, and 8.5.x before 8.5.5.7 allows remote attackers to spoof servlets and obtain sensitive information via unspecified vectors.

Vulnerable Configurations

Part Description Count
Application
Ibm
54

Nessus

  • NASL familyWeb Servers
    NASL idWEBSPHERE_8_5_5_6.NASL
    descriptionThe IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.6. It is, therefore, potentially affected by multiple vulnerabilities : - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138) - An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J. A remote attacker can exploit this, via a crafted message, to determine where an encryption failure to place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226) - An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source. A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250) - A privilege escalation vulnerability exists due to a flaw that occurs in
    last seen2020-06-01
    modified2020-06-02
    plugin id84639
    published2015-07-09
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/84639
    titleIBM WebSphere Application Server 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.6 (FP6) Multiple Vulnerabilities (Bar Mitzvah) (FREAK)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(84639);
      script_version("1.11");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id(
        "CVE-2015-0138",
        "CVE-2015-0226",
        "CVE-2015-0250",
        "CVE-2015-1885",
        "CVE-2015-1927",
        "CVE-2015-1932",
        "CVE-2015-1936",
        "CVE-2015-1946",
        "CVE-2015-2808",
        "CVE-2015-4938"
      );
      script_bugtraq_id(
        72553,
        73326,
        73684,
        74219,
        75480,
        75486,
        75496,
        76463,
        76466
      );
      script_xref(name:"CERT", value:"243585");
    
      script_name(english:"IBM WebSphere Application Server 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.6 (FP6) Multiple Vulnerabilities (Bar Mitzvah) (FREAK)");
      script_summary(english:"Reads the version number from the SOAP port.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote application server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The IBM WebSphere Application Server running on the remote host is
    version 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to
    8.5.5.6. It is, therefore, potentially affected by multiple
    vulnerabilities :
    
      - A security feature bypass vulnerability, known as FREAK
        (Factoring attack on RSA-EXPORT Keys), exists in the IBM
        Global Security Kit (GSKit) due to the support of weak
        EXPORT_RSA cipher suites with keys less than or equal to
        512 bits. A man-in-the-middle attacker may be able to
        downgrade the SSL/TLS connection to use EXPORT_RSA
        cipher suites which can be factored in a short amount of
        time, allowing the attacker to intercept and decrypt the
        traffic. (CVE-2015-0138)
    
      - An information disclosure vulnerability exists due to a
        flaw in the Bleichenbacher countermeasure implementation 
        in Apache WSS4J. A remote attacker can exploit this, via
        a crafted message, to determine where an encryption
        failure to place, allowing the attacker to gain access
        to the plaintext symmetric key. (CVE-2015-0226)
    
      - An XML External Entity (XXE) vulnerability exists due to
        an incorrectly configured XML parser that accepts XML
        external entities from an untrusted source. A remote
        attacker can exploit this, via specially crafted XML
        data, to gain access to arbitrary files. (CVE-2015-0250)
    
      - A privilege escalation vulnerability exists due to a
        flaw that occurs in 'full' profile and 'liberty' profile
        when using an OAuth grant password. A remote attacker
        can exploit this to gain elevated privileges.
        (CVE-2015-1885)
    
      - A privilege escalation vulnerability exists due to
        incorrect settings in the serveServletsbyClassname
        functionality. A remote attacker can exploit this to
        gain elevated privileges. (CVE-2015-1927)
    
      - An information disclosure vulnerability exists that
        allows an unauthenticated, remote attacker to identify
        the proxy server software by reading the HTTP 'Via'
        header. (CVE-2015-1932)
    
      - An unspecified flaw exists in the administrative console
        that allows a remote attacker, via the 'JSESSIONID'
        parameter, to hijack a user's session. (CVE-2015-1936)
    
      - A privilege escalation vulnerability exists due to an
        unspecified flaw that occurs when handling user roles.
        A local attacker can exploit this to gain elevated
        privileges. (CVE-2015-1946)
      
      - A security feature bypass vulnerability exists, known as
        Bar Mitzvah, due to improper combination of state data
        with key data by the RC4 cipher algorithm during the
        initialization phase. A man-in-the-middle attacker can
        exploit this, via a brute-force attack using LSB values,
        to decrypt the traffic. (CVE-2015-2808)
    
      - An unspecified flaw exists that allows an
        unauthenticated, remote attacker to spoof servlets or
        disclose sensitive information. (CVE-2015-4938)");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21698613");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21959083");
      script_set_attribute(attribute:"see_also", value:"http://www-304.ibm.com/support/docview.wss?uid=swg27004980");
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21963275");
      # https://www.blackhat.com/docs/asia-15/materials/asia-15-Mantin-Bar-Mitzvah-Attack-Breaking-SSL-With-13-Year-Old-RC4-Weakness-wp.pdf
      script_set_attribute(attribute:"see_also", value:"https://www.smacktls.com/#freak");
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?4bbf45ac");
      script_set_attribute(attribute:"solution", value:
    "Apply IBM 7.0 Fix Pack 39 (7.0.0.39) / 8.0 Fix Pack 11 (8.0.0.11) /
    8.5 Fix Pack 6 (8.5.5.6) or later. Alternatively, apply the Interim
    Fixes as recommended in the vendor advisory.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/19");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/06/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/07/09");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
    
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("websphere_detect.nasl");
      script_require_ports("Services/www", 8880, 8881);
      script_require_keys("www/WebSphere", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:8880, embedded:0);
    
    version = get_kb_item_or_exit("www/WebSphere/"+port+"/version");
    source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");
    
    app_name = "IBM WebSphere Application Server";
    
    if (version =~ "^[0-9]+(\.[0-9]+)?$")
      audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version);
    
    fix = FALSE; # Fixed version for compare
    min = FALSE; # Min version for branch
    pck = FALSE; # Fix pack name (tacked onto fix in report)
    itr = "PI36563, PI36211, PI39768, PI31622, PI37230, and PI35180"; # Required interim fixes
    
    if (version =~ "^8\.5\.")
    {
      fix = '8.5.5.6';
      min = '8.5.0.0';
      # CVE-2015-0226 only 8.5.5.2 - 8.5.5.5
      # has an additional interim fix.
      if(version =~ "^8\.5\.5\.[2-5]$")
        itr = 'PI36866, ' + itr;
      pck = " (Fix Pack 6)";
    }
    else if (version =~ "^8\.0\.")
    {
      fix = '8.0.0.11';
      min = '8.0.0.0';
      itr = 'PI37396, PI38403, ' + itr;
      pck = " (Fix Pack 11)";
    }
    else if (version =~ "^7\.0\.")
    {
      fix = '7.0.0.39';
      min = '7.0.0.0';
      itr = 'PI37396, PI38403, ' + itr;
      pck = " (Fix Pack 39)";
    }
    
    if (fix && min &&
        ver_compare(ver:version, fix:fix, strict:FALSE) <  0 &&
        ver_compare(ver:version, fix:min, strict:FALSE) >= 0
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + source  +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix + pck +
          '\n  Interim fixes     : ' + itr +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);
    
  • NASL familyWeb Servers
    NASL idWEBSPHERE_8_5_5_7.NASL
    descriptionThe IBM HTTP Server running on the remote host is version 6.1 prior to or equal to 6.1.0.47, 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.12, or 8.5 prior to 8.5.5.7. It is, therefore, potentially affected by multiple vulnerabilities : - An overflow condition exists in the XML_GetBuffer() function in xmlparse.c due to improper validation of user-supplied input when handling compressed XML content. An attacker can exploit this to cause a buffer overflow, resulting in the execution of arbitrary code. (CVE-2015-1283) - A denial of service vulnerability exists when processing an ECParameters structure due to an infinite loop that occurs when a specified curve is over a malformed binary polynomial field. A remote attacker can exploit this to perform a denial of service against any system that processes public keys, certificate requests, or certificates. This includes TLS clients and TLS servers with client authentication enabled. (CVE-2015-1788) - An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to identify the proxy server software by reading the HTTP
    last seen2020-06-01
    modified2020-06-02
    plugin id86018
    published2015-09-18
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/86018
    titleIBM HTTP Server 6.1 <= 6.1.0.47 (FP47) / 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.12 (FP12) / 8.5 < 8.5.5.7 (FP7) Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(86018);
      script_version("1.10");
      script_cvs_date("Date: 2018/08/06 14:03:16");
    
      script_cve_id(
        "CVE-2015-1283",
        "CVE-2015-1788",
        "CVE-2015-1932",
        "CVE-2015-3183",
        "CVE-2015-4938",
        "CVE-2015-4947"
      );
      script_bugtraq_id(
        75158,
        75963,
        75973,
        76463,
        76466,
        76658
      );
      script_xref(name:"IAVB", value:"2015-B-0115");
    
      script_name(english:"IBM HTTP Server 6.1 <= 6.1.0.47 (FP47) / 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.12 (FP12) / 8.5 < 8.5.5.7 (FP7) Multiple Vulnerabilities");
      script_summary(english:"Reads the version number from the SOAP port.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote IBM HTTP Server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The IBM HTTP Server running on the remote host is version 6.1 prior
    to or equal to 6.1.0.47, 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.12,
    or 8.5 prior to 8.5.5.7. It is, therefore, potentially affected by
    multiple vulnerabilities :
    
      - An overflow condition exists in the XML_GetBuffer()
        function in xmlparse.c due to improper validation of
        user-supplied input when handling compressed XML
        content. An attacker can exploit this to cause a buffer
        overflow, resulting in the execution of arbitrary code.
        (CVE-2015-1283)
    
      - A denial of service vulnerability exists when processing
        an ECParameters structure due to an infinite loop that
        occurs when a specified curve is over a malformed binary
        polynomial field. A remote attacker can exploit this to
        perform a denial of service against any system that
        processes public keys, certificate requests, or
        certificates. This includes TLS clients and TLS servers
        with client authentication enabled. (CVE-2015-1788)
    
      - An information disclosure vulnerability exists that
        allows an unauthenticated, remote attacker to identify
        the proxy server software by reading the HTTP 'Via'
        header. (CVE-2015-1932)
    
      - A flaw exists in the chunked transfer coding
        implementation due to a failure to properly parse chunk
        headers. A remote attacker can exploit this to conduct
        HTTP request smuggling attacks. (CVE-2015-3183)
    
      - An unspecified flaw exists that allows an
        unauthenticated, remote attacker to spoof servlets or
        disclose sensitive information. (CVE-2015-4938)
    
      - An overflow condition exists in the Administration
        Server due to improper validation of user-supplied
        input. An attacker can exploit this, via a specially
        crafted request, to cause a stack-based buffer overflow,
        resulting in a denial of service condition or the
        execution of arbitrary code. (CVE-2015-4947)
    
    Note that :
      - CVE-2015-1788 does not affect the 6.1 and 7.0 branches.
      
      - CVE-2015-1932 and CVE-2015-4938 do not affect the 6.1
        branch.");
      # CVE-2015-3183 / PI42928 / PI45596 (6.1.x)
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21963361");
      # CVE-2015-4947 / PI44793 / PI45596 (6.1.x)
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21965419");
      # CVE-2015-1788 / PI44809
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21963362");
      # CVE-2015-1283 / PI45596
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21964428");
      # CVE-2015-1932 / PI38403  and  CVE-2015-4938 / PI37396
      script_set_attribute(attribute:"see_also", value:"http://www-01.ibm.com/support/docview.wss?uid=swg21963275");
      script_set_attribute(attribute:"solution", value:
    "Apply IBM 7.0 Fix Pack 39 (7.0.0.39) / 8.0 Fix Pack 12 (8.0.0.12) /
    8.5 Fix Pack 7 (8.5.5.7) or later. Alternatively, apply the Interim
    Fixes as recommended in the vendor advisory.
    
    In the case of the 6.1 branch, apply IBM 6.1 Fix Pack 47 (6.1.0.47)
    and then apply Interim Fixes PI39833 and PI45596.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2015/04/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2015/09/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2015/09/18");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:websphere_application_server");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:ibm:http_server");
    
      script_set_attribute(attribute:"stig_severity", value:"I");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.");
    
      script_dependencies("websphere_detect.nasl");
      script_require_ports("Services/www", 8880, 8881);
      script_require_keys("www/WebSphere", "Settings/ParanoidReport");
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_http_port(default:8880, embedded:0);
    
    version = get_kb_item_or_exit("www/WebSphere/"+port+"/version");
    source = get_kb_item_or_exit("www/WebSphere/"+port+"/source");
    
    app_name = "IBM WebSphere Application Server";
    
    if (version =~ "^[0-9]+(\.[0-9]+)?$")
      audit(AUDIT_VER_NOT_GRANULAR, app_name, port, version);
    
    fix  = FALSE; # Fixed version for compare
    min  = FALSE; # Min version for branch
    pck  = FALSE; # Fix pack name (tacked onto fix in report)
    itr  = "PI42928, PI44793, PI44809 and PI45596"; # Required interim fixes
    vuln = FALSE; # Flag for branches requiring <= checks
    
    if (version =~ "^8\.5\.")
    {
      fix = '8.5.5.7';
      min = '8.5.0.0';
      itr = 'PI37396, PI38403, ' + itr;
      pck = " (Fix Pack 7)";
    }
    else if (version =~ "^8\.0\.")
    {
      fix = '8.0.0.12';
      min = '8.0.0.0';
      pck = " (Fix Pack 12) Available 2016/01/18";
    }
    else if (version =~ "^7\.0\.")
    {
      fix = '7.0.0.39';
      min = '7.0.0.0';
      itr = 'PI37396, PI38403, ' + itr;
      pck = " (Fix Pack 39)";
    }
    
    # V6.1.0.0 through 6.1.0.47 (without PI45596)
    else if (version =~ "^6\.1\.")
    {
      if (ver_compare(ver:version, fix:'6.1.0.47', strict:FALSE) <= 0)
      {
        fix = '6.1.0.47';
        min = '6.1.0.0';
        pck = " (Fix Pack 47) plus PI45596";
        vuln = TRUE;
      }
    }
    
    if (
        (
          fix && min &&
          ver_compare(ver:version, fix:fix, strict:FALSE) <  0 &&
          ver_compare(ver:version, fix:min, strict:FALSE) >= 0
        )
        ||
        vuln
    )
    {
      if (report_verbosity > 0)
      {
        report =
          '\n  Version source    : ' + source  +
          '\n  Installed version : ' + version +
          '\n  Fixed version     : ' + fix + pck +
          '\n  Interim fixes     : ' + itr +
          '\n';
        security_hole(port:port, extra:report);
      }
      else security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, app_name, port, version);