ID

VAR-201002-0744


CVE

CVE-2010-0563


TITLE

Vulnerability in the Single Sign-on function of IBM WebSphere Application Server that allows important information to be captured

Trust: 0.8

sources: JVNDB: JVNDB-2010-001085

DESCRIPTION

The Single Sign-on (SSO) functionality in IBM WebSphere Application Server (WAS) 7.0.0.0 through 7.0.0.8 does not recognize the Requires SSL configuration option, which might allow remote attackers to obtain sensitive information by sniffing network sessions that were expected to be encrypted.

Based on the Java and Servlet engines, IBM WebSphere Application Server supports a variety of HTTP services to help users with everything from development and release to maintaining interactive, dynamic websites.

IBM WebSphere Application Server (WAS) is prone to a security-bypass vulnerability. Successful exploits may allow attackers to bypass certain security restrictions, which may lead to other attacks. This issue affects WAS 7.0 through 7.0.0.8.

SOLUTION: Apply Interim Fix APAR PM00610 (please see the vendor's advisory for more information).

PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.

ORIGINAL ADVISORY: IBM (PM00610): http://www-01.ibm.com/support/docview.wss?uid=swg21417839

Trust: 2.52

sources: NVD: CVE-2010-0563 // JVNDB: JVNDB-2010-001085 // CNVD: CNVD-2010-0217 // BID: 38122 // PACKETSTORM: 85967

IOT TAXONOMY

category:['Network device']sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2010-0217

AFFECTED PRODUCTS

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.7

Trust: 1.9

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.5

Trust: 1.9

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.1

Trust: 1.9

vendor:ibmmodel:websphere application serverscope:eqversion:7.0

Trust: 1.9

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.8

Trust: 1.6

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.3

Trust: 1.6

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.0 to 7.0.0.8

Trust: 0.8

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.0.0-7.0.0.8

Trust: 0.6

vendor:ibmmodel:websphere application serverscope:eqversion:7.03

Trust: 0.3

vendor:ibmmodel:websphere application serverscope:eqversion:7.0.8

Trust: 0.3

sources: CNVD: CNVD-2010-0217 // BID: 38122 // JVNDB: JVNDB-2010-001085 // CNNVD: CNNVD-201002-068 // NVD: CVE-2010-0563

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2010-0563
value: MEDIUM

Trust: 1.0

NVD: CVE-2010-0563
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201002-068
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2010-0563
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2010-001085 // CNNVD: CNNVD-201002-068 // NVD: CVE-2010-0563

PROBLEMTYPE DATA

problemtype:CWE-200

Trust: 1.8

sources: JVNDB: JVNDB-2010-001085 // NVD: CVE-2010-0563

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201002-068

TYPE

information disclosure

Trust: 0.6

sources: CNNVD: CNNVD-201002-068

CONFIGURATIONS

sources: JVNDB: JVNDB-2010-001085

PATCH

title:1417839url:http://www-01.ibm.com/support/docview.wss?uid=swg21417839

Trust: 0.8

title:IBM WebSphere Application Server Requires SSL option bypasses security-restricted vulnerability patchesurl:https://www.cnvd.org.cn/patchInfo/show/2381

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for ibm iurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2938

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2942

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2946

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2950

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2954

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2958

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2962

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2966

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2970

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for ibm iurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2937

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2941

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2945

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2949

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2953

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2957

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2961

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2965

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2969

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for ibm iurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2936

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2940

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2944

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2948

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2952

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2956

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2960

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2964

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2968

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for ibm iurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2935

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2939

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2943

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for AIXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2947

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2951

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2955

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for HP-UXurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2959

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2963

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2967

Trust: 0.6

title:7.0.0.11: WebSphere Application Server V7.0 Fix Pack 11 for Windowsurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=2971

Trust: 0.6

sources: CNVD: CNVD-2010-0217 // JVNDB: JVNDB-2010-001085 // CNNVD: CNNVD-201002-068

EXTERNAL IDS

db:NVDid:CVE-2010-0563

Trust: 3.3

db:SECUNIAid:38425

Trust: 3.1

db:BIDid:38122

Trust: 2.7

db:OSVDBid:62140

Trust: 2.4

db:SECTRACKid:1023551

Trust: 2.4

db:VUPENid:ADV-2010-0316

Trust: 0.8

db:JVNDBid:JVNDB-2010-001085

Trust: 0.8

db:CNVDid:CNVD-2010-0217

Trust: 0.6

db:NSFOCUSid:14472

Trust: 0.6

db:AIXAPARid:PM00610

Trust: 0.6

db:CNNVDid:CNNVD-201002-068

Trust: 0.6

db:PACKETSTORMid:85967

Trust: 0.1

sources: CNVD: CNVD-2010-0217 // BID: 38122 // JVNDB: JVNDB-2010-001085 // PACKETSTORM: 85967 // CNNVD: CNNVD-201002-068 // NVD: CVE-2010-0563

REFERENCES

url:http://www.securityfocus.com/bid/38122

Trust: 2.4

url:http://securitytracker.com/id?1023551

Trust: 2.4

url:http://www-01.ibm.com/support/docview.wss?uid=swg21417839

Trust: 2.0

url:http://www.osvdb.org/62140

Trust: 1.6

url:http://www-1.ibm.com/support/docview.wss?uid=swg1pm00610

Trust: 1.6

url:http://secunia.com/advisories/38425

Trust: 1.6

url:http://secunia.com/advisories/38425/

Trust: 1.5

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2010-0563

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2010-0563

Trust: 0.8

url:http://osvdb.org/62140

Trust: 0.8

url:http://www.vupen.com/english/advisories/2010/0316

Trust: 0.8

url:http://www.nsfocus.net/vulndb/14472

Trust: 0.6

url:http://www-01.ibm.com/software/websphere/

Trust: 0.3

url:http://secunia.com/advisories/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/blog/71/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/about_secunia_advisories/

Trust: 0.1

sources: CNVD: CNVD-2010-0217 // BID: 38122 // JVNDB: JVNDB-2010-001085 // PACKETSTORM: 85967 // CNNVD: CNNVD-201002-068 // NVD: CVE-2010-0563

CREDITS

IBM ncsupp@ca.ibm.com

Trust: 0.6

sources: CNNVD: CNNVD-201002-068

SOURCES

db:CNVDid:CNVD-2010-0217
db:BIDid:38122
db:JVNDBid:JVNDB-2010-001085
db:PACKETSTORMid:85967
db:CNNVDid:CNNVD-201002-068
db:NVDid:CVE-2010-0563

LAST UPDATE DATE

2024-08-14T15:30:37.147000+00:00


SOURCES UPDATE DATE

db:CNVDid:CNVD-2010-0217date:2010-02-08T00:00:00
db:BIDid:38122date:2015-04-13T21:02:00
db:JVNDBid:JVNDB-2010-001085date:2010-02-25T00:00:00
db:CNNVDid:CNNVD-201002-068date:2010-02-09T00:00:00
db:NVDid:CVE-2010-0563date:2010-11-03T04:00:00

SOURCES RELEASE DATE

db:CNVDid:CNVD-2010-0217date:2010-02-08T00:00:00
db:BIDid:38122date:2010-02-05T00:00:00
db:JVNDBid:JVNDB-2010-001085date:2010-02-25T00:00:00
db:PACKETSTORMid:85967date:2010-02-05T14:55:31
db:CNNVDid:CNNVD-201002-068date:2010-02-08T00:00:00
db:NVDid:CVE-2010-0563date:2010-02-08T21:30:00.530