[VulnWatch] [AppSecInc Advisory WEBSP05-V0098] Remote Buffer overflow in WebSphere Application Server Administrative Console

From: Team SHATTER (shatter_at_appsecinc.com)
Date: 06/07/05

    Date: Tue, 07 Jun 2005 15:31:07 -0400
    To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk, bugs@securitytracker.com, security@lists.seifried.org
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
     
    Remote Buffer overflow in WebSphere Application Server Administrative
    Console

    AppSecInc Team SHATTER Security Advisory WEBSP05-V0098
    http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html
    June 07, 2005

    Risk level: HIGH

    Credits: This vulnerability was discovered and researched by Esteban
    Martínez Fayó of Argeniss for Application Security Inc.

    Affected Versions:
    IBM WebSphere Application Server 5.0

    Background:
    The Administrative Console is a web-based tool used to manage the IBM
    WebSphere Application Server administrative server. The Administrative
    Console supports a full range of product administrative activities.

    Details:
    There is a Unicode buffer overflow in the WebSphere Application Server
    Administrative Console. The security vulnerability exists in the
    authentication mechanism. The authentication process takes place only
    when the 'global security option' is enabled in the server. The
    vulnerability cannot be exploited if the security option is disabled.
    The default TCP ports where this vulnerability can be exploited
    include 9080 (HTTP), 9090 (HTTP) and 9043 (HTTPS).

    Impact:
    Unauthenticated attackers may execute arbitrary code in the context of
    the server process.

    Workaround:
    There is no workaround. The attack surface can be reduced by denying
    access to untrusted users on TCP ports 9080, 9090 and 9043.

    Vendor Status:
    Vendor was contacted and a patch was released.

    Fix:
    Apply the WebSphere Application Server 5.0.2 Cumulative Fix 11. The
    patch can be found here:
    http://www-1.ibm.com/support/docview.wss?rs=180&uid=swg24009775

    Links:
    Application Security, Inc advisory:
    http://www.appsecinc.com/resources/alerts/general/WEBSPHERE-001.html

    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (MingW32)
     
    iD8DBQFCpfX7/0w1dSVRt4URAsACAJoDG9TGi30QNOUFYv2VAdg9GaoVrQCgwBPd
    e03smGG+fj/kGkJ2Ns1d6EE=
    =C3Fq
    -----END PGP SIGNATURE-----
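
The advisory's workaround is to deny untrusted hosts access to TCP ports 9080, 9090 and 9043. The following is an added example, not part of the original advisory: a small audit that reads an iptables-save style INPUT chain and reports which of those ports a given source address would still reach. It is a simplified model that understands only -s, -p, --dport/--dports and -j (no negation, interface or state matches); the rulesets, the 10.0.5.0/24 admin subnet and the probe addresses are constructed for illustration.

```python
import ipaddress
import shlex

CONSOLE_PORTS = (9080, 9090, 9043)  # default ports listed in the advisory

# Constructed iptables-save excerpts; 10.0.5.0/24 is a hypothetical admin subnet.
HARDENED = """\
:INPUT ACCEPT [0:0]
-A INPUT -s 10.0.5.0/24 -p tcp -m multiport --dports 9080,9090,9043 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 9080,9090,9043 -j DROP
"""
PARTIAL = HARDENED.replace("9080,9090,9043 -j DROP", "9080,9090 -j DROP")

def parse_rule(line):
    """Reduce one '-A INPUT' rule to (source net, protocol, ports, verdict)."""
    tok = shlex.split(line)
    src = proto = ports = verdict = None
    for i, t in enumerate(tok[:-1]):
        if t in ("-s", "--source"):
            src = ipaddress.ip_network(tok[i + 1], strict=False)
        elif t in ("-p", "--protocol"):
            proto = tok[i + 1]
        elif t in ("--dport", "--dports"):
            ports = set()
            for part in tok[i + 1].split(","):
                lo, _, hi = part.partition(":")  # "a:b" is a port range
                ports.update(range(int(lo), int(hi or lo) + 1))
        elif t in ("-j", "--jump"):
            verdict = tok[i + 1]
    return src, proto, ports, verdict

def reachable_ports(ruleset, probe_ip, ports=CONSOLE_PORTS):
    """Return the ports a new TCP connection from probe_ip would reach."""
    probe = ipaddress.ip_address(probe_ip)
    policy, rules = "ACCEPT", []
    for line in map(str.strip, ruleset.splitlines()):
        if line.startswith(":INPUT "):
            policy = line.split()[1]
        elif line.startswith("-A INPUT "):
            rules.append(parse_rule(line))
    reached = []
    for port in ports:
        verdict = policy
        for src, proto, rports, v in rules:  # first terminating match wins
            if (v in ("ACCEPT", "DROP", "REJECT") and proto in (None, "tcp", "all")
                    and (src is None or probe in src)
                    and (rports is None or port in rports)):
                verdict = v
                break
        if verdict == "ACCEPT":
            reached.append(port)
    return reached
```

An empty list for an untrusted probe address means all three console ports are filtered for that source; the PARTIAL ruleset shows the common slip of covering the two HTTP ports and leaving 9043 open.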

