V-031: IBM WebSphere DataPower XC10 Appliance Bugs Let Remote Authenticated Users Gain Elevated Privileges and Remote Users Deny Service

November 22, 2012 - 3:00am

PROBLEM:

IBM WebSphere DataPower XC10 Appliance Bugs Let Remote Authenticated Users Gain Elevated Privileges and Remote Users Deny Service

PLATFORM:

Version(s): XC10 2.0.0.0 - 2.0.0.3, 2.1.0.0 - 2.1.0.2

ABSTRACT:

Several vulnerabilities were reported in IBM WebSphere DataPower.

REFERENCE LINKS:

IBM Security Bulletin
SecurityTracker Alert ID: 1027798
CVE-2012-5758
CVE-2012-5759
CVE-2012-5756

IMPACT ASSESSMENT:

High

DISCUSSION:

Several vulnerabilities were reported in IBM WebSphere DataPower. A remote authenticated user can gain administrative privileges. A remote user can cause denial of service conditions.

A remote authenticated user can send specially crafted data to execute arbitrary JMX operations on the target system [CVE-2012-5759]. The vendor has assigned APAR IC85748 to this vulnerability.

A remote user can send specially crafted data to stop server processes [CVE-2012-5758]. The vendor has assigned APAR IC86908 to this vulnerability.

The product uses a common secret key for device-to-device communications. A remote user with knowledge of the key can impersonate appliance collective members [CVE-2012-5756]. The vendor has assigned APAR PM68926 to this vulnerability.

IMPACT:

A remote authenticated user can gain administrative privileges.

A remote user can cause server processes to stop.

A remote user can impersonate appliance collective members.

SOLUTION:

Security fixes for IBM WebSphere DataPower XC10 Appliance
