IBM WebSphere Application Server Components Multiple Vulnerabilities
Number: AV10-044
Date: 26 October 2010
Purpose
The purpose of this advisory is to raise awareness of multiple vulnerabilities in IBM WebSphere Application Server, for which patches are now available.
Assessment
Multiple vulnerabilities have been reported in IBM WebSphere Application Server. Exploitation of these vulnerabilities could result in cross-site scripting attacks, cross-site request forgery attacks or URL injection attacks.
These issues are caused by input validation errors in the integrated solution console, an unspecified input validation error in the administrative console, and unspecified errors in the security component.
CVE Reference: none
Affected Versions
IBM WebSphere Application Server versions prior to 7.0 Fix Pack 13 (7.0.0.13)
Suggested action
CCIRC recommends that systems administrators identify affected products in their environment and follow their patch management process accordingly to upgrade to IBM WebSphere Application Server version 7.0 Fix Pack 13 (7.0.0.13).
References
http://www-01.ibm.com/support/docview.wss?rs=180&uid=swg24027977
http://www.vupen.com/english/advisories/2010/2775
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca