IBM WebSphere Portal Multiple Vulnerabilities (PI37356, PI37661)

medium Nessus Plugin ID 83055

Synopsis

The web portal software installed on the remote Windows host is affected by multiple vulnerabilities.

Description

The IBM WebSphere Portal installed on the remote host is version 6.1.0.x prior to 6.1.0.6 CF27, 6.1.5.x prior to 6.1.5.3 CF27, 7.0.0.x prior to 7.0.0.2 CF29, 8.0.0.x prior to 8.0.0.1 CF16, or 8.5.0.0 prior to 8.5.0.0 CF05. It is, therefore, affected by multiple vulnerabilities :

- An unspecified flaw exists due to improper validation of user-supplied input. A remote attacker, using specially crafted requests, can exploit this to cause a denial of service by consuming all memory resources. Note that this only affects hosts in which the 'Remote Document Conversion Service' is enabled. (CVE-2015-1886, PI37356)

- An unspecified cross-site scripting vulnerability exists due to improper validation of user-supplied input. A remote attacker, using a specially crafted URL, can exploit this to execute code in a victim's web browser within the security context of the hosted site, possibly resulting in access to the cookie-based authentication credentials. (CVE-2015-1908, PI37661)

Solution

Upgrade IBM WebSphere Portal as noted in the referenced IBM advisory.

- Versions 6.1.0.x should upgrade to 6.1.0.6 CF27 and then apply interim fixes PI37356 and PI37661.

- Versions 6.1.5.x should upgrade to 6.1.5.3 CF27 and then apply interim fixes PI37356 and PI37661.

- Versions 7.0.0.x should upgrade to 7.0.0.2 CF29 and then apply interim fixes PI37356 and PI37661.

- Versions 8.0.0.x should upgrade to 8.0.0.1 CF16.

- Versions 8.5.0.x should upgrade to 8.5.0.0 CF05 and then apply interim fixes PI37356 and PI37661.

See Also

https://www-304.ibm.com/support/docview.wss?uid=swg21701566

Plugin Details

Severity: Medium

ID: 83055

File Name: websphere_portal_swg21701566.nasl

Version: 1.8

Type: local

Family: CGI abuses

Published: 4/24/2015

Updated: 1/19/2021

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.0

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N

Vulnerability Information

CPE: cpe:/a:ibm:websphere_portal

Required KB Items: installed_sw/IBM WebSphere Portal

Exploit Ease: No exploit is required

Patch Publication Date: 4/20/2015

Vulnerability Publication Date: 4/20/2015

Reference Information

CVE: CVE-2015-1886, CVE-2015-1908

BID: 74216, 74218