IBM WebSphere Application Server 7.0 < 7.0.0.39 (FP39) / 8.0 < 8.0.0.11 (FP11) / 8.5 < 8.5.5.6 (FP6) Multiple Vulnerabilities (Bar Mitzvah) (FREAK)

high Nessus Plugin ID 84639

Synopsis

The remote application server is affected by multiple vulnerabilities.

Description

The IBM WebSphere Application Server running on the remote host is version 7.0 prior to 7.0.0.39, 8.0 prior to 8.0.0.11, or 8.5 prior to 8.5.5.6. It is, therefore, potentially affected by multiple vulnerabilities :

- A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists in the IBM Global Security Kit (GSKit) due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic. (CVE-2015-0138)

- An information disclosure vulnerability exists due to a flaw in the Bleichenbacher countermeasure implementation in Apache WSS4J. A remote attacker can exploit this, via a crafted message, to determine where an encryption failure to place, allowing the attacker to gain access to the plaintext symmetric key. (CVE-2015-0226)

- An XML External Entity (XXE) vulnerability exists due to an incorrectly configured XML parser that accepts XML external entities from an untrusted source. A remote attacker can exploit this, via specially crafted XML data, to gain access to arbitrary files. (CVE-2015-0250)

- A privilege escalation vulnerability exists due to a flaw that occurs in 'full' profile and 'liberty' profile when using an OAuth grant password. A remote attacker can exploit this to gain elevated privileges.
(CVE-2015-1885)

- A privilege escalation vulnerability exists due to incorrect settings in the serveServletsbyClassname functionality. A remote attacker can exploit this to gain elevated privileges. (CVE-2015-1927)

- An information disclosure vulnerability exists that allows an unauthenticated, remote attacker to identify the proxy server software by reading the HTTP 'Via' header. (CVE-2015-1932)

- An unspecified flaw exists in the administrative console that allows a remote attacker, via the 'JSESSIONID' parameter, to hijack a user's session. (CVE-2015-1936)

- A privilege escalation vulnerability exists due to an unspecified flaw that occurs when handling user roles.
A local attacker can exploit this to gain elevated privileges. (CVE-2015-1946)
- A security feature bypass vulnerability exists, known as Bar Mitzvah, due to improper combination of state data with key data by the RC4 cipher algorithm during the initialization phase. A man-in-the-middle attacker can exploit this, via a brute-force attack using LSB values, to decrypt the traffic. (CVE-2015-2808)

- An unspecified flaw exists that allows an unauthenticated, remote attacker to spoof servlets or disclose sensitive information. (CVE-2015-4938)

Solution

Apply IBM 7.0 Fix Pack 39 (7.0.0.39) / 8.0 Fix Pack 11 (8.0.0.11) / 8.5 Fix Pack 6 (8.5.5.6) or later. Alternatively, apply the Interim Fixes as recommended in the vendor advisory.

See Also

http://www-01.ibm.com/support/docview.wss?uid=swg21698613

http://www-01.ibm.com/support/docview.wss?uid=swg21959083

http://www-304.ibm.com/support/docview.wss?uid=swg27004980

http://www-01.ibm.com/support/docview.wss?uid=swg21963275

https://www.smacktls.com/#freak

http://www.nessus.org/u?4bbf45ac

Plugin Details

Severity: High

ID: 84639

File Name: websphere_8_5_5_6.nasl

Version: 1.11

Type: remote

Family: Web Servers

Published: 7/9/2015

Updated: 8/6/2018

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9.3

Temporal Score: 6.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/a:ibm:websphere_application_server

Required KB Items: www/WebSphere, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 6/26/2015

Vulnerability Publication Date: 1/19/2015

Reference Information

CVE: CVE-2015-0138, CVE-2015-0226, CVE-2015-0250, CVE-2015-1885, CVE-2015-1927, CVE-2015-1932, CVE-2015-1936, CVE-2015-1946, CVE-2015-2808, CVE-2015-4938

BID: 72553, 73326, 73684, 74219, 75480, 75486, 75496, 76463, 76466

CERT: 243585