IBM has identified a serious vulnerability in IBM® WebSphere® Portal in the XmlAccess component that makes it possible for remote attackers over the network to bypass normal Portal server security. Through this attack, an intruder might be able to execute administrative commands without proper authority. With the client's permission, IBM acknowledges the assistance of the Security Assurance Team of the National Australia Bank, who discovered the problem and assisted with the testing of the resolution.
National Australia Bank's Security Assurance Team contacted IBM Lotus to report a potential security vulnerability in WebSphere Portal and Lotus® Quickr™ services for WebSphere Portal.
The Authentication code of WebSphere Portal can under certain circumstances be bypassed and grant access to an administrative account without knowledge of the credentials of this account.
This issue was reported to IBM Remote Technical Support and customers on versions 184.108.40.206, 220.127.116.11, 18.104.22.168 and 22.214.171.124 must apply the fix for APAR PK67104 in order to avoid the risk. This vulnerability does not affect version 5.0 or before.
|Security Rating using Common Vulnerability Scoring System (CVSS) v2|
|CVSS Base Score: < 9.0 >
---- Impact Subscore: < 9.5 >
---- Exploitability Subscore: < 8.6 >
CVSS Temporal Score: < 7.0 >
CVSS Environmental Score: < Undefined* >
Overall CVSS Score: < 7.0 >
|Base Score Metrics:
|Temporal Score Metrics:
*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
Complete CVSS Guide:
|Enterprise Content Management||Workplace Web Content Management||Security & User Management||AIX, HP-UX, i5/OS, Linux, Solaris, Windows||126.96.36.199, 188.8.131.52, 184.108.40.206||Java edition|
Rate this page:
Copyright and trademark information
IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.