Fix Available: Security vulnerability in XML Access (version 5.1)

Technote (FAQ)


IBM has identified a serious vulnerability in the XmlAccess component of IBM® WebSphere® Portal that makes it possible for a remote, unauthenticated attacker to bypass normal Portal server security. Through this attack, an intruder might be able to execute administrative commands without proper authority. With the client's permission, IBM acknowledges the assistance of the Security Assurance Team of the National Australia Bank, who discovered the problem and assisted with testing the resolution.


National Australia Bank's Security Assurance Team contacted IBM Lotus to report a potential security vulnerability in WebSphere Portal and Lotus® Quickr™ services for WebSphere Portal.

Under certain circumstances the authentication code of WebSphere Portal can be bypassed, granting access to an administrative account without knowledge of that account's credentials.

This issue was reported to IBM Remote Technical Support. Customers on versions ,, and must apply the fix for APAR PK67104 in order to avoid the risk. This vulnerability does not affect version 5.0 or earlier.

Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.0
---- Impact Subscore: 9.5
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.0
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.0
Base Score Metrics:
  • Access Vector (related exploit range): Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Complete
  • Availability Impact: Complete
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed

*The CVSS Environment Score is customer environment-specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the referenced links.
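The scores above follow from the listed metrics through the CVSS v2 base and temporal equations. The following calculator is an added example, not part of the IBM technote; it uses the metric weights published in the CVSS v2 specification and writes the technote's metrics as the vector string AV:N/AC:M/Au:N/C:P/I:C/A:C/E:POC/RL:OF/RC:C (the vector string itself is an assumption; the technote lists the metrics individually). It reproduces the impact subscore 9.5, exploitability subscore 8.6, base score 9.0 and temporal score 7.0, and also accepts any other v2 vector.

```python
"""CVSS v2 scoring, added as a worked example (not part of the IBM technote).

Weights are those published in the CVSS v2 specification.  The vector
for PK67104 below is constructed from the metrics the technote lists.
"""

# Base metric weights (CVSS v2 guide, "Base Equation").
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

# Temporal weights; "ND" (not defined) is 1.0 and leaves the base score unchanged.
EXPLOITABILITY = {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0}
REMEDIATION_LEVEL = {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0}
REPORT_CONFIDENCE = {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0}


def parse_vector(vector):
    """Split 'AV:N/AC:M/...' into a dict {metric: value}."""
    return dict(part.split(":", 1) for part in vector.split("/"))


def round1(x):
    # round_to_1_decimal as the spec uses it (half up); the epsilon keeps
    # binary-float artefacts such as 7.05 stored as 7.0499... from rounding down.
    return round(x + 1e-9, 1)


def base_scores(metrics):
    """Return (impact, exploitability, base) per the CVSS v2 base equation."""
    c, i, a = (IMPACT[metrics[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = (20 * ACCESS_VECTOR[metrics["AV"]]
                      * ACCESS_COMPLEXITY[metrics["AC"]]
                      * AUTHENTICATION[metrics["Au"]])
    # f(Impact) is 0 when there is no impact at all, 1.176 otherwise.
    f_impact = 0 if impact == 0 else 1.176
    # The base equation uses the unrounded subscores; only the result is rounded.
    base = round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)
    return round1(impact), round1(exploitability), base


def temporal_score(base, metrics):
    """Temporal score: the (rounded) base score scaled by the temporal weights."""
    return round1(base
                  * EXPLOITABILITY[metrics.get("E", "ND")]
                  * REMEDIATION_LEVEL[metrics.get("RL", "ND")]
                  * REPORT_CONFIDENCE[metrics.get("RC", "ND")])


def score(vector):
    """Compute all v2 scores for a vector string; environmental is left undefined,
    so the overall score is the temporal score, as in the technote."""
    metrics = parse_vector(vector)
    impact, expl, base = base_scores(metrics)
    temporal = temporal_score(base, metrics)
    return {"impact": impact, "exploitability": expl,
            "base": base, "temporal": temporal, "overall": temporal}


# Constructed from the metrics the technote lists for PK67104 (assumed vector form).
PK67104_VECTOR = "AV:N/AC:M/Au:N/C:P/I:C/A:C/E:POC/RL:OF/RC:C"

if __name__ == "__main__":
    for name, value in score(PK67104_VECTOR).items():
        print(f"{name}: {value}")
```

Two details worth noticing when checking vendor scores by hand: the base equation consumes the unrounded impact (9.5375...) and exploitability (8.5888...) subscores, and the temporal equation then starts from the rounded base score, so 9.0 × 0.9 × 0.87 = 7.047 rounds to the 7.0 given above, whereas carrying the unrounded base through would give 7.1.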


Complete CVSS Guide:

Online Calculator:

Related information

APAR PK67104
Interim Fix for PK67104

    Cross Reference information
    Segment: Enterprise Content Management
    Product: Workplace Web Content Management
    Component: Security & User Management
    Platform: AIX, HP-UX, i5/OS, Linux, Solaris, Windows
    Version: ,,
    Edition: Java edition


Document information

More support for: WebSphere Portal End of Support Products
Software version:
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software edition: Enable, Extend
Reference #:
Modified date:
