Fix Available: Security vulnerability in XML Access (version 5.1)


Technote (FAQ)


Question

IBM has identified a serious vulnerability in the XmlAccess component of IBM® WebSphere® Portal that allows remote attackers, over the network and without credentials, to bypass normal Portal server security. Through this attack, an intruder might be able to execute administrative commands without proper authority. With the client's permission, IBM acknowledges the assistance of the Security Assurance Team of the National Australia Bank, who discovered the problem and assisted with testing the resolution.

Answer

National Australia Bank's Security Assurance Team contacted IBM Lotus to report a potential security vulnerability in WebSphere Portal and Lotus® Quickr™ services for WebSphere Portal.

Cause
Under certain circumstances the authentication code of WebSphere Portal can be bypassed, granting access to an administrative account without knowledge of that account's credentials.

Solution
This issue was reported to IBM Remote Technical Support. Customers running versions 5.1.0.2, 5.1.0.3, 5.1.0.4 or 5.1.0.5 must apply the fix for APAR PK67104 to remove the risk. Version 5.0 and earlier are not affected.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.0
---- Impact Subscore: 9.5
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.0
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.0
Base Score Metrics:
  • Related exploit range/Attack Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Complete
  • Availability Impact: Complete
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
*The CVSS Environmental Score is specific to each customer's environment and ultimately determines the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their own environment using the referenced links.


References:

Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:

http://nvd.nist.gov/cvss.cfm?calculator

Related information

APAR PK67104
Interim Fix for PK67104


Cross Reference information
  Segment:   Enterprise Content Management
  Product:   Workplace Web Content Management
  Component: Security & User Management
  Platform:  AIX, HP-UX, i5/OS, Linux, Solaris, Windows
  Version:   5.1.0.5, 5.1.0.4, 5.1.0.3
  Edition:   Java edition

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.

Document information

WebSphere Portal End of Support Products

Security


Software version:
5.1


Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS


Software edition:
Enable, Extend


Reference #:
1318500


Modified date:
2008-09-24
