IBM has identified a serious vulnerability in an authentication component of IBM WebSphere Portal that makes it possible for remote attackers to bypass normal WebSphere Portal server security over the network. Through this attack, an intruder might be able to execute administrative commands without proper authority.
** Note: This is a republish of an older flash. It does not affect WebSphere Portal 18.104.22.168 or later releases. **
The authentication code of WebSphere Portal can be bypassed under certain circumstances, granting access to an administrative account without knowledge of that account's credentials.
This issue was reported to IBM Remote Technical Support and is corrected in the following releases:
Customers on versions 6.0.1, 22.214.171.124, 126.96.36.199, 188.8.131.52 and 184.108.40.206 must apply the fix for APAR PK75304.
Customers on version 220.127.116.11 (6.1) on non-z/OS platforms must also apply the fix for APAR PK75304.
Versions not listed above are not affected by this issue, or already have the fix integrated.
| Enterprise Content Management | Workplace Web Content Management | Portal Integration | AIX, HP-UX, i5/OS, Linux, Solaris, Windows, z/OS | 18.104.22.168, 22.214.171.124, 126.96.36.199, 188.8.131.52, 184.108.40.206, 6.0.1 | Java edition |
| Enterprise Content Management | IBM Web Content Manager | Portal Integration | AIX, HP-UX, i5/OS, Linux, Solaris, Windows | 6.1 | Java edition |
| Organizational Productivity - Portals & Collaboration | Lotus Quickr | Security | Linux, Windows | 8.1.1, 8.1, 220.127.116.11, 8.0 | All Editions |