

Fix Available: Security vulnerability in XML Access (versions 6.0, 6.1)

 Flash (Alert)
 
Abstract
IBM® has identified a serious vulnerability in the XmlAccess component (the XML configuration interface) of IBM WebSphere® Portal that allows remote attackers over the network to bypass normal Portal server security. Through this attack, an intruder might be able to execute administrative commands without proper authority. With the client's permission, IBM acknowledges the assistance of the Security Assurance Team of the National Australia Bank, who discovered the problem and assisted with testing the resolution.
 
Content
National Australia Bank's Security Assurance Team contacted IBM Lotus to report a potential security vulnerability in WebSphere Portal and Lotus® Quickr™ services for WebSphere Portal.

Cause
Under certain circumstances the authentication code of WebSphere Portal can be bypassed, granting access to an administrative account without knowledge of that account's credentials.

Solution
This issue was reported to IBM Remote Technical Support and is already addressed in the following release:

  • WebSphere Portal 6.0.1 Fix Pack 4 (6.0.1.4) and higher service release levels.

Customers on versions 6.0.0.0, 6.0.0.1, 6.0.1.0, 6.0.1.1, 6.0.1.3 and 6.1.0.0 must apply the fix for APAR PK67104.


Security Rating using Common Vulnerability Scoring System (CVSS) v2
CVSS Base Score: 9.0
---- Impact Subscore: 9.5
---- Exploitability Subscore: 8.6
CVSS Temporal Score: 7.0
CVSS Environmental Score: Undefined*
Overall CVSS Score: 7.0
Base Score Metrics:
  • Related exploit range/Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: Partial
  • Integrity Impact: Complete
  • Availability Impact: Complete
Temporal Score Metrics:
  • Exploitability: Proof of Concept Code
  • Remediation Level: Official Fix
  • Report Confidence: Confirmed
*The CVSS Environmental Score is specific to each customer's environment and ultimately determines the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their own environments using the links under References.
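To check the figures above, and to let a customer fill in the Environmental metrics the advisory leaves undefined, the following is an added CVSS v2 calculator written for this page; it is example code, not part of the IBM advisory. The metric weights and equations are those of the CVSS v2 guide linked under References; the vector strings are constructed from the metric values listed above, and the customer environment used in the last call is hypothetical.

```python
"""CVSS v2 scoring of the metrics published in this advisory.

Added example, not part of the IBM document. Weights and equations follow the
CVSS v2 guide (first.org/cvss/cvss-guide.html); vector strings are constructed
from the metric values listed on this page. Unspecified temporal/environmental
metrics take the v2 "ND" (Not Defined) value.
"""
from decimal import Decimal, ROUND_HALF_UP

# Base metrics (all mandatory).
BASE_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},     # Access Vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},       # Access Complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},      # Authentication
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},       # Confidentiality Impact
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},       # Integrity Impact
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},       # Availability Impact
}
# Temporal metrics; "ND" (Not Defined) is neutral.
TEMPORAL_WEIGHTS = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},    # Exploitability
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},  # Remediation Level
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},             # Report Confidence
}
# Environmental metrics, supplied by the customer for their own deployment.
ENV_WEIGHTS = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},  # Collateral Damage
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},           # Target Distribution
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # Confidentiality Requirement
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # Integrity Requirement
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},   # Availability Requirement
}


def round1(x):
    """CVSS v2 round_to_1_decimal (half-up, as the NVD calculator rounds)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def parse_vector(vector, weights):
    """Map 'AV:N/AC:M/...' to {metric: weight}. Missing metrics fall back to
    ND where the table defines it; a missing base metric is an error."""
    values = {}
    for part in (vector.split("/") if vector else []):
        metric, value = part.split(":")
        values[metric] = weights[metric][value]      # KeyError on unknown metric/value
    for metric, table in weights.items():
        if metric not in values:
            if "ND" not in table:
                raise ValueError(f"base metric {metric} is mandatory")
            values[metric] = table["ND"]
    return values


def _base_from_impact(b, impact):
    """Unrounded base score and exploitability subscore for a given impact."""
    exploitability = 20 * b["AV"] * b["AC"] * b["Au"]
    f_impact = 0 if impact == 0 else 1.176
    base = ((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact
    return base, exploitability


def cvss2_scores(base_vector, temporal_vector="", env_vector=""):
    """Return rounded impact, exploitability, base, temporal and environmental
    scores. With no temporal/environmental vector the later scores collapse
    onto the earlier ones, which is how the advisory's 'Overall' score arises."""
    b = parse_vector(base_vector, BASE_WEIGHTS)
    t = parse_vector(temporal_vector, TEMPORAL_WEIGHTS)
    e = parse_vector(env_vector, ENV_WEIGHTS)

    impact = 10.41 * (1 - (1 - b["C"]) * (1 - b["I"]) * (1 - b["A"]))
    base, exploitability = _base_from_impact(b, impact)
    base_score = round1(base)
    temporal_factor = t["E"] * t["RL"] * t["RC"]
    # Temporal is derived from the already rounded base score.
    temporal_score = round1(base_score * temporal_factor)

    # Environmental: weight each impact term by the customer's security
    # requirement, cap at 10, rebuild base and temporal, then apply collateral
    # damage potential and target distribution.
    adj_impact = min(10.0, 10.41 * (1 - (1 - b["C"] * e["CR"])
                                      * (1 - b["I"] * e["IR"])
                                      * (1 - b["A"] * e["AR"])))
    adj_base, _ = _base_from_impact(b, adj_impact)
    adj_temporal = round1(round1(adj_base) * temporal_factor)
    env_score = round1((adj_temporal + (10 - adj_temporal) * e["CDP"]) * e["TD"])

    return {
        "impact": round1(impact),
        "exploitability": round1(exploitability),
        "base": base_score,
        "temporal": temporal_score,
        "environmental": env_score,
    }


if __name__ == "__main__":
    # Vectors constructed from the metrics listed in this advisory.
    advisory = cvss2_scores("AV:N/AC:M/Au:N/C:P/I:C/A:C", "E:POC/RL:OF/RC:C")
    print(advisory)  # impact 9.5, exploitability 8.6, base 9.0, temporal 7.0, environmental 7.0
    # Hypothetical customer environment: few Portal servers in scope (TD:L).
    local = cvss2_scores("AV:N/AC:M/Au:N/C:P/I:C/A:C", "E:POC/RL:OF/RC:C", "CDP:N/TD:L")
    print(local["environmental"])  # 1.8
```

With the page's metrics the calculator reproduces the published 9.5 impact, 8.6 exploitability, 9.0 base and 7.0 temporal scores. Leaving every environmental metric Not Defined yields 7.0, which is why the advisory's Overall CVSS Score equals its Temporal Score; scoring the same base metrics for a deployment with a low Target Distribution drops the environmental score to 1.8, showing how far the customer-specific metrics can move the final number.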


References:

Complete CVSS Guide:
http://www.first.org/cvss/cvss-guide.html

Online Calculator:
http://nvd.nist.gov/cvss.cfm?calculator
 
Related information
APAR PK67104
Interim Fix for PK67104
 
 
Cross Reference information
Segment                       | Product                          | Component                  | Platform                                   | Version | Edition
Enterprise Content Management | Lotus Web Content Management     | Security & User Management | AIX, HP-UX, i5/OS, Linux, Solaris, Windows | 6.1     | Java edition
Enterprise Content Management | Workplace Web Content Management | Security & User Management | AIX, HP-UX, i5/OS, Linux, Solaris, Windows | 6.0     | Java edition
 
 

Copyright and trademark information

IBM, the IBM logo and ibm.com are trademarks of International Business Machines Corp., registered in many jurisdictions worldwide. Other product and service names might be trademarks of IBM or other companies. A current list of IBM trademarks is available on the Web at "Copyright and trademark information" at www.ibm.com/legal/copytrade.shtml.


Document information

Product categories: Software > Organizational Productivity, Portals & Collaboration > Portals > WebSphere Portal > Security
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, i5/OS, z/OS
Software version: 6.0, 6.1
Software edition: Enable, Express, Extend, Server
Reference #: 1318491
IBM Group: Software Group
Modified date: 2008-11-24
