WebSphere Application Server traditional 9.0.0.4 added a new feature that uses the PasswordUtil command to enable AES password encryption. If you used this feature, your configuration may have weaker than expected security, because some passwords were not encrypted as you would expect. If you did not use this new feature, you are not affected by this vulnerability. Passwords with the default XOR encoding and passwords using custom encryption are not affected.
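For an administrator who enabled the AES feature, the practical check is to find password values in the configuration files that are still not AES-encrypted. The script below is an added example (not IBM's code and not part of the bulletin): it assumes the WebSphere convention that XOR-encoded values carry a `{xor}` prefix and AES-encrypted values carry an `{aes}` prefix, treats any attribute whose name ends in `password` as a credential, and runs over a constructed XML fragment embedded inline rather than a real `security.xml` or `resources.xml`.

```python
"""Audit WebSphere-style XML configuration for password attributes whose
value is not AES-encrypted. Added example, not IBM's code. Assumptions:
"{xor}" prefix = XOR encoding, "{aes}" prefix = AES encryption, any other
"{scheme}" prefix = custom encryption, no prefix = plaintext."""
import re
import xml.etree.ElementTree as ET

# Constructed sample that resembles a fragment of a WebSphere config file.
SAMPLE_XML = """<resources>
  <authDataEntry alias="db2Auth" userId="db2user" password="{aes}AbCdEf0123456789=="/>
  <authDataEntry alias="ldapBind" userId="cn=bind" password="{xor}KzosK2ot"/>
  <authDataEntry alias="mqAuth" userId="mquser" password="cleartextsecret"/>
  <authDataEntry alias="vaultRef" userId="svc" password="{custom:vault}ref"/>
</resources>
"""

PREFIX_RE = re.compile(r"^\{([^}]+)\}")


def classify(value):
    """Map a stored password value to its protection scheme (assumed prefixes)."""
    m = PREFIX_RE.match(value)
    if not m:
        return "plaintext"
    scheme = m.group(1).lower()
    if scheme == "aes":
        return "aes"
    if scheme == "xor":
        return "xor"
    return "custom"


def audit(xml_text, expected="aes"):
    """Return (label, attribute, scheme) for every password attribute whose
    scheme differs from the one the administrator expected."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            if not attr.lower().endswith("password"):
                continue
            scheme = classify(value)
            if scheme != expected:
                label = elem.get("alias") or elem.get("name") or elem.tag
                findings.append((label, attr, scheme))
    return findings


if __name__ == "__main__":
    for label, attr, scheme in audit(SAMPLE_XML):
        print(f"{label}.{attr}: expected aes, found {scheme}")
```

Run it against each configuration file under the profile's config directory after enabling AES; entries reported as `xor` or `plaintext` are the ones that did not get the protection you expected, while `custom` entries belong to a custom encryption plugin and are out of scope for this bulletin.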
Consult the security bulletin: Weaker than expected security in WebSphere Application Server for vulnerability details and information about fixes.
This vulnerability affects the following versions and releases of IBM WebSphere Application Server:
CPE | Name | Operator | Version
---|---|---|---
 | websphere application server patterns | eq | any