Jun 16, 2018 - 2:07 p.m.

Security Bulletin: Multiple vulnerabilities in Open Source Apache WSS4J affect IBM InfoSphere DataStage Web services pack (CVE-2015-0226 CVE-2015-0227)

www.ibm.com

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Summary

There are multiple vulnerabilities in Open Source Apache WSS4J, which is used by IBM InfoSphere DataStage Web services pack.

Vulnerability Details

CVE-ID: CVE-2015-0226 DESCRIPTION: Apache WSS4J could allow a remote attacker to obtain sensitive information, caused by a Bleichenbacher-style attack on XML Encryption. The receiver behaves differently for RSA key-transport ciphertexts that unwrap to a well-formed PKCS#1 v1.5 block and for those that do not, and that difference acts as an oracle: by sending many specially crafted messages and observing the responses, an attacker could recover the transported symmetric key and decrypt the protected data.
CVSS Base Score: 5.000
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100836 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
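The mechanism behind CVE-2015-0226, as an added worked example that is not IBM's or Apache WSS4J's code: a simulated WS-Security receiver that unwraps an RSAES-PKCS1-v1_5 key-transport ciphertext and then checks the message authenticator with the recovered key. The vulnerable variant lets the padding error escape, so an attacker can tell conformant from non-conformant ciphertexts and drive Bleichenbacher's blinding step with nothing but that signal; the hardened variant substitutes a random key of the expected length on padding failure so that every bad message fails the same way. The RSA key (built from two Mersenne primes, trivially factorable), the HMAC "message authenticator", the session key, the attacker's query budget and all function names are constructed for this demo and stand in for the XML Encryption and WS-Security processing the bulletin refers to.

```python
import hashlib
import hmac
import os
import random

# Constructed demo RSA key from two known Mersenne primes (2^107-1 and 2^127-1).
# Tiny and trivially factorable: a stand-in for the real key-transport key.
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8      # modulus length in bytes (30 here)
KEY_LEN = 16                       # transported symmetric key size (AES-128 sized)
SESSION_KEY = bytes(range(16))     # constructed session key the sender transports


class PaddingError(Exception):
    """Malformed RSAES-PKCS1-v1_5 block: the signal the attacker wants to observe."""


class AuthError(Exception):
    """Generic failure: the message authenticator did not verify."""


def rsa_raw(m: int) -> int:
    return pow(m, E, N)


def wrap_key(key: bytes, seed: int = 0) -> int:
    """Sender side: EM = 00 || 02 || PS (non-zero bytes) || 00 || key, RSA-encrypted."""
    rng = random.Random(seed)                      # seeded only to keep the demo reproducible
    ps = bytes(rng.randrange(1, 256) for _ in range(K - 3 - len(key)))
    return rsa_raw(int.from_bytes(b"\x00\x02" + ps + b"\x00" + key, "big"))


def pkcs1_unpad(em: bytes) -> bytes:
    """Type-2 unpadding: block type 00 02, at least 8 non-zero PS bytes, then a 00."""
    if em[0] != 0 or em[1] != 2:
        raise PaddingError("bad block type")
    sep = em.find(b"\x00", 2)
    if sep < 10:
        raise PaddingError("padding too short or separator missing")
    return em[sep + 1:]


def unwrap_vulnerable(c: int) -> bytes:
    """Lets the padding error escape, so the caller's response reveals conformance."""
    return pkcs1_unpad(pow(c, D, N).to_bytes(K, "big"))


def is_conformant(c: int) -> bool:
    try:
        unwrap_vulnerable(c)
        return True
    except PaddingError:
        return False


def unwrap_hardened(c: int) -> bytes:
    """Countermeasure: on any padding defect substitute a random key of the expected
    length and carry on, so every bad ciphertext fails later in exactly the same way."""
    try:
        return unwrap_vulnerable(c)
    except PaddingError:
        return os.urandom(KEY_LEN)


def make_server(unwrap):
    """Simulated WS-Security receiver: unwrap the transported key, then check the
    body's HMAC with it. Raises PaddingError (vulnerable unwrap only) or AuthError."""
    def handle(c: int, body: bytes, tag: bytes) -> None:
        key = unwrap(c)
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise AuthError("message authentication failed")
    return handle


def padding_oracle(server, c: int) -> bool:
    """Attacker's view of one query: True when the server got past the unpadding
    step (generic authentication failure), False when it reported a padding problem."""
    try:
        server(c, b"attacker-chosen body", bytes(32))
    except PaddingError:
        return False
    except AuthError:
        return True
    return True


def blinding_step(server, c: int, tries: int, seed: int = 1):
    """Bleichenbacher step 1: search for s such that c * s^e mod n is conformant,
    using only the oracle. A hit tells the attacker that m * s mod n starts with
    00 02, i.e. lies in a known interval; that is the information the attack iterates on."""
    rng = random.Random(seed)
    for _ in range(tries):
        s = rng.randrange(2, N)
        if padding_oracle(server, (c * pow(s, E, N)) % N):
            return s
    return None
```

Against the vulnerable server, `padding_oracle` answers differently for a genuine ciphertext and for one that does not unpad, which is exactly the oracle Bleichenbacher's attack needs; against the hardened server both queries end in the same generic failure and the oracle is constant, so `blinding_step` learns nothing from a hit. Two caveats for anyone adopting the countermeasure: the substituted key must have the length the later processing expects, and the failure path must not take measurably different time from the success path (the code above is not constant-time), otherwise timing becomes the oracle instead.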

CVE-ID: CVE-2015-0227 DESCRIPTION: Apache WSS4J could allow a remote attacker to bypass security restrictions, caused by the failure to properly enforce the requireSignedEncryptedDataElements property: EncryptedData elements could be decrypted and processed even when no valid signature covered them. An attacker could exploit this vulnerability using various types of XML wrapping attacks (moving or substituting EncryptedData elements within the message) to have unsigned content processed and perform unauthorized actions.
CVSS Base Score: 5.000
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/100837 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
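The class of attack behind CVE-2015-0227, as an added worked example that is not IBM's or Apache WSS4J's code: a SOAP-shaped message whose Body carries an EncryptedData element covered by a signature Reference, an attacker who moves that signed element into an unsigned header wrapper (so the Reference still resolves and the signature still verifies) and drops a malleated copy into the Body, and a receiver that either decrypts whatever EncryptedData it finds in the Body or, with the check that the requireSignedEncryptedDataElements property is meant to enforce, refuses any EncryptedData that no verified Reference covers. The "signature" (an HMAC over the referenced element's serialization), the "cipher" (a keystream XOR, malleable like CBC without integrity), the keys, the known-plaintext assumption and the element and function names are all constructed for the demo.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
DS = "http://www.w3.org/2000/09/xmldsig#"
XENC = "http://www.w3.org/2001/04/xmlenc#"
WSU = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
ID = "{%s}Id" % WSU
for _prefix, _uri in (("soap", SOAP), ("ds", DS), ("xenc", XENC), ("wsu", WSU)):
    ET.register_namespace(_prefix, _uri)

# Constructed demo keys. The "signature" is an HMAC over a referenced element's
# serialization and the "cipher" is a keystream XOR: stand-ins for XML-DSig / XML-Enc
# that keep the two properties that matter here (References resolve by wsu:Id, and
# ciphertext without integrity protection is malleable).
SIGN_KEY = b"demo-signing-key"
SESSION_KEY = b"demo-session-key"


class WrappingError(Exception):
    pass


def serialize(el) -> bytes:
    return ET.tostring(el, encoding="utf-8")       # stand-in for canonicalization


def xor_crypt(data: bytes) -> bytes:
    stream = b"".join(hmac.new(SESSION_KEY, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def digest(el) -> str:
    return hmac.new(SIGN_KEY, serialize(el), hashlib.sha256).hexdigest()


def find_by_id(env, ident):
    for el in env.iter():
        if el.get(ID) == ident:
            return el
    raise WrappingError("no element with wsu:Id %r" % ident)


def build_message(order: str):
    """Sender: encrypt the order into Body/EncryptedData[@wsu:Id='enc-1'] and sign it."""
    env = ET.Element("{%s}Envelope" % SOAP)
    header = ET.SubElement(env, "{%s}Header" % SOAP)
    sig = ET.SubElement(header, "{%s}Signature" % DS)
    body = ET.SubElement(env, "{%s}Body" % SOAP)
    enc = ET.SubElement(body, "{%s}EncryptedData" % XENC, {ID: "enc-1"})
    ET.SubElement(enc, "{%s}CipherValue" % XENC).text = xor_crypt(order.encode()).hex()
    ET.SubElement(sig, "{%s}Reference" % DS, {"URI": "#enc-1", "DigestValue": digest(enc)})
    return env


def wrapping_attack(env, known_plaintext: str, evil_plaintext: str):
    """Attacker with no keys: move the signed EncryptedData into an unsigned header
    wrapper (the Reference still resolves, so the signature still verifies) and put a
    bit-flipped copy carrying the attacker's content into the Body as enc-2.
    Assumes the attacker knows the original plaintext (known-plaintext setting)."""
    assert len(known_plaintext) == len(evil_plaintext)
    body = env.find("{%s}Body" % SOAP)
    signed = body.find("{%s}EncryptedData" % XENC)
    body.remove(signed)
    ET.SubElement(env.find("{%s}Header" % SOAP), "Wrapper").append(signed)
    original = bytes.fromhex(signed.find("{%s}CipherValue" % XENC).text)
    delta = bytes(a ^ b for a, b in zip(known_plaintext.encode(), evil_plaintext.encode()))
    forged = bytes(a ^ b for a, b in zip(original, delta))
    evil = ET.SubElement(body, "{%s}EncryptedData" % XENC, {ID: "enc-2"})
    ET.SubElement(evil, "{%s}CipherValue" % XENC).text = forged.hex()
    return env


def process(env, require_signed_encrypted_data_elements: bool):
    """Receiver: verify every Reference, then decrypt EncryptedData found in the Body.
    The flag mirrors the intent of WSS4J's requireSignedEncryptedDataElements: when set,
    an EncryptedData that no verified Reference covers is rejected before decryption."""
    signed_ids = set()
    for ref in env.iter("{%s}Reference" % DS):
        ident = ref.get("URI")[1:]
        if not hmac.compare_digest(digest(find_by_id(env, ident)), ref.get("DigestValue")):
            raise WrappingError("signature does not verify for #" + ident)
        signed_ids.add(ident)
    plaintexts = []
    for enc in env.find("{%s}Body" % SOAP).iter("{%s}EncryptedData" % XENC):
        ident = enc.get(ID)
        if require_signed_encrypted_data_elements and ident not in signed_ids:
            raise WrappingError("EncryptedData %r in Body is not signed" % ident)
        cipher = bytes.fromhex(enc.find("{%s}CipherValue" % XENC).text)
        plaintexts.append(xor_crypt(cipher).decode())
    return plaintexts


def outcome(env, require_signed_encrypted_data_elements: bool):
    """Result of processing, or the rejection reason, for easy comparison."""
    try:
        return process(env, require_signed_encrypted_data_elements)
    except WrappingError as exc:
        return "rejected: " + str(exc)
```

The point the example makes is that the signature check alone passes on the wrapped message, because verification is by Reference (by wsu:Id) and the signed element is still present, just elsewhere; what the receiver then decrypts is whatever sits in the Body. The check that matters is the binding between "what was verified" and "what is processed": every EncryptedData that is going to be decrypted must be among the elements a valid Reference covered, and the receiver must decide that using the element it actually decrypts, not an Id looked up elsewhere in the document.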

Affected Products and Versions

The following product, running on all supported platforms, is affected:
IBM InfoSphere DataStage Web services Pack: versions 9.1 and 11.3

Remediation/Fixes

Product|VRMF|APAR|Remediation/First Fix
---|---|---|---
InfoSphere DataStage Web services Pack|11.3|JR52755|Apply IBM InfoSphere DataStage Web services Pack Security Patch
InfoSphere DataStage Web services Pack|9.1|JR52755|Apply IBM InfoSphere DataStage Web services Pack Security Patch

Note: The same fix may be listed under multiple vulnerabilities. Installing the fix addresses all vulnerabilities to which the fix applies. Also, some fixes require installing both a fix pack and a subsequent patch. While the fix pack must be installed first, any additional patches required may be installed in any order.

Workarounds and Mitigations

None
