IBM WebSphere Application Server 7.0 < 7.0.0.33 Multiple Vulnerabilities

The remote host appears to be running IBM WebSphere Application Server 7.0 prior to 7.0.0.33. Such versions are potentially affected by multiple vulnerabilities :

• A cross-site scripting (XSS) flaw exists within the Administration Console, where user input is improperly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser/server trust relationship. (CVE-2013-6323, PI04777, PI04880)
• A denial of service flaw exists within the Global Security Kit when handling SSLv2 resumption during the SSL/TLS handshake. This could allow a remote attacker to crash the program. (CVE-2013-6329, PI05309)
• A buffer overflow flaw exists in the HTTP server with the ‘mod_dav’ module when using add-ons. This could allow a remote attacker to cause a buffer overflow and a denial of service. (CVE-2013-6438, PI09345)
• An XSS flaw exists within ‘OAuth’ where user input is not properly validated. This could allow a remote attacker, with a specially crafted request, to execute arbitrary script code within the browser/server trust relationship. (CVE-2013-6738, PI05661)
• A denial of service (DoS) flaw exists within the Global Security Kit when handling the X.509 certificate chain during the initiation of an SSL/TLS connection. A remote attacker, using a malformed certificate chain, could cause the client or server to crash by hanging the Global Security Kit. (CVE-2013-6747, PI09443)
• A DoS flaw exists within the Apache Commons ‘FileUpload’ when parsing a content-type header for a multipart request. A remote attacker, using a specially crafted request, could crash the program. (CVE-2014-0050, PI12648, PI12926 and PI13162)
• A DoS flaw exists in the ‘mod_log_config’ when logging a cookie with an unassigned value. A remote attacker, using a specially crafted request, can cause the program to crash. (CVE-2014-0098, PI13028)
• A remote code execution flaw exists with Apache Struts. The failure to restrict setting of class loader attributes could allow a remote attacker to execute arbitrary script code. (CVE-2014-0114, PI17190)
• An information disclosure flaw exists in the ‘sun.security.rsa.RSAPadding’ with ‘PKCS#1’ unpadding. This many allow a remote attacker to gain timing information intended to be protected by encryption. (CVE-2014-0453)
• A flaw exists within ‘com.sun.jndi.dns.DnsClient’ related to the randomization of query IDs. This could allow a remote attacker to conduct spoofing attacks. (CVE-2014-0460)
• A DoS flaw exists in a web server plugin on servers configured to retry failed POST requests. This could allow a remote attacker to crash the application. (CVE-2014-0859, PI08892)
• A flaw exists with the ‘IBMJCE’ and ‘IBMSecureRandom’ cryptographic providers by generating numbers in a predictable manner. This could allow a remote attacker to easily guess the output of the random number generator. (CVE-2014-0878)
• An information disclosure flaw exists within Proxy and ODR servers. This could allow a remote attacker, using a specially crafted request, to gain access to potentially sensitive information. (CVE-2014-0891, PI09786)
• A DoS flaw exists within the IBM Security Access Manager for Web with the Reverse Proxy component. This could allow a remote attacker, using specially crafted TLS traffic, to cause the application on the system to become unresponsive. (CVE-2014-0963, PI17025)
• An information disclosure flaw exists when handling SOAP responses. This could allow a remote attacker to potentially gain access to sensitive information. (CVE-2014-0965, PI11434)
• An information disclosure flaw exists. A remote attacker, using a specially crafted URL, could gain access to potentially sensitive information. (CVE-2014-3022, PI09594)
• An unspecified flaw exists that may allow an attacker to gain elevated privileges. No further details have been provided.