342 matches found
Security Bulletin: A vulnerability in net-snmp affects IBM DataPower Gateways (CVE-2015-5621)
Summary IBM DataPower gateways has addressed a vulnerability in SNMP parsing routines that could cause the SNMP daemon to crash or execute arbitrary code. Vulnerability Details CVEID: CVE-2015-5621 DESCRIPTION: Net-SNMP is vulnerable to a denial of service, caused by incompletely parsed varBind...
Security Bulletin: A vulnerability in the GSKit component of IBM DataPower Gateways (CVE-2016-0201)
Summary IBM DataPower Gateways uses GSKit in certain modules - namely MQ, ISAM/TAM, JMS. A vulnerability has been addressed in the GSKit component of IBM DataPower Gateways. Vulnerability Details CVEID: CVE-2016-0201 DESCRIPTION: IBM GSKit could allow a remote attacker to obtain sensitive...
Security Bulletin: Vulnerability in MD5 Signature and Hash Algorithm affects IBM DataPower Gateways (CVE-2015-7575)
Summary The MD5 “SLOTH” vulnerability on TLS 1.2 affects IBM DataPower Gateways. Vulnerability Details CVEID: CVE-2015-7575 DESCRIPTION: The TLS protocol could allow weaker than expected security caused by a collision attack when using the MD5 hash function for signing a ServerKeyExchange message...
Security Bulletin: Vulnerabilities in SSL affect IBM DataPower Gateways (CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792)
Summary SSL vulnerabilities were disclosed on June 11, 2015 by the OpenSSL Project. IBM DataPower Gateways has addressed the applicable CVEs. Vulnerability Details CVEID: CVE-2015-1788 DESCRIPTION: OpenSSL is vulnerable to a denial of service, caused by an error when processing an ECParameters...
Security Bulletin: Vulnerabilities in unzip affect IBM DataPower Gateways (CVE-2014-8141)
Summary IBM DataPower Gateways has addressed a vulnerability in 'unzip utility' that it uses to list, test, or extract files from a zip archive. Vulnerability Details CVEID: CVE-2014-8141 DESCRIPTION: Info-ZIP UnZip is vulnerable to a buffer overflow, caused by improper bounds checking by the...
Security Bulletin: Padding Oracle Protection in IBM DataPower Gateways GatewayScript modules (CVE-2015-7412)
Summary IBM DataPower Gateways has addressed a Padding Oracle Protection vulnerability in GatewayScript decryption. Vulnerability Details CVEID: CVE-2015-7412 DESCRIPTION: IBM DataPower Gateways GatewayScript modules may be vulnerable to Padding Oracle attacks in some scenarios, which could allow...
Security Bulletin: GNU C library (glibc) vulnerability affect IBM DataPower Gateway appliances (CVE-2014-6040)
Summary GNU C library glibc vulnerability in iconv function affects IBM DataPower Gateway appliances. Vulnerability Details CVEID: CVE-2014-6040 DESCRIPTION: The GNU C Library glibc is vulnerable to a denial of service, caused by the improper validation of input by the iconv function when...
Security Bulletin: GNU C library (glibc) vulnerability affects IBM DataPower Gateway appliances (CVE-2015-0235)
Summary GNU C library glibc vulnerability that has been referred to as GHOST affects IBM DataPower Gateway appliances. Vulnerability Details CVEID:CVE-2015-0235 DESCRIPTION: The gethostbyname functions of the GNU C Library glibc are vulnerable to a buffer overflow. By sending a specially crafted,...
IBM DataPower Gateways Man-in-the-Middle Attack Vulnerability
IBM DataPower Gateways is a suite of security and integration platforms from IBM USA designed specifically for mobile, cloud, application programming interfaces APIs, web, service-oriented architecture SOA, B2B, and cloud workloads that protects, integrates, and optimizes access across channels...
IBM DataPower Gateway < 7.5.2.2 Default Admin Password Security Bypass
According to its self-reported version, the IBM DataPower Gateway running on the remote host is prior to 7.5.2.2. It is, therefore, affected by a security bypass vulnerability due to the default password still being accepted as valid if the administrator logs in before the startup configuration i...
Identify Web Application Firewall: WAFW00F
WAFW00F Fingerprints and Identify Web Application Firewall WAF products WAFW00F is a Python tool to help you fingerprint and identify Web Application Firewall WAF products. It is an active reconnaissance tool as it actually connects to the web server, but it starts out with a normal HTTP response...
IBM DataPower Gateways GatewayScript模块信息泄露漏洞
No description provided by source...
CVE-2015-7427
IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7, and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these...
Session fixation
IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7, and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these...
CVE-2015-7427
IBM DataPower Gateway appliances with firmware 6.x before 6.0.0.17, 6.0.1.x before 6.0.1.17, 7.x before 7.0.0.10, 7.1.0.x before 7.1.0.7, and 7.2.x before 7.2.0.1 do not set the secure flag for unspecified cookies in an https session, which makes it easier for remote attackers to capture these...
CVE-2015-7412
The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attac...
Code injection
The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attac...
CVE-2015-7412
The GatewayScript modules on IBM DataPower Gateways with software 7.2.0.x before 7.2.0.1, when the GatewayScript decryption API or a JWE decrypt action is enabled, do not require signed ciphertext data, which makes it easier for remote attackers to obtain plaintext data via a padding-oracle attac...
Design/Logic Flaw
The IBM WebSphere DataPower XML Accelerator XA35, Low Latency Appliance XM70, Integration Appliance XI50, B2B Appliance XB60, and XML Security Gateway XS40 SOA Appliances before 3.8.0.0, when a QLOGIC Ethernet interface is used, allow remote attackers to cause a denial of service interface outage...
[IBM Datapower XS40] Denial of Service
It appears it is possible to disable the IBM DataPower XS40 Security Gateway device by sending a malformed packet to the network interface. The device will hang up itself without being able to recover from it no auto-reboot. Tested vulnerable firmware is 3.7.2.1 Issue fixed according to vendor in...