漏洞类别:Local
漏洞等级: 
漏洞信息
IBM WebSphere Application Server is designed to facilitate the creation of various enterprise Web applications.
The PasswordUtil command (introduced in v9.0.04) used to enable AES encryption leads to weaker than exprected security since some passwords did not get encrypted as expected.
Affected Versions:
IBM WebSphere Application Server :
Version 9.0.0.4
QID Detection Logic (Unauthenticated):
This QID matches vulnerable versions in the response it receives by sending a HTTP GET request to target or retrieving by the banner information via the GIOP protocol.
QID Detection Logic (Authenticated):
Operating Systems: Windows
The QID checks if the file %ProgramFiles%\IBM\WebSphere\AppServer\bin\WASService.exe exists on the target or not.
The QID checks the file %programfiles%\IBM\WebSphere\AppServer\properties\version\WAS.product to get the version of IBM WebSphere Application Server
The QID checks if Interim fix PI82602 is applied on the vulnerable versions of IBM WebSphere Application Server -
This QID checks for the file
The following Versions and Interim Fixes checked swg22006803:
WebSphere Application Server version 9.0.0.4
Interim Fix -PI82602
漏洞危害
Successful exploitation of the vulnerability will affect the confidentiality of the system.
解决方案
The vendor has released a fix to resolve the issue, please refer to Recommended fixes for WebSphere Application Serverfor more information.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0daybank
文章评论