IBM WebSphere Application Server Axis2 Flaw Lets Remote Users View Arbitrary Files

SecurityTracker Alert ID: 1024133
SecurityTracker URL: http://securitytracker.com/id/1024133
CVE Reference: CVE-2010-1632
Date: Jun 21 2010
Impact: Disclosure of system information, Disclosure of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): Application Server Versions 7.0 through 7.0.0.12, Feature Pack for Web Services Versions 6.1.0.9 through 6.1.0.32, and Feature Pack for Web 2.0 Version 1.0.1.0

Description:
A vulnerability was reported in IBM WebSphere Application Server. A remote user can view files on the target system.
A remote user can supply a specially crafted XML message to exploit a flaw in the web services run-time and view arbitrary files on the target system.
Systems with the disableREST parameter (in axis2.xml) set to false are affected.
The flaw stems from an underlying vulnerability in Apache Axis2, which is also affected.
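
One way to check a host for the configuration condition named above, as an added example that is not from the advisory or from IBM: it reads each axis2.xml under a directory and reports whether disableREST leaves REST handling on. The `<axisconfig>` root, the treatment of a missing entry, and the sample document are assumptions made for illustration.

```python
import os
import sys
import xml.etree.ElementTree as ET

# Assumption (not stated in the advisory): when axis2.xml has no disableREST
# entry, REST handling is on, so a missing entry is reported as "rest-enabled".
ABSENT_MEANS_REST_ENABLED = True

# Constructed sample input, not taken from a real installation.
SAMPLE_AFFECTED = b"""<axisconfig name="AxisJava2.0">
  <parameter name="disableREST" locked="false"> False </parameter>
</axisconfig>"""


def classify(axis2_xml):
    """Classify one axis2.xml document (bytes or str) by its disableREST value."""
    try:
        root = ET.fromstring(axis2_xml)
    except ET.ParseError:
        return "unparseable"
    # Only top-level <parameter> children of the root element are considered.
    values = [(p.text or "").strip().lower()
              for p in root.findall("parameter")
              if p.get("name") == "disableREST"]
    if not values:
        return "rest-enabled" if ABSENT_MEANS_REST_ENABLED else "unknown"
    # With duplicate entries, report the exposed state unless every one is "true".
    return "rest-disabled" if all(v == "true" for v in values) else "rest-enabled"


def scan(root_dir):
    """Map every axis2.xml under root_dir to its classification."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        if "axis2.xml" in files:
            path = os.path.join(dirpath, "axis2.xml")
            with open(path, "rb") as fh:
                findings[path] = classify(fh.read())
    return findings


if __name__ == "__main__":
    for path, state in sorted(scan(sys.argv[1]).items()):
        print(f"{state:14} {path}")
```

A "rest-enabled" result only matches the configuration condition in the advisory; whether a system runs an affected version or has the vendor fix installed has to be checked separately.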

Impact:
A remote user can view arbitrary files on the target system.

Solution:
The vendor has issued a fix (PM14844, PM14847, PM14765).
The vendor's advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21433581

Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg21433581

Cause: Access control error

Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), Windows (Any)

Message History: None.

Source Message Contents

Date: Mon, 21 Jun 2010 18:02:03 +0000
Subject: IBM WebSphere

http://www-01.ibm.com/support/docview.wss?uid=swg21433581
CVE-2010-1632