PROBLEM:
IBM WebSphere DataPower XC10 Appliance Bugs Let Remote Authenticated Users Gain Elevated Privileges and Remote Users Deny Service
PLATFORM:
Version(s): XC10 2.0.0.0 - 2.0.0.3, 2.1.0.0 - 2.1.0.2
ABSTRACT:
Several vulnerabilities were reported in the IBM WebSphere DataPower XC10 Appliance. A remote authenticated user can gain elevated privileges, a remote user can cause denial of service conditions, and a remote user who obtains the shared device-to-device key can impersonate members of an appliance collective.
REFERENCE LINKS:
IBM Security Bulletin
SecurityTracker Alert ID: 1027798
CVE-2012-5758
CVE-2012-5759
CVE-2012-5756
IMPACT ASSESSMENT:
High
DISCUSSION:
Several vulnerabilities were reported in the IBM WebSphere DataPower XC10 Appliance. A remote authenticated user can gain administrative privileges. A remote user can cause denial of service conditions. A remote user who knows the shared device-to-device key can impersonate appliance collective members.
A remote authenticated user can send specially crafted data to execute arbitrary JMX operations on the target system, which can be used to gain administrative privileges [CVE-2012-5759]. The vendor has assigned APAR IC85748 to this vulnerability.
A remote user can send specially crafted data to stop server processes on the target system [CVE-2012-5758]. No authentication is stated as required. The vendor has assigned APAR IC86908 to this vulnerability.
The product uses a single common secret key for device-to-device communications across appliances. Because the same key is used by every appliance, a remote user who obtains the key (for example, from any one device) can authenticate as, and so impersonate, any member of an appliance collective [CVE-2012-5756]. The vendor has assigned APAR PM68926 to this vulnerability.
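The following is an added illustration of the design weakness behind CVE-2012-5756; it is not DataPower's actual device-to-device protocol, key material or code, and the member names, key values and message format are constructed for the example. It contrasts a collective where every appliance authenticates with one shared HMAC key (a key leaked from any single member lets an attacker forge messages as any other member) against a design where each member has its own key and the verifier checks the tag against the key of the claimed sender, so a leaked key only lets the attacker speak as the device it was taken from.

```python
import hmac
import hashlib
import os

# Constructed illustration (not DataPower's real protocol or keys): a "collective"
# of three appliances that authenticate device-to-device messages with an
# HMAC-SHA256 tag computed over (sender id, payload).

# Weak design: one secret shared by every member of the collective.
SHARED_KEY = b"collective-wide-secret-known-to-every-appliance"   # constructed value

# Stronger design: each member holds its own key; the verifier looks the key up
# by the claimed sender identity, so a valid tag binds the message to that member.
PER_MEMBER_KEYS = {
    "xc10-a": os.urandom(32),
    "xc10-b": os.urandom(32),
    "xc10-c": os.urandom(32),
}


def sign(key: bytes, sender: str, payload: bytes) -> bytes:
    """Tag a device-to-device message: HMAC-SHA256 over sender || 0x00 || payload."""
    return hmac.new(key, sender.encode() + b"\x00" + payload, hashlib.sha256).digest()


def verify_shared(sender: str, payload: bytes, tag: bytes) -> bool:
    """Verifier in the shared-key design: anyone holding SHARED_KEY is 'a member',
    whatever sender identity they claim."""
    expected = sign(SHARED_KEY, sender, payload)
    return hmac.compare_digest(expected, tag)


def verify_per_member(sender: str, payload: bytes, tag: bytes) -> bool:
    """Verifier in the per-member design: only a tag made with the claimed
    sender's own key is accepted; unknown senders are rejected outright."""
    key = PER_MEMBER_KEYS.get(sender)
    if key is None:
        return False
    expected = sign(key, sender, payload)
    return hmac.compare_digest(expected, tag)


def shared_key_impersonation_succeeds() -> bool:
    """Attacker recovered the shared key from one appliance (xc10-a) and forges a
    message claiming to come from a different member (xc10-b)."""
    leaked_key = SHARED_KEY
    forged_tag = sign(leaked_key, "xc10-b", b"join-collective")
    return verify_shared("xc10-b", b"join-collective", forged_tag)


def per_member_impersonation_succeeds() -> bool:
    """Same attacker with the same access (xc10-a's key only): forging as xc10-b
    fails because the verifier checks against xc10-b's key, which was not leaked."""
    leaked_key = PER_MEMBER_KEYS["xc10-a"]
    forged_tag = sign(leaked_key, "xc10-b", b"join-collective")
    return verify_per_member("xc10-b", b"join-collective", forged_tag)


def per_member_legitimate_succeeds() -> bool:
    """Control case: a genuine member signing with its own key is still accepted."""
    tag = sign(PER_MEMBER_KEYS["xc10-a"], "xc10-a", b"join-collective")
    return verify_per_member("xc10-a", b"join-collective", tag)


if __name__ == "__main__":
    print("shared key, forged as another member accepted:",
          shared_key_impersonation_succeeds())      # True: the weakness
    print("per-member key, forged as another member accepted:",
          per_member_impersonation_succeeds())      # False: blast radius contained
    print("per-member key, genuine member accepted:",
          per_member_legitimate_succeeds())         # True
```

Per-member keys do not protect a device whose own key is stolen; the point is containment, so that compromising one appliance does not hand out the identity of every other member of the collective. When auditing a fleet product for this class of flaw, the check is whether the same key material appears on more than one device and whether the verifier ties the key used to the identity being claimed.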
IMPACT:
A remote authenticated user can gain administrative privileges.
A remote user can cause server processes to stop.
A remote user can impersonate appliance collective members.
SOLUTION:
The vendor has issued fixes; see the referenced IBM Security Bulletin, "Security fixes for IBM WebSphere DataPower XC10 Appliance", for the fix levels corresponding to APARs IC85748, IC86908 and PM68926.