Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2008-4679

Overview

Vulnerability Score 6.8 6.8
CVE Id CVE-2008-4679
Last Modified 07 Mar 2011 10:12:52
Published 22 Oct 2008 02:00:00
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact PARTIAL PARTIAL
Availability Impact PARTIAL PARTIAL
Access Vector NETWORK
Access Complexity MEDIUM
Authentication NONE

CVE-2008-4679

Summary

The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when Certificate Store Collections is configured to use Certificate Revocation Lists (CRL), does not call the setRevocationEnabled method on the PKIXBuilderParameters object, which prevents the "Java security method" from checking the revocation status of X.509 certificates and allows remote attackers to bypass intended access restrictions via a SOAP message with a revoked certificate.

Vulnerable Systems

Application

  • Ibm Websphere Application Server 6.0.1.1

  • Ibm Websphere Application Server 6.0.1.11

  • Ibm Websphere Application Server 6.0.1.13

  • Ibm Websphere Application Server 6.0.1.15

  • Ibm Websphere Application Server 6.0.1.17

  • Ibm Websphere Application Server 6.0.1.2

  • Ibm Websphere Application Server 6.0.1.3

  • Ibm Websphere Application Server 6.0.1.5

  • Ibm Websphere Application Server 6.0.1.7

  • Ibm Websphere Application Server 6.0.1.9

  • Ibm Websphere Application Server 6.0.2

  • Ibm Websphere Application Server 6.0.2.1

  • Ibm Websphere Application Server 6.0.2.11

  • Ibm Websphere Application Server 6.0.2.13

  • Ibm Websphere Application Server 6.0.2.15

  • Ibm Websphere Application Server 6.0.2.17

  • Ibm Websphere Application Server 6.0.2.19

  • Ibm Websphere Application Server 6.0.2.2

  • Ibm Websphere Application Server 6.0.2.23

  • Ibm Websphere Application Server 6.0.2.25

  • Ibm Websphere Application Server 6.0.2.27

  • Ibm Websphere Application Server 6.0.2.3

  • Ibm Websphere Application Server 6.0.2.4

  • Ibm Websphere Application Server 6.0.2.5

  • Ibm Websphere Application Server 6.0.2.6

  • Ibm Websphere Application Server 6.0.2.9


References

AIXAPAR - PK61258

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg27007951

CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg27006876

XF - websphere-crl-weak-security(46002)

VUPEN - ADV-2008-2871

BID - 31839

SECUNIA - 32296


Last Updated: 27 May 2016 10:48:35