Release date:
Updated on: 2012-06-04
Affected Systems:
IBM WebSphere Application Server 8.0
IBM WebSphere Application Server 7.0
IBM WebSphere Application Server 6.1
Unaffected Systems:
IBM WebSphere Application Server 8.0.0.4
IBM WebSphere Application Server 7.0.0.23
IBM WebSphere Application Server 6.1.0.45
Description:
--------------------------------------------------------------------------------
Bugtraq ID: 53755
CVE ID: CVE-2012-2170
IBM WebSphere Application Server (WAS) is an application server developed and released by IBM that follows open standards such as Java EE, XML, and Web Services. Compatible web servers include Apache HTTP Server, Netscape Enterprise Server, Microsoft Internet Information Services (IIS), and IBM HTTP Server.
When the Default Application Snoop Servlet is enabled in WAS 6.1, 7.0, and 8.0, the servlet has no access control. This vulnerability allows attackers to obtain sensitive information through direct requests.
<* Source: vendor
Link: http://xforce.iss.net/xforce/xfdb/75234
*>
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
IBM
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
http://www.ers.ibm.com/
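
To triage an inventory against the fix levels listed above, the following added example (not vendor code) classifies each server by branch and fix level. It assumes that releases below the listed unaffected level in a branch are exposed and that later releases in the same branch carry the fix; the host names, the inventory and the status labels are constructed for illustration.

```python
# Added example: triage WAS servers against the fix levels in this advisory.
# Assumption: within a branch, releases below the listed unaffected level are
# exposed and releases at or above it are fixed.
FIX_LEVELS = {(8, 0): (8, 0, 0, 4), (7, 0): (7, 0, 0, 23), (6, 1): (6, 1, 0, 45)}


def parse_version(text):
    """Parse a dotted WAS version (2 to 4 fields) into a zero-padded 4-tuple."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4:
        raise ValueError(f"unrecognised WAS version: {text!r}")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError(f"unrecognised WAS version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def assess(version, snoop_enabled):
    """Classify one server: exposed, patch-pending, fixed, not-listed, unparsed."""
    try:
        v = parse_version(version)
    except ValueError:
        return "unparsed"          # needs manual review, never silently "fixed"
    fix = FIX_LEVELS.get(v[:2])
    if fix is None:
        return "not-listed"        # branch is not covered by this advisory
    if v >= fix:
        return "fixed"
    # Below the fix level: the issue is reachable only if Snoop is enabled,
    # but the server still needs the vendor patch either way.
    return "exposed" if snoop_enabled else "patch-pending"


# Constructed sample inventory: (host, reported version, Snoop Servlet enabled)
INVENTORY = [
    ("app01", "7.0.0.21", True),
    ("app02", "7.0.0.23", True),
    ("app03", "6.1.0.43", False),
    ("app04", "8.0", True),
    ("app05", "8.5.0.0", True),
    ("app06", "unknown", True),
]


def triage(inventory):
    """Map each host to its status."""
    return {host: assess(ver, snoop) for host, ver, snoop in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```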