WebSphere Vulnerabilities

Created 9/26/02
CVE 2001-0962
CAN 2002-1153

Impact

Multiple vulnerabilities could allow a malicious user to crash the server or obtain unauthorized access.

Background

IBM WebSphere is e-business infrastructure software. One component of the WebSphere product line, WebSphere Application Server (WAS), is a Java-based environment for building e-business applications.

The Problems


Possible Buffer Overflow

9/26/02
CAN 2002-1153
The WebSphere webserver plugin did not perform a bounds check on the size of POST data that could be sent to the application server. A malicious user can thereby issue a malformed HTTP request and cause the webserver to crash. IBM WebSphere 4.0.3 is vulnerable. Earlier versions may also be vulnerable.
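The kind of length validation described as missing above, as an added illustration in C; it is not IBM's plugin code and not the content of the vendor fix. The function names, the `MAX_POST_BODY` cap and the status values are assumptions made for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_POST_BODY 8192   /* assumed cap; choose per deployment */

enum post_status { POST_OK = 0, POST_BAD_LENGTH = 400, POST_TOO_LARGE = 413 };

/* Parse a Content-Length value strictly: decimal digits only, no sign,
 * no whitespace, no overflow. Returns 0 on success, -1 on malformed input. */
static int parse_content_length(const char *s, size_t *out)
{
    size_t n = 0;
    if (s == NULL || *s == '\0')
        return -1;
    for (; *s != '\0'; s++) {
        if (*s < '0' || *s > '9')
            return -1;
        size_t d = (size_t)(*s - '0');
        if (n > ((size_t)-1 - d) / 10)   /* n * 10 + d would wrap around */
            return -1;
        n = n * 10 + d;
    }
    *out = n;
    return 0;
}

/* Copy a POST body into a fixed buffer only after every length is checked.
 * cl_value: raw Content-Length header value; body/avail: bytes actually read. */
enum post_status store_post_body(char *dst, size_t dst_cap, const char *cl_value,
                                 const char *body, size_t avail, size_t *stored)
{
    size_t declared;
    *stored = 0;
    if (parse_content_length(cl_value, &declared) != 0)
        return POST_BAD_LENGTH;          /* malformed header value */
    if (declared > dst_cap || declared > MAX_POST_BODY)
        return POST_TOO_LARGE;           /* bounds check before any copy */
    if (declared > avail)
        return POST_BAD_LENGTH;          /* body shorter than declared */
    memcpy(dst, body, declared);         /* declared <= dst_cap and <= avail */
    *stored = declared;
    return POST_OK;
}
```

Rejecting the request before the copy turns an oversized or malformed POST into an error response instead of a crash.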


Predictable session IDs for cookies

9/28/01
CVE 2001-0962
This vulnerability involves the session IDs which WebSphere Application Server generates to identify authenticated users. Normally, a cookie containing the session ID is placed on each client's computer. Due to the predictability of the session IDs, it is possible for a remote attacker to hijack an existing user's session by guessing the session ID, thus gaining unauthorized access. WebSphere Application Server 3.x is affected by this vulnerability.

Resolution

Install PQ62144 (supersedes PQ62249) for WebSphere 4.0.3 to remove the buffer overflow vulnerability.

The predictable session ID vulnerability has been fixed in WebSphere Application Server 4.0 (and later). If you cannot upgrade, then install the eFix PQ47663V302 for your current (pre-4.0) WAS version to prevent hijacking of user sessions due to predictability of session IDs.

Where can I read more about this?

The buffer overflow in the WebSphere web server plugin was reported in Bugtraq.

See Bugtraq for information on the predictable session IDs and the vendor response.