
CERT Coordination Center

IBM WebSphere Portal Server input validation vulnerability

Vulnerability Note VU#375127

Original Release Date: 2011-02-23 | Last Revised: 2011-02-23

Overview

IBM WebSphere Portal Server does not validate the entry path supplied in XML input, allowing an authenticated user to read files outside the intended directory.

Description

From the IBM Portal website: "IBM WebSphere Portal software provides a composite application or business mashup framework and the advanced tooling needed to build flexible, SOA-based solutions, as well as the unmatched scalability required by any size organization." IBM WebSphere Portal Server is vulnerable to information disclosure because it does not validate the entry path value submitted via XML. The path is used without being checked against the intended content root, so a crafted value can reference files elsewhere on the server's file system.

Impact

An attacker with valid login credentials could leverage this vulnerability to read files on the server, such as /etc/passwd.
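The check that closes this class of bug is canonicalize-then-contain: resolve the submitted path against the content root, then require the result to remain inside that root. The following is an added example written for this note, not code from IBM or from the advisory; WebSphere is a Java product, but Python is used here because the check is generic. The XML element name (entryPath), the content root (/srv/portal/content) and the request bodies are constructed stand-ins, since the advisory does not name the real field or format.

```python
import os
import xml.etree.ElementTree as ET

# Hypothetical content root; the real WebSphere directory is not named in the advisory.
CONTENT_ROOT = "/srv/portal/content"

# Constructed sample requests (not captured WebSphere traffic).
BENIGN_REQUEST = "<request><entryPath>reports/q1.xml</entryPath></request>"
TRAVERSAL_REQUEST = "<request><entryPath>../../../../etc/passwd</entryPath></request>"
ABSOLUTE_REQUEST = "<request><entryPath>/etc/passwd</entryPath></request>"
# Escapes the root into a sibling directory whose name shares the root as a string prefix.
PREFIX_COLLISION_REQUEST = "<request><entryPath>../content2/secret.xml</entryPath></request>"


class InvalidEntryPath(ValueError):
    """Raised when the supplied entry path is missing or escapes the content root."""


def extract_entry_path(xml_text: str) -> str:
    """Pull the entryPath element out of the request body.

    The element name is a hypothetical stand-in. For untrusted XML in
    production, parse with defusedxml rather than the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    node = root.find("entryPath")
    if node is None or not node.text or not node.text.strip():
        raise InvalidEntryPath("entryPath missing or empty")
    return node.text.strip()


def resolve_within(base_dir: str, entry_path: str) -> str:
    """Return the canonical absolute path for entry_path, or raise InvalidEntryPath.

    Rejects NUL bytes and absolute paths, canonicalizes with realpath
    (collapsing '..' and resolving symlinks), and then requires the result
    to sit under base_dir. Containment is checked with os.path.commonpath,
    not str.startswith, so that /srv/portal/content2 is not mistaken for
    a location inside /srv/portal/content.
    """
    if "\x00" in entry_path:
        raise InvalidEntryPath("NUL byte in path")
    if os.path.isabs(entry_path):
        raise InvalidEntryPath("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, entry_path))
    if os.path.commonpath([base, candidate]) != base:
        raise InvalidEntryPath(f"path escapes content root: {entry_path!r}")
    return candidate


def vulnerable_target(xml_text: str, base_dir: str = CONTENT_ROOT) -> str:
    """The unvalidated pattern the advisory describes: join and use as-is."""
    return os.path.normpath(os.path.join(base_dir, extract_entry_path(xml_text)))


def hardened_target(xml_text: str, base_dir: str = CONTENT_ROOT) -> str:
    """The fixed pattern: validate containment before the path is ever opened."""
    return resolve_within(base_dir, extract_entry_path(xml_text))


def is_safe_entry_path(xml_text: str, base_dir: str = CONTENT_ROOT) -> bool:
    """True if the request's entry path resolves inside the content root."""
    try:
        hardened_target(xml_text, base_dir)
        return True
    except (InvalidEntryPath, ET.ParseError):
        return False


if __name__ == "__main__":
    for name, req in [("benign", BENIGN_REQUEST), ("traversal", TRAVERSAL_REQUEST),
                      ("absolute", ABSOLUTE_REQUEST), ("prefix", PREFIX_COLLISION_REQUEST)]:
        print(f"{name:10} vulnerable -> {vulnerable_target(req)}")
        print(f"{name:10} hardened  -> {'accepted' if is_safe_entry_path(req) else 'rejected'}")
```

The vulnerable_target function shows why the traversal works: a plain join with a value like ../../../../etc/passwd normalizes straight to /etc/passwd. Note that the check uses the canonical path, so a symlink inside the content root pointing outside it is also rejected; if that is intended behaviour in a deployment, the policy has to be made explicit rather than relying on the raw string.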

Solution

Apply an update

According to IBM's website, patches have been issued to address this vulnerability.

Restrict access

Restrict network access to the IBM WebSphere Portal server, and to any other systems exposing it over open protocols such as HTTP, to trusted hosts and networks. Since exploitation requires valid credentials, this reduces the population of users who can reach the vulnerable interface but does not replace the patch.

Vendor Information


IBM Corporation Affected

Notified: November 01, 2010 Updated: January 21, 2011

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to Peter Brauchle from Daimler TSS Technical Security for reporting this vulnerability.

This document was written by Michael Orlando.

Other Information

CVE IDs: None
Severity Metric: 3.60
Date Public: 2011-01-20
Date First Published: 2011-02-23
Date Last Updated: 2011-02-23 16:15 UTC
Document Revision: 28

Sponsored by CISA.