IBM WebSphere DataPower XC10 Denial of Service and Security Bypass Vulnerabilities


IBM WebSphere DataPower XC10 is prone to a denial-of-service vulnerability, a security-bypass weakness, and a security-bypass vulnerability.


The original article can be found at:


Vulnerable Systems:
 * IBM WebSphere DataPower XC10 and prior

Attackers can exploit these issues to perform denial-of-service or man-in-the-middle attacks, bypass certain security restrictions, or impersonate trusted servers; this will aid in further attacks.

The IBM WebSphere DataPower XC10 Appliance does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors. It also allows remote authenticated users to bypass intended administrative-role requirements and perform arbitrary JMX operations via unspecified vectors.

When a collective configuration is enabled, the appliance uses a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation.
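As an added illustration that is not part of the original advisory, the following Python models a simplified challenge-response join handshake (a constructed stand-in, not the XC10 collective protocol) to show why a key shared across customer installations cannot distinguish a legitimate container server from one presenting a key obtained from another installation, and how a per-installation random key closes that gap. All key values and server names are constructed.

```python
# Added example, not IBM code: a toy model of a container server joining a
# collective by proving knowledge of the collective key (HMAC over a nonce).
import hashlib
import hmac
import secrets


def join_token(collective_key: bytes, server_id: str, nonce: bytes) -> bytes:
    """Token a container server presents: MAC of its identity and the
    catalog's challenge nonce under the collective key."""
    return hmac.new(collective_key, server_id.encode() + nonce, hashlib.sha256).digest()


def catalog_accepts(collective_key: bytes, server_id: str, nonce: bytes, token: bytes) -> bool:
    """Catalog-side check, constant-time comparison of the expected token."""
    expected = join_token(collective_key, server_id, nonce)
    return hmac.compare_digest(expected, token)


# Weak deployment (constructed): every installation ships with the same key,
# so anyone who has any installation's key holds every installation's key.
SHARED_VENDOR_KEY = b"constructed-key-identical-on-every-install"


def join_accepted_with_shared_key(nonce: bytes) -> bool:
    """Customer A's catalog uses the shared key; a server presenting a token
    built from the key taken from customer B's install is accepted."""
    foreign_holder_token = join_token(SHARED_VENDOR_KEY, "container-from-elsewhere", nonce)
    return catalog_accepts(SHARED_VENDOR_KEY, "container-from-elsewhere", nonce, foreign_holder_token)


# Mitigation (assumed design, not a statement about the fixed product):
# each collective generates its own random key at setup time.
def per_installation_key() -> bytes:
    return secrets.token_bytes(32)


def join_accepted_with_unique_key(nonce: bytes) -> bool:
    """With a per-installation key, knowledge of another install's key
    yields a token the catalog rejects."""
    customer_a_key = per_installation_key()
    foreign_holder_token = join_token(SHARED_VENDOR_KEY, "container-from-elsewhere", nonce)
    return catalog_accepts(customer_a_key, "container-from-elsewhere", nonce, foreign_holder_token)


if __name__ == "__main__":
    challenge = secrets.token_bytes(16)
    print("shared key accepts foreign holder:", join_accepted_with_shared_key(challenge))
    print("unique key accepts foreign holder:", join_accepted_with_unique_key(challenge))
```

The model only covers vector (2); the cleartext transmission in vector (1) is a separate problem that the join protocol's transport must address.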

CVE Information:

Disclosure Timeline:
Published: November 21 2012

Categories: News