IBM WebSphere DataPower XC10 Denial of Service and Security Bypass Vulnerabilities
The original article can be found at: http://www-01.ibm.com/support/docview.wss?uid=swg21615783
* IBM WebSphere DataPower XC10 188.8.131.52 and prior
Attackers can exploit these issues to cause denial-of-service conditions, bypass certain security restrictions, perform man-in-the-middle attacks, or impersonate trusted servers; this may aid in further attacks.
The IBM WebSphere DataPower XC10 Appliance does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors. It also allows remote authenticated users to bypass intended administrative-role requirements and perform arbitrary JMX operations via unspecified vectors.
When a collective configuration is enabled, the appliance uses a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation.
Published: November 21 2012