Vulnerability Name:

CVE-2009-0440 (CCN-48530)

Assigned: 2009-02-10
Published: 2009-02-10
Updated: 2017-08-08
Summary: IBM WebSphere Partner Gateway (WPG) 6.0.0 through 6.0.0.7 does not properly handle failures of signature verification, which might allow remote authenticated users to submit a crafted RosettaNet (aka RNIF) document to a backend application, related to (1) "altered service content" and (2) "digital signature foot-print."
CVSS v3 Severity: 3.5 Low (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): Low
Availability (A): None
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
4.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N)
3.0 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:N/I:P/A:N/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): None
Integrity (I): Partial
Availability (A): None
Vulnerability Type: CWE-287
Vulnerability Consequences: Bypass Security
References: Source: MITRE
Type: CNA
CVE-2009-0440

Source: CCN
Type: SA33994
IBM WebSphere Partner Gateway RNIF Signature Verification Bypass

Source: SECUNIA
Type: Vendor Advisory
33994

Source: CCN
Type: SECTRACK ID: 1021740
IBM WebSphere Partner Gateway RNIF Signature Validation Flaw Lets Remote Users Bypass Security Checks

Source: CCN
Type: IBM Web site
WebSphere Partner Gateway

Source: CCN
Type: IBM Support & downloads
Signature Verification Problem with WebSphere Partner Gateway 6.0 RNIF

Source: CONFIRM
Type: Patch, Vendor Advisory
http://www-01.ibm.com/support/docview.wss?uid=swg21330341

Source: AIXAPAR
Type: Vendor Advisory
JR31231

Source: CCN
Type: OSVDB ID: 52607
IBM WebSphere Partner Gateway (WPG) Crafted RosettaNet (aka RNIF) Document Signature Verification Bypass

Source: BID
Type: UNKNOWN
33839

Source: CCN
Type: BID-33839
IBM WebSphere Partner Gateway RNIF Document Security Bypass Vulnerability

Source: XF
Type: UNKNOWN
websphere-pgateway-rnif-signatures(48530)

Vulnerable Configuration: Configuration 1:
  • cpe:/a:ibm:websphere_partner_gateway:6.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.5:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.6:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:websphere_partner_gateway:6.0.0.7:*:*:*:*:*:*:*

  • * Denotes that component is vulnerable
    ibm websphere partner gateway 6.0.0
    ibm websphere partner gateway 6.0.0.1
    ibm websphere partner gateway 6.0.0.2
    ibm websphere partner gateway 6.0.0.3
    ibm websphere partner gateway 6.0.0.4
    ibm websphere partner gateway 6.0.0.5
    ibm websphere partner gateway 6.0.0.6
    ibm websphere partner gateway 6.0.0.7