Vulnerability CVE-2013-4053 - CERT Civis.Net

Vulnerability Name:

CVE-2013-4053 (CCN-86505)

Assigned:

2013-09-09

Published:

2013-09-09

Updated:

2017-08-29

Summary:

The WS-Security implementation in IBM WebSphere Application Server (WAS) 6.1 before 6.1.0.47, 7.0 before 7.0.0.31, 8.0 before 8.0.0.8, and 8.5 before 8.5.5.1, and WAS Feature Pack for Web Services 6.1 before 6.1.0.47, when a trust store is configured for XML Digital Signatures, does not properly verify X.509 certificates, which allows remote attackers to obtain privileged access via unspecified vectors.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

6.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P)
5.0 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): Partial

Vulnerability Type:

Vulnerability Consequences:

Gain Privileges

References:

Source: MITRE
Type: CNA
CVE-2013-4053

Source: AIXAPAR
Type: UNKNOWN
PM90949

Source: AIXAPAR
Type: UNKNOWN
PM91521

Source: CCN
Type: IBM Security Bulletin 1647522
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 6.1.0.47

Source: CCN
Type: IBM Security Bulletin 1661323
Potential Security Vulnerabilities fixed in IBM WebSphere Application Server 7.0.0.31

Source: CCN
Type: IBM Security Bulletin 1661325
Potential Security Vulnerabilites fixed in IBM WebSphere Application Server 8.0.0.8

Source: CONFIRM
Type: Vendor Advisory
http://www.ibm.com/support/docview.wss?uid=swg21647522

Source: CCN
Type: BID-62338
IBM WebSphere Application Server CVE-2013-4053 Remote Privilege Escalation Vulnerability

Source: XF
Type: UNKNOWN
was-cve20134053-priv-escalation(86505)

Source: XF
Type: UNKNOWN
was-cve20134053-priv-escalation(86505)

Vulnerable Configuration:

Configuration 1:

cpe:/a:ibm:websphere_application_server:8.5.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5.5.0:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.8:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.10:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.12:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.14:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.16:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.18:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.19:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.21:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.22:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.23:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.24:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.25:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.27:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0.0.29:*:*:*:*:*:*:*

Configuration 3:

cpe:/a:ibm:websphere_application_server:8.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0.0.7:*:*:*:*:*:*:*

Configuration 4:

cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.7:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.9:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.12:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.14:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.19:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.21:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.23:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.25:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.27:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.29:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.31:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.33:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.35:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.37:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.39:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.41:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.43:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:6.1.0.45:*:*:*:*:*:*:*

Configuration 5:

cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.11:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.13:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.15:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.17:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.19:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.21:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.23:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.25:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.27:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.29:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.31:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.33:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.35:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.37:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.39:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.41:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.43:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.45:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server_feature_pack_for_web_services:6.1.0.47:*:*:*:*:*:*:*

Configuration CCN 1:

cpe:/a:ibm:websphere_application_server:6.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:8.5:*:*:*:*:*:*:*

Denotes that component is vulnerable