-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1052
            IBM WebSphere Application Server Service Component
              Architecture (SCA) feature pack security bypass
                              18 August 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              IBM WebSphere Application Server SCA 1.0
Operating System:     Windows
                      Linux variants
                      AIX
                      HP-UX
                      Solaris
Impact/Access:        Increased Privileges -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-0906  
Member content until: Thursday, September 17 2009

OVERVIEW

        IBM has released a fix pack correcting a vulnerability in WebSphere 
        which allows security measures to be bypassed. [1]


DETAILS

        "IBM WebSphere Application Server could allow a remote authenticated
        attacker to bypass security restrictions, caused by an error in the
        Service Component Architecture (SCA) feature pack. An attacker that
        has not been assigned to the scaAllAuthorizedUsers role could 
        exploit this vulnerability to bypass the authentication.transport 
        intent and gain unauthorized access to the system." [2]


MITIGATION

        Apply the fix pack to correct the vulnerability.


REFERENCES

        [1] IBM - Fix list for SCA Feature Pack for WebSphere Application
            Server V7.0
            http://www-01.ibm.com/support/docview.wss?uid=swg27015429

        [2] ISS X-Force Database:
            was-sca-scaallauthorizedusers-sec-bypass(52074): IBM WebSphere
            Application Server Service Component Architecture (SCA) feature
            pack security bypass
            http://xforce.iss.net/xforce/xfdb/52074

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFKijwqNVH5XJJInbgRAq0PAJ9V9UeyK+F5JWbCFYYX8jDD1Ts+jgCfaF3v
RP4UJtAWAjrSvj8HD5TjLPM=
=j5Th
-----END PGP SIGNATURE-----