ID

VAR-200902-0004


CVE

CVE-2009-0440


TITLE

IBM WebSphere Partner Gateway Illegal in RosettaNet document (alias RNIF document) Vulnerability sent to

Trust: 0.8

sources: JVNDB: JVNDB-2009-001372

DESCRIPTION

IBM WebSphere Partner Gateway (WPG) 6.0.0 through 6.0.0.7 does not properly handle failures of signature verification, which might allow remote authenticated users to submit a crafted RosettaNet (aka RNIF) document to a backend application, related to (1) "altered service content" and (2) "digital signature foot-print." IBM WebSphere Partner Gateway is prone to a security-bypass vulnerability. Successful exploits may allow attackers to pass malicious RosettaNet Implementation Framework (RNIF) documents to a back-end application.

TITLE: IBM WebSphere Partner Gateway RNIF Signature Verification Bypass
SECUNIA ADVISORY ID: SA33994
VERIFY ADVISORY: http://secunia.com/advisories/33994/
DESCRIPTION: A vulnerability has been reported in IBM WebSphere Partner Gateway, which can be exploited by malicious users to bypass certain security restrictions.
SOLUTION: Update to version 6.0.0.7 and apply APAR JR31231.
PROVIDED AND/OR DISCOVERED BY: Reported by the vendor.
ORIGINAL ADVISORY: http://www-01.ibm.com/support/docview.wss?uid=swg21330341

Trust: 2.07

sources: NVD: CVE-2009-0440 // JVNDB: JVNDB-2009-001372 // BID: 33839 // VULHUB: VHN-37886 // PACKETSTORM: 75089

AFFECTED PRODUCTS

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.3

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.5

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.1

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.2

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.4

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.6

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0.7

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0

Trust: 1.6

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.0 - 6.0.0.7

Trust: 0.8

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.7

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.6

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.5

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.4

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.3

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.2

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0.1

Trust: 0.3

vendor: ibm // model: websphere partner gateway // scope: eq // version: 6.0

sources: BID: 33839 // JVNDB: JVNDB-2009-001372 // CNNVD: CNNVD-200902-489 // NVD: CVE-2009-0440

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-0440
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-0440
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200902-489
value: MEDIUM

Trust: 0.6

VULHUB: VHN-37886
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2009-0440
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-37886
severity: MEDIUM
baseScore: 6.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-37886 // JVNDB: JVNDB-2009-001372 // CNNVD: CNNVD-200902-489 // NVD: CVE-2009-0440

PROBLEMTYPE DATA

problemtype:CWE-287

Trust: 1.9

sources: VULHUB: VHN-37886 // JVNDB: JVNDB-2009-001372 // NVD: CVE-2009-0440

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200902-489

TYPE

authorization issue

Trust: 0.6

sources: CNNVD: CNNVD-200902-489

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-001372

PATCH

title: 1330341 // url: http://www-01.ibm.com/support/docview.wss?uid=swg21330341

Trust: 0.8

sources: JVNDB: JVNDB-2009-001372

EXTERNAL IDS

db: NVD // id: CVE-2009-0440

Trust: 2.5

db: BID // id: 33839

Trust: 2.0

db: SECUNIA // id: 33994

Trust: 1.8

db: JVNDB // id: JVNDB-2009-001372

Trust: 0.8

db: CNNVD // id: CNNVD-200902-489

Trust: 0.7

db: XF // id: 48530

Trust: 0.6

db: AIXAPAR // id: JR31231

Trust: 0.6

db: VULHUB // id: VHN-37886

Trust: 0.1

db: PACKETSTORM // id: 75089

Trust: 0.1

sources: VULHUB: VHN-37886 // BID: 33839 // JVNDB: JVNDB-2009-001372 // PACKETSTORM: 75089 // CNNVD: CNNVD-200902-489 // NVD: CVE-2009-0440

REFERENCES

url:http://www-01.ibm.com/support/docview.wss?uid=swg21330341

Trust: 2.1

url:http://www-1.ibm.com/support/docview.wss?uid=swg1jr31231

Trust: 1.7

url:http://www.securityfocus.com/bid/33839

Trust: 1.7

url:http://secunia.com/advisories/33994

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/48530

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0440

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0440

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/48530

Trust: 0.6

url:http://www-01.ibm.com/software/integration/wspartnergateway/

Trust: 0.3

url:http://secunia.com/advisories/33994/

Trust: 0.1

sources: VULHUB: VHN-37886 // BID: 33839 // JVNDB: JVNDB-2009-001372 // PACKETSTORM: 75089 // CNNVD: CNNVD-200902-489 // NVD: CVE-2009-0440

CREDITS

IBM ncsupp@ca.ibm.com

Trust: 0.6

sources: CNNVD: CNNVD-200902-489

SOURCES

db: VULHUB // id: VHN-37886
db: BID // id: 33839
db: JVNDB // id: JVNDB-2009-001372
db: PACKETSTORM // id: 75089
db: CNNVD // id: CNNVD-200902-489
db: NVD // id: CVE-2009-0440

LAST UPDATE DATE

2025-04-10T23:24:13.481000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-37886 // date: 2017-08-08T00:00:00
db: BID // id: 33839 // date: 2009-02-20T15:47:00
db: JVNDB // id: JVNDB-2009-001372 // date: 2009-06-30T00:00:00
db: CNNVD // id: CNNVD-200902-489 // date: 2009-02-23T00:00:00
db: NVD // id: CVE-2009-0440 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB // id: VHN-37886 // date: 2009-02-22T00:00:00
db: BID // id: 33839 // date: 2009-01-12T00:00:00
db: JVNDB // id: JVNDB-2009-001372 // date: 2009-06-30T00:00:00
db: PACKETSTORM // id: 75089 // date: 2009-02-21T11:31:28
db: CNNVD // id: CNNVD-200902-489 // date: 2009-01-12T00:00:00
db: NVD // id: CVE-2009-0440 // date: 2009-02-22T22:30:00.843