CVE-2008-4679

Name of the Vulnerable Software and Affected Versions IBM WebSphere Application Server versions 6.0.2 through 6.0.2.30 IBM WebSphere Application Server versions 6.1 through 6.1.0.18

Description The issue concerns the Web Services Security component in IBM WebSphere Application Server. When Certificate Store Collections is configured to use Certificate Revocation Lists (CRL), the component fails to check the revocation status of X.509 certificates. This allows remote attackers to bypass intended access restrictions via a SOAP message with a revoked certificate.

Recommendations For IBM WebSphere Application Server versions 6.0.2 through 6.0.2.30, update to version 6.0.2.31 or later. For IBM WebSphere Application Server versions 6.1 through 6.1.0.18, update to version 6.1.0.19 or later.