CVE-2008-4679
IBM WebSphere Application Server 6.0.2-6.0.2.30 and 6.1-6.1.0.18 - Improper Certificate Revocation Validation
Title source: llmDescription
The Web Services Security component in IBM WebSphere Application Server (WAS) 6.0.2 before 6.0.2.31 and 6.1 before 6.1.0.19, when Certificate Store Collections is configured to use Certificate Revocation Lists (CRL), does not call the setRevocationEnabled method on the PKIXBuilderParameters object, which prevents the "Java security method" from checking the revocation status of X.509 certificates and allows remote attackers to bypass intended access restrictions via a SOAP message with a revoked certificate.
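The flaw reduces to one line of JCA configuration. The Java below is an added example, not WebSphere or IBM code: it builds the same PKIXBuilderParameters object the description names, once in the state the advisory describes (a CRL CertStore is attached but revocation checking is not enabled, so the CertPathBuilder never reads the CRLs and a revoked end-entity certificate still produces a valid path) and once with the fix applied. One caveat for practitioners: the JDK's PKIXParameters constructors set the revocation flag to true, so the vulnerable variant here sets it to false explicitly to reproduce the effective end state; the pre-flight check (revocationConfigured) catches both ways of ending up without revocation checking, a cleared flag and a CertStore that holds no CRLs. The command-line file paths, the method names and the class name are assumptions for this example, not anything taken from the advisory.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.*;
import java.util.*;

// Added example, not IBM/WebSphere code: the CertPath configuration the advisory
// describes (CRLs present, revocation never enabled) next to the hardened form.
public class CrlAwarePathValidation {

    // Loads every X.509 certificate in a PEM or DER file (concatenated PEM is fine).
    static List<X509Certificate> loadCerts(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            List<X509Certificate> out = new ArrayList<>();
            for (Certificate c : cf.generateCertificates(in)) out.add((X509Certificate) c);
            return out;
        }
    }

    // Loads every CRL in a PEM or DER file.
    static List<X509CRL> loadCrls(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = Files.newInputStream(Paths.get(file))) {
            List<X509CRL> out = new ArrayList<>();
            for (CRL c : cf.generateCRLs(in)) out.add((X509CRL) c);
            return out;
        }
    }

    // Shared setup: trust anchors, a selector pinned to the presented certificate, and a
    // Collection CertStore holding the target, any intermediates and the CRLs.
    static PKIXBuilderParameters baseParams(Set<TrustAnchor> anchors, X509Certificate target,
                                           Collection<X509Certificate> intermediates,
                                           Collection<X509CRL> crls) throws Exception {
        X509CertSelector selector = new X509CertSelector();
        selector.setCertificate(target);
        PKIXBuilderParameters params = new PKIXBuilderParameters(anchors, selector);
        List<Object> storeContents = new ArrayList<>();
        storeContents.add(target);
        storeContents.addAll(intermediates);
        storeContents.addAll(crls);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(storeContents)));
        return params;
    }

    // The flawed state: the CRLs sit in the store but revocation checking is off
    // (the advisory: setRevocationEnabled is never called), so the builder never
    // consults them and a revoked end-entity certificate still yields a path.
    static PKIXBuilderParameters vulnerableParams(Set<TrustAnchor> anchors, X509Certificate target,
                                                 Collection<X509Certificate> intermediates,
                                                 Collection<X509CRL> crls) throws Exception {
        PKIXBuilderParameters params = baseParams(anchors, target, intermediates, crls);
        params.setRevocationEnabled(false);
        return params;
    }

    // The fix: revocation explicitly enabled, and refuse to validate without CRL data
    // (the default PKIX checker fails closed with an undetermined status otherwise).
    static PKIXBuilderParameters hardenedParams(Set<TrustAnchor> anchors, X509Certificate target,
                                               Collection<X509Certificate> intermediates,
                                               Collection<X509CRL> crls) throws Exception {
        if (crls.isEmpty()) throw new IllegalStateException("no CRLs available for revocation checking");
        PKIXBuilderParameters params = baseParams(anchors, target, intermediates, crls);
        params.setRevocationEnabled(true);
        return params;
    }

    // Pre-flight check worth running on any PKIX parameters an application builds:
    // revocation must be on and at least one configured CertStore must actually hold CRLs.
    static boolean revocationConfigured(PKIXBuilderParameters params) throws Exception {
        if (!params.isRevocationEnabled()) return false;
        for (CertStore store : params.getCertStores()) {
            if (!store.getCRLs(new X509CRLSelector()).isEmpty()) return true;
        }
        return false;
    }

    // True when a trusted path exists under these parameters (and, with revocation on,
    // when no certificate in it is revoked).
    static boolean pathBuilds(PKIXBuilderParameters params) throws Exception {
        try {
            CertPathBuilder.getInstance("PKIX").build(params);
            return true;
        } catch (CertPathBuilderException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed inputs: args[0] CA certificate(s), args[1] the certificate presented in
        // the SOAP message, args[2] the CA's CRL listing that certificate as revoked.
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : loadCerts(args[0])) anchors.add(new TrustAnchor(ca, null));
        X509Certificate presented = loadCerts(args[1]).get(0);
        List<X509CRL> crls = loadCrls(args[2]);
        List<X509Certificate> noIntermediates = new ArrayList<>();

        PKIXBuilderParameters bad = vulnerableParams(anchors, presented, noIntermediates, crls);
        PKIXBuilderParameters good = hardenedParams(anchors, presented, noIntermediates, crls);
        System.out.println("vulnerable: revocationConfigured=" + revocationConfigured(bad)
                + " pathBuilds=" + pathBuilds(bad));
        System.out.println("hardened:   revocationConfigured=" + revocationConfigured(good)
                + " pathBuilds=" + pathBuilds(good));
    }
}
```

Run it against a CA certificate, a leaf certificate it issued, and a CRL from that CA listing the leaf: the vulnerable parameters build a path for the revoked certificate, the hardened ones do not. The same revocationConfigured check is a cheap regression guard for any code path that assembles PKIX parameters from configuration, since a parameter object can pass unit tests for chain building while silently never looking at a CRL.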
References (7)
Patch, Vendor Advisory [x_refsource_confirm]: http://www-01.ibm.com/support/docview.wss?uid=swg27007951
Third Party Advisory, VDB Entry [x_refsource_vupen]: http://www.vupen.com/english/advisories/2008/2871
Patch, Vendor Advisory [x_refsource_confirm]: http://www-01.ibm.com/support/docview.wss?uid=swg27006876
Patch, Vendor Advisory [x_refsource_aixapar]: http://www-1.ibm.com/support/docview.wss?uid=swg1PK61258
Vendor Advisory, Third Party Advisory [x_refsource_secunia]: http://secunia.com/advisories/32296
Third Party Advisory, VDB Entry [x_refsource_bid]: http://www.securityfocus.com/bid/31839
Third Party Advisory, VDB Entry [x_refsource_xf]: https://exchange.xforce.ibmcloud.com/vulnerabilities/46002
Scores
EPSS: 0.0157 (percentile 72.2%)
Details
CWE: CWE-287 (Improper Authentication)
Status: published
Products (26)
ibm/websphere_application_server: 6.0.1.1, 6.0.1.2, 6.0.1.3, 6.0.1.5, 6.0.1.7, 6.0.1.9, 6.0.1.11, 6.0.1.13, 6.0.1.15, 6.0.1.17 ... and 16 more
Published: Oct 22, 2008
Tracked Since: Feb 18, 2026