The IBM WebSphere DataPower XC10 Appliance 2.0.0.0 through 2.0.0.3 and 2.1.0.0 through 2.1.0.2, when a collective configuration is enabled, has a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation.
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
| Link | Tags |
|---|---|
| http://www-01.ibm.com/support/docview.wss?uid=swg24033740 | |
| http://www-01.ibm.com/support/docview.wss?uid=swg1PM68926 | vendor advisory |
| http://www.securityfocus.com/bid/56617 | vdb entry |
| https://exchange.xforce.ibmcloud.com/vulnerabilities/79921 | vdb entry |
| http://www.securitytracker.com/id?1027798 | vdb entry |
| http://secunia.com/advisories/51319 | third party advisory |
| http://www-01.ibm.com/support/docview.wss?uid=swg21615783 | vendor advisory |