Vulnerable Systems:
* IBM WebSphere DataPower XC10 2.0.0.0 and prior
Attackers can exploit these issues to perform denial-of-service attacks, bypass certain security restrictions, perform man-in-the-middle attacks, or impersonate trusted servers; this will aid in further attacks.
The IBM WebSphere DataPower XC10 Appliance does not require authentication for an unspecified interface, which allows remote attackers to cause a denial of service (process exit) via unknown vectors. It also allows remote authenticated users to bypass intended administrative-role requirements and perform arbitrary JMX operations via unspecified vectors.
When a collective configuration is enabled, the appliance has a single secret key that is shared across different customers' installations, which allows remote attackers to spoof a container server by (1) sniffing the network to locate a cleartext transmission of this key or (2) leveraging knowledge of this key from another installation.