IBM WebSphere administration console weak password - Vulnerability Database

IBM WebSphere administration console weak password

Description

The IBM WebSphere Application Server administration console is protected by weak or default credentials that can be easily guessed through automated attacks. Invicti successfully authenticated to the console using common username and password combinations, indicating that the system is using credentials vulnerable to dictionary attacks or brute force enumeration. This represents a critical authentication weakness that exposes administrative functionality to unauthorized access.

Remediation

Immediately change the WebSphere administration console credentials to strong, unique passwords and harden the console as follows:

1. Change Default Credentials: Access the WebSphere Integrated Solutions Console, navigate to Security > Global Security > Configure, and update all administrative user accounts with strong passwords. Never use default credentials like 'admin/admin' or 'websphere/websphere'.

2. Implement Strong Password Policy: Enforce passwords that are at least 12 characters long, contain a mix of uppercase and lowercase letters, numbers, and special characters. Avoid dictionary words, common patterns, and personally identifiable information.

3. Enable Account Lockout: Configure account lockout policies to prevent brute force attacks by limiting failed login attempts (recommended: 5 attempts with a 30-minute lockout period).

4. Implement Multi-Factor Authentication: Where possible, enable MFA for administrative console access to add an additional layer of security beyond passwords.

5. Restrict Network Access: Limit administration console access to specific IP addresses or network segments using firewall rules or WebSphere security constraints. Consider using a VPN for remote administrative access.

6. Regular Credential Rotation: Establish a policy for periodic password changes for all administrative accounts (recommended: every 90 days).
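As an added example (not Invicti's or IBM's code, and not a WebSphere API), the following Python script turns steps 2 and 3 above into checks an administrator can run: a password-policy validator enforcing the 12-character, mixed-class rule and rejecting the default values named in step 1, and a lockout tracker that locks an account after 5 consecutive failures for 30 minutes. The account name `wasadmin`, the timestamps and the denylist words are constructed sample values, not values from the page.

```python
"""Password-policy and lockout checks mirroring the remediation steps above.
Added example; the thresholds come from the page, the sample data is constructed."""
import re
from datetime import datetime, timedelta

MIN_LENGTH = 12                        # step 2: at least 12 characters
MAX_FAILED_ATTEMPTS = 5                # step 3: 5 attempts ...
LOCKOUT_PERIOD = timedelta(minutes=30) # ... then a 30-minute lockout

# Constructed denylist: the defaults named in step 1 plus a few common words.
DENYLIST = ("admin", "websphere", "password", "welcome", "qwerty")


def password_violations(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    lowered = password.lower()
    for word in DENYLIST:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per account and locks it after the limit."""

    def __init__(self, max_attempts=MAX_FAILED_ATTEMPTS, lockout=LOCKOUT_PERIOD):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self._failures = {}      # username -> consecutive failed attempts
        self._locked_until = {}  # username -> datetime when the lock expires

    def is_locked(self, username: str, now: datetime) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            # Lock has expired: clear state so the counter starts fresh.
            del self._locked_until[username]
            self._failures.pop(username, None)
            return False
        return True

    def record_failure(self, username: str, now: datetime) -> bool:
        """Register a failed attempt; return True if the account is now locked."""
        if self.is_locked(username, now):
            return True
        count = self._failures.get(username, 0) + 1
        self._failures[username] = count
        if count >= self.max_attempts:
            self._locked_until[username] = now + self.lockout
            return True
        return False

    def record_success(self, username: str) -> None:
        """A successful login (only allowed when not locked) resets the counter."""
        self._failures.pop(username, None)


def demo(start: datetime = None) -> dict:
    """Replay five failed logins against a constructed account and report lock state."""
    start = start or datetime(2024, 1, 1, 9, 0, 0)  # constructed timestamp
    tracker = LockoutTracker()
    locked_at_attempt = None
    for i in range(1, MAX_FAILED_ATTEMPTS + 1):
        if tracker.record_failure("wasadmin", start + timedelta(seconds=i)):
            locked_at_attempt = i
            break
    return {
        "locked_at_attempt": locked_at_attempt,
        "still_locked_after_29_min": tracker.is_locked("wasadmin", start + timedelta(minutes=29)),
        "locked_after_31_min": tracker.is_locked("wasadmin", start + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    print("admin/admin ->", password_violations("admin", "admin"))
    print("strong     ->", password_violations("Tq7!mWz#4pLb", "wasadmin"))
    print(demo())
```

`password_violations` is deliberately a substring check against the denylist, so a value such as `WebSphere2024!` still fails even though it satisfies the character-class rules; the lockout tracker counts only consecutive failures and resets on success or when the lock expires, which is the behaviour step 3 describes.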
