Lucene search

K
ibmIBM025F46D70BF12E5E7A17B0B9163D46438945859C3636C38FE34BA49936F47B5C
HistorySep 21, 2021 - 8:25 p.m.

Security Bulletin: Multiple security vulnerabilities have been fixed in IBM Security Verify Governance, Identity Manager virtual appliance component (ISVG IMVA)

2021-09-2120:25:02
www.ibm.com
14
ibm security verify governance
identity manager
apache httpcomponents
ssl connections
sensitive data disclosure
virtual appliance
fix.

EPSS

0.033

Percentile

91.5%

Summary

IBM Security Verify Governance, Identity Manager virtual appliance component has addressed the following vulnerabilities.

Vulnerability Details

CVEID:CVE-2015-5262
**DESCRIPTION:**Apache Commons is vulnerable to a denial of service, caused by the failure to apply a configured connection during the initial handshake of an HTTPS connection by the HttpClient component. An attacker could exploit this vulnerability to accumulate multiple connections and exhaust all available resources.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/106932 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CVEID:CVE-2014-3577
**DESCRIPTION:**Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the Subject’s Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95327 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2012-6153
**DESCRIPTION:**Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject’s Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/95328 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID:CVE-2011-1498
**DESCRIPTION:**Apache HttpComponents could allow a remote attacker to obtain sensitive information, caused by an unspecified error in HttpClient. An attacker could exploit this vulnerability to send the Proxy-Authorization header to the host and disclose the user’s password.
CVSS Base score: 5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/66241 for the current score.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Security Verify Governance, Identity Manager virtual appliance component All

Remediation/Fixes

Affected Product(s) Version(s) Fix Availability
IBM Security Verify Governance, Identity Manager virtual appliance component 10.0.0.0
10.0.0.0-ISS-ISVG-IMVA-FP0001

Workarounds and Mitigations

None