Jun 16, 2018 - 9:51 p.m.

Security Bulletin: IBM Tivoli Federated Identity Manager is affected by an XML External Entity vulnerability (CVE-2016-2908)

2018-06-16 21:51:27
www.ibm.com

EPSS: 0.004 (percentile: 74.0%)

Summary

IBM Tivoli Federated Identity Manager could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML parser.

Vulnerability Details

CVEID: CVE-2016-2908
DESCRIPTION: IBM Security Access Manager could allow a remote attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data by the XML parser. A remote attacker could exploit this vulnerability to read arbitrary files on the system or cause a denial of service.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/113235> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L)

Affected Products and Versions

IBM Tivoli Federated Identity Manager 6.2.0
IBM Tivoli Federated Identity Manager 6.2.1
IBM Tivoli Federated Identity Manager 6.2.2

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.

| Product | VRMF | APAR | Remediation |
|---|---|---|---|
| IBM Tivoli Federated Identity Manager | 6.2.2 | IV95727 | Apply fixpack 6.2.2-TIV-TFIM-FP0017. |
| IBM Tivoli Federated Identity Manager | 6.2.1 | N/A | Customers will need to upgrade to Tivoli Federated Identity Manager 6.2.2.17. |
| IBM Tivoli Federated Identity Manager | 6.2.0 | N/A | Customers will need to upgrade to Tivoli Federated Identity Manager 6.2.2.17. |

Workarounds and Mitigations

None.
