Lucene search

IBM1C634DF250BABDA624C165E02BBC0C05640C944B05C98468342145296F6EE347

HistoryOct 17, 2018 - 2:55 p.m.

Security Bulletin: IBM Tivoli Access Manager for e-business and IBM Security Access Manager releases are affected by a Kerberos vulnerability (CVE-2017-11462)

2018-10-1714:55:02

www.ibm.com

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

JSON

Summary

IBM Tivoli Access Manager for e-business and IBM Security Access Manager have addressed the following vulnerability.

Vulnerability Details

CVEID: CVE-2017-11462 DESCRIPTION: A double free vulnerability in MIT Kerberos 5 (aka krb5) has an unknown impact and attack vector involving automatic deletion of security contexts on error.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/132060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)

Affected Products and Versions

Software releases

Affected****product

Affected Versions

—|—
IBM Tivoli Access Manager for e-business | 6.1 - 6.1.0.35
IBM Tivoli Access Manager for e-business | 6.1.1 - 6.1.1.34
IBM Security Access Manager (software) | 7.0-7.0.0.34

Appliance releases

Affected IBM Security Access Manager Appliance

Affected Versions

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README file included with the patch.

Product	VRMF	APAR	Remediation
IBM Tivoli Access Manager for e-business	6.1 - 6.1.0.35	IJ03462	Apply Interim Fix 36:
6.1.0-ISS-TAM-IF0036
IBM Tivoli Access Manager for e-business	6.1.1 - 6.1.1.34	IJ03462	Apply Interim Fix 35:
6.1.1-ISS-TAM-IF0035
IBM Security Access Manager for Web (software)	7.0 - 7.0.0.34 (software)	IJ03462	Apply Interim Fix 35:
7.0.0-ISS-SAM-IF0035
IBM Security Access Manager for Web (appliance)	7.0 - 7.0.0.34 (appliance)	IJ03469

Apply Interim Fix 35:

7.0.0-ISS-WGA-IF0035

IBM Security Access Manager for Web (appliance) | 8.0 - 8.0.1.7 | IJ03467 |

1. For versions prior to 8.0.1.7, upgrade to 8.0.1.7:
8.0.1-ISS-WGA-FP0007_ _

2. Apply 8.0.1.7 IF 1:
8.0.1.7-ISS-WGA-IF0001

IBM Security Access Manager for Mobile (appliance) | 8.0 - 8.0.1.7 | IJ03468 |

1. For versions prior to 8.0.1.7, upgrade to 8.0.1.7:
8.0.1-ISS-ISAM-FP0007

2. Upgrade to 8.0.1.7 IF 1:
8.0.1.7-ISS-ISAM-IF0001

IBM Security Access Manager (appliance) | 9.0 - 9.0.4.0 | IJ03467 |

1. For versions prior to 9.0.4.0, upgrade to 9.0.4.0:

9.0.4-ISS-ISAM-FP0000

2. Upgrade to 9.0.4.0 IF 2:
9.0.4.0-ISS-ISAM-IF0002

For IBM Tivoli Access Manager for e-business 6.0 and earlier, IBM recommends upgrading to a fixed, supported release of the product.

Workarounds and Mitigations

None

CPENameOperatorVersion
ibm security access managereq7.0.0
ibm security access managereq8.0.0
ibm security access managereq8.0.0.1
ibm security access managereq8.0.0.2
ibm security access managereq8.0.0.3
ibm security access managereq8.0.0.4
ibm security access managereq8.0.0.5
ibm security access managereq8.0.1
ibm security access managereq8.0.1.2
ibm security access managereq8.0.1.3

Name	Operator	Version
ibm security access manager	eq	7.0.0
ibm security access manager	eq	8.0.0
ibm security access manager	eq	8.0.0.1
ibm security access manager	eq	8.0.0.2
ibm security access manager	eq	8.0.0.3
ibm security access manager	eq	8.0.0.4
ibm security access manager	eq	8.0.0.5
ibm security access manager	eq	8.0.1
ibm security access manager	eq	8.0.1.2
ibm security access manager	eq	8.0.1.3