CVSS2: 10 High
AV:N/AC:L/Au:N/C:C/I:C/A:C (Access Vector: Network; Access Complexity: Low; Authentication: None; Confidentiality, Integrity and Availability Impact: Complete)
Security Bulletin: Asset and Service Management Products - Potential security exposure when using WS-Security, with either JAX-WS or JAX-RPC, resulting in a user gaining elevated privileges (CVE-2011-1377).
VULNERABILITY DETAILS:
CVE ID: CVE-2011-1377
DESCRIPTION:
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). After authentication, WS-Security may assign the identity of a previously processed LTPA token to a new inbound LTPA token, so a caller could unpredictably be run under the identity of an earlier caller and gain elevated privileges on the provider system. This affects applications using either JAX-WS or JAX-RPC.
CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
This vector evaluates to 2.1 under the CVSS v2 base equation. Note that the "10 High" rating with vector AV:N/AC:L/Au:N/C:C/I:C/A:C shown at the top of this page is a different vector from IBM's; do not conflate the two when prioritising, and recompute from whichever vector you decide to trust.
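Because the vector in the bulletin and the rating at the top of this page disagree, it helps to recompute both. The following is an added example in Python, not code from IBM or from the bulletin, that implements the CVSS v2 base equation as published in the CVSS v2 guide and evaluates both vectors; the severity bands it prints are NVD's bands for v2 scores (an assumption about which banding the page's "High" label uses).

```python
"""Added example (not part of the IBM bulletin): evaluate a CVSS v2 base vector
with the public CVSS v2 base equation so that the two vectors on this page can
be compared on the same footing. Temporal and environmental metrics are not
modelled. Severity bands are NVD's for CVSS v2 (Low < 4.0, Medium < 7.0,
otherwise High); that banding is an assumption, not something IBM states.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, as tabulated in the CVSS v2 guide.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

BASE_METRICS = ("AV", "AC", "Au", "C", "I", "A")
WEIGHT_TABLES = {"AV": ACCESS_VECTOR, "AC": ACCESS_COMPLEXITY, "Au": AUTHENTICATION,
                 "C": IMPACT, "I": IMPACT, "A": IMPACT}


def parse_base_vector(vector: str) -> dict:
    """Split 'AV:N/AC:H/Au:S/C:N/I:P/A:N' (optionally parenthesised) into a dict
    and reject anything that is not a complete, well-formed v2 base vector."""
    text = vector.strip().strip("()")
    metrics = {}
    for part in text.split("/"):
        name, _, value = part.partition(":")
        metrics[name] = value
    if tuple(metrics) != BASE_METRICS:
        raise ValueError(f"expected the six base metrics in order, got {vector!r}")
    for name, value in metrics.items():
        if value not in WEIGHT_TABLES[name]:
            raise ValueError(f"metric {name} has unknown value {value!r}")
    return metrics


def _round_half_up(x: float) -> float:
    # The CVSS v2 guide rounds to one decimal place; use half-up rounding rather
    # than Python's round(), which rounds half to even.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(vector: str) -> float:
    """CVSS v2 base equation: Impact, Exploitability, then the weighted sum."""
    m = parse_base_vector(vector)
    impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
    exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]
    f_impact = 0.0 if impact == 0 else 1.176  # f(Impact) = 0 when there is no impact
    return _round_half_up(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


def nvd_v2_severity(score: float) -> str:
    """NVD's qualitative bands for CVSS v2 scores (assumed banding)."""
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    return "High"


if __name__ == "__main__":
    for label, vec in (("IBM bulletin", "(AV:N/AC:H/Au:S/C:N/I:P/A:N)"),
                       ("page header", "AV:N/AC:L/Au:N/C:C/I:C/A:C")):
        score = cvss2_base_score(vec)
        print(f"{label:13s} {vec:30s} -> {score} ({nvd_v2_severity(score)})")
```

IBM's vector gives 2.1 (Low) and the header's vector gives 10.0 (High); the difference comes entirely from the Access Complexity, Authentication and Confidentiality/Availability metrics, not from the equation, so the question for prioritisation is which vector describes your deployment.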
VERSIONS AFFECTED:
· WebSphere Application Server, all platforms: Versions 8.0 through 8.0.0.2, 7.0 through 7.0.0.21, 6.1 through 6.1.0.41, and 6.0.2 through 6.0.2.43.
· WebSphere Application Server Feature Pack for Web Services: Versions 6.1.0.9 through 6.1.0.39.
The following IBM products bundle affected WebSphere Application Server versions:
· Maximo Asset Management, Maximo Industry Solutions, and Tivoli Asset Management for IT 6.x bundle WebSphere Application Server 6.0.
· Maximo Asset Management, Maximo Industry Solutions, Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database 7.1 and 7.2 bundle WebSphere Application Server 6.1.
· Maximo Asset Management and Maximo Industry Solutions 7.5 bundle WebSphere Application Server 7.0.
· Smart Cloud Control Desk 7.5 bundles WebSphere Application Server 7.0.
· Intelligent Building Management 1.1 bundles WebSphere Application Server 7.0.
· TRIRIGA Energy Optimization 1.1 bundles WebSphere Application Server 7.0.
REMEDIATION:
Determine the specific version of WebSphere that you have installed, then go to the WebSphere Security Flash for PM43585/PM43792/PM451681 to download the appropriate Interim Fix, or a Fix Pack that contains this APAR. On that page the Interim Fixes and Fix Packs are grouped by WebSphere version; locate the entry that matches your installed version and follow its link to the download page for the fix.
To determine your WebSphere version:
1. Sign in to the WebSphere Administrative Console.
2. The Welcome page shows the WebSphere Application Server version (the bulletin's screenshots show 6.1.0.35, 6.0.2.43 and 7.0.0.13 as examples).
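To script that check across many servers instead of reading the console, here is an added example in Python; it is not part of the IBM bulletin. It assumes the version is taken from the output of <WAS_HOME>/bin/versionInfo.sh (versionInfo.bat on Windows) and that the report's "Installed Product" block contains a line of the form "Version   7.0.0.13"; that layout is an assumption, and the sample report embedded in the code is constructed, not real output. The affected ranges are exactly those listed under VERSIONS AFFECTED above.

```python
"""Added example (not part of the IBM bulletin): decide whether an installed
WebSphere Application Server version falls inside the ranges this bulletin
lists as affected by CVE-2011-1377.

Assumption: the version string comes from the output of
<WAS_HOME>/bin/versionInfo.sh, whose "Installed Product" block is assumed to
contain a line such as "Version               7.0.0.13". The Administrative
Console welcome page shows the same number.
"""
import re
import sys

# Affected ranges exactly as stated in the bulletin (both bounds inclusive).
AFFECTED = {
    "WebSphere Application Server": [
        ("6.0.2", "6.0.2.43"),
        ("6.1", "6.1.0.41"),
        ("7.0", "7.0.0.21"),
        ("8.0", "8.0.0.2"),
    ],
    "Feature Pack for Web Services": [
        ("6.1.0.9", "6.1.0.39"),
    ],
}


def parse_version(text: str) -> tuple:
    """'7.0.0.13' -> (7, 0, 0, 13); shorter strings such as '6.1' are
    right-padded with zeros so that '6.1' and '6.1.0.0' compare equal."""
    parts = [int(p) for p in text.strip().split(".")]
    if not parts or len(parts) > 4:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (4 - len(parts)))


def is_affected(version: str, product: str = "WebSphere Application Server") -> bool:
    """True if version lies inside one of the bulletin's ranges for product."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED[product])


def version_from_report(report: str):
    """Pull the base server version out of a versionInfo report (assumed layout)."""
    m = re.search(r"^Installed Product.*?^Version[ \t]+(\d+(?:\.\d+){1,3})",
                  report, re.M | re.S)
    return m.group(1) if m else None


# Constructed sample in the assumed versionInfo layout; not real tool output.
SAMPLE_REPORT = """\
Installed Product
--------------------------------------------------------------------------------
Name                  IBM WebSphere Application Server - ND
Version               7.0.0.13
ID                    ND
"""


def assess(report: str) -> str:
    ver = version_from_report(report)
    if ver is None:
        return "could not find a Version line under Installed Product in the report"
    if is_affected(ver):
        return f"WebSphere {ver}: inside an affected range for CVE-2011-1377; apply the APAR fix"
    return f"WebSphere {ver}: outside the ranges the bulletin lists as affected"


if __name__ == "__main__":
    # Usage: versionInfo.sh | python3 check_was.py   (falls back to the sample)
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_REPORT
    print(assess(report))
```

A hit only means the base version is within range. An Interim Fix for the APAR does not change the version number, so before concluding a server is unpatched, also check the installed maintenance that versionInfo reports; a server whose version is in range but which already carries the APAR's Interim Fix is remediated.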
REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
CVE-2011-1377
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
27 Jul 2012 | Flash published.
CROSS REFERENCE INFORMATION:
Segment | Product | Component/Platform | Version |
---|---|---|---|
Systems and Asset Management | Maximo Asset Management | All | 6.2.0 – 6.2.8; 7.1.1.0 – 7.1.1.10; 7.5.0.0 – 7.5.0.3 |
Systems and Asset Management | Maximo Asset Management Essentials | All | 7.1.1.0 – 7.1.1.10; 7.5.0.0 – 7.5.0.3 |
Systems and Asset Management | Maximo Asset Management for Energy Optimization | All | 7.1.0.0 – 7.1.1.0 |
Systems and Asset Management | Maximo for Government | All | 6.1.0.0; 7.1.0.0; 7.5.0.0 |
Systems and Asset Management | Maximo for Nuclear Power | All | 6.3.0; 7.1.0.0 – 7.1.1.0 |
Systems and Asset Management | Maximo for Transportation | All | 6.3.0; 7.1.0.0 – 7.1.1.0; 7.5.0.0 |
Systems and Asset Management | Maximo for Life Sciences | All | 6.4.0 – 6.5.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 |
Systems and Asset Management | Maximo for Oil and Gas | All | 6.3.0 – 6.4.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 |
Systems and Asset Management | Maximo for Utilities | All | 6.3.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 |
Systems and Asset Management | Tivoli Service Request Manager | All | 7.1.0.0 – 7.1.1.10; 7.2.0.0 – 7.2.1.3 |
Systems and Asset Management | Tivoli Asset Management for IT | All | 6.2.0 – 6.2.8; 7.1.0.0 – 7.1.1.10; 7.2.0.0 – 7.2.2.1 |
Systems and Asset Management | Change and Configuration Management Database | All | 7.1.0.0 – 7.1.1.10; 7.2.0.0 – 7.2.1.2 |
Systems and Asset Management | Smart Cloud Control Desk | All | 7.5.0.0 |
Systems and Asset Management | Intelligent Building Management | All | 1.1 |
Systems and Asset Management | TRIRIGA Energy Optimization | All | 1.1 |