Security Bulletin: Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway

Published: 2024-07-04 15:49:36
Source: www.ibm.com
Tags: ibm sterling, b2b integrator, file gateway, vulnerabilities, sql injection, path traversal, file upload, cross-site scripting, command injection, session hijacking

CVSS2: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Attack Vector: NETWORK | Attack Complexity: LOW | Authentication: SINGLE
Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
AI Score: 7.8 (Confidence: High)
EPSS: 0.003 (Percentile: 69.3%)

Summary

IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities. These vulnerabilities include:
- SQL Injection
- Path Traversal
- Unrestricted File Upload
- Cross-Site Scripting (XSS)
- Insufficient Session-ID Length
- Information Disclosure
- Command Injection
- File Type Manipulation
- Session Hijacking

Vulnerability Details

SQL Injection (CVE-2013-0560)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are subject to SQL injection. An authenticated remote attacker could send specially crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE ID: CVE-2013-0560
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83012 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0


Path Traversal (CVE-2013-2984)

**DESCRIPTION:** Path traversal is possible in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could gain access to restricted files.

CVE ID: CVE-2013-2984
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1

IBM Sterling File Gateway 2.2 and 2.1


Unrestricted File Upload (CVE-2013-2982)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway allow files of any type to be uploaded. A successful attacker could use this flaw to launch further attacks.

CVE ID: CVE-2013-2982
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1

IBM Sterling File Gateway 2.2 and 2.1


Command Injection (CVE-2013-0476)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to FTP command injection attacks. A remote attacker could inject unauthorized FTP commands, which could compromise the server.

CVE ID: CVE-2013-0476
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81405 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0


Insufficient Session-ID Length (CVE-2013-0539)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by an insufficient Session-ID length vulnerability that exists in a third-party component. A shorter session identifier leaves the applications open to brute-force session guessing attacks. An attacker can hijack a user's session if the user's session identifier is guessed.

CVE ID: CVE-2013-0539
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0


Cross-Site Scripting (XSS) (CVE-2013-0455, CVE-2013-0468, CVE-2013-2983, CVE-2013-0559)

**DESCRIPTION:** Cross-Site Scripting (XSS) vulnerabilities are found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to execute a script in a victim's web browser within the security context of the hosting web site once the victim clicks a crafted URL. An attacker could use this to steal the victim's cookie-based authentication credentials.

CVE ID: CVE-2013-0455
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0468
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2983
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-0559
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83011 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:N/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0


Information Disclosure (CVE-2013-0558, CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475)

**DESCRIPTION:** Information Disclosure vulnerabilities are found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to gain insight into application implementation details and use them to form further attacks.

CVE ID: CVE-2013-0558
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-0463
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81017 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2985
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2987
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84009 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-3020
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0568
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83165 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0475
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 5.0


File Type Manipulation (CVE-2013-0479)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to file type or extension manipulation, which could cause improper handling of the file.

CVE ID: CVE-2013-0479
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81547 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0


Information Disclosure (CVE-2013-0567)

**DESCRIPTION:** Information Disclosure vulnerability is found in various areas of IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details and use them to form further attacks.

CVE ID: CVE-2013-0567
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83164 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling File Gateway 2.2 and 2.1


Session Hijacking (CVE-2013-0456)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to session hijacking through cookie path manipulation.

CVE ID: CVE-2013-0456
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
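
Every entry above pairs a CVSS base score with a v2 vector, and the two can be checked against each other with the CVSS v2.0 base equations. The script below is an added example, not IBM or X-Force tooling: the metric weights are the ones in the CVSS v2.0 specification, the entry list is copied from this bulletin (one representative CVE per distinct vector), and the function names are this example's own. Run over the bulletin it reports eight consistent entries, the CVE-2013-0559 vector as unparseable (AC:N is not a CVSS v2 value; Access Complexity is H, M or L), and CVE-2013-3020 as a mismatch, because its listed vector AV:L/AC:M/Au:S/C:P/I:N/A:N evaluates to 1.5 rather than the stated 3.5.

```python
"""CVSS v2 base-score check for the entries in this bulletin.

Parses a vector such as '(AV:N/AC:L/Au:S/C:P/I:P/A:P)', recomputes the base
score with the CVSS v2.0 equations and compares it with the score stated
beside it. Added example, not IBM or X-Force tooling; the weights are the
CVSS v2.0 specification's and the entry list is copied from the bulletin.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
_CANONICAL = {name.lower(): name for name in WEIGHTS}


def parse_vector(vector: str) -> dict:
    """Return {metric: value}. Metric names are matched case-insensitively
    because the bulletin writes both 'Au' and 'AU'. Raises ValueError on an
    unknown metric, an invalid value or a missing metric."""
    metrics = {}
    for part in vector.strip("() ").split("/"):
        name, _, value = part.partition(":")
        key = _CANONICAL.get(name.lower())
        if key is None or value not in WEIGHTS[key]:
            raise ValueError(f"invalid metric {part!r} in {vector}")
        metrics[key] = value
    missing = set(WEIGHTS) - set(metrics)
    if missing:
        raise ValueError(f"missing metrics {sorted(missing)} in {vector}")
    return metrics


def _round1(x: float) -> float:
    """CVSS rounds to one decimal, half up (Python's round() is half-even)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score: impact and exploitability sub-scores combined."""
    m = parse_vector(vector)

    def w(metric):
        return WEIGHTS[metric][m[metric]]

    impact = 10.41 * (1 - (1 - w("C")) * (1 - w("I")) * (1 - w("A")))
    exploitability = 20 * w("AV") * w("AC") * w("Au")
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


# (CVE, stated base score, stated vector) copied from this bulletin; one
# representative CVE for each distinct vector that appears on the page.
BULLETIN_ENTRIES = [
    ("CVE-2013-0560", 6.5, "(AV:N/AC:L/AU:S/C:P/I:P/A:P)"),
    ("CVE-2013-0476", 5.8, "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"),
    ("CVE-2013-0539", 5.0, "(AV:N/AC:L/AU:N/C:P/I:N/A:N)"),
    ("CVE-2013-0455", 4.3, "(AV:N/AC:M/Au:N/C:N/I:P/A:N)"),
    ("CVE-2013-0468", 3.5, "(AV:N/AC:M/Au:S/C:N/I:P/A:N)"),
    ("CVE-2013-0559", 3.5, "(AV:N/AC:N/AU:S/C:N/I:P/A:N)"),
    ("CVE-2013-0463", 4.0, "(AV:N/AC:L/Au:S/C:P/I:N/A:N)"),
    ("CVE-2013-3020", 3.5, "(AV:L/AC:M/Au:S/C:P/I:N/A:N)"),
    ("CVE-2013-0568", 3.5, "(AV:N/AC:M/Au:S/C:P/I:N/A:N)"),
    ("CVE-2013-0479", 4.0, "(AV:N/AC:L/Au:S/C:N/I:P/A:N)"),
]


def check_bulletin(entries=BULLETIN_ENTRIES) -> dict:
    """Map each CVE to 'ok', 'mismatch (computed X)' or 'unparseable: ...'."""
    results = {}
    for cve, stated, vector in entries:
        try:
            computed = base_score(vector)
        except ValueError as exc:
            results[cve] = f"unparseable: {exc}"
            continue
        results[cve] = "ok" if computed == stated else f"mismatch (computed {computed})"
    return results


if __name__ == "__main__":
    for cve, status in check_bulletin().items():
        print(f"{cve}: {status}")
```

The rounding helper matters: the specification rounds half up, while Python's built-in `round()` rounds half to even, so a naive port can disagree with a vendor calculator on scores that land exactly on a .x5 boundary.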

Affected Products and Versions

IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0

Remediation/Fixes

| Product | APAR | Remediated Fixes |
|---|---|---|
| IBM Sterling B2B Integrator 5.0 or IBM Sterling File Gateway 2.0 | IC90773, IC92007, IC89294, IC89538, IC89434, IC89385, IC89429, IC86096, IC87672, IC88970, IC87731, IC89293, IC89291, IC88972, IC90483, IC92612, IC91628, IC92259 | For the APAR fixes listed, apply Fix Pack 5010 available on IWM |
| IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply generic iFix 5104_1 available on IWM |
| IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply generic iFix 5020401_3 available on Fix Central |
| IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply Fix Pack 5020402 available on Fix Central |
| IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC95996, IC88973 | Apply 5020500 Fix Pack or Media available on Fix Central and Passport Advantage respectively |

To acquire the fix from IWM, log in to IWM.
See the FAQs on downloading an iFix from the IWM site.

To acquire the fix from Fix Central, log in to IBM Fix Central.

More details and release notes can be found in the IBM Sterling B2B Integrator 5.2 Knowledge Center.

To acquire the fix from Passport Advantage, log in to Passport Advantage.

ADDITIONAL INFORMATION:

The iFixes listed above for Sterling B2B Integrator and Sterling File Gateway also contain fixes for the following reported vulnerabilities.

| Title | CVE ID | Link |
|---|---|---|
| Improper validation of user-supplied input on select IBM Sterling B2B Integrator screens | CVE-2012-5766 | https://www.ibm.com/support/pages/apar/IC84082 |
| IBM Sterling B2B Integrator's session or sensitive cookies do not have the secure attribute enabled | CVE-2012-5936 | http://www.ibm.com/support/docview.wss?uid=swg21627985 |
| Error in IBM Sterling B2B Integrator console processing could result in stack traces being displayed in the response | CVE-2013-0481 | http://www.ibm.com/support/docview.wss?uid=swg21627986 |
| A number of security vulnerabilities have been discovered in the OpenSSL libraries included in IBM Sterling B2B Integrator and IBM Sterling File Gateway | Multiple CVEs | http://www.ibm.com/support/docview.wss?uid=swg21640831 |
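
Three of the items on this page are properties of the session cookie that a defender can verify directly from a `Set-Cookie` header: an identifier too short to resist guessing (CVE-2013-0539 under Vulnerability Details), a cookie path that does not match the application (the cookie-path issue behind CVE-2013-0456), and a session cookie issued without the Secure attribute (CVE-2012-5936 in the table above). The audit script below is an added example, not IBM's code: the two headers are constructed for illustration, the 64-bit minimum, the application path `/dashboard`, the 1000 live sessions and the 1000 guesses per second are assumed policy and sizing inputs, and the hijack-time estimate is the usual 2^bits / (2 × sessions × rate) rule of thumb from session-management guidance.

```python
"""Audit a Set-Cookie header for the session-cookie weaknesses this bulletin
lists: a short session identifier, a cookie Path that does not match the
application, and missing Secure/HttpOnly attributes. Added example, not
IBM's code; the headers below are constructed, not captured from the product."""
import math
import string

# Standard token alphabets, smallest first: a token that fits a smaller
# alphabet is credited with fewer bits per character.
ALPHABETS = [
    (10, set(string.digits)),
    (16, set(string.hexdigits)),
    (62, set(string.ascii_letters + string.digits)),
    (64, set(string.ascii_letters + string.digits + "+/")),
    (64, set(string.ascii_letters + string.digits + "-_")),
]

# Assumed policy threshold for this example (not a value from the bulletin).
MIN_SESSION_ID_BITS = 64

# Constructed samples: a weak cookie and a well-formed one.
WEAK_COOKIE = "JSESSIONID=1A2B3C4D; Path=/"
GOOD_COOKIE = "JSESSIONID=3f9a1c7e5b2d4a6f8c0e1b3d5f7a9c2e; Path=/dashboard; Secure; HttpOnly"


def estimated_id_bits(token: str) -> float:
    """Upper bound on the entropy of a session identifier: its length times
    log2 of the smallest standard alphabet containing all of its characters.
    A real generator can only do worse than this bound, never better."""
    core = token.rstrip("=")  # ignore base64 padding
    chars = set(core)
    for size, alphabet in ALPHABETS:
        if chars <= alphabet:
            return len(core) * math.log2(size)
    return len(core) * math.log2(max(len(chars), 2))


def expected_seconds_to_hijack(bits: float, active_sessions: int, guesses_per_second: float) -> float:
    """Expected time for blind guessing to land on one of `active_sessions`
    valid identifiers drawn from a 2**bits space at `guesses_per_second`:
    the usual 2**bits / (2 * sessions * rate) estimate."""
    return 2 ** bits / (2 * active_sessions * guesses_per_second)


def parse_set_cookie(header: str):
    """Split 'NAME=value; Path=/x; Secure; HttpOnly' into (name, value, attrs).
    Attribute names are lower-cased; value-less attributes map to True."""
    first, *rest = (part.strip() for part in header.split(";"))
    name, _, value = first.partition("=")
    attrs = {}
    for part in rest:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header: str, app_path: str = "/", active_sessions: int = 1000,
                     guesses_per_second: float = 1000) -> list:
    """Return a list of findings; an empty list means the cookie passes."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    bits = estimated_id_bits(value)
    if bits < MIN_SESSION_ID_BITS:
        eta = expected_seconds_to_hijack(bits, active_sessions, guesses_per_second)
        findings.append(f"{name}: ~{bits:.0f} bits of identifier, guessable in about {eta:.0f}s "
                        f"at {guesses_per_second}/s with {active_sessions} live sessions")
    if attrs.get("secure") is not True:
        findings.append(f"{name}: missing Secure (cookie is also sent over plain HTTP)")
    if attrs.get("httponly") is not True:
        findings.append(f"{name}: missing HttpOnly (cookie is readable by page script)")
    path = attrs.get("path")
    if path is None:
        findings.append(f"{name}: no Path attribute (browser defaults to the request directory)")
    elif path != app_path:
        findings.append(f"{name}: Path={path} does not match application path {app_path}; "
                        "a cookie scoped wider than the application reaches other paths on the host")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_COOKIE), ("good", GOOD_COOKIE)):
        print(label, audit_set_cookie(header, app_path="/dashboard") or ["no findings"])
```

The entropy figure is an upper bound from length and alphabet alone; it catches an identifier that is too short by construction, but a long identifier from a weak generator still needs a statistical test over many samples.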

Workarounds and Mitigations

None Known.

Affected configurations

Vulners node: ibm sterling_b2b_integrator 5.2 OR 5.1 OR 5.0, ibm sterling_file_gateway 2.2 OR 2.1

| Vendor | Product | Version | CPE |
|---|---|---|---|
| ibm | sterling_b2b_integrator | 5.2 | cpe:2.3:a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:* |
| ibm | sterling_b2b_integrator | 5.1 | cpe:2.3:a:ibm:sterling_b2b_integrator:5.1:*:*:*:*:*:*:* |
| ibm | sterling_b2b_integrator | 5.0 | cpe:2.3:a:ibm:sterling_b2b_integrator:5.0:*:*:*:*:*:*:* |
| ibm | sterling_file_gateway | 2.2 | cpe:2.3:a:ibm:sterling_file_gateway:2.2:*:*:*:*:*:*:* |
| ibm | sterling_file_gateway | 2.1 | cpe:2.3:a:ibm:sterling_file_gateway:2.1:*:*:*:*:*:*:* |
