
Security Bulletin: IBM Tivoli Monitoring TEP Server vulnerabilities

2018-06-17 15:40:28
www.ibm.com

7.5 High (CVSS3)

- Attack Vector: ADJACENT_NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH

CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

5.4 Medium (CVSS2)

- Access Vector: ADJACENT_NETWORK
- Access Complexity: MEDIUM
- Authentication: NONE
- Confidentiality Impact: PARTIAL
- Integrity Impact: PARTIAL
- Availability Impact: PARTIAL

AV:A/AC:M/Au:N/C:P/I:P/A:P

Summary

By default, communications between the Tivoli Enterprise Portal client and server are not encrypted, which gives rise to the following vulnerabilities.

Vulnerability Details

**CVEID:** CVE-2017-1181
**DESCRIPTION:** IBM Tivoli Monitoring Portal client could allow a local attacker to gain elevated privileges for IBM Tivoli Monitoring, caused by the default console connection not being encrypted.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/123487> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

**CVEID:** CVE-2017-1183
**DESCRIPTION:** IBM Tivoli Monitoring Portal could allow a local (network adjacent) attacker to modify SQL commands sent to the Portal Server when the default client-server communication, HTTP, is being used.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/123494> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

**CVEID:** CVE-2017-1182
**DESCRIPTION:** IBM Tivoli Monitoring Portal could allow a local (network adjacent) attacker to execute arbitrary commands on the system when the default client-server communication, HTTP, is being used.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/123493> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Tivoli Portal Server (KCQ component) versions 6.2.2 Fix Pack 9, 6.2.3 through 6.2.3 Fix Pack 5 and 6.3.0 through 6.3.0 Fix Pack 7

Remediation/Fixes

The patches below update the default configuration for the Tivoli Enterprise Portal Server (kcq component).

| Fix | VRMF | How to acquire fix |
|---|---|---|
| 6.3.0-TIV-ITM-FP0007-IV96017 | 6.3.0 | <http://www.ibm.com/support/docview.wss?uid=swg24043856> |
| 6.2.3-TIV-ITM-FP0005-IV96017 | 6.2.3 | |
| 6.2.2-TIV-ITM-FP0009-IV96017 | 6.2.2 | |

Workarounds and Mitigations

The Tivoli Enterprise Portal Server can be secured using existing product configuration settings, as documented at the link below (Note: the documentation applies to all affected releases):

<https://www.ibm.com/support/knowledgecenter/SSTFXA_6.3.0/com.ibm.itm.doc_6.3/install/ed_ssl.htm>
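Whichever route is taken (fix pack or the SSL configuration above), the change is only effective if portal clients actually stop speaking cleartext HTTP to the server. The snippet below is an added example, not IBM's code or anything from the bulletin: it fingerprints the first bytes a client sends (TLS ClientHello record versus an HTTP/1.x request line) and reports console sessions that are still unencrypted. The flows and the console port numbers are constructed placeholders, not values taken from the bulletin or from product documentation.

```python
"""Tell cleartext HTTP from TLS by the first bytes a client sends.

Added example, not part of the bulletin. Fingerprints the opening bytes of a
client-to-server payload so a capture of portal client traffic can be audited
for connections that still use unencrypted HTTP after SSL has been enabled.
Port numbers and flows are constructed placeholders, not documented values.
"""

# HTTP/1.x request lines begin with a method token followed by a space.
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                b"OPTIONS ", b"PATCH ", b"CONNECT ", b"TRACE ")


def classify_payload(data: bytes) -> str:
    """Return 'tls', 'cleartext-http' or 'unknown' for a client's first bytes."""
    # A TLS ClientHello is a record of content type 22 (handshake) with a
    # legacy version of 0x03xx, a 2-byte length, then handshake type 1.
    if (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01):
        return "tls"
    if data.startswith(HTTP_METHODS):
        return "cleartext-http"
    return "unknown"


def find_cleartext_console_sessions(flows, console_ports):
    """Return (client, server, port, classification) for every flow to a
    console port whose first client payload is not a TLS handshake.

    `flows` is an iterable of (client_ip, server_ip, server_port, first_bytes).
    """
    findings = []
    for client, server, port, first_bytes in flows:
        if port not in console_ports:
            continue
        kind = classify_payload(first_bytes)
        if kind != "tls":
            findings.append((client, server, port, kind))
    return findings


# Constructed sample flows (not a real capture). The second payload is a
# minimal TLS record header: type 22, version 3.1, length 0x00c8, then a
# ClientHello (handshake type 1) with its own length and version fields.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.20", 15200, b"GET / HTTP/1.1\r\nHost: teps.example\r\n\r\n"),
    ("10.0.0.6", "10.0.0.20", 15201, bytes.fromhex("16030100c8010000c40303")),
    ("10.0.0.7", "10.0.0.20", 15200, b"\x00\x01\x02\x03\x04\x05"),
    ("10.0.0.8", "10.0.0.20", 8080, b"GET /other HTTP/1.1\r\n\r\n"),
]
# Assumed console listener ports: placeholder values for this example only.
CONSOLE_PORTS = {15200, 15201}

if __name__ == "__main__":
    for finding in find_cleartext_console_sessions(SAMPLE_FLOWS, CONSOLE_PORTS):
        print("non-TLS console session:", finding)
```

The "unknown" bucket is kept deliberately: a console port carrying something that is neither TLS nor HTTP is worth a look rather than a silent pass, and the function leaves traffic on non-console ports alone so the result is scoped to the channel the bulletin is about.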
