Security Bulletin: Multiple Security Vulnerabilities in Apache Geronimo Affect IBM Sterling B2B Integrator

Summary

Multiple Security Vulnerabilities in Apache Geronimo Affect IBM Sterling B2B Integrator

Vulnerability Details

CVEID: CVE-2008-0732 DESCRIPTION: Apache Geronimo could allow a local attacker to obtain sensitive information, caused by the init script following symlinks during a chown operation. A location attacker could exploit this vulnerability and gain unauthorized access to files and directories to obtain sensitive information.
CVSS Base Score: 2.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/40562&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-5034 DESCRIPTION: Apache Geronimo is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/72047&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2006-0254 DESCRIPTION: Apache Geronimo is vulnerable to cross-site scripting, caused by improper validation of HTML tags by the Web-Access-Log Viewer. A remote attacker could exploit this vulnerability using a specially-crafted HTTP request to embed malicious script within the log file which, once the log file is viewed, would be executed in the administrator’‘s Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim’'s cookie-based authentication credentials.
CVSS Base Score: 2.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/24159&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2007-5797 DESCRIPTION: Apache Geronimo could alllow a remote attacker to bypass security restrictions, caused by an error in the SQLLoginModule during the authentication process. By logging into the database with a non-existent username, a remote attacker could exploit this vulnerability to bypass authentication and gain unauthorized access to the vulnerable system. Note: The IBM WebSphere Application Server Community Edition is also affected by this vulnerability.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/38211&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2007-4548 DESCRIPTION: Apache Geronimo could allow a remote attacker to bypass security restrictions, caused by the login method in LoginModule implementations failing to throw an exception for failed logins. A remote attacker could exploit this vulnerability to bypass authentication and send a null username and password in the command line deployer of the deployment module to gain unauthorized access to the vulnerable system.
CVSS Base Score: 7
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/36468&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

5.2.0.1 - 5.2.6.3

Remediation/Fixes

PRODUCT & Version

|

Remediation/Fix

—|—

IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3

|

Apply IBM Sterling B2B Integrator version 6.0.0.0 or 5.2.6.4 available on Fix Central

Workarounds and Mitigations

None