Security Bulletin: Tivoli Key Lifecycle Manager can be affected by multiple vulnerabilities in Tivoli Integrated Portal (CVE-2013-0464, CVE-2012-3325, CVE-2011-4858)

Abstract

Multiple vulnerabilities in IBM Tivoli Integrated Portal can affect IBM Tivoli Key Lifecycle Manager

Content

VULNERABILITY DETAILS:

DESCRIPTION:

CVE-2013-0464

The IBM Eclipse Help System (contained within the Tivoli Integrated Portal component provided with Tivoli Key Lifecycle Manager), as used in multiple IBM products, is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

The attack requires some specialized knowledge or techniques and network access, but does not require authentication. An exploit could impact the integrity of data, but the confidentiality of information and the availability of the system are not compromised.

CVEID:
CVE-2013-0464

CVSS Base Score: 4.3
CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS AND VERSIONS:
IBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 on distributed platforms only (does not apply to z/OS platform)

REMEDIATION:

Upgrade to Tivoli Integrated Portal (TIP) 1.1.1.19 by applying Interim fix applicable for respective product release:

• 1.0.0-ISS-TKLM-IF0006
• 2.0.0-ISS-TKLM-IF0007
• 2.0.1-ISS-TKLM-IF0004

Contact IBM Technical Support to obtain these fixes

Workaround(s):
None

Mitigation(s):
None

CVE-2012-3325

The WebSphere Application Server (contained within the Tivoli Integrated Portal component of Tivoli Key Lifecycle Manager), could allow a remote authenticated attacker to bypass security restrictions, caused by an error when validating user credentials following application of APAR PM44303. An attacker could exploit this vulnerability to gain unauthorized administrative access to the application and potentially gain access to confidential and critical customer data.

The attack requires some specialized knowledge or techniques and network access, and requires single authentication. An exploit could impact the integrity of data, the confidentiality of information and the availability of the system.

CVEID:
CVE-2012-3325

CVSS Base Score: 6
CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/77959 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS AND VERSIONS:
IBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 on distributed platforms only (does not apply to z/OS platform)

REMEDIATION:

Upgrade to Tivoli Integrated Portal (TIP) 1.1.1.19 by applying Interim fix applicable for respective product release:

• 1.0.0-ISS-TKLM-IF0006
• 2.0.0-ISS-TKLM-IF0007
• 2.0.1-ISS-TKLM-IF0004

Contact IBM Technical Support to obtain these fixes

Workaround(s):
None

Mitigation(s):
None

CVE-2011-4858

Apache Tomcat (contained within the Tivoli Integrated Portal component of Tivoli Key Lifecycle Manager), is vulnerable to a denial of service, caused by the improper handling of an overly large number of parameter and parameter values. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to consume an overly large amount of CPU resources.

The attack does not require specialized knowledge or techniques, nor does it require authentication, and network access required. An exploit could impact the availability of the system, but the confidentiality of information and the integrity of data are not compromised.

CVEID:
CVE-2011-4858

CVSS Base Score: 5
CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/72425 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

AFFECTED PRODUCTS AND VERSIONS:
IBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 on distributed platforms only (does not apply to z/OS platform)

REMEDIATION:

Upgrade to Tivoli Integrated Portal (TIP) 1.1.1.19 by applying Interim fix applicable for respective product release:

• 1.0.0-ISS-TKLM-IF0006
• 2.0.0-ISS-TKLM-IF0007
• 2.0.1-ISS-TKLM-IF0004

Contact IBM Technical Support to obtain these fixes

Workaround(s):
None

Mitigation(s):
None

REFERENCES:

• On-line Calculator V2_ _
• CVE-2013-0464
• CVE-2012-3325
• CVE-2011-4858
• IBM Security Alerts
• https://exchange.xforce.ibmcloud.com/vulnerabilities/81060
• https://exchange.xforce.ibmcloud.com/vulnerabilities/77959
• https://exchange.xforce.ibmcloud.com/vulnerabilities/72425

RELATED INFORMATION:
_IBM Secure Engineering Web Portal _
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

_*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Flash. _

_Note: _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{“Product”:{“code”:“SSWPVP”,“label”:“IBM Security Key Lifecycle Manager”},“Business Unit”:{“code”:“BU059”,“label”:“IBM Software w/o TPS”},“Component”:“Distributed”,“Platform”:[{“code”:“PF002”,“label”:“AIX”},{“code”:“PF016”,“label”:“Linux”},{“code”:“PF027”,“label”:“Solaris”},{“code”:“PF033”,“label”:“Windows”}],“Version”:“1.0;2.0;2.0.1”,“Edition”:“”,“Line of Business”:{“code”:“LOB24”,“label”:“Security Software”}}]