Security Bulletin: Information Disclosure Security Vulnerability Affects IBM Sterling File Gateway (CVE-2018-1470, CVE-2017-1544, CVE-2017-1575)

Summary

Information disclosure security vulnerability affects IBM Sterling Filegateway.

Vulnerability Details

CVEID: CVE-2018-1470 DESCRIPTION: IBM Sterling File Gateway could allow a remote authenticated attacker to obtain sensitive information displayed in the URL that could lead to further attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/140688&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-1544 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition caches usernames and passwords in browsers that could be used by a local attacker to obtain sensitive information.
CVSS Base Score: 2.4
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/130812&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-1575 DESCRIPTION: IBM Sterling B2B Integrator Standard Edition uses weaker than expected cryptographic algorithms that could allow a local attacker to decrypt highly sensitive information.
CVSS Base Score: 5.1
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/132032&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)

Affected Products and Versions

IBM Sterling File Gateway 2.2.0 - 2.2.6

Remediation/Fixes

PRODUCT & Version

|

APAR

|

Remediation/Fix

—|—|—

IBM Sterling File Gateway 2.2.0 - 2.2.6

| IIT24279, IT25642, IT24705 |

Apply Fix Pack 5020603_6 available on Fix Central

Workarounds and Mitigations

None