Security Bulletin: IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise Edition is affected by ASoC vulnerability (CVE-2012-5351)

Summary

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise has addressed the ASoC vulnerability.

Vulnerability Details

CVEID: CVE-2012-5351 DESCRIPTION: Apache Axis2 could allow a remote attacker to bypass security restrictions. An attacker could exploit this vulnerability using a SAML assertion that lacks a Signature element to bypass the authentication process to forge messages.
CVSS Base Score: 5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/79487&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)

Affected Products and Versions

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise 2.5, 2.5.0.1, 2.5.0.2, 2.5.0.3, 2.5.0.4, 2.5.0.5, 2.5.0.6, 2.5.0.7, 2.5.0.8, 2.5.0.9, 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5

Remediation/Fixes

The recommended solution is to apply the fixes as soon as practical.

For 2.5 versions, IBM recommends upgrading to Fix Pack 10 (2.5.0.10) of IBM Cloud Orchestrator:

<https://www.ibm.com/support/pages/ibm-cloud-orchestrator-fix-pack-10-25010-25&gt;

IBM Cloud Orchestrator and IBM Cloud Orchestrator Enterprise | 2.4, 2.4.0.1, 2.4.0.2, 2.4.0.3, 2.4.0.4, 2.4.0.5 |

Contact IBM Cloud Orchestrator support.

Workarounds and Mitigations

None