logo
DATABASE RESOURCES PRICING ABOUT US

Security Bulletin: Security vulnerabilities have been fixed in the IBM Security Access Manager and IBM Security Verify Access products

Description

## Summary Fixes for security vulnerabilities identified in IBM Security Access Manager and IBM Security Verify Access are available. ## Vulnerability Details ** CVEID: **[CVE-2020-11868](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11868>) ** DESCRIPTION: **NTP is vulnerable to a denial of service, caused by a flaw in ntpd. By sending a server mode packet with a spoofed source IP address, a remote attacker could exploit this vulnerability to block unauthenticated synchronization resulting in a denial of service condition. CVSS Base score: 5.9 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/180011](<https://exchange.xforce.ibmcloud.com/vulnerabilities/180011>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H) ** CVEID: **[CVE-2020-13817](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13817>) ** DESCRIPTION: **NTP is vulnerable to a denial of service, caused by an issue when relying on unauthenticated IPv4 time sources in ntpd. By predicting transmit timestamps for use in spoofed packets, a remote attacker could exploit this vulnerability to cause the daemon to crash or system time change. CVSS Base score: 7.4 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183494](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183494>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:H) ** CVEID: **[CVE-2020-13692](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13692>) ** DESCRIPTION: **PostgreSQL JDBC Driver could allow a remote authenticated attacker to obtain sensitive information, caused by an XML external entity (XXE) error when processing XML data. By sending specially crafted XML data, a remote attacker could exploit this vulnerability to obtain sensitive information. CVSS Base score: 6.5 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/183018](<https://exchange.xforce.ibmcloud.com/vulnerabilities/183018>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) ** CVEID: **[CVE-2020-7656](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7656>) ** DESCRIPTION: **jQuery is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the load method. A remote attacker could exploit this vulnerability to inject malicious script into a Web page which would be executed in a victim's Web browser within the security context of the hosting Web site, once the page is viewed. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182264](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182264>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2018-1311](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1311>) ** DESCRIPTION: **Apache Xerces-C could allow a remote attacker to execute arbitrary code on the system, caused by an use-after-free error during the scanning of external DTDs. By sending a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service condition on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/173437](<https://exchange.xforce.ibmcloud.com/vulnerabilities/173437>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-4552](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-4552>) ** DESCRIPTION: **IBM Security Access Manager Appliance is vulnerable to HTTP response splitting attacks. A remote attacker could exploit this vulnerability using specially-crafted URL to cause the server to return a split response, once the URL is clicked. This would allow the attacker to perform further attacks, such as Web cache poisoning, cross-site scripting, and possibly obtain sensitive information. CVSS Base score: 6.1 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/165960](<https://exchange.xforce.ibmcloud.com/vulnerabilities/165960>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) ** CVEID: **[CVE-2020-9547](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177103](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177103>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9548](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177104](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177104>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-9546](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by the mishandling of interaction between serialization gadgets and typing in org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config). By sending a specially-crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/177102](<https://exchange.xforce.ibmcloud.com/vulnerabilities/177102>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2019-13734](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13734>) ** DESCRIPTION: **Google Chrome could allow a remote attacker to execute arbitrary code on the system, caused by an out-of-bounds write in SQLite. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 8.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/172917](<https://exchange.xforce.ibmcloud.com/vulnerabilities/172917>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2020-4499](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-4499>) ** DESCRIPTION: **IBM Security Access Manager Appliance could allow an unauthorized public Oauth client to bypass some or all of the authentication checks and gain access to applications. CVSS Base score: 7.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/182216](<https://exchange.xforce.ibmcloud.com/vulnerabilities/182216>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) ** CVEID: **[CVE-2020-24616](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-24616>) ** DESCRIPTION: **FasterXML jackson-databind could allow a remote attacker to execute arbitrary code on the system, caused by an unsafe deserialization between gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP). By sending specially-crafted input, an attacker could exploit this vulnerability to execute arbitrary code on the system. CVSS Base score: 9.8 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/187229](<https://exchange.xforce.ibmcloud.com/vulnerabilities/187229>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) ** CVEID: **[CVE-2012-5783](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5783>) ** DESCRIPTION: **Apache Commons HttpClient, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, could allow a remote attacker to conduct spoofing attacks, caused by the failure to verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/79984](<https://exchange.xforce.ibmcloud.com/vulnerabilities/79984>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2012-6153](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6153>) ** DESCRIPTION: **Apache HttpComponents could allow a remote attacker to conduct spoofing attacks, caused by an incomplete fix related to the failure to verify that the server hostname matches a domain name in the Subject's Common Name (CN) or SubjectAltName field of certificates. By persuading a victim to visit a Web site containing a specially-crafted certificate, an attacker could exploit this vulnerability using man-in-the-middle techniques to spoof an SSL server. CVSS Base score: 4.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/95328](<https://exchange.xforce.ibmcloud.com/vulnerabilities/95328>) for the current score. CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) ** CVEID: **[CVE-2018-14404](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14404>) ** DESCRIPTION: **libxml2 is vulnerable to a denial of service, caused by a NULL pointer dereference in the xpath.c:xmlXPathCompOpEval() function. By persuading a victim to open a specially-crafted file, a remote attacker could exploit this vulnerability to cause the application to crash. CVSS Base score: 3.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/147260](<https://exchange.xforce.ibmcloud.com/vulnerabilities/147260>) for the current score. CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) ** CVEID: **[CVE-2018-20852](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20852>) ** DESCRIPTION: **Python could allow a remote attacker to obtain sensitive information, caused by the failure to correctly validate the domain by http.cookiejar.DefaultPolicy.domain_return_ok in Lib/http/cookiejar.py. By using a server with a hostname that has another valid hostname as a suffix, an attacker could exploit this vulnerability to obtain leaked existing cookies. CVSS Base score: 5.3 CVSS Temporal Score: See: [ https://exchange.xforce.ibmcloud.com/vulnerabilities/169515](<https://exchange.xforce.ibmcloud.com/vulnerabilities/169515>) for the current score. CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) ## Affected Products and Versions Affected Product(s) | Version(s) ---|--- ISAM | 9.0.7 IBM Security Verify Access | 10.0.0 ## Remediation/Fixes Fix Central Product Name | Fixed in VRMF | Fix availability ---|---|--- IBM Security Access Manager | 9.0.7.2 | [fix pack: 9.0.7-ISS-ISAM-FP0002](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=9.0.7.0&platform=Linux&function=fixId&fixids=9.0.7-ISS-ISAM-FP0002&includeRequisites=1&includeSupersedes=0&downloadMethod=http&login=true> "fix pack: 9.0.7-ISS-ISAM-FP0002" ) IBM Security Verify Access | 10.0.0.1 | [fix pack: 10.0.0-ISS-ISVA-FP0001](<https://www.ibm.com/support/fixcentral/swg/downloadFixes?parent=IBM%20Security&product=ibm/Tivoli/IBM+Security+Verify+Access&release=10.0.0&platform=Linux&function=fixId&fixids=10.0.0-ISS-ISVA-FP0001&includeRequisites=1&includeSupersedes=0&downloadMethod=http> "fix pack: 10.0.0-ISS-ISVA-FP0001" ) Docker Log into docker.com and then execute the corresponding command for the release ISAM 9.0.7.2 - docker pull ibmcom/isam:9.0.7.2 ISVA 10.0.0.1 - docker pull ibmcom/verify-access:10.0.0.1 AWS Marketplace Product | First Fix availability ---|--- ISAM | [IBM Security Access Manager v9](<https://aws.amazon.com/marketplace/pp/B08KW6WQFT/> "IBM Security Access Manager v9" ) ISVA | [IBM Security Verify Access v10](<https://aws.amazon.com/marketplace/pp/IBM-IBM-Security-Verify-Access/B07L53BKF8> "IBM Security Verify Access v10" ) ## Workarounds and Mitigations None ## Get Notified about Future Security Bulletins Subscribe to [My Notifications](< http://www-01.ibm.com/software/support/einfo.html>) to be notified of important product support alerts like this. ### References [Complete CVSS v3 Guide](<http://www.first.org/cvss/user-guide> "Link resides outside of ibm.com" ) [On-line Calculator v3](<http://www.first.org/cvss/calculator/3.0> "Link resides outside of ibm.com" ) Off ## Related Information [IBM Secure Engineering Web Portal](<http://www.ibm.com/security/secure-engineering/bulletins.html>) [IBM Product Security Incident Response Blog](<http://www.ibm.com/blogs/psirt>) ## Change History 08 Oct 2020: Initial Publication *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin. ## Disclaimer According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions. ## Document Location Worldwide [{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSRGTL","label":"IBM Security Verify Access"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"10.0.0","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Business Unit":{"code":"BU008","label":"Security"},"Product":{"code":"SSQRZH","label":"IBM Security Access Manager Appliance"},"Component":"","Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]


Affected Software


CPE Name Name Version
isam 9.0.7
ibm security verify access 10.0.0

Related