Financial Transaction Manager (FTM) for ACH Services, Check Services and Corporate Payment Services (CPS) are affected by a session identifier vulnerability. This could allow a user to obtain the ID in further attacks against the system… IBM has addressed CVE-2017-1152.
CVEID: CVE-2017-1152
DESCRIPTION: IBM Sterling Global Integration On-Demand Environment does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122293 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
- FTM for ACH Services v3.0.1.0, 3.0.2.0
- FTM for Check Services v3.0.1.0, 3.0.2.0
- FTM for CPS v3.0.1.0, 3.0.2.0
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
FTM for ACH Services | 3.0.1.0, 3.0.2.0 | PI79372 | Apply 3.0.1.0-FTM-ACH-MP-iFix0007 or later. Apply 3.0.2-FTM-ACH-MP-fp0001 or later.
FTM for Check Services | 3.0.1.0, 3.0.2.0 | PI79372 | Apply 3.0.1.0-FTM-Check-MP-iFix0007 or later. Apply 3.0.2-FTM-Check-MP-fp0001 or later.
FTM for CPS | 3.0.1.0, 3.0.2.0 | PI79372 | Apply 3.0.1.0-FTM-CPS-MP-iFix007 or later. Apply 3.0.2-FTM-CPS-MP-fp0001 or later.
None