Jun 16, 2018 - 8:09 p.m.

Security Bulletin: Financial Transaction Manager for ACH Services, Check Services and Corporate Payment Services session identifier vulnerability (CVE-2017-1152)

2018-06-16 20:09:16
www.ibm.com

EPSS: 0.001 (Percentile: 19.0%)

Summary

Financial Transaction Manager (FTM) for ACH Services, Check Services and Corporate Payment Services are vulnerable to a session identifier vulnerability. This could allow a user to obtain the ID in further attacks against the system… IBM has addressed CVE-2017-1152.

Vulnerability Details

CVEID: CVE-2017-1152
DESCRIPTION: IBM Sterling Global Integration On-Demand Environment does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/122293 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

- FTM for ACH Services v3.0.1.0, 3.0.2.0

- FTM for Check Services v3.0.1.0, 3.0.2.0

- FTM for CPS v3.0.1.0, 3.0.2.0

Remediation/Fixes

Product| VRMF| APAR| Remediation/First Fix
—|—|—|—
FTM for ACH Services| 3.0.1.0, 3.0.2.0| PI79372| Apply 3.0.1.0-FTM-ACH-MP-iFix0007 or later. Apply 3.0.2-FTM-ACH-MP-fp0001 or later.
FTM for Check Services| 3.0.1.0, 3.0.2.0| PI79372| Apply 3.0.1.0-FTM-Check-MP-iFix0007 or later. Apply 3.0.2-FTM-Check-MP-fp0001 or later.
FTM for CPS| 3.0.1.0, 3.0.2.0| PI79372| Apply 3.0.1.0-FTM-CPS-MP-iFix007 or later. Apply 3.0.2-FTM-CPS-MP-fp0001 or later.

Workarounds and Mitigations

None
