
Security Bulletin: Multiple Vulnerabilities Have Been Identified In IBM Security Secret Server

2020-01-24 06:35:33
www.ibm.com

EPSS: 0.002 (percentile: 60.7%)

Summary

Multiple vulnerabilities identified on IBM Security Secret Server have been addressed in the release 10.7.000059.

Vulnerability Details

CVEID: CVE-2012-5662
**DESCRIPTION:** x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Base score: 4.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/82984 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
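The check that CVE-2012-5662 describes as missing is the one below: after the TLS handshake, the client must confirm that the name it dialled is covered by the certificate's subjectAltName entries, falling back to the subject CN only when the certificate carries no DNS SAN at all. This is an added example written for this bulletin; it is not IBM's, Thycotic's or x3270's code. It assumes the dictionary shape that Python's `ssl.SSLSocket.getpeercert()` returns and constructs two sample certificates in that shape so the matching logic runs offline. A client that skips this step (as the vulnerable x3270 did) accepts any certificate that chains to a trusted CA, which is exactly what makes the spoofing possible.

```python
"""Server hostname verification for a TLS client, in the shape of the check
CVE-2012-5662 reports x3270 lacked. Added example, not vendor code."""
import ipaddress
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name from a certificate against the dialled hostname.

    Comparison is case-insensitive; a wildcard is accepted only as the whole
    leftmost label, it covers exactly one label, and it must be followed by
    at least two labels (so "*.com" never matches anything).
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(cert: dict, hostname: str) -> bool:
    """Return True when hostname is covered by the certificate.

    Order of precedence follows RFC 6125: an IP literal must appear as an
    "IP Address" SAN; a DNS name is matched against "DNS" SANs; the subject
    CN is consulted only when the certificate has no DNS SAN at all.
    """
    sans = cert.get("subjectAltName", ())
    dns_names = [value for (kind, value) in sans if kind == "DNS"]
    ip_names = [value for (kind, value) in sans if kind == "IP Address"]

    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None

    if wanted_ip is not None:
        for value in ip_names:
            try:
                if ipaddress.ip_address(value) == wanted_ip:
                    return True
            except ValueError:
                continue  # malformed SAN entry never matches
        return False

    if dns_names:
        # SAN present: the CN is ignored even if it would have matched.
        return any(dns_name_matches(p, hostname) for p in dns_names)

    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return dns_name_matches(value, hostname)
    return False


def make_strict_context() -> ssl.SSLContext:
    """Client context that verifies the chain and the hostname.

    create_default_context() already sets check_hostname=True and
    verify_mode=CERT_REQUIRED; the assertions make a later loosening of
    either setting fail loudly instead of silently disabling verification.
    """
    ctx = ssl.create_default_context()
    assert ctx.check_hostname is True
    assert ctx.verify_mode == ssl.CERT_REQUIRED
    return ctx


# Constructed sample certificates in getpeercert() dict form (not real certs).
CERT_WITH_SAN = {
    "subject": ((("commonName", "legacy.example.com"),),),
    "subjectAltName": (
        ("DNS", "tn3270.example.com"),
        ("DNS", "*.hosts.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "mainframe.example.com"),)),
}


if __name__ == "__main__":
    for cert, name in [(CERT_WITH_SAN, "tn3270.example.com"),
                       (CERT_WITH_SAN, "legacy.example.com"),
                       (CERT_CN_ONLY, "mainframe.example.com")]:
        print(name, "->", hostname_matches_cert(cert, name))
```

The second sample call is the instructive one: `legacy.example.com` appears in the CN of `CERT_WITH_SAN` but the certificate also carries DNS SANs, so the name is rejected. In Python, `make_strict_context()` combined with `wrap_socket(..., server_hostname=host)` performs this matching inside the library; the explicit function exists here to make the rules visible and testable.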

CVEID: CVE-2014-4861
**DESCRIPTION:** The Remote Desktop Launcher in Thycotic Secret Server before 8.6.000010 does not properly clean up a temporary file that contains an encrypted password once a session has ended.
CVSS Base score: 5.3
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/140555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

CVEID: CVE-2017-11725
**DESCRIPTION:** The share function in Thycotic Secret Server before 10.2.000019 mishandles the Back Button, leading to unintended redirections.
CVSS Base score: 7.4
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/129954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

Affected Product(s)         Version(s)
IBM Security Secret Server  All

Remediation/Fixes

Upgrade to the fixpack available here.

Workarounds and Mitigations

None
