
Potential security vulnerability with IBM WebSphere Application Server

2018-06-17 14:09:34
www.ibm.com
CVSS2: 6 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

Abstract

Security Bulletin: Asset and Service Management Products - Potential security exposure with IBM WebSphere application server after installing fix for APAR PM44303 (CVE-2012-3325)

Content

VULNERABILITY DETAILS:
**CVE ID: CVE-2012-3325**

DESCRIPTION:
Customers who have installed a WebSphere Application Server fix for APAR PM44303, or a fix pack containing PM44303, are exposed to a flaw that may allow an authenticated user to gain access to unauthorized resources.

CVSS:

CVSS Base Score: 6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/77959> for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

VERSIONS AFFECTED:

The problem affects the following IBM WebSphere Application Server versions:
Version 6.1.0.43
Version 7.0.0.21 - 7.0.0.23
Version 8.0.0.2 - 8.0.0.4
Version 8.5.0.0

The problem does not occur on the following IBM WebSphere Application Server versions:
Version 6.1.0.0 - 6.1.0.41
Version 7.0.0.0 - 7.0.0.19
Version 8.0.0.0 - 8.0.0.1

IBM supplied Websphere Application Server with the following products. The versions that were bundled are not affected, but may have been upgraded to an affected version in your environment.

Maximo Asset Management, Maximo Industry Solutions, and Tivoli Asset Management for IT 6.2 bundled Websphere Application Server 6.0.

Maximo Asset Management, Maximo Industry Solutions, Tivoli Asset Management for IT, Tivoli Service Request Manager, and Tivoli Change and Configuration Management Database 7.1 and 7.2 bundled Websphere Application Server 6.1.

Maximo Asset Management and Maximo Industry Solutions 7.5 bundled Websphere Application Server 7.0.

SmartCloud Control Desk 7.5 bundled Websphere Application Server 7.0.

Intelligent Building Management 1.1 bundled Websphere Application Server 7.0.

TRIRIGA Application Platform 3.2 bundled Websphere Application Server 8.0.

REMEDIATION:

Determine the specific version of WebSphere that you have installed, then go to the Websphere Security Flash for PM71296 to download the appropriate Interim Fix or a Fix Pack containing this APAR. On this page the various Interim Fixes and Fix Packs are separated by the specific WebSphere version. Locate the version of WebSphere that matches your installed version and click the appropriate link to take you to the download page for the fix.

To Determine your WebSphere Version:

1. Open the WebSphere Administrative Console and sign in.

2. Locate the Welcome page, which displays the WebSphere Application Server version.

[Screenshots in the original bulletin show Welcome pages reporting versions 6.1.0.35, 6.0.2.43 and 7.0.0.13 respectively.]
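Once the version has been read from the Welcome page, it must be matched against the inclusive ranges in the VERSIONS AFFECTED section. The following Python example is added here and is not IBM's code; its version ranges are copied from this bulletin, and it assumes the dotted numeric form shown on the console (for example 7.0.0.21).

```python
"""Classify an installed WebSphere Application Server version against the
ranges in this bulletin. Added example, not IBM's code.

Input is the version string shown on the Administrative Console Welcome
page, e.g. '7.0.0.21'.
"""

# Inclusive ranges copied from the bulletin's VERSIONS AFFECTED section.
AFFECTED = [
    ("6.1.0.43", "6.1.0.43"),
    ("7.0.0.21", "7.0.0.23"),
    ("8.0.0.2", "8.0.0.4"),
    ("8.5.0.0", "8.5.0.0"),
]

# Inclusive ranges the bulletin lists as not affected.
NOT_AFFECTED = [
    ("6.1.0.0", "6.1.0.41"),
    ("7.0.0.0", "7.0.0.19"),
    ("8.0.0.0", "8.0.0.1"),
]


def parse_version(text):
    """'8.0.0.2' -> (8, 0, 0, 2); shorter strings are padded so '8.5' == '8.5.0.0'."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    return tuple(nums + [0] * (4 - len(nums)))


def in_range(version, rng):
    """True when version lies inside the inclusive (low, high) range."""
    low, high = (parse_version(bound) for bound in rng)
    return low <= parse_version(version) <= high


def classify(version):
    """Return 'affected', 'not affected' or 'not listed'.

    'not listed' covers versions the bulletin names in neither list, such as
    6.1.0.42, 7.0.0.20 or anything newer than 8.5.0.0; those need to be
    checked against the PM71296 flash rather than assumed safe.
    """
    if any(in_range(version, r) for r in AFFECTED):
        return "affected"
    if any(in_range(version, r) for r in NOT_AFFECTED):
        return "not affected"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inputs, including the versions pictured in the bulletin.
    for v in ("6.1.0.35", "7.0.0.13", "7.0.0.21", "8.5", "7.0.0.20", "8.0.0.5"):
        print(f"{v:>10}: {classify(v)}")
```

Versions that fall outside both lists come back as "not listed" rather than "not affected": the bulletin's lists leave gaps (6.1.0.42 and 7.0.0.20 appear in neither), and later fix packs are not enumerated, so those installations should be confirmed against the PM71296 flash before being treated as safe.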


REFERENCES:
Complete CVSS Guide
On-line Calculator V2
X-Force Vulnerability Database
CVE-2012-3325

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Change History

05 Sep 2012 | Flash published

CROSS REFERENCE INFORMATION:

| Segment | Product | Component/Platform | Version |
|---|---|---|---|
| Systems and Asset Management | Maximo Asset Management | All | 6.2.0 – 6.2.8; 7.1.1.0 – 7.1.1.11; 7.5.0.0 – 7.5.0.3 |
| Systems and Asset Management | Maximo Asset Management Essentials | All | 7.1.1.0 – 7.1.1.11; 7.5.0.0 – 7.5.0.3 |
| Systems and Asset Management | Maximo Asset Management for Energy Optimization | All | 7.1.0.0 – 7.1.1.0 |
| Systems and Asset Management | Maximo for Government | All | 6.1.0.0; 7.1.0.0; 7.5.0.0 |
| Systems and Asset Management | Maximo for Nuclear Power | All | 6.3.0; 7.1.0.0 – 7.1.1.0; 7.5.0.0 |
| Systems and Asset Management | Maximo for Transportation | All | 6.3.0; 7.1.0.0 – 7.1.1.0; 7.5.0.0 |
| Systems and Asset Management | Maximo for Life Sciences | All | 6.4.0 – 6.5.0; 7.1.0.0 – 7.1.2.0; 7.5.00 |
| Systems and Asset Management | Maximo for Oil and Gas | All | 6.3.0 – 6.4.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 |
| Systems and Asset Management | Maximo for Utilities | All | 6.3.0; 7.1.0.0 – 7.1.2.0; 7.5.0.0 |
| Systems and Asset Management | Tivoli Service Request Manager / Maximo Service Desk | All | 7.1.0.0 – 7.1.1.11; 7.2.0.0 – 7.2.1.4; 6.2.0 – 6.2.8 |
| Systems and Asset Management | Tivoli Asset Management for IT | All | 6.2.0 – 6.2.8; 7.1.0.0 – 7.1.1.11; 7.2.0.0 – 7.2.2.1 |
| Systems and Asset Management | Change and Configuration Management Database | All | 7.1.0.0 – 7.1.1.11; 7.2.0.0 – 7.2.1.3 |
| Systems and Asset Management | SmartCloud Control Desk | All | 7.5.0.0 – 7.5.0.1 |
| Systems and Asset Management | TRIRIGA Application Platform | All | 3.2 |


