Security Bulletin: IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities (CVE-2014-0830, CVE-2014-0831, CVE-2014-0832, CVE-2014-0833)

Published: 2018-06-16 19:34:52
Source: www.ibm.com

EPSS: 0.001 (Low), percentile 48.7%

Summary

IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities

Vulnerability Details

CVE ID: CVE-2014-0830

SUMMARY: FTM 2.0 and 2.1 Table export function exposes a path traversal vulnerability

DESCRIPTION: Search results in the FTM console can be exported as CSV-format text files. As part of this function, the server-side code provides access to temporary files on the WAS server. It is possible for a rogue user, once logged in, to use client-side tools to alter the name of the file to be read; the alteration can also include path traversal outside of the temporary file location. This potentially allows download of unauthorized files from the file system hosting the application server. This exposure is limited to authenticated users.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90584 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0 & 2.1

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1.
FTM 2.1 customers may apply PTF/fixpack 2.1.0.1 or upgrade to FTM 2.1.1.

WORKAROUND(s):
None

MITIGATION(s): Ensure the application server user account does not have privileges to read files outside of its directories.
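The export function described above hands a client-supplied file name to server-side code that reads from a temporary directory. The following is an added illustration of the server-side containment check that closes that class of defect; it is not IBM's code and knows nothing about FTM's real export implementation. The directory layout, file names and the `read_export` / `resolve_export_path` helpers are constructed for the example. It goes slightly beyond the bulletin's `../` case by also rejecting absolute paths and a symlink planted inside the export directory, since canonicalising before the containment check is what catches those.

```python
import os
import tempfile
from pathlib import Path


class ExportAccessError(Exception):
    """Raised when a requested export name does not map to a file inside the export directory."""


def resolve_export_path(export_dir: Path, requested_name: str) -> Path:
    """Map a client-supplied export name to a path guaranteed to lie inside export_dir.

    Two independent rules, applied in order:
      1. The name must be a single path component: no separators, not "." or "..".
      2. The joined path is canonicalised (symlinks resolved) and must still be
         under the canonical export directory.
    """
    if not requested_name or requested_name in (".", ".."):
        raise ExportAccessError("empty or reserved name")
    separators = [os.sep] + ([os.altsep] if os.altsep else [])
    if any(sep in requested_name for sep in separators):
        raise ExportAccessError("directory separators are not allowed")
    base = export_dir.resolve(strict=True)
    candidate = (base / requested_name).resolve()
    # Path.relative_to raises ValueError when candidate is not under base,
    # which is how a symlink pointing out of the directory is caught.
    try:
        candidate.relative_to(base)
    except ValueError as exc:
        raise ExportAccessError("path escapes the export directory") from exc
    return candidate


def read_export(export_dir: Path, requested_name: str) -> bytes:
    """Return the contents of a previously generated export, or raise ExportAccessError."""
    path = resolve_export_path(export_dir, requested_name)
    if not path.is_file():
        raise ExportAccessError("no such export")
    return path.read_bytes()


def demo() -> dict:
    """Constructed scenario: one legitimate export next to a file that must stay unreadable."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        export_dir = root / "exports"
        export_dir.mkdir()
        (export_dir / "search-42.csv").write_bytes(b"id,amount\n1,10.00\n")
        (root / "secret.txt").write_bytes(b"not for export")  # constructed out-of-scope file
        hostile = ["../secret.txt", str(root / "secret.txt"), "exports/../secret.txt", "", ".."]
        try:
            # A symlink planted inside the export directory must not act as an escape hatch.
            (export_dir / "link.csv").symlink_to(root / "secret.txt")
            hostile.append("link.csv")
        except (OSError, NotImplementedError):
            pass  # platforms without symlink support simply skip this case
        results = {"legit": read_export(export_dir, "search-42.csv")}
        for name in hostile:
            try:
                read_export(export_dir, name)
                results[name] = "ALLOWED"
            except ExportAccessError:
                results[name] = "blocked"
        return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name!r}: {outcome}")
```

The OS-level mitigation in the bulletin (an application server account that cannot read outside its own directories) is the second layer; the check above is the first, and the two are independent, so an operator who can only apply one still gains something.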

CVE ID: CVE-2014-0831

SUMMARY: FTM 2.0 OAC is not protected from cross-site request forgery vulnerabilities.

DESCRIPTION: A hand-crafted link could be used to trick a user into initiating a function of the FTM OAC. If the user is authorized, the request could cause configuration data to be edited. The user must be logged in. Detailed knowledge of the FTM HTTP request format is required to exploit this issue, and any request to edit configuration data would also need knowledge of the data being edited. In the case of an edit, the request would be audited and the edit history recorded.

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90585 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1

WORKAROUND(s):
None

MITIGATION(s): None
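The CSRF issue above relies on the browser attaching the logged-in user's session to a request that another page initiated. The standard server-side defence is a per-session synchronizer token that a cross-site page cannot read, combined with an Origin check. The block below is an added example of that pattern, not FTM OAC code; the `Session`, `Request` and `edit_config` names, the `SITE_ORIGIN` value and the configuration keys are all constructed for illustration.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

SITE_ORIGIN = "https://ftm-console.example"  # constructed: the console's own origin


@dataclass
class Session:
    """Server-side session; the token is generated per session and only ever rendered into our own pages."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    method: str
    headers: dict
    form: dict
    session: Session


class CsrfError(Exception):
    pass


def same_origin(header_value: str, allowed: str) -> bool:
    """True only when scheme and host:port match exactly (a prefix match would accept look-alike hosts)."""
    got, want = urlsplit(header_value), urlsplit(allowed)
    return got.netloc != "" and (got.scheme, got.netloc) == (want.scheme, want.netloc)


def check_csrf(req: Request) -> None:
    """Reject a state-changing request unless it provably came from our own page.

    Check 1: Origin (or Referer as fallback) must be the console itself; browsers set
             these headers and a cross-site page cannot forge them.
    Check 2: the submitted token must equal the session's token; a cross-site page
             cannot read it, so it cannot include it. Constant-time comparison.
    """
    if req.method in ("GET", "HEAD", "OPTIONS"):
        return  # safe methods must not change state, so no token is required
    source = req.headers.get("Origin") or req.headers.get("Referer", "")
    if not same_origin(source, SITE_ORIGIN):
        raise CsrfError("request did not originate from the console")
    submitted = req.form.get("csrf_token", "")
    if not hmac.compare_digest(submitted.encode(), req.session.csrf_token.encode()):
        raise CsrfError("missing or invalid CSRF token")


def edit_config(req: Request, config: dict, audit: list) -> None:
    """State-changing handler: CSRF check first, then the edit, then the audit record."""
    check_csrf(req)
    key, value = req.form["key"], req.form["value"]
    audit.append((req.session.user, key, config.get(key), value))
    config[key] = value


def demo() -> dict:
    """Constructed scenario: one genuine edit and two forged attempts against the same session."""
    session = Session(user="operator1")
    config = {"batch.timeout": "30"}
    audit, outcomes = [], {}

    # 1. Genuine form post from the console page, carrying the session's own token.
    good = Request("POST", {"Origin": SITE_ORIGIN},
                   {"key": "batch.timeout", "value": "60", "csrf_token": session.csrf_token}, session)
    edit_config(good, config, audit)
    outcomes["genuine"] = config["batch.timeout"]

    # 2. Request triggered from another site: the browser adds the session, but no token is present.
    forged = Request("POST", {"Origin": "https://other.example"},
                     {"key": "batch.timeout", "value": "1"}, session)
    try:
        edit_config(forged, config, audit)
        outcomes["forged"] = "ALLOWED"
    except CsrfError:
        outcomes["forged"] = "blocked"

    # 3. Correct origin but a token belonging to a different session: the token check alone rejects it.
    other = Session(user="operator2")
    wrong = Request("POST", {"Origin": SITE_ORIGIN},
                    {"key": "batch.timeout", "value": "1", "csrf_token": other.csrf_token}, session)
    try:
        edit_config(wrong, config, audit)
        outcomes["wrong_token"] = "ALLOWED"
    except CsrfError:
        outcomes["wrong_token"] = "blocked"

    outcomes["audit_entries"] = len(audit)
    outcomes["final_value"] = config["batch.timeout"]
    return outcomes
```

Note that only the successful edit produces an audit entry here, which matches the bulletin's observation that a forged edit would be recorded against the victim's account if it went through; the value of the check is that it never gets that far.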

CVE ID: CVE-2014-0832

SUMMARY: FTM 2.0 configuration details screens are exposed to cross-site scripting vulnerabilities.

DESCRIPTION: It is possible to create and edit configuration data that includes JavaScript in the text values. A subsequent user viewing these records would inadvertently execute the JavaScript in their browser. This exposure is limited to authenticated users. The creation and/or edit of the data to contain potentially malicious JavaScript is fully audited and traceable back to the user.

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1

WORKAROUND(s):
None

MITIGATION(s): Restrict access to these screens to the minimum group of personnel to minimize risk.

CVE ID: CVE-2014-0833

SUMMARY: FTM 2.0 OAC could accept a request to execute a resolution action where the user is not authorized.

DESCRIPTION: It is possible for an authenticated user to initiate unauthorized process steps for data that is in a state that supports operator intervention. The impact of this depends on the customer process model and the action requested.

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90612 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1

WORKAROUND(s):
None

MITIGATION(s): Use of IE8 or Firefox instead of IE6 or IE7 will prevent accidental exposure but does not prevent deliberate exploitation.
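The CVE-2014-0833 description says the OAC could accept a resolution action from an authenticated user who was not authorized for it, on data in a state that permits operator intervention. The fix for that class of defect is to enforce both conditions on the server, deny by default, and audit refused attempts as well as successful ones. The block below is an added example of such a dispatcher; it is not FTM code, and the roles (`operator`, `supervisor`), actions (`retry`, `cancel`), states and the `execute_resolution` helper are a constructed process model, since the bulletin notes the real impact depends on the customer's own.

```python
from dataclasses import dataclass

# Constructed process model: which states allow operator intervention, which roles may
# request each resolution action, and what state each action produces. Anything not
# listed is refused (deny by default).
INTERVENTION_STATES = {"HELD", "FAILED"}
ACTION_ROLES = {
    "retry": {"operator", "supervisor"},
    "cancel": {"supervisor"},
}
ACTION_RESULT_STATE = {"retry": "QUEUED", "cancel": "CANCELLED"}


@dataclass
class Transaction:
    tx_id: str
    state: str


@dataclass
class User:
    name: str
    roles: frozenset


class AuthorizationError(Exception):
    pass


class InvalidStateError(Exception):
    pass


def execute_resolution(user: User, tx: Transaction, action: str, audit: list) -> str:
    """Apply a resolution action only if the user may request it and the record is open to
    intervention. Both checks run on the server regardless of what the UI offered.
    Refusals are audited too; they are the signal an investigator will want later."""
    allowed_roles = ACTION_ROLES.get(action)
    if allowed_roles is None:
        audit.append((user.name, tx.tx_id, action, "REJECTED_UNKNOWN_ACTION"))
        raise ValueError(f"unknown action {action!r}")
    if not (user.roles & allowed_roles):
        audit.append((user.name, tx.tx_id, action, "DENIED"))
        raise AuthorizationError(f"{user.name} is not permitted to {action}")
    if tx.state not in INTERVENTION_STATES:
        audit.append((user.name, tx.tx_id, action, f"INVALID_STATE:{tx.state}"))
        raise InvalidStateError(f"{tx.tx_id} is {tx.state}, not open to intervention")
    previous = tx.state
    tx.state = ACTION_RESULT_STATE[action]
    audit.append((user.name, tx.tx_id, action, f"{previous}->{tx.state}"))
    return tx.state


def demo() -> dict:
    """Constructed scenario: a permitted retry, an unauthorized cancel, and a cancel on settled data."""
    audit = []
    operator = User("op1", frozenset({"operator"}))
    supervisor = User("sup1", frozenset({"supervisor"}))
    held = Transaction("TX-1", "HELD")
    settled = Transaction("TX-2", "SETTLED")
    out = {}

    out["operator_retry"] = execute_resolution(operator, held, "retry", audit)

    try:  # operator role is not in ACTION_ROLES["cancel"]
        execute_resolution(operator, Transaction("TX-3", "FAILED"), "cancel", audit)
        out["operator_cancel"] = "ALLOWED"
    except AuthorizationError:
        out["operator_cancel"] = "denied"

    try:  # authorized role, but SETTLED is not an intervention state
        execute_resolution(supervisor, settled, "cancel", audit)
        out["cancel_settled"] = "ALLOWED"
    except InvalidStateError:
        out["cancel_settled"] = "invalid_state"

    out["settled_state"] = settled.state
    out["audit"] = [entry[3] for entry in audit]
    return out
```

The ordering of the checks is deliberate: the role check runs before the state check, so an unauthorized caller learns nothing about the record's state from which error they receive.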

RELATED INFORMATION:

https://www-304.ibm.com/jct03001c/security/secure-engineering/process.html

ACKNOWLEDGEMENT:

None

Affected Products and Versions

Financial Transaction Manager v2.0 and v2.1

Remediation/Fixes

| CVE ID | Product | VRMF | APAR | Remediation |
|---|---|---|---|---|
| CVE-2014-0830 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1 |
| CVE-2014-0830 | FTM | v2.1.0.0 | None | Upgrade to v2.1.0.1 or v2.1.1 |
| CVE-2014-0831 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1 |
| CVE-2014-0832 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1 |
| CVE-2014-0833 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1 |
