Jun 16, 2018 - 9:48 p.m.

Security Bulletin: IBM Security Access Manager appliances are affected by a cross-site request forgery (CSRF) vulnerability (CVE-2016-3029)

2018-06-16 21:48:35
www.ibm.com

EPSS: 0.001 (Low), Percentile: 31.1%

Summary

IBM Security Access Manager appliances are vulnerable to cross-site request forgery, which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.

Vulnerability Details

CVEID: CVE-2016-3029
DESCRIPTION: IBM Security Access Manager for Web is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/114513> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)

Affected Products and Versions

IBM Security Access Manager for Web 8.0 appliances, all firmware versions.

IBM Security Access Manager for Mobile 8.0 appliances, all firmware versions.

IBM Security Access Manager 9.0 appliances, all firmware versions.

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.

| Product | VRMF | APAR | Remediation |
| --- | --- | --- | --- |
| IBM Security Access Manager for Web | 8.0.0.0 - 8.0.1.4 | IV90674 | Upgrade to 8.0.1.5: 8.0.1-ISS-WGA-FP0005 |
| IBM Security Access Manager for Mobile | 8.0.0.0 - 8.0.1.4 | IV90700 | Upgrade to 8.0.1.5: 8.0.1-ISS-ISAM-FP0005 |
| IBM Security Access Manager | 9.0 - 9.0.1.0 | IV90484 | Upgrade to 9.0.2.0: IBM Security Access Manager V9.0.2 Multiplatform, Multilingual (CRW4EML) |

Workarounds and Mitigations

None.
