CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS
Percentile
95.2%
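The vector above, and each vector in the vulnerability details below, can be checked against its published base score with the CVSS v2 base equation. The calculator below is an added example (not IBM's, FIRST's, or the page's own code); it uses the metric weights from the CVSS v2.0 specification, and its `BULLETIN` table is transcribed from the entries on this page. The header vector AV:N/AC:L/Au:N/C:P/I:P/A:P, for which the page lists no score, evaluates to 7.5.

```python
"""CVSS v2 base-score calculator.

Added example, not IBM's or FIRST's code. The weights and equations are those
of the CVSS v2.0 specification; BULLETIN is transcribed from this bulletin.
"""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 base equation.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}
REQUIRED = ("AV", "AC", "AU", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/Au:N/C:N/I:P/A:N'. Surrounding parentheses and the
    'AU' spelling used in this bulletin are accepted; keys are upper-cased."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, sep, value = part.partition(":")
        if not sep:
            raise ValueError(f"malformed metric {part!r}")
        metrics[key.upper()] = value.upper()
    missing = [k for k in REQUIRED if k not in metrics]
    if missing:
        raise ValueError(f"vector is missing {missing}")
    return metrics


def _round1(x: float) -> float:
    """Round to one decimal, half up, as CVSS does (Python's round() is half-even)."""
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score for a vector string."""
    m = parse_vector(vector)
    try:
        impact = 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))
        exploitability = 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["AU"]]
    except KeyError as bad:
        raise ValueError(f"unknown metric value {bad}") from None
    f_impact = 0.0 if impact == 0 else 1.176   # f(Impact) in the specification
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


# Vectors and published base scores transcribed from the entries on this page.
BULLETIN = {
    "CVE-2013-0548": ("(AV:N/AC:M/AU:N/C:N/I:P/A:N)", 4.3),
    "CVE-2013-0551": ("(AV:N/AC:L/AU:N/C:N/I:N/A:P)", 5.0),
    "CVE-2013-0576": ("(AV:N/AC:M/AU:N/C:N/I:P/A:N)", 4.3),
    "CVE-2013-2960": ("(AV:N/AC:L/AU:N/C:N/I:N/A:C)", 7.8),
    "CVE-2013-2961": ("(AV:N/AC:M/AU:N/C:N/I:P/A:N)", 4.3),
    "CVE-2012-2190": ("(AV:N/AC:L/AU:N/C:N/I:N/A:P)", 5.0),
    "CVE-2012-2191": ("(AV:N/AC:L/AU:N/C:N/I:N/A:P)", 5.0),
    "CVE-2012-2203": ("(AV:N/AC:M/AU:N/C:P/I:P/A:N)", 5.8),
}


def check_bulletin(entries=BULLETIN) -> dict:
    """Return {cve: (published, computed)} for entries whose published score does
    not match the vector; an empty dict means every score on the page is consistent."""
    mismatches = {}
    for cve, (vector, published) in entries.items():
        computed = base_score(vector)
        if computed != published:
            mismatches[cve] = (published, computed)
    return mismatches


if __name__ == "__main__":
    for cve, (vector, published) in BULLETIN.items():
        print(f"{cve}: {vector} published={published} computed={base_score(vector)}")
    print("header vector:", base_score("AV:N/AC:L/Au:N/C:P/I:P/A:P"))
    print("mismatches:", check_bulletin())
```

Rounding is done half-up through `Decimal` because the specification rounds that way, while Python's built-in `round()` rounds half to even; the scores on this page are not near a .x5 boundary, but a calculator used to audit other bulletins should not depend on that.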
Several vulnerabilities have been resolved in the Basic Services component of IBM Tivoli Monitoring. These vulnerabilities could cause a denial of service or a Cross Site Scripting (XSS) exposure.
VULNERABILITY DETAILS:

CVE ID: CVE-2013-0548
DESCRIPTION: A security scan reported several Cross Site Scripting (XSS) vulnerabilities.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82767> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0551
DESCRIPTION: Specially crafted URLs could cause an abend (abnormal termination) of an IBM Tivoli Monitoring process.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/82768> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2013-0576
DESCRIPTION: Cross site scripting (XSS) vulnerability using the Tivoli Enterprise Portal browser client…
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83328> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-2960
DESCRIPTION: HTTP processing of specially crafted URLs could cause a buffer overrun, resulting in a segmentation fault in KDSMAIN.
CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/83724> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:C)

CVE ID: CVE-2013-2961
DESCRIPTION: Client security scanners reported potential issues with the Tivoli Monitoring internal web server when it handles certain HTTP requests.
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/77280> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2190
DESCRIPTION: Remote attackers can cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75994> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2191
DESCRIPTION: Data is not properly validated during execution of the protection mechanism against the Vaudenay SSL CBC timing attack.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/75996> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2203
DESCRIPTION: The PKCS #12 file format is used for certificate objects without enforcing file integrity.
CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/77280> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

CVE IDs: all Java vulnerabilities listed in the security bulletin at http://www-01.ibm.com/support/docview.wss?uid=swg21616490
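The bulletin does not say which ClientHello field GSKit mishandled in CVE-2012-2190, so the code below is not a reproduction of that bug. It is an added example, not GSKit, IBM, or page code, of the defensive pattern for this bug class: a ClientHello parser in which every length field (record, handshake, session_id, cipher_suites, compression_methods, extensions) is checked against the bytes actually present before anything is read, so a crafted message is rejected instead of causing an out-of-bounds read. The builder, its zero-filled 32-byte random, and the sample SNI extension are constructed test inputs; the layouts follow RFC 5246 sections 6.2 and 7.4.1.2.

```python
"""Bounds-checked TLS ClientHello parser.

Added example, not GSKit or IBM code. build_client_hello() and its inputs are
constructed for this demonstration; layouts follow RFC 5246 (record header,
handshake header, ClientHello body).
"""
import struct


class Malformed(ValueError):
    """A length field claims more bytes than the message actually carries."""


class Cursor:
    """Sequential reader that refuses to read past the end of its buffer."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def remaining(self) -> int:
        return len(self.data) - self.pos

    def take(self, n: int) -> bytes:
        if n < 0 or n > self.remaining():
            raise Malformed(f"need {n} bytes at offset {self.pos}, have {self.remaining()}")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")


def parse_client_hello(record: bytes):
    """Parse one TLS record carrying a ClientHello.

    Returns a dict of fields, or None when any length field points past the
    data that is actually present (the condition a crafted message exploits)."""
    try:
        rec = Cursor(record)
        if rec.u8() != 0x16:                       # ContentType.handshake
            raise Malformed("not a handshake record")
        record_version = rec.u16()
        body = Cursor(rec.take(rec.u16()))         # record length vs bytes present
        if body.u8() != 0x01:                      # HandshakeType.client_hello
            raise Malformed("not a ClientHello")
        hs = Cursor(body.take(body.u24()))         # handshake length vs record body
        if body.remaining():
            raise Malformed("bytes after handshake message")
        client_version = hs.u16()
        client_random = hs.take(32)
        session_id = hs.take(hs.u8())
        if len(session_id) > 32:
            raise Malformed("session_id longer than 32 bytes")
        cs_len = hs.u16()
        if cs_len < 2 or cs_len % 2:
            raise Malformed("cipher_suites length must be even and non-zero")
        cs = hs.take(cs_len)                       # the classic overrun point
        cipher_suites = [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]
        compression = hs.take(hs.u8())
        if not compression:
            raise Malformed("compression_methods must not be empty")
        extensions = []
        if hs.remaining():                         # extensions block is optional
            ext = Cursor(hs.take(hs.u16()))
            while ext.remaining():
                ext_type = ext.u16()
                extensions.append((ext_type, ext.take(ext.u16())))
        if hs.remaining():
            raise Malformed("bytes after extensions")
    except Malformed:
        return None
    return {
        "record_version": record_version,
        "client_version": client_version,
        "random": client_random,
        "session_id": session_id,
        "cipher_suites": cipher_suites,
        "compression_methods": list(compression),
        "extensions": extensions,
    }


def build_client_hello(cipher_suites, session_id=b"", extensions=(), claimed_cs_len=None):
    """Constructed test input; claimed_cs_len lets a test lie about the suites length."""
    cs = b"".join(struct.pack("!H", s) for s in cipher_suites)
    cs_len = len(cs) if claimed_cs_len is None else claimed_cs_len
    body = struct.pack("!H", 0x0303) + bytes(32)            # TLS 1.2, zero random (constructed)
    body += bytes([len(session_id)]) + session_id
    body += struct.pack("!H", cs_len) + cs
    body += b"\x01\x00"                                     # one compression method: null
    if extensions:
        ext = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in extensions)
        body += struct.pack("!H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", 0x0301, len(hs)) + hs


# Constructed server_name extension for "localhost": list length 12, type 0, name length 9.
SNI_LOCALHOST = (0x0000, b"\x00\x0c\x00\x00\x09localhost")

if __name__ == "__main__":
    good = build_client_hello([0x002F, 0x0035], extensions=[SNI_LOCALHOST])
    print("well-formed:", parse_client_hello(good)["cipher_suites"])
    print("oversized cipher_suites:", parse_client_hello(build_client_hello([0x002F], claimed_cs_len=0xFFFF)))
    print("truncated:", parse_client_hello(good[:-4]))
```

The point is in `Cursor.take`: because every read goes through one check against `remaining()`, a lying inner length (`claimed_cs_len=0xFFFF`) or a truncated record fails at the read, and the caller sees `None` rather than a crash. The explicit `remaining()` checks after the handshake and extensions also reject trailing bytes, which catches messages whose outer and inner lengths disagree in the other direction.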
AFFECTED PRODUCTS:
IBM Application Manager for Smart Business 1.2.1 (previously known as Tivoli Foundations Application Manager 1.2) with an IBM Tivoli Monitoring (ITM) base at the 6.2.2 FP7 level or at the 6.2.2 FP2 level.
REMEDIATION:
Apply fix pack 1.2.1.0-TIV-IAMSB-FP0004 (1.2.1.0-TIV-IAMSB-FP0004.tar.gz) to IBM Application Manager for Smart Business 1.2.1.
Vendor Fix(es):

Fix | VRMF | APAR | Download |
---|---|---|---|
1.2.1.0-TIV-IAMSB-FP0004 | N/A | N/A | Fix Central |
Workaround(s):
None known; apply the fix pack.
Mitigation(s):
None known
REFERENCES:
• Complete CVSS Guide
• On-line Calculator V2
• CVE-2013-2960
• CVE-2013-2961
• CVE-2013-0548
• CVE-2013-0551
• CVE-2013-0576
• CVE-2012-2190
• CVE-2012-2191
• CVE-2012-2203
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/83724>
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/83725>
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/82767>
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/82768>
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/77280>
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/75996>
• X-Force Vulnerability Database <https://exchange.xforce.ibmcloud.com/vulnerabilities/75994>
• Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21622585
• Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21634920
• Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21616490
RELATED INFORMATION:
IBM Secure Engineering Web Portal
ACKNOWLEDGEMENT
The vulnerabilities described in CVE-2013-0548 and CVE-2013-0551 were discovered by Ewerson Guimarães of the DCLABs Security Team (DCA-2013-0001 and DCA-2013-0002).
Product: IBM Application Manager for Smart Business (SS9KZM) | Business Unit: IBM Software w/o TPS (BU059) | Component: – | Platform: Platform Independent (PF025) | Version: Version Independent | Edition: All Editions | Line of Business: Automation (LOB45)
Vendor | Product | Version | CPE |
---|---|---|---|
ibm | application_manager_for_smart_business | any | cpe:2.3:a:ibm:application_manager_for_smart_business:any:*:*:*:*:*:*:* |