Sep 26, 2022 - 3:29 a.m.

Security Bulletin: Tivoli Workload Dynamic Console Vulnerability exposure in Tivoli Integrated Portal component

2022-09-26 03:29:56
www.ibm.com
tivoli integrated portal
ibm websphere
security advisories

CVSS2: 6
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P

AI Score: 4.7
Confidence: High

EPSS: 0.651
Percentile: 97.9%

Abstract

New versions of Tivoli Integrated Portal are available (versions TIP 1.1.1.19 and/or TIP 2.2.0.9) containing security fixes for the following security advisories:
“653: IEHS - XSS issue on Search control box”
“474: Potential security exposure with IBM WebSphere application server after installing PM44303”
“216: Apache Tomcat hash denial of service - apache-tomcat-hash-dos (72016)”

Content

VULNERABILITY DETAILS:

Advisory: 653
CVEID: CVE-2013-0464
CVSS: 4.3
X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/81060
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Advisory: 216
CVEID: CVE-2011-4858
CVSS: 5.0
X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/72016
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

Advisory: 474
CVEID: CVE-2012-3325
CVSS: 6.0
X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/77959
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)

DESCRIPTION: Tivoli Dynamic Workload Console, as a consumer of Tivoli Integrated Portal, should pick up the newest versions, TIP 1.1.1.19 and/or TIP 2.2.0.9.
These TIP versions contain security fixes for the following security advisories:
“653: IEHS - XSS issue on Search control box”
“474: Potential security exposure with IBM WebSphere application server after installing PM44303”
“216: Apache Tomcat hash denial of service - apache-tomcat-hash-dos (72016)”

The Tivoli Integrated Portal security exposures apply to Tivoli Dynamic Workload Console because Tivoli Integrated Portal is part of TDWC starting from the 8.6.0.0 release.

AFFECTED PRODUCTS AND VERSIONS:
Tivoli Dynamic Workload Console 8.6.0.0
Tivoli Dynamic Workload Console 8.6.0.1

REMEDIATION:
A new version of Tivoli Integrated Portal has been included in Tivoli Dynamic Workload Console 8.6.0.2.
Tivoli Dynamic Workload Console 8.6.0.2 is available on FixCentral for download starting from December 2012.

Workaround(s):
None

Mitigation(s):
None

REFERENCES:
· On-line Calculator V2
· CVE-2013-0464 (https://vulners.com/cve/CVE-2013-0464)
· CVE-2012-3325 (https://vulners.com/cve/CVE-2012-3325)
· CVE-2011-4858 (https://vulners.com/cve/CVE-2011-4858)
· X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/81060
· X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/77959
· X-Force: https://exchange.xforce.ibmcloud.com/vulnerabilities/72016

RELATED INFORMATION:
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

ACKNOWLEDGEMENT
None

CHANGE HISTORY
20 September, 2013: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY


Affected configurations

Vulners node: ibm workload_scheduler, match 8.6

Vendor | Product | Version | CPE
ibm | workload_scheduler | 8.6 | cpe:2.3:a:ibm:workload_scheduler:8.6:*:*:*:*:*:*:*
