Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)

Published: 2022-09-26 05:45:55
Source: www.ibm.com

CVSS2 (as indexed): 5.0 Medium, vector AV:N/AC:L/Au:N/C:P/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

EPSS: 0.003 (Low), percentile 70.8%

Abstract

SUMMARY
The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM.

Content

VULNERABILITY DETAILS

CVE ID: CVE-2012-3315

DESCRIPTION:
The Tivoli Federated Identity Manager (TFIM) management console contains Java servlets which allow downloading of certain resources from within TFIM. Two such resources are federation metadata and a web plugin configuration template. The TFIM management console should require authentication in order to access these resources, but it does not.

In order to access these resources, an attacker must have network access to the Federated Identity Manager’s management console interface and know the Federated Identity Manager’s domain name and the URLs for the servlets they wish to access. In the case of accessing federation metadata, an attacker must also know the unique identifier (uuid) of a federation. An attacker could then build up the appropriate URL parameters and make a request without an authenticated session to retrieve the resource.
The attack does not require local network access nor does it require authentication, but specialized knowledge and techniques are required. An exploit will not impact accessibility of system resources or the integrity of information, but the confidentiality of some of the data used by TFIM could be compromised.
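The root cause described above is a deployment descriptor in which some servlet mappings fall outside every J2EE security constraint. The following Python script is an added example, not code from IBM or from TFIM, that audits a web.xml for exactly that gap: it collects the URL patterns of every security-constraint that carries an auth-constraint, then reports each servlet-mapping whose URL pattern none of them covers. The embedded web.xml is constructed for the example; its servlet names and paths (/console/*, /download/metadata, /download/plugincfg) are hypothetical and are not TFIM's real servlet URLs.

```python
"""Audit a J2EE web.xml for servlet mappings that no authenticating
<security-constraint> covers (added example; web.xml below is constructed)."""
import xml.etree.ElementTree as ET

# Constructed sample descriptor. The servlet names and URL patterns are
# hypothetical placeholders, not TFIM's actual deployment descriptor.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet-mapping>
    <servlet-name>ConsoleServlet</servlet-name>
    <url-pattern>/console/*</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>MetadataDownloadServlet</servlet-name>
    <url-pattern>/download/metadata</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>PluginTemplateServlet</servlet-name>
    <url-pattern>/download/plugincfg</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Console</web-resource-name>
      <url-pattern>/console/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
    </auth-constraint>
  </security-constraint>
</web-app>
"""

NS = {"j2ee": "http://java.sun.com/xml/ns/javaee"}


def pattern_covers(constraint: str, target: str) -> bool:
    """Servlet-spec style matching: exact match, '/*' catch-all,
    path-prefix pattern ('/x/*') or extension pattern ('*.ext')."""
    if constraint == target or constraint == "/*":
        return True
    if constraint.endswith("/*"):
        prefix = constraint[:-2]
        return target == prefix or target.startswith(prefix + "/")
    if constraint.startswith("*."):
        return target.endswith(constraint[1:])
    return False


def find_unprotected(web_xml: str) -> list:
    """Return (servlet-name, url-pattern) pairs that no authenticating
    security-constraint covers, i.e. reachable without a login."""
    root = ET.fromstring(web_xml)

    constrained = []
    for sc in root.findall("j2ee:security-constraint", NS):
        # A constraint with no <auth-constraint> imposes no login requirement
        # (it may only set transport guarantees), so it does not count.
        if sc.find("j2ee:auth-constraint", NS) is None:
            continue
        for up in sc.findall("j2ee:web-resource-collection/j2ee:url-pattern", NS):
            constrained.append(up.text.strip())

    unprotected = []
    for sm in root.findall("j2ee:servlet-mapping", NS):
        name = sm.findtext("j2ee:servlet-name", namespaces=NS).strip()
        for up in sm.findall("j2ee:url-pattern", NS):
            pattern = up.text.strip()
            if not any(pattern_covers(c, pattern) for c in constrained):
                unprotected.append((name, pattern))
    return unprotected


if __name__ == "__main__":
    for servlet, url in find_unprotected(SAMPLE_WEB_XML):
        print(f"UNPROTECTED: {servlet} at {url}")
```

Run against the constructed descriptor, the script flags the two download servlets and leaves the console servlet alone, which is the shape of the defect the bulletin describes. The check is intentionally conservative: a security-constraint whose patterns do not use the servlet-spec forms, or a container that layers its own authorization outside web.xml, would need the matcher or the source of constraints extended.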

CVSS:
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Details: <https://exchange.xforce.ibmcloud.com/vulnerabilities/77796>

AFFECTED PLATFORMS
All versions of TFIM before 6.2.2 are affected, including those no longer supported…

TFIM versions 6.1.1, 6.2.0, 6.2.1

REMEDIATION:

Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.

Fix | Build | APAR | Download URL
6.2.1-TIV-TFIM-FP0004 | 6.2.1.4 | IV26825 | <http://www-01.ibm.com/support/docview.wss?uid=swg24032885>
6.2.0-TIV-TFIM-IF0012 | 6.2.0.12 | IV26826 | <http://www-01.ibm.com/support/docview.wss?uid=swg24033345>
6.1.1-TIV-TFIM-IF0014 | 6.1.1.14 | IV26827 | <http://www-01.ibm.com/support/docview.wss?uid=swg24033343>

For versions of TFIM that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.

WORKAROUNDS:
None

RELATED INFORMATION:

Complete CVSS Guide
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an “industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response.” IBM PROVIDES THE CVSS SCORES “AS IS” WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product: Tivoli Federated Identity Manager (SSZSXU); Business Unit: Security (BU008); Platforms: AIX, Linux, Solaris, Windows, z/OS, HP-UX; Versions: 6.1.1, 6.2, 6.2.1; Line of Business: Security Software (LOB24)

Affected configurations (as indexed by Vulners)

ibm tivoli_federated_identity_manager 6.1.1
OR ibm tivoli_federated_identity_manager 6.2
OR ibm tivoli_federated_identity_manager 6.2.1
