Lucene search

IBMC7B286938FB13ABBEC607CE7D0F82FD0DB0F7CD20A358C97909012A6E30067AF

HistorySep 22, 2022 - 3:02 a.m.

Security Bulletin: IBM Maximo Asset Management contains a misconfiguration that could allow an authenticated user to view backup and debug application files which could contain sensitive information (CVE-2015-4965)

2022-09-2203:02:31

www.ibm.com

ibm maximo asset management

misconfiguration

authenticated user

sensitive information

backup files

debug files

cve-2015-4965

smartcloud control desk

tivoli asset management

fix central

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

34.4%

JSON

Summary

IBM Maximo Asset Management configuration allows an authenticated user to view backup and debug application files. This vulnerability could allow a local attacker to obtain sensitive information.

The vulnerability affects Maximo Asset Management, Maximo Asset Management Essentials, Maximo Industry Solutions (including Maximo for Energy Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo for Utilities), SmartCloud Control Desk, Tivoli Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database.

Vulnerability Details

CVEID: CVE-2015-4965 DESCRIPTION: IBM Maximo Asset Management contains a misconfiguration that could allow an authenticated user to view backup and debug application files which could contain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105641 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

1. Maximo Asset Management 7.6, 7.5, 7.1
2. Maximo Asset Management Essentials 7.5, 7.1
3. Maximo for Energy Optimization 7.1
4. Maximo for Government 7.5, 7.1
5. Maximo for Nuclear Power 7.5, 7.1
6. Maximo for Transportation 7.5, 7.1
7. Maximo for Life Sciences 7.6, 7.5, 7.1
8. Maximo for Oil and Gas 7.5, 7.1
9. Maximo for Utilities 7.5, 7.1
10. SmartCloud Control Desk 7.6, 7.5
11. Tivoli Asset Management for IT 7.2, 7.1
12. Tivoli Service Request Manager 7.2, 7.1
13. Change and Configuration Management Database 7.2, 7.1
14. Maximo for Aviation 7.6, 7.6.1, 7.6.2, 7.6.3

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix Pack from Fix Central (What is Fix Central?) and apply for each affected product as soon as possible. Please see below for information on the fixes available for each product, version, and release. Follow the installation instructions in the ‘readme’ documentation provided with each fix pack or interim fix.

For Maximo Asset Management, Maximo Asset Management Essentials and Maximo Industry Solutions 7.6, 7.5, 7.1:

VRM	Fix Pack or Interim Fix	Download
7.6.0	Maximo 7.6.0.1 Interim Fix:
7.6.0.1-TIV-MBS-IFIX002 or latest Interim Fix available	FixCentral
7.5.0	Maximo 7.5.0.8 Interim Fix:
7.5.0.8-TIV-MBS-IFIX004 or latest Interim Fix available	FixCentral
7.1.1	7.1.1.13 Interim Fix:
Latest Interim Fix available	Contact IBM Support

For SmartCloud Control Desk 7.6, 7.5:

VRM	Fix Pack or Interim Fix	Download
7.6.0	Maximo 7.6.0.1 Interim Fix:
7.6.0.1-TIV-MBS-IFIX002 or latest Interim Fix available	FixCentral
7.5.1	Maximo 7.5.0.8 Interim Fix:
7.5.0.8-TIV-MBS-IFIX004 or latest Interim Fix available	FixCentral
7.5.0	Maximo 7.5.0.8 Interim Fix:
7.5.0.8-TIV-MBS-IFIX004 or latest Interim Fix available	FixCentral

For Tivoli IT Asset Management for IT, Tivoli Service Request Manager, and Change and Configuration Management Database 7.2, 7.1:

VRM	Fix Pack or Interim Fix	Download
7.1 - 7.2	7.1.1.13 Interim Fix:
Latest Interim Fix available	Contact IBM Support

Workarounds and Mitigations

As an alternative to the Fix Pack or Interim Fix install above, customers may manually apply an equivalent fix by completing the following steps:

1. Navigate to the following file location: <maximo_root>\applications\maximo\maximouiweb\webmodule\webclient\utility
2. Delete the file: merlin.jsp
3. Delete the Maximo ear files, delete browser and app server caches, rebuild the Maximo ear files, and redeploy.

Affected configurations

Vulners

Node

ibmmaximo_asset_managementMatch7.1

ibmmaximo_asset_managementMatch7.1.1

ibmmaximo_asset_managementMatch7.5

ibmmaximo_asset_managementMatch7.6

ibmcontrol_deskMatch7.5

ibmcontrol_deskMatch7.5.1

ibmcontrol_deskMatch7.5.1.1

ibmcontrol_deskMatch7.5.1.2

ibmcontrol_deskMatch7.5.3

ibmcontrol_deskMatch7.6.0

ibmmaximo_for_energy_optimizationMatchany

ibmmaximo_asset_management_essentialsMatch7.5

ibmmaximo_asset_management_essentialsMatch7.1.1

ibmmaximo_for_energy_optimizationMatch7.1

ibmmaximo_for_energy_optimizationMatch7.1.1

ibmmaximo_for_governmentMatch7.1

ibmmaximo_for_governmentMatch7.1.1

ibmmaximo_for_governmentMatch7.5

ibmmaximo_for_life_sciencesMatch7.1.2

ibmmaximo_for_life_sciencesMatch7.5

ibmmaximo_for_life_sciencesMatch7.1.0

ibmmaximo_for_life_sciencesMatch7.6

ibmmaximo_for_nuclear_powerMatch7.1

ibmmaximo_for_nuclear_powerMatch7.5

ibmmaximo_for_nuclear_powerMatch7.5.1

ibmmaximo_for_nuclear_powerMatch7.1.1

ibmmaximo_for_oil_and_gasMatch7.1.2

ibmmaximo_for_oil_and_gasMatch7.5

ibmmaximo_for_oil_and_gasMatch7.5.1

ibmmaximo_for_oil_and_gasMatch7.1.0

ibmmaximo_for_transportationMatch7.1.1

ibmmaximo_for_transportationMatch7.5

ibmmaximo_for_transportationMatch7.5.1

ibmmaximo_for_transportationMatch7.1.0

ibmmaximo_for_utilitiesMatch7.1.1

ibmmaximo_for_utilitiesMatch7.1.2

ibmmaximo_for_utilitiesMatch7.5

ibmmaximo_for_utilitiesMatch7.1.0

ibmmaximo_asset_managementMatch7.1

ibmmaximo_asset_managementMatch7.1.1

ibmmaximo_asset_managementMatch7.2

ibmmaximo_asset_managementMatch7.2.1

ibmmaximo_asset_managementMatch7.2.2

ibmtivoli_change_and_configuration_management_databaseMatch7.1

ibmtivoli_change_and_configuration_management_databaseMatch7.1.1

ibmtivoli_change_and_configuration_management_databaseMatch7.2

ibmtivoli_change_and_configuration_management_databaseMatch7.2.1

ibmtivoli_service_request_managerMatch7.1

ibmtivoli_service_request_managerMatch7.2

ibmtivoli_service_request_managerMatch7.2.1

ibmmaximo_for_aviationMatch7.6

ibmmaximo_for_aviationMatch7.6.1

ibmmaximo_for_aviationMatch7.6.2

ibmmaximo_for_aviationMatch7.6.2.1

ibmmaximo_for_aviationMatch7.6.3

CPENameOperatorVersion
ibm maximo asset managementeq7.1
ibm maximo asset managementeq7.1.1
ibm maximo asset managementeq7.5
ibm maximo asset managementeq7.6
ibm control deskeq7.5
ibm control deskeq7.5.1
ibm control deskeq7.5.1.1
ibm control deskeq7.5.1.2
ibm control deskeq7.5.3
ibm control deskeq7.6.0

Name	Operator	Version
ibm maximo asset management	eq	7.1
ibm maximo asset management	eq	7.1.1
ibm maximo asset management	eq	7.5
ibm maximo asset management	eq	7.6
ibm control desk	eq	7.5
ibm control desk	eq	7.5.1
ibm control desk	eq	7.5.1.1
ibm control desk	eq	7.5.1.2
ibm control desk	eq	7.5.3
ibm control desk	eq	7.6.0

Rows per page:

1-10 of 551

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

34.4%

JSON

Related for C7B286938FB13ABBEC607CE7D0F82FD0DB0F7CD20A358C97909012A6E30067AF