9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
Three cURL/libcurl vulnerabilities were disclosed on April 22, 2015 by the cURL Project. libcurl is used by IBM Tivoli Composite Application Manager for Transactions; IBM has addressed the applicable CVEs in the fixes listed below.
CVE-ID: CVE-2015-3143
DESCRIPTION: libcurl could allow a remote attacker to bypass security restrictions, caused by the re-use of a recently NTLM-authenticated connection for a later request without checking that the credentials still match. If a new request is issued over such a connection, it is sent with the privileges of the user who authenticated it, which an attacker could exploit to perform unauthorized actions as the victim.
CVSS Base Score: 5.000
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/102888 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-ID: CVE-2015-3144
DESCRIPTION: libcurl and cURL are vulnerable to a denial of service, caused by an improperly calculated index in the fix_hostname function (the name buffer is indexed at length minus one without checking that the length is non-zero). By supplying a zero-length host name, a remote attacker could exploit this vulnerability to crash the application.
CVSS Base Score: 5.000
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/102886 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-ID: CVE-2015-3145
DESCRIPTION: libcurl and cURL are vulnerable to a denial of service, caused by an improperly calculated index in the sanitize_cookie_path function (after a leading double quote is stripped, the remaining path is indexed at length minus one without checking that the length is non-zero). By supplying a cookie path consisting of a double-quote character, a remote attacker could exploit this vulnerability to crash the application.
CVSS Base Score: 5.000
CVSS Temporal Score: see https://exchange.xforce.ibmcloud.com/vulnerabilities/102884 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
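The two denial-of-service CVEs above (CVE-2015-3144 and CVE-2015-3145) are the same bug class: a buffer indexed at `buf[len - 1]` without first checking that `len` is non-zero, so an empty input becomes an access at index `(size_t)-1`. The following is an added example written for this bulletin, a minimal re-creation of that bug class and its fix; it is not libcurl source and the function names (`strip_trailing_dot`, `sanitize_path`) are illustrative. The `_unsafe` variants reproduce the pre-fix logic and must not be called with an empty string; the hardened variants add the length guard.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Portable strdup replacement so the example builds under strict C99. */
static char *dup_string(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d)
        memcpy(d, s, n);
    return d;
}

/* CVE-2015-3144 class: remove one trailing '.' from a host name.
 * UNSAFE: with an empty name, len == 0 and name[len - 1] reads index
 * (size_t)-1, i.e. one byte before the buffer. Never call with "". */
void strip_trailing_dot_unsafe(char *name)
{
    size_t len = strlen(name);
    if (name[len - 1] == '.')
        name[len - 1] = '\0';
}

/* Hardened form: the 'len &&' guard is the whole fix. */
void strip_trailing_dot(char *name)
{
    size_t len = strlen(name);
    if (len && name[len - 1] == '.')
        name[len - 1] = '\0';
}

/* CVE-2015-3145 class: some sites send Path="..." with surrounding quotes.
 * UNSAFE: input "\"" becomes "" after the leading quote is stripped, and the
 * second check then indexes new_path[(size_t)-1]. Never call with "\"" or "". */
char *sanitize_path_unsafe(const char *cookie_path)
{
    char *new_path = dup_string(cookie_path);
    if (!new_path)
        return NULL;
    if (new_path[0] == '"')
        memmove(new_path, new_path + 1, strlen(new_path)); /* moves the NUL too */
    if (new_path[strlen(new_path) - 1] == '"')
        new_path[strlen(new_path) - 1] = '\0';
    return new_path;
}

/* Hardened form: re-measure after stripping, and guard the zero-length case. */
char *sanitize_path(const char *cookie_path)
{
    char *new_path = dup_string(cookie_path);
    size_t len;
    if (!new_path)
        return NULL;
    if (new_path[0] == '"')
        memmove(new_path, new_path + 1, strlen(new_path)); /* moves the NUL too */
    len = strlen(new_path);            /* 0 for the lone-quote input */
    if (len && new_path[len - 1] == '"')
        new_path[len - 1] = '\0';
    return new_path;
}

int main(void)
{
    /* Constructed inputs: the crashing cases from the CVE descriptions,
     * run only through the hardened functions. */
    char host_empty[] = "";
    char host_dotted[] = "example.com.";
    const char *paths[] = { "\"", "", "\"/a/b\"", "/x" };
    size_t i;

    strip_trailing_dot(host_empty);
    strip_trailing_dot(host_dotted);
    printf("host: '%s' '%s'\n", host_empty, host_dotted);

    for (i = 0; i < sizeof(paths) / sizeof(paths[0]); i++) {
        char *p = sanitize_path(paths[i]);
        printf("path %-8s -> '%s'\n", paths[i], p ? p : "(null)");
        free(p);
    }
    return 0;
}
```

The hardened functions return the same results as the unsafe ones on well-formed input; they differ only in that the empty-string and lone-quote cases now return an empty string instead of touching memory outside the buffer.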
IBM Tivoli Composite Application Manager (ITCAM) for Transactions is affected. ITCAM for Transactions contains multiple sub-components (Agents). Only the Internet Service Monitor (ISM, agent code "IS") is affected.
Versions:
- 7.4: affected by CVE-2015-3143, CVE-2015-3144 and CVE-2015-3145
- 7.3: affected by CVE-2015-3143, CVE-2015-3144 and CVE-2015-3145
Product | VRMF | APAR | Remediation/First Fix
---|---|---|---
7.4.0.0-TIV-CAMIS-FP0001 | 7.4.0.1 | None | http://www.ibm.com/support/docview.wss?uid=isg400002269
7.3.0.1-TIV-CAMIS-IF0036 | 7.3.0.1 | None | http://www-01.ibm.com/support/docview.wss?rs=0&uid=isg400002358
7
For ISM 7.1 and 7.2, which are out of support, IBM recommends upgrading to a fixed, supported version/release/platform of the product.
None known
CPE | Name | Operator | Version
---|---|---|---
 | tivoli composite application manager for transactions | eq | 7.4