Security Bulletin: Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway can be affected by two vulnerabilities in the IBM WebSphere Application Server component (CVE-2014-0423, CVE-2014-0411)

2018-06-16 21:16:39
www.ibm.com

5.5 Medium (CVSS2)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:S/C:P/I:N/A:P

Summary

The IBM WebSphere Application Server component provided with IBM Tivoli Federated Identity Manager (FIM) and IBM Tivoli Federated Identity Manager Business Gateway (FIMBG) is vulnerable to a denial of service attack and a transport layer security (TLS) timing attack.

Vulnerability Details

CVE-ID: CVE-2014-0423

DESCRIPTION:
The XML parser used by FIM and FIMBG is vulnerable to a denial of service attack triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resources for several minutes before the data is eventually rejected. This behavior can be used to launch a denial of service attack against the FIM or FIMBG server.

The attack does not require local network access, but it does require authentication and some degree of specialized knowledge and techniques. An exploit would not impact the integrity of data, but the availability of the system and the confidentiality of information could be compromised.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)

CVE-ID: CVE-2014-0411

DESCRIPTION:
The implementation of TLS used by FIM and FIMBG is subject to a timing attack that could be exploited by a man in the middle attack to decrypt the encrypted communication.

The attack does not require local network access nor does it require authentication, but a high degree of specialized knowledge and techniques are required. An exploit would not affect the availability of the system, but it could impact the confidentiality of information and the integrity of data.

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Tivoli Federated Identity Manager (FIM) versions 6.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2
IBM Tivoli Federated Identity Manager Business Gateway (FIMBG) versions 6.1.1, 6.2.0, 6.2.1, 6.2.2

Remediation/Fixes

The IBM SDK for Java is obtained through the WebSphere Application Server distribution used by FIM and FIMBG. Patch instructions for WebSphere Application Server versions are available through this Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server January 2014 CPU

Supported WebSphere Application Server versions for TFIM and TFIMBG

TFIM/TFIMBG Version   WebSphere Application Server (WAS) Version
TFIM 6.0              WAS 6.1
TFIM 6.1              WAS 6.1
TFIM 6.2.0            WAS 6.1
TFIM 6.2.1            WAS 6.1, WAS 7.0
TFIM 6.2.2            WAS 7.0, WAS 8.0, WAS 8.5, WAS 8.5.5
TFIMBG 6.1.1          eWAS (Embedded WebSphere Application Server) 6.1
TFIMBG 6.2.0          eWAS 6.1, WAS 6.1
TFIMBG 6.2.1          eWAS 6.1, WAS 6.1, WAS 7.0
TFIMBG 6.2.2          eWAS 6.1, WAS 6.1, WAS 7.0, WAS 8.0, WAS 8.5, WAS 8.5.5

For TFIM version 6.0, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

IMPORTANT: The linked WebSphere Application Server security bulletin lists all CVEs that affect WebSphere Application Server. FIM and FIMBG are affected only by the CVEs listed in this security bulletin.

Workarounds and Mitigations

None
