Security Bulletin: Tivoli Federated Identity Manager Business Gateway - Unprotected Management Console Servlets (CVE-2012-3315)
Abstract SUMMARY The management console used to administer Tivoli Federated Identity Manager Business Gateway contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIMBG. Content...
Security Bulletin: IBM Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway can be affected by a vulnerability in the IBM GSKit library (CVE-2013-0169)
Abstract CVE-2013-0169 - The Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky...
CVE-2013-5429
The Risk Based Access functionality in IBM Tivoli Federated Identity Manager TFIM 6.2.2 before FP9 and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.2.2 before FP9 does not prevent reuse of One Time Password OTP tokens, which makes it easier for remote authenticated users to complet...
CVE-2013-5429
The CVE-2013-5429 issue affects IBM Tivoli Federated Identity Manager (TFIM) 6.2.2 before FP9 and TFIMBG 6.2.2 before FP9. Vulnerability: Risk Based Access allows reuse of One Time Password (OTP) tokens under certain conditions, enabling a remote authenticated user to complete transactions by lev...
Open redirect
Open redirect vulnerability in IBM Tivoli Federated Identity Manager TFIM 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, and 6.2.2 before IF 8 allows remote attackers...
CVE-2013-5431
CVE-2013-5431 describes an open redirect vulnerability in IBM Tivoli Federated Identity Manager (TFIM) and TFIMBG. Affected TFIM versions: 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, 6.2.2 before IF 8; TFIMBG: 6.1.1 before IF 15, 6.2.0 before IF 14, 6.2.1, 6.2.2 before IF 8. The flaw allows a...
Cross site scripting
Cross-site scripting XSS vulnerability in IBM Tivoli Federated Identity Manager TFIM 6.2.0 before 6.2.0.12, 6.2.1 before 6.2.1.5, and 6.2.2 before 6.2.2.4 and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.2.0 before 6.2.0.12 and 6.2.1 before 6.2.1.5 allows remote attackers to inject...
CVE-2012-6359
IBM Tivoli Federated Identity Manager TFIM 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not check whether an OpenID attribute is signed i...
CVE-2012-6359
IBM TFIM and TFIMBG are affected by CVE-2012-6359: versions 6.2.0 before 6.2.0.11, 6.2.1 before 6.2.1.3, and 6.2.2 before 6.2.2.2 do not verify that OpenID attributes are signed in SREG/AX, allowing unsigned attributes to be inserted and potentially spoofed by an attacker. The issue can be exploi...
CVE-2012-3315
CVE-2012-3315 affects the IBM Tivoli Federated Identity Manager (TFIM) and TFIM Business Gateway management consoles. Java servlets allow downloading federation metadata and a web plugin configuration template without authentication, exposing sensitive information. Impact is limited to confidenti...
CVE-2012-3314
IBM Tivoli Federated Identity Manager TFIM and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.1.1, 6.2.0, 6.2.1, and 6.2.2 allow remote attackers to establish sessions via a crafted message that leverages (1) a signature-validation bypass for SAML messages containing unsigned elements,...
CVE-2012-3314
CVE-2012-3314 affects IBM Tivoli Federated Identity Manager (TFIM) and TFIM Business Gateway (TFIMBG) versions 6.1.1, 6.2.0, 6.2.1, and 6.2.2. The IBM advisories describe three related issues that can lead to a crafted message being accepted and a session created, enabling an attacker to imperson...
CVE-2011-1386
IBM Tivoli Federated Identity Manager TFIM and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.1.1, 6.2.0, and 6.2.1 do not properly handle signature validations based on SAML 1.0, 1.1, and 2.0, which allows remote attackers to bypass intended authentication or authorization...
CVE-2011-1386
The CVE concerns IBM Tivoli Federated Identity Manager (TFIM) and TFIMBG versions 6.1.1, 6.2.0, and 6.2.1, where signature validation for SAML 1.0/1.1/2.0 is not performed correctly. This allows remote attackers to bypass authentication or authorization by submitting a non-conforming SAML signatu...
Design/Logic Flaw
The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager TFIM 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit JDK class, which might allow attackers to bypass...
CVE-2011-3136
CVE-2011-3136 affects IBM Tivoli Federated Identity Manager (TFIM) and TFIMBG with versions prior to 6.2.0.9. The description indicates an unspecified vulnerability with unknown impact and attack vectors (APAR IV03048); no concrete root cause, affected component specifics, exploit details, or rem...
CVE-2011-3137
Unspecified vulnerability in the Management Console of IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and TFIM Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 with unknown impact and attack vectors, per APAR IV03050. No exploitation details or remediation provided in the connect...
CVE-2011-3138
The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager TFIM 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway TFIMBG 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit JDK class, which might allow attackers to bypass...