IBM Support

Potential Security Exposure: IBM WebSphere Commerce using Tivoli Directory Server

Technote (troubleshooting)


There is a potential security exposure in Tivoli Directory Server (TDS) that could affect WebSphere Commerce users.

A malicious LDAP request might cause a buffer overrun in the server, potentially allowing a remote attacker to execute arbitrary code within Tivoli Directory Server's server process. Authentication is
not required to exploit this vulnerability. The vulnerability could affect WebSphere Commerce V6.0 or V7.0 environments using TDS V5.x and V6.x for LDAP.

Resolving the problem

WebSphere Commerce environments using Tivoli Directory Server V5.x or V6.x for LDAP might be vulnerable.

The following versions are at risk:

WebSphere Commerce V6.0 which supports the use of TDS V5.1, V5.2, V6.0, and V6.1.

WebSphere Commerce V7.0 which supports the use of TDS V6.0, V6.1, and V6.2.

For full details on the problem and the available solutions, see the following Tivoli Directory Server document:

Security Vulnerability - CVE-2011-1206 - TDS Remote Code Execution

Related information

Security Vulnerability - CVE-2011-1206

Document information

More support for: WebSphere Commerce Enterprise

Software version: 6.0, 7.0

Operating system(s): AIX, IBM i, Linux, Solaris, Windows

Software edition: All Editions

Reference #: 1496972

Modified date: 18 February 2015

Translate this page: