Security Bulletin: Tivoli Federated Identity Manager - Unprotected Management Console Servlets (CVE-2012-3315)
The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM.
CVE ID: CVE-2012-3315
The Tivoli Federated Identity Manager (TFIM) management console contains Java servlets which allow downloading of certain resources from within TFIM. Two such resources are federation metadata and a web plugin configuration template. The TFIM management console should require authentication in order to access these resources, but it does not.
In order to access these resources, an attacker must have network access to the Federated Identity Manager's management console interface and know the Federated Identity Manager's domain name and the URLs for the servlets they wish to access. In the case of accessing federation metadata, an attacker must also know the unique identifier (uuid) of a federation. An attacker could then build up the appropriate URL parameters and make a request without an authenticated session to retrieve the resource.
The attack does not require local network access nor does it require authentication, but specialized knowledge and techniques are required. An exploit will not impact accessibility of system resources or the integrity of information, but the confidentiality of some of the data used by TFIM could be compromised.
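The root cause described above is a deployment descriptor in which some servlet mappings fall outside every `<security-constraint>`. The following script is an added example, not IBM's code or TFIM's actual `web.xml`: it parses a constructed descriptor (the servlet names and URL patterns such as `/download/metadata` are placeholders invented for the example) and reports each servlet mapping that no authenticating constraint fully covers. It generalises slightly beyond this bulletin's case by also flagging two common near-misses: a constraint that lacks an `<auth-constraint>` (which requires no login at all) and a constraint that lists `<http-method>` elements (which guards only the listed verbs).

```python
"""Audit a Java EE web.xml for servlet mappings not covered by an authenticating
<security-constraint>. Example code for the TFIM bulletin; the descriptor below
is constructed for illustration and its servlet names/paths are placeholders."""
import xml.etree.ElementTree as ET

# Constructed sample: two of three servlets are exposed in different ways.
VULNERABLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <servlet-mapping><servlet-name>ConsoleAdmin</servlet-name><url-pattern>/console/*</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>MetadataDownload</servlet-name><url-pattern>/download/metadata</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>ReportExport</servlet-name><url-pattern>/export/report</url-pattern></servlet-mapping>
  <security-constraint>
    <web-resource-collection><web-resource-name>console</web-resource-name><url-pattern>/console/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection><web-resource-name>export</web-resource-name><url-pattern>/export/*</url-pattern><http-method>GET</http-method></web-resource-collection>
    <auth-constraint><role-name>administrator</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Corrected descriptor: the download servlet is brought under the constraint and the
# per-method restriction is dropped so every verb requires the administrator role.
FIXED_WEB_XML = (VULNERABLE_WEB_XML
                 .replace("<http-method>GET</http-method>", "")
                 .replace("<url-pattern>/export/*</url-pattern>",
                          "<url-pattern>/export/*</url-pattern><url-pattern>/download/*</url-pattern>"))


def _local(tag):
    """Strip the XML namespace from a tag ('{ns}foo' -> 'foo')."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    return [c.text.strip() for c in _children(elem, name) if c.text]


def _covers(constraint_pattern, servlet_pattern):
    """Servlet-spec style matching: exact, '/*', path prefix '/p/*', or extension '*.ext'."""
    if constraint_pattern == servlet_pattern or constraint_pattern == "/*":
        return True
    if constraint_pattern.endswith("/*"):
        return servlet_pattern.startswith(constraint_pattern[:-1])  # '/download/*' -> '/download/'
    if constraint_pattern.startswith("*."):
        return servlet_pattern.endswith(constraint_pattern[1:])
    return False


def find_unprotected_servlets(web_xml):
    """Return {'<servlet-name> <url-pattern>': 'unprotected' | 'partial'} for every
    servlet mapping that is not guarded, for all HTTP methods, by a constraint
    carrying an <auth-constraint>. Fully protected mappings are omitted."""
    root = ET.fromstring(web_xml)
    constraints = []  # (url-pattern, has auth-constraint, listed http-methods)
    for sc in _children(root, "security-constraint"):
        has_auth = bool(_children(sc, "auth-constraint"))
        for wrc in _children(sc, "web-resource-collection"):
            methods = _text(wrc, "http-method")
            for pat in _text(wrc, "url-pattern"):
                constraints.append((pat, has_auth, methods))

    findings = {}
    for sm in _children(root, "servlet-mapping"):
        name = _text(sm, "servlet-name")[0]
        for pat in _text(sm, "url-pattern"):
            status = "unprotected"
            for cpat, has_auth, methods in constraints:
                if not _covers(cpat, pat) or not has_auth:
                    continue  # no match, or a constraint that never asks for login
                if methods:
                    status = "partial"  # only the listed verbs are authenticated
                    continue
                status = "protected"
                break
            if status != "protected":
                findings[f"{name} {pat}"] = status
    return findings


if __name__ == "__main__":
    print("before:", find_unprotected_servlets(VULNERABLE_WEB_XML))
    print("after: ", find_unprotected_servlets(FIXED_WEB_XML))
```

Run against a real descriptor, the output is the list of servlet mappings a reviewer should either bring under an authenticating constraint or consciously accept as public. The matching rules are the simplified servlet-specification ones (exact, `/*`, path prefix, extension); container-specific extensions and programmatic security (`@ServletSecurity`, filters) are not inspected, so an empty result is a necessary check, not proof that nothing is exposed.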
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
All versions of TFIM before 6.2.2 are affected, including those no longer supported.
Affected versions: TFIM 6.1.1, 6.2.0, 6.2.1
Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.
For versions of TFIM that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.
Complete CVSS Guide
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Tivoli Federated Identity Manager
Software version: 6.1.1, 6.2, 6.2.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 1615770
Modified date: 04 January 2013