Security Bulletin: Tivoli Federated Identity Manager Business Gateway - Unprotected Management Console Servlets (CVE-2012-3315)
The management console used to administer Tivoli Federated Identity Manager Business Gateway contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIMBG.
CVE ID: CVE-2012-3315
The Tivoli Federated Identity Manager Business Gateway (TFIMBG) management console contains Java servlets which allow downloading of certain resources from within TFIMBG. Two such resources are federation metadata and a web plugin configuration template. Authentication should be required by the TFIMBG management console in order to access to these resources, but it is not.
In order to access these resources, an attacker must have network access to the Federated Identity Manager Business Gateway's management console interface and know the Federated Identity Manager Business Gateway's domain name and the URLs for the servlets they wish to access. In the case of accessing federation metadata, an attacker must also know the unique identifier (uuid) of a federation. An attacker could then build up the appropriate URL parameters and make a request without an authenticated session to retrieve the resource.
The attack does not require local network access nor does it require authentication, but specialized knowledge and techniques are required. An exploit will not impact accessibility of system resources or the integrity of information, but the confidentiality of some of the data used by TFIMBG could be compromised.
CVSS Base Score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
All versions of Tivoli Federated Identity Manager Business Gateway before 6.2.2 are affected , including those no longer supported.
Tivoli Federated Identity Manager Business Gateway versions 6.1.1, 6.2.0, 6.2.1
Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.
For versions of Tivoli Federated Identity Manager Business Gateway that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.
Complete CVSS Guide
IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
More support for:
Tivoli Federated Identity Manager Business Gateway
Software version: 6.1.1, 6.2, 6.2.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 1615772
Modified date: 05 November 2012