
Security Bulletin: IBM Service Delivery Manager security exposure after installing PM44303 for WebSphere Application Server (CVE-2012-3325)


Flash (Alert)


Abstract

For selected versions of IBM WebSphere Application Server, there is a potential security exposure after installing an Interim Fix for PM44303 or a Fix Pack containing PM44303. If you upgraded IBM WebSphere Application Server from the original version provided with IBM Service Delivery Manager you may be affected by the issue.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2012-3325 (PM71296)

DESCRIPTION:
If you have installed an Interim Fix for PM44303, or a Fix Pack containing PM44303, an authenticated attacker could bypass security restrictions because of an error in validating user credentials. This could allow a user to gain unauthorized administrative access to an application and potentially to confidential and critical customer data.

CVSS:
CVSS Base Score: 6.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77959 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:M/Au:S/C:P/I:P/A:P)
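Recomputing the base score from the published vector with the CVSS v2.0 equations, as an added check that is not part of the IBM bulletin (the metric weights are those of the CVSS v2 guide listed in the references):

```python
"""Recompute a CVSS v2.0 base score from a vector string such as the bulletin's.

Added example, not from the IBM bulletin. Equations and weights follow the
CVSS v2.0 guide; the only page-specific input is the published vector string.
"""
import math

# CVSS v2.0 base-metric weights (from the CVSS v2 guide).
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def parse_vector(vector: str) -> dict:
    """Parse '(AV:N/AC:M/Au:S/C:P/I:P/A:P)' into {metric: value}; reject malformed input."""
    parts = vector.strip().strip("()").split("/")
    metrics = dict(part.split(":", 1) for part in parts)
    if set(metrics) != set(_WEIGHTS):
        raise ValueError(f"expected exactly the six base metrics, got {sorted(metrics)}")
    for name, value in metrics.items():
        if value not in _WEIGHTS[name]:
            raise ValueError(f"unknown value {value!r} for metric {name}")
    return metrics


def _round1(x: float) -> float:
    """CVSS v2 'round to one decimal' (half up, unlike Python's banker's rounding)."""
    return math.floor(x * 10 + 0.5) / 10


def base_score(vector: str) -> float:
    """Base = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    w = {k: _WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176  # no impact at all scores 0.0
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


BULLETIN_VECTOR = "(AV:N/AC:M/Au:S/C:P/I:P/A:P)"  # vector as published in the bulletin

if __name__ == "__main__":
    print(base_score(BULLETIN_VECTOR))  # 6.0, matching the bulletin's base score
```

The Au:S component is what ties the 6.0 to the "authenticated attacker" wording in the description; with Au:N the same vector would score higher.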


AFFECTED VERSIONS
IBM WebSphere Application Server is a part of the TivSAM image of IBM Service Delivery Manager. The versions of IBM WebSphere Application Server which have been shipped with IBM Service Delivery Manager releases are not affected by the issue.
Your IBM Service Delivery Manager installation is affected only if you have upgraded IBM WebSphere Application Server to version 6.1.0.43. For more details, see reference [1].

REMEDIATION:
Apply IBM WebSphere Application Server Fix pack 45 (6.1.0.45) or later.

Workaround(s): None

Mitigation(s): None

REFERENCES:

[1] IBM WebSphere Application Server flash https://www-304.ibm.com/support/docview.wss?uid=swg21609067
[2] CVSS Guide http://www.first.org/cvss/cvss-guide.html
[3] CVSS calculator http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2



Document information

IBM Service Delivery Manager

Software version: 7.2.1, 7.2.2, 7.2.4

Operating system(s): AIX, Linux SUSE - xSeries

Reference #: 1621420

Modified date: 2013-01-10
