Security Bulletin: Tivoli Storage Productivity Center 5.1.0 clients affected by vulnerabilities in WebSphere Application Server (CVE-2011-1377)

Flash (Alert)


Abstract

There is a possible security exposure when using WS-Security that could result in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2011-1377

DESCRIPTION:
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system. This impacts applications using either JAX-WS or JAX-RPC.

CVSS:
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)


AFFECTED PRODUCTS AND VERSIONS:
Tivoli Storage Productivity Center 5.1.0

Note: Tivoli Storage Productivity Center 4.2.2 and earlier versions are not affected.

REMEDIATION:
Upgrade to Tivoli Storage Productivity Center 5.1.1 or later.
https://www-304.ibm.com/support/docview.wss?uid=swg21320822

Affected TPC Version    APAR       Fixed TPC Version    Availability
5.1.0                   IC91889    5.1.1                December 2012

-OR-
Apply Interim Fix APAR PM45181 and Interim Fix APAR PM43585.

Customers that do not want to upgrade at this time can apply Interim Fixes to the WebSphere Application Server 7.0.0.15 instance installed for Tivoli Integrated Portal with Tivoli Storage Productivity Center 5.1.0.

Notes:
  • Ensure you have a backup of the system prior to applying any fixes.
  • Do not attempt to apply any WebSphere Application Server fix packs outside of the Tivoli Storage Productivity Center upgrade process.
  • Additional WebSphere Application Server instances within Tivoli Storage Productivity Center are not affected and do not need to be updated.

Workaround(s):
None

Mitigation(s):
None


REFERENCES:
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note:
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment Product Component Platform Version Edition
Storage Management Tivoli Storage Productivity Center Advanced AIX, Linux, Windows 5.1

Document information


More support for:

Tivoli Storage Productivity Center

Software version:

5.1

Operating system(s):

AIX, Linux, Windows

Reference #:

1635958

Modified date:

2013-04-30
