There is a possible security exposure when using WS-Security resulting in a user gaining elevated privileges. This impacts applications using either JAX-WS or JAX-RPC.
CVE ID: CVE-2011-1377
WebSphere Application Server could provide weaker than expected security when using web services security (WS-Security). A user could randomly gain elevated privileges on the provider system. This impacts applications using either JAX-WS or JAX-RPC.
CVSS Base Score: 2.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/71319 for the current score
CVSS Environmental Score*: Undefined
CVSS String: (AV:N/AC:H/Au:S/C:N/I:P/A:N)
AFFECTED PRODUCTS AND VERSIONS:
Tivoli Storage Productivity Center 5.1.0
Note: Tivoli Storage Productivity Center 4.2.2 and earlier versions are not affected.
Upgrade to Tivoli Storage Productivity Center 5.1.1 or later.
| Affected TPC Version | APAR | Fixed TPC Version | Availability |
|---|---|---|---|
| 5.1.0 | PM45181, PM43585 | 5.1.1 | |

Apply Interim Fix APAR PM45181 and Interim Fix APAR PM43585.
Customers that do not want to upgrade at this time can apply Interim Fixes to the WebSphere Application Server 220.127.116.11 instance installed for Tivoli Integrated Portal with Tivoli Storage Productivity Center 5.1.0.
- Ensure you have a backup of the system prior to applying any fixes
- Do not attempt to apply any WebSphere Application Server fix packs outside of the Tivoli Storage Productivity Center upgrade process.
- Additional WebSphere Application Server instances within Tivoli Storage Productivity Center are not affected and do not need to be updated.
REFERENCES:
- Complete CVSS Guide
- On-line Calculator V2
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/71319
- WebSphere Application Server Flash for CVE-2011-1377
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
| Storage Management | Tivoli Storage Productivity Center Advanced | AIX, Linux, Windows | 5.1 |