Security Bulletin: Multiple vulnerabilities in Product IBM Application Manager For Smart Business 1.2.1 (CVE-2013-0548, CVE-2013-0551, CVE-2013-0576, CVE-2013-2960, CVE-2013-2961, CVE-2012-2190, CVE-2012-2191, CVE-2012-2203)

Flash (Alert)
Abstract

Several vulnerabilities have been resolved in the Basic Services component of IBM Tivoli Monitoring. These vulnerabilities could have potentially caused a denial of service or Cross Site Scripting (XSS) exposure.

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2013-0548

DESCRIPTION: Security scan reported several Cross Site Scripting (XSS) vulnerabilities.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0551

DESCRIPTION: Specially crafted URLs could result in an abend for an IBM Tivoli Monitoring process.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82768 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE ID: CVE-2013-0576

DESCRIPTION: Cross site scripting (XSS) vulnerability using the Tivoli Enterprise Portal browser client.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83328 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE ID: CVE-2013-2960

DESCRIPTION: The HTTP processing of specialized URLs could result in a buffer overrun resulting in a segmentation fault in KDSMAIN.

CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:C)

CVE ID: CVE-2013-2961

DESCRIPTION: Client security scanners reported potential issues with the Tivoli Monitoring internal web server with certain HTTP requests.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2190

DESCRIPTION: A vulnerability which allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)
CVE ID: CVE-2012-2191

DESCRIPTION: A vulnerability in which data is not properly validated during execution of a protection mechanism against the Vaudenay SSL CBC timing attack.

CVSS:
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2203

DESCRIPTION: A vulnerability regarding the use of the PKCS #12 file format for certificate objects without enforcing file integrity.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:P/I:P/A:N)
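The base scores above are produced by the CVSS v2 base equation from the vector strings next to them. The following is an added example, not IBM's code, that recomputes the score from a vector and checks the pairs quoted in this bulletin; the table of vectors and stated scores is copied from the entries above.

```python
# CVSS v2 base-metric weights from the CVSS v2 guide (base equation).
_WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "AU": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def parse_cvss2_vector(vector):
    """Parse '(AV:N/AC:M/AU:N/C:N/I:P/A:N)' into {metric: letter}."""
    # The bulletin writes 'AU' where the spec writes 'Au'; keys are upper-cased.
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        key, _, value = part.partition(":")
        key, value = key.strip().upper(), value.strip().upper()
        if value not in _WEIGHTS.get(key, {}):
            raise ValueError(f"bad CVSS v2 metric: {part!r}")
        metrics[key] = value
    if set(metrics) != set(_WEIGHTS):  # all six base metrics are mandatory
        raise ValueError(f"missing metrics: {sorted(set(_WEIGHTS) - set(metrics))}")
    return metrics

def _round1(x):
    # CVSS rounds half up to one decimal; Python's round() is half-to-even.
    return int(x * 10 + 0.5) / 10

def cvss2_base_score(vector):
    """Return the CVSS v2 base score for a vector string."""
    w = {k: _WEIGHTS[k][v] for k, v in parse_cvss2_vector(vector).items()}
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["AU"]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)

# Vectors and stated base scores copied from this bulletin, one per distinct vector.
BULLETIN_SCORES = [
    ("(AV:N/AC:M/AU:N/C:N/I:P/A:N)", 4.3),  # CVE-2013-0548, CVE-2013-0576, CVE-2013-2961
    ("(AV:N/AC:L/AU:N/C:N/I:N/A:P)", 5.0),  # CVE-2013-0551, CVE-2012-2190, CVE-2012-2191
    ("(AV:N/AC:L/AU:N/C:N/I:N/A:C)", 7.8),  # CVE-2013-2960
    ("(AV:N/AC:M/AU:N/C:P/I:P/A:N)", 5.8),  # CVE-2012-2203
]

def check_bulletin_scores(entries=BULLETIN_SCORES):
    """Return (vector, stated, computed) for every entry whose score disagrees."""
    return [(v, s, cvss2_base_score(v)) for v, s in entries if cvss2_base_score(v) != s]
```

An empty result from `check_bulletin_scores()` means every stated score matches its vector, which is the case for the entries in this bulletin.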

CVE ID: All Java vulnerabilities listed in http://www-01.ibm.com/support/docview.wss?uid=swg21616490

AFFECTED PRODUCTS:

IBM Application Manager For Smart Business 1.2.1 (formerly known as Tivoli Foundations Application Manager 1.2) with an ITM base at the 6.2.2 FP7 or 6.2.2 FP2 level.

REMEDIATION:

Apply the fix pack 1.2.1.0-TIV-IAMSB-FP0004.tar.gz to IBM Application Manager For Smart Business 1.2.1.

Vendor Fix(es):

Fix*                       VRMF   TDS Remote Code Vulnerability APAR   Download
1.2.1.0-TIV-IAMSB-FP0004   N/A    N/A                                  Fix Central

Workaround(s):

None known; apply the fixes.

Mitigation(s):

None known

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-2960
· CVE-2013-2961
· CVE-2013-0548
· CVE-2013-0551
· CVE-2013-0576
· CVE-2012-2190
· CVE-2012-2191

X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/83724
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/83725
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82767
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/82768
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/77280
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/75996
X-Force Vulnerability Database http://xforce.iss.net/xforce/xfdb/75994
Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21622585
Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21634920
Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21616490

RELATED INFORMATION:

IBM Secure Engineering Web Portal

ACKNOWLEDGEMENT

The vulnerabilities described in CVE-2013-0548 and CVE-2013-0551 were discovered by Ewerson Guimarães of DCLABs Security Team (DCA-2013-0001 and DCA-2013-0002).

Document information

More support for: IBM Application Manager for Smart Business
Software version: Version Independent
Operating system(s): Platform Independent
Software edition: All Editions
Reference #: 1640752
Modified date: 2014-07-17