Security Bulletin: Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway

Flash (Alert)


Abstract

IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities. These vulnerabilities include:
- SQL Injection
- Path Traversal
- Unrestricted File Upload
- Cross-Site Scripting (XSS)
- Insufficient Session-ID Length
- Information Disclosure
- Command Injection
- File Type Manipulation
- Session Hijacking

Content

VULNERABILITY DETAILS

SQL Injection (CVE-2013-0560)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are subject to SQL Injection. An authenticated remote attacker could send specially-crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE ID: CVE-2013-0560
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83012 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0




Path Traversal (CVE-2013-2984)

DESCRIPTION: Path traversal is possible in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could gain access to restricted files.

CVE ID: CVE-2013-2984
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1
IBM Sterling File Gateway 2.2 and 2.1




Unrestricted File Upload (CVE-2013-2982)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway allow files of any type to be uploaded. A successful attacker could take advantage of the flaw to launch other attacks.

CVE ID: CVE-2013-2982
CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1
IBM Sterling File Gateway 2.2 and 2.1




Command Injection (CVE-2013-0476)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to FTP command injection attacks. A remote attacker could inject unauthorized FTP commands which could compromise the server.

CVE ID: CVE-2013-0476
CVSS Base Score: 5.8
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81405 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0




Insufficient Session-ID Length (CVE-2013-0539)


DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by an insufficient Session-ID length vulnerability that exists in a third party component. A shorter session identifier leaves the applications open to brute-force session guessing attacks. An attacker can hijack a user’s session if the user’s session identifier is guessed.

CVE ID: CVE-2013-0539
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/82916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0
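The session-guessing risk described above is a function of identifier length and alphabet: a defender can estimate it from a sample cookie value. The check below is an added example, not IBM's code or the fix shipped in the iFixes; the 64-bit threshold, the sample identifiers and the traffic figures are assumptions used for illustration.

```python
import math
import string

# Assumed threshold (not from the bulletin): treat roughly 64 bits of
# effective entropy as the minimum acceptable for a session identifier.
MIN_ENTROPY_BITS = 64


def alphabet_size(token: str) -> int:
    """Infer the character set the token appears to be drawn from."""
    chars = set(token.rstrip("="))
    if chars <= set(string.digits):
        return 10
    if chars <= set(string.hexdigits):
        return 16
    if chars <= set(string.ascii_letters + string.digits):
        return 62
    if chars <= set(string.ascii_letters + string.digits + "+/-_"):
        return 64  # base64 or base64url
    return 95      # assume printable ASCII


def entropy_bits(token: str) -> float:
    """Upper bound on entropy: each position independently uniform."""
    return len(token.rstrip("=")) * math.log2(alphabet_size(token))


def expected_guesses(bits: float, active_sessions: int) -> float:
    """Expected attempts before any one of the active sessions is hit."""
    return (2.0 ** bits) / (2 * active_sessions)


def assess(token: str, active_sessions: int, requests_per_second: float) -> dict:
    """Summarise how exposed a session id of this shape is to guessing."""
    bits = entropy_bits(token)
    guesses = expected_guesses(bits, active_sessions)
    return {
        "bits": bits,
        "expected_guesses": guesses,
        "expected_seconds": guesses / requests_per_second,
        "sufficient": bits >= MIN_ENTROPY_BITS,
    }


if __name__ == "__main__":
    # Constructed sample values: a short 8-hex-digit id and a 32-hex-digit id.
    for sample in ("1a2b3c4d", "9f86d081884c7d659a2feaa0c55ad015"):
        print(sample, assess(sample, active_sessions=1000, requests_per_second=100))
```

Run against a real cookie value only from your own application; a short identifier with a "sufficient" verdict of False is the condition this bulletin describes.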



Cross-Site Scripting (XSS) (CVE-2013-0455, CVE-2013-0468, CVE-2013-2983, CVE-2013-0559)

DESCRIPTION: A Cross-Site Scripting (XSS) vulnerability is found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to execute a script in a victim's web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

CVE ID: CVE-2013-0455
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0468
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2983
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-0559
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83011 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:N/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0




Information Disclosure (CVE-2013-0558, CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475)

DESCRIPTION: An Information Disclosure vulnerability is found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details to form further attacks.

CVE ID: CVE-2013-0558
CVSS Base Score: 5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-0463
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81017 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2985
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2987
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84009 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-3020
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/84359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0568
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83165 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0475
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 5.0




File Type Manipulation (CVE-2013-0479)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to file type or extension manipulation, which could cause improper handling of the file.

CVE ID: CVE-2013-0479
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/81547 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0




Information Disclosure (CVE-2013-0567)

DESCRIPTION: An Information Disclosure vulnerability is found in various areas of IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details to form further attacks.

CVE ID: CVE-2013-0567
CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/83164 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling File Gateway 2.2 and 2.1




Session Hijacking (CVE-2013-0456)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to session hijacking through cookie path manipulation.

CVE ID: CVE-2013-0456
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/80972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0




REMEDIATION:

Product: IBM Sterling B2B Integrator 5.0 or IBM Sterling File Gateway 2.0
APARs: IC90773, IC92007, IC89294, IC89538, IC89434, IC89385, IC89429, IC86096, IC87672, IC88970, IC87731, IC89293, IC89291, IC88972, IC90483, IC92612, IC91628, IC92259
Remediated Fix: For the APAR fixes listed, apply Fix Pack 5010 available on IWM

Product: IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1
APARs: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediated Fix: For the APAR fixes listed, apply generic iFix 5104_1 available on IWM

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APARs: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediated Fix: For the APAR fixes listed, apply generic iFix 5020401_3 available on Fix Central

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APARs: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediated Fix: For the APAR fixes listed, apply Fix Pack 5020402 available on Fix Central

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APARs: IC95996, IC88973
Remediated Fix: Apply the 5020500 Fix Pack or Media, available on Fix Central and Passport Advantage respectively


To acquire the fix, please log in to IWM.
See the FAQs on downloading an iFix from the IWM site.

To acquire the fix, please log in to IBM Fix Central.
More details and release notes can be found here:
IBM Sterling B2B Integrator 5.2 Information Center

To acquire the fix from Passport Advantage, please log in here.

Workaround(s):
None Known.

Mitigation(s):
None Known.

CHANGE HISTORY:
June 30, 2013: Initial Version
July 30, 2013: Changed affected products section to include Sterling B2B Integrator 5.0 and remediation section to include 5010
Oct 7, 2013: Corrected a few broken links
Dec 2, 2013: Updated Remediation to include the 5020402 Fix Pack as one of the remediated versions
Dec 12, 2014: Updated Remediation to include the 5020500 Fix Pack as one of the remediated versions

ADDITIONAL INFORMATION:

The iFixes listed above for Sterling B2B Integrator and Sterling File Gateway also contain fixes for the following reported vulnerabilities.

Title: Improper validation of user supplied input on select IBM Sterling B2B Integrator screens
CVE ID: CVE-2012-5766
Link: http://www.ibm.com/support/docview.wss?uid=swg21627982

Title: IBM Sterling B2B Integrator's session or sensitive cookies do not have the secure attribute enabled
CVE ID: CVE-2012-5936
Link: http://www.ibm.com/support/docview.wss?uid=swg21627985

Title: Error in IBM Sterling B2B Integrator console processing could result in stack traces being displayed in the response
CVE ID: CVE-2013-0481
Link: http://www.ibm.com/support/docview.wss?uid=swg21627986

Title: A number of security vulnerabilities have been discovered in the OpenSSL libraries included in IBM Sterling B2B Integrator and IBM Sterling File Gateway
CVE ID: Multiple CVEs
Link: http://www.ibm.com/support/docview.wss?uid=swg21640831

REFERENCES:
- Complete CVSS Guide
- On-line Calculator V2
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/83012
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/84006
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/83997
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/80971
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81334
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/83998
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/82916
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/83006
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81017
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/84008
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/84009
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/84359
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/83165
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81403
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81405
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/81547
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/83164
- X-Force Vulnerability Database: http://xforce.iss.net/xforce/xfdb/80972
- CVE-2013-0560
- CVE-2013-2984
- CVE-2013-2982
- CVE-2013-0455
- CVE-2013-0468
- CVE-2013-2983
- CVE-2013-0539
- CVE-2013-0558
- CVE-2013-0463
- CVE-2013-2985
- CVE-2013-2987
- CVE-2013-3020
- CVE-2013-0568
- CVE-2013-0475
- CVE-2013-0476
- CVE-2013-0479
- CVE-2013-0456
- CVE-2013-0567


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Cross reference information
Segment: Commerce
Product: Sterling File Gateway
Platform: AIX, HP-UX, i5/OS, Linux, Windows
Version: 2.2, 2.1


Document information
More support for: Sterling B2B Integrator
Software version: 5.0, 5.1, 5.2
Operating system(s): AIX, All, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS
Software edition: All Editions
Reference #: 1640830
Modified date: 2013-07-01
