IBM Support

Security Bulletin: Tivoli Key Lifecycle Manager can be affected by multiple vulnerabilities in Tivoli Integrated Portal (CVE-2013-0464, CVE-2012-3325, CVE-2011-4858)

Flashes (Alerts)


Abstract

Multiple vulnerabilities in IBM Tivoli Integrated Portal can affect IBM Tivoli Key Lifecycle Manager

Content

VULNERABILITY DETAILS:


DESCRIPTION:

CVE-2013-0464

The IBM Eclipse Help System (contained within the Tivoli Integrated Portal component provided with Tivoli Key Lifecycle Manager), as used in multiple IBM products, is vulnerable to cross-site scripting. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.

The attack requires some specialized knowledge or techniques and network access, but does not require authentication. An exploit could impact the integrity of data, but the confidentiality of information and the availability of the system are not compromised.


CVEID:
CVE-2013-0464

CVSS Base Score: 4.3
CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/81060 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


AFFECTED PRODUCTS AND VERSIONS:
IBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 on distributed platforms only (does not apply to z/OS platform)


REMEDIATION:

Upgrade to Tivoli Integrated Portal (TIP) 1.1.1.19 by applying Interim fix applicable for respective product release:

  • 1.0.0-ISS-TKLM-IF0006
  • 2.0.0-ISS-TKLM-IF0007
  • 2.0.1-ISS-TKLM-IF0004


  • Contact IBM Technical Support to obtain these fixes

    Workaround(s):
    None

    Mitigation(s):
    None


    CVE-2012-3325

    The WebSphere Application Server (contained within the Tivoli Integrated Portal component of Tivoli Key Lifecycle Manager), could allow a remote authenticated attacker to bypass security restrictions, caused by an error when validating user credentials following application of APAR PM44303. An attacker could exploit this vulnerability to gain unauthorized administrative access to the application and potentially gain access to confidential and critical customer data.

    The attack requires some specialized knowledge or techniques and network access, and requires single authentication. An exploit could impact the integrity of data, the confidentiality of information and the availability of the system.


    CVEID:
    CVE-2012-3325

    CVSS Base Score: 6
    CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/77959 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:P/A:P)


    AFFECTED PRODUCTS AND VERSIONS:
    IBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 on distributed platforms only (does not apply to z/OS platform)


    REMEDIATION:

    Upgrade to Tivoli Integrated Portal (TIP) 1.1.1.19 by applying Interim fix applicable for respective product release:
  • 1.0.0-ISS-TKLM-IF0006
  • 2.0.0-ISS-TKLM-IF0007
  • 2.0.1-ISS-TKLM-IF0004


  • Contact IBM Technical Support to obtain these fixes

    Workaround(s):
    None

    Mitigation(s):
    None



    CVE-2011-4858

    Apache Tomcat (contained within the Tivoli Integrated Portal component of Tivoli Key Lifecycle Manager), is vulnerable to a denial of service, caused by the improper handling of an overly large number of parameter and parameter values. By sending a specially-crafted request, a remote attacker could exploit this vulnerability to consume an overly large amount of CPU resources.

    The attack does not require specialized knowledge or techniques, nor does it require authentication, and network access required. An exploit could impact the availability of the system, but the confidentiality of information and the integrity of data are not compromised.


    CVEID:
    CVE-2011-4858

    CVSS Base Score: 5
    CVSS Temporal Score: See CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/72425 for the current score
    CVSS Environmental Score*: Undefined
    CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)


    AFFECTED PRODUCTS AND VERSIONS:
    IBM Tivoli Key Lifecycle Manager v1, v2 and v2.0.1 on distributed platforms only (does not apply to z/OS platform)


    REMEDIATION:

    Upgrade to Tivoli Integrated Portal (TIP) 1.1.1.19 by applying Interim fix applicable for respective product release:
  • 1.0.0-ISS-TKLM-IF0006
  • 2.0.0-ISS-TKLM-IF0007
  • 2.0.1-ISS-TKLM-IF0004


  • Contact IBM Technical Support to obtain these fixes

    Workaround(s):
    None

    Mitigation(s):
    None


    REFERENCES:
  • On-line Calculator V2
  • CVE-2013-0464
  • CVE-2012-3325
  • CVE-2011-4858
  • IBM Security Alerts
  • https://exchange.xforce.ibmcloud.com/vulnerabilities/81060
  • https://exchange.xforce.ibmcloud.com/vulnerabilities/77959
  • https://exchange.xforce.ibmcloud.com/vulnerabilities/72425



  • RELATED INFORMATION:
    IBM Secure Engineering Web Portal
    IBM Product Security Incident Response Blog


    ACKNOWLEDGEMENT
    None


    *The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the References section of this Flash.


    Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

    [{"Product":{"code":"SSWPVP","label":"IBM Security Key Lifecycle Manager"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"Distributed","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"1.0;2.0;2.0.1","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

    Document Information

    Modified date:
    25 September 2022

    UID

    swg21650482