Flashes (Alerts)
Abstract
IBM Sterling B2B Integrator 5.2 and IBM Sterling File Gateway 2.2 are affected by multiple security vulnerabilities. These vulnerabilities include:
- Denial of Service
- SQL Injection
- Cross-Site Scripting
- Windows MHTML Cross-Site Scripting
- Frame Injection
- Link Injection
- Session Not Invalidated
Content
VULNERABILITY DETAILS:
CVEID: CVE-2013-4002
DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to a Denial of Service attack, triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resource for several minutes before the data is eventually rejected.
CVSS Base Score: 7.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CVEID: CVE-2013-5409
DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to SQL Injection. An authenticated remote attacker could send specially-crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVEID: CVE-2013-5405
DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Cross-Site Scripting attacks. The remote attacker could exploit this vulnerability by inserting malicious code in various parameters which could lead to unauthorized access through the injected code.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-5406
DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Windows MHTML Cross-Site Scripting attacks. A remote attacker could exploit this vulnerability by inserting malicious code in request parameters, which could lead to unauthorized access through the injected code.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87355 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-5407
DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Frame Injection. A remote attacker can initiate a phishing through frames attack by inserting a malicious frame that may be used to gain unauthorized access or collect sensitive information.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-5411
DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Link Injection. A remote attacker can embed links (URL) to an external site or to different pages. The links can appear to be valid application links while causing the user to navigate to unintended sites or execute unintended actions within the application.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-5413
DESCRIPTION: Logging out of the IBM Sterling B2B Integrator and IBM Sterling File Gateway applications does not invalidate current session values. This could lead to other users employing those identifiers to impersonate that user and perform actions on their behalf.
CVSS Base Score: 1.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87362 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2
IBM Sterling File Gateway 2.2
IBM Sterling B2B Integrator 5.1
IBM Sterling File Gateway 2.1
REMEDIATION:
For IBM Sterling B2B Integrator 5.2 and IBM Sterling File Gateway 2.2:
Apply Fix Pack 5020402 or later
APAR IC96053, IC96055, IC96057, IC96049, IC96059, IC96051, IC98015
To acquire the fix please login to IBM Fix Central.
More details and release notes can be found here: IBM Sterling B2B Integrator 5.2 Information Center
For IBM Sterling B2B Integrator 5.1 and IBM Sterling File Gateway 2.1:
Apply Generic Interim Fix 5104_2
APAR IC96053, IC96049, IC96051, IC98794
To acquire the fix please login to IWM
For FAQs on downloading an iFix from the IWM site, see the following documentation:
https://www14.software.ibm.com/iwm/web/download_en_US.shtml
Workaround(s) & Mitigation(s):
None Known.
CHANGE HISTORY:
Dec 4. 2013: Initial Version.
Jan 7, 2014: Few typo corrections.
Jan 24, 2014: Updated Remediation section with 5104_2 APARs
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIN, DINCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
REFERENCES:
-Complete CVSS Guide
- On-line Calculator V2
Was this topic helpful?
Document Information
Modified date:
25 September 2022
UID
swg21657539