Security Bulletin: Vulnerabilities found in IBM Sterling B2B Integrator and IBM Sterling File Gateway (CVE-2013-4002, CVE-2013-5409, CVE-2013-5405, CVE-2013-5406, CVE-2013-5407, CVE-2013-5411, CVE-2013-5413)

Flash (Alert)


Abstract

IBM Sterling B2B Integrator 5.2 and IBM Sterling File Gateway 2.2 are affected by multiple security vulnerabilities. These vulnerabilities include:
- Denial of Service
- SQL Injection
- Cross-Site Scripting
- Windows MHTML Cross-Site Scripting
- Frame Injection
- Link Injection
- Session Not Invalidated

Content


VULNERABILITY DETAILS:

CVEID: CVE-2013-4002

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to a Denial of Service attack, triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resource for several minutes before the data is eventually rejected.

CVSS Base Score: 7.1
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/85260 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:C)

CVEID: CVE-2013-5409

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to SQL Injection. An authenticated remote attacker could send specially-crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVSS Base Score: 6.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87358 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

CVEID: CVE-2013-5405

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Cross-Site Scripting attacks. The remote attacker could exploit this vulnerability by inserting malicious code in various parameters which could lead to unauthorized access through the injected code.

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87354 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5406

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Windows MHTML Cross-Site Scripting attacks. A remote attacker could exploit this vulnerability by inserting malicious code in request parameters, which could lead to unauthorized access through the injected code.

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87355 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5407

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Frame Injection. A remote attacker can initiate a phishing through frames attack by inserting a malicious frame that may be used to gain unauthorized access or collect sensitive information.

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87356 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5411

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to Link Injection. A remote attacker can embed links (URL) to an external site or to different pages. The links can appear to be valid application links while causing the user to navigate to unintended sites or execute unintended actions within the application.

CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87360 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-5413

DESCRIPTION: Logging out of the IBM Sterling B2B Integrator and IBM Sterling File Gateway applications does not invalidate current session values. This could lead to other users employing those identifiers to impersonate that user and perform actions on their behalf.

CVSS Base Score: 1.9
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/87362 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:N/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2
IBM Sterling File Gateway 2.2
IBM Sterling B2B Integrator 5.1
IBM Sterling File Gateway 2.1

REMEDIATION:
For IBM Sterling B2B Integrator 5.2 and IBM Sterling File Gateway 2.2:

    Apply Fix Pack 5020402 or later
    APAR IC96053, IC96055, IC96057, IC96049, IC96059, IC96051, IC98015

    To acquire the fix please login to IBM Fix Central.
    More details and release notes can be found here: IBM Sterling B2B Integrator 5.2 Information Center

For IBM Sterling B2B Integrator 5.1 and IBM Sterling File Gateway 2.1:

Workaround(s) & Mitigation(s):
None Known.

CHANGE HISTORY:
Dec 4. 2013: Initial Version.
Jan 7, 2014: Few typo corrections.
Jan 24, 2014: Updated Remediation section with 5104_2 APARs

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIN, DINCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

REFERENCES:
-Complete CVSS Guide
- On-line Calculator V2

Rate this page:

(0 users)Average rating

Document information


More support for:

Sterling B2B Integrator

Software version:

5.1, 5.2.4.2

Operating system(s):

AIX, All, HP-UX, IBM i, Linux, Solaris, Windows, i5/OS

Software edition:

All Editions

Reference #:

1657539

Modified date:

2014-01-24

Translate my page

Machine Translation

Content navigation