Security Bulletin: IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities (CVE-2014-0830, CVE-2014-0831, CVE-2014-0832, CVE-2014-0833)

Security Bulletin


Summary

IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities

Vulnerability Details

CVE ID: CVE-2014-0830

      SUMMARY: FTM 2.0 and 2.1 Table export function exposes a path traversal vulnerability

      DESCRIPTION:
      Search results in the FTM console can be exported as CSV-format text files. As part of this function the server-side code provides access to temporary files on the WAS server. It is possible for a rogue user, once logged in, to use client-side tools to alter the file name to be read. The alteration can also include path traversal outside of the temporary file location. This potentially allows download of unauthorized files from the file system hosting the application server.
      This exposure is limited to authenticated users.

      CVSS Base Score: 4
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90584 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)


      AFFECTED PRODUCTS:
      IBM Financial Transaction Manager: 2.0 & 2.1

      REMEDIATION:
      FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
      FTM 2.1 customers may apply PTF/fixpack 2.1.0.1 or upgrade to FTM 2.1.1


      WORKAROUND(s):
      None


      MITIGATION(s):
      Ensure the application server user account does not have privileges to read files outside of its directories.
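As an added defender-side illustration (not IBM's or FTM's code), the following Python contrasts the trusting path join behind this class of issue with a canonicalising check that keeps an export download inside its temporary directory; the directory layout, file names and the hypothetical export/download functions are assumptions.

```python
import os
import tempfile

# Added illustration (not IBM's code): the console's CSV export download
# resolves a client-supplied file name inside a temporary export directory.
# The vulnerable form trusts the name; the hardened form canonicalises it
# and refuses anything that resolves outside that directory.

def vulnerable_export_path(export_dir: str, requested_name: str) -> str:
    """Pattern behind the advisory: a traversal name like '../x' escapes."""
    return os.path.join(export_dir, requested_name)

def safe_export_path(export_dir: str, requested_name: str) -> str:
    """Return the canonical path of a CSV export, or raise ValueError."""
    # Accept only a bare file name: no NUL bytes, no directory components,
    # and only the .csv extension the export function actually produces.
    if "\x00" in requested_name or os.path.basename(requested_name) != requested_name:
        raise ValueError("file name must not contain path components")
    if not requested_name.lower().endswith(".csv"):
        raise ValueError("only CSV exports may be downloaded")
    base = os.path.realpath(export_dir)
    candidate = os.path.realpath(os.path.join(base, requested_name))
    # realpath() follows symlinks, so a link planted inside the export
    # directory that points elsewhere is rejected here as well.
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("resolved path escapes the export directory")
    return candidate

def demo() -> dict:
    """Run constructed download requests against a throw-away export directory."""
    names = ["search-results.csv", "../../etc/hosts", "notes.txt",
             "sub/other.csv", "report.csv\x00.txt"]
    results = {}
    with tempfile.TemporaryDirectory() as export_dir, \
         tempfile.NamedTemporaryFile() as outside:
        with open(os.path.join(export_dir, "search-results.csv"), "w") as f:
            f.write("id,status\n1,ok\n")  # constructed export content
        try:  # a symlink inside the export dir that points at a file outside it
            os.symlink(outside.name, os.path.join(export_dir, "escape.csv"))
            names.append("escape.csv")
        except OSError:
            pass  # platform without symlink support: case simply skipped
        for name in names:
            try:
                safe_export_path(export_dir, name)
                results[name] = "allowed"
            except ValueError as exc:
                results[name] = "rejected: " + str(exc)
    return results
```

The path check complements, rather than replaces, the mitigation above: even a correct check is only as safe as the privileges the application server account holds.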

CVE ID: CVE-2014-0831
      SUMMARY: FTM 2.0 OAC is not protected from cross-site request forgery vulnerabilities.

      DESCRIPTION:
      A hand-crafted link could be used to trick a user into initiating a function of the FTM OAC. If the user is authorized, the request could cause an edit of configuration data. The user must be logged in. Detailed knowledge of the FTM HTTP request format is required to exploit. Also, in the case of any request to edit configuration data, the request would need knowledge of the data being edited. In the case of an edit, the request would be audited and the edit history would be recorded.

      CVSS Base Score: 3.5
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90585 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


      AFFECTED PRODUCTS:
      IBM Financial Transaction Manager: 2.0

      REMEDIATION:
      FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1


      WORKAROUND(s):
      None


      MITIGATION(s):
      None


CVE ID: CVE-2014-0832
      SUMMARY: FTM 2.0 Configuration details screens are exposed to cross-site scripting vulnerabilities.

      DESCRIPTION:
      It is possible to create and edit configuration data that includes JavaScript in the text values. A subsequent user viewing these records would inadvertently execute the JavaScript in their browser.
      This exposure is limited to authenticated users.
      The creation and/or edit of the data to contain potentially malicious JavaScript is fully audited and traceable back to the user.

      CVSS Base Score: 3.5
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90586 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


      AFFECTED PRODUCTS:
      IBM Financial Transaction Manager: 2.0

      REMEDIATION:
      FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1


      WORKAROUND(s):
      None


      MITIGATION(s):
      Restrict access to these screens to the minimum group of personnel to minimize risk.


CVE ID: CVE-2014-0833
      SUMMARY: FTM 2.0 OAC could accept a request to execute a resolution action where the user is not authorized.

      DESCRIPTION:
      It is possible for an authenticated user to initiate unauthorized process steps for data that is in a state that supports operator intervention. The impact of this depends on the customer process model and the action requested.

      CVSS Base Score: 3.5
      CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90612 for the current score
      CVSS Environmental Score*: Undefined
      CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)



      AFFECTED PRODUCTS:
      IBM Financial Transaction Manager: 2.0

      REMEDIATION:
      FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1


      WORKAROUND(s):
      None


      MITIGATION(s):
      Use of IE8 or Firefox instead of IE6 or IE7 will prevent accidental exposure but does not prevent deliberate exploitation.

RELATED INFORMATION:

https://www-304.ibm.com/jct03001c/security/secure-engineering/process.html

ACKNOWLEDGEMENT:

None

Affected Products and Versions

Financial Transaction Manager v2.0 and v2.1

Remediation/Fixes

CVE ID         Product  VRMF                          APAR   Remediation
CVE-2014-0830  FTM      v2.0.0.0, v2.0.0.1, v2.0.0.2  None   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0830  FTM      v2.1.0.0                      None   Upgrade to v2.1.0.1 or v2.1.1
CVE-2014-0831  FTM      v2.0.0.0, v2.0.0.1, v2.0.0.2  None   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0832  FTM      v2.0.0.0, v2.0.0.1, v2.0.0.2  None   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0833  FTM      v2.0.0.0, v2.0.0.1, v2.0.0.2  None   Upgrade to v2.0.0.3 or v2.1.1

Important note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Related information

Change History

24th January 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document information

More support for: Financial Transaction Manager
Software version: 2.0, 2.1
Operating system(s): AIX, Linux, z/OS
Reference #: 1662714
Modified date: 2014-01-31
