Security Bulletin: Multiple Security Vulnerabilities in Certain GUI Components of IBM Algo Credit Limits.

Summary

Abstract: Multiple security vulnerabilities exist in certain GUI components of IBM Algo Credit Limits, namely ACLM Web GUI, PDS Blotter Web GUI, and ACLM Win GUI. Details of each vulnerability and the affected component(s) are set out below.

Vulnerability Details

DESCRIPTION:
Customers who have IBM Algo Credit Limits are potentially impacted by these vulnerabilities.

CVE-2014-0864
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90938 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Component(s): ACLM Web GUI
The ACLM Web GUI does not verify that requests are made only from within the web application. An attacker could trick users into making an unintentional request to the web application which will be treated as an authorized request. This may allow an attacker to perform tasks on behalf of the victim user, like modifying limits.
The attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data.
CVE-2014-0865
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90939 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Components: ACLM Win GUI
The ACLM Win GUI client performs input validation only client-side. This could allow an attacker to alter arbitrary data, e.g. create a limit. This vulnerability could also be used to circumvent dual control mechanisms by manipulating data after creation.
The attack requires network access, some degree of authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data.
CVE-2014-0866
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90940 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Component(s): ACLM Win GUI, PDS Blotter Web GUI
The ACLM Win GUI client submits user credentials in plain-text. An attacker with access to the network communication could perform man-in-the-middle attacks and obtain user credentials. This vulnerability also applies to the PDS Blotter Web GUI client, where authentication is performed unencrypted.
The attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack may partially compromise the confidentiality of information. It will not compromise the availability of the system or the integrity of data.
CVE-2014-0867
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90941 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Component(s): ACLM Web GUI
A vulnerable page in ACLM Web GUI could allow an attacker to set and overwrite arbitrary cookies for a user that clicks on a manipulated link.
The attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data.
CVE-2014-0868
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90942 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Component(s): ACLM Web GUI
The ACLM Web GUI application performs input validation only client-side. This could allow an attacker to alter arbitrary data. This vulnerability could also be used to circumvent dual control mechanisms by manipulating data after creation.
The attack requires network access, some degree of authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data.
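The two client-side-only validation findings above (CVE-2014-0865 for the Win GUI and CVE-2014-0868 for the Web GUI) share the same fix pattern: the server must re-validate every field itself and must treat any post-creation change as re-entering dual control. The following is an added illustration of that pattern, not IBM's or ACLM's code; the Limit fields, the MAX_LIMIT bound and the user names are constructed for the example.

```python
# Added example (not IBM/ACLM code): server-side re-validation plus a
# dual-control (four-eyes) state machine for credit limits. All names are
# hypothetical; MAX_LIMIT is a constructed bound.
from dataclasses import dataclass
from typing import Optional

MAX_LIMIT = 1_000_000_000


class ValidationError(Exception):
    """Raised when a request fails server-side checks."""


@dataclass
class Limit:
    counterparty: str
    amount: int
    created_by: str
    state: str = "pending"          # pending -> approved
    approved_by: Optional[str] = None


def validate_fields(counterparty, amount) -> None:
    # Re-check everything the GUI was supposed to check; a modified client
    # can send any bytes it likes, so the client's checks count for nothing.
    if not isinstance(counterparty, str) or not counterparty.isalnum() or len(counterparty) > 32:
        raise ValidationError("bad counterparty")
    if isinstance(amount, bool) or not isinstance(amount, int) or not 0 < amount <= MAX_LIMIT:
        raise ValidationError("bad amount")


def create_limit(user: str, counterparty, amount) -> Limit:
    validate_fields(counterparty, amount)
    return Limit(counterparty, amount, created_by=user)


def approve_limit(user: str, limit: Limit) -> Limit:
    # Dual control: the approver must not be the user who created the record.
    if limit.state != "pending":
        raise ValidationError("limit is not awaiting approval")
    if user == limit.created_by:
        raise ValidationError("creator may not approve their own limit")
    limit.state = "approved"
    limit.approved_by = user
    return limit


def modify_limit(user: str, limit: Limit, amount) -> Limit:
    # Any change after creation re-enters dual control: the record returns to
    # pending and the modifier becomes the new creator, so a user cannot get a
    # limit approved and then quietly alter it without a second approver.
    validate_fields(limit.counterparty, amount)
    limit.amount, limit.state, limit.approved_by, limit.created_by = amount, "pending", None, user
    return limit
```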
CVE-2014-0869
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90943 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI, ACLM Win GUI
Insufficient encryption for storing and transferring users’ passwords could allow an attacker to retrieve the plain-text passwords without further knowledge of cryptographic keys.
The attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack may partially compromise the confidentiality of information but will not compromise the availability of the system or the integrity of data.
CVE-2014-0870
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90944 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI
The ACLM Web GUI and the PDS Blotter Web GUI do not correctly neutralize user-controllable input before it is placed in output that is served as a web page. This may be used in a Cross-site scripting attack. Attackers could compromise user sessions and impersonate other users while performing arbitrary actions on behalf of the victim user.
The attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack will not compromise the confidentiality of information or the availability of the system but may compromise the integrity of data.
CVE-2014-0871
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90945 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Affected Component(s): ACLM Web GUI
Tomcat configuration discloses technical details within error messages to the user. This could allow an attacker to collect valuable data about the environment of the solution.
The attack requires network access, no authentication and some degree of specialized knowledge and techniques. An attack may partially compromise the confidentiality of information but will not compromise the availability of the system or the integrity of data.
CVE-2014-0894
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/91313 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Affected Component(s): ACLM Web GUI
The password and the username of the backend database are disclosed in clear-text to the user of the ACLM Web GUI client. This could allow attackers to directly connect to the backend database and manipulate arbitrary data stored in the database.
The attack requires network access, some degree of authentication and specialized knowledge and techniques. An attack may partially compromise the confidentiality of information but will not compromise the availability of the system or the integrity of data.

Affected Products and Versions

IBM Algo Credit Limits versions 4.5.0 - 4.7.0

Remediation/Fixes

A fix has been created for version 4.7.0.03 of the named product. Download and install the fix as soon as practicable. Fix and installation instructions are provided at the URL listed below.

For versions prior to 4.7.0 IBM recommends upgrading to a fixed, supported version/release/platform of the product.


Patch Number: ACLM 4.7.0.03 FP5

Download URLs:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHES-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky of SEC Consult Vulnerability Lab

Change History

23 June 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

ACL
ACLM
RICOS
Algo Credit Limit Manager

Document information

More support for: Algo Credit Limits

Software version: 4.7.0

Operating system(s): AIX, Linux, Solaris, Windows

Reference #: 1675881

Modified date: 26 May 2015