
Security Bulletin: IBM Security Access Manager for Web - NIST setting (CVE-2014-3052)

Summary

A configuration-handling defect in IBM Security Access Manager (ISAM) for Web v8.0 can cause the reverse proxy to establish SSL connections to backend applications that do not comply with NIST SP 800-131A, even when compliance has been configured.

Vulnerability Details

CVE ID :
CVE-2014-3052


DESCRIPTION:
The reverse proxy component of IBM Security Access Manager for Web can be configured to require compliance with NIST 800-131A standards when creating an SSL connection to a protected backend application. This is controlled by the "jct-nist-compliance" configuration parameter in the [junction] stanza of the reverse proxy configuration file. An error in the configuration code causes the reverse proxy to incorrectly reverse the setting of this configuration parameter. If the parameter is set to "yes", the reverse proxy interprets it as "no". As a consequence, the SSL connection will not enforce compliance with NIST800 131A standards and could be using encryption settings that are weaker than required.

This vulnerability is not complex to exploit. It can be exploited from the adjacent network (the network segment between the reverse proxy and the backend application) and authentication is not required. An exploit can partially affect the confidentiality of the system, but not its integrity or availability.

CVSS:
CVSS Base Score: 3.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/93454
Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Security Access Manager for Web version 8.0, firmware versions 8.0.0.2 and 8.0.0.3.

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.

Fix: 8.0.0.3-ISS-WGA-IF0003
Build: 80033
APAR: IV61553
Download URL: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.0.1&platform=All&function=all

Workarounds and Mitigations

Because the defect inverts the value of the parameter on unpatched 8.0.0.2 and 8.0.0.3 firmware, a customer who wants the reverse proxy to make a NIST SP 800-131A-compliant SSL connection to a protected backend application must set "jct-nist-compliance" to "no" in the [junction] stanza of the reverse proxy configuration file. Once the fix is installed the parameter is read correctly again, so the workaround must be reverted and the parameter set back to "yes"; leaving it at "no" on patched firmware disables compliance enforcement.
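The following script is an added example, not code from IBM or from the ISAM product, that shows how to audit a reverse proxy configuration for this defect. It reads the "jct-nist-compliance" value from the [junction] stanza, decides from the firmware version and installed interim fixes whether the inversion applies, and reports the effective behaviour together with the action the bulletin calls for. The configuration text is constructed for the example; the affected firmware versions and the fix name are taken from the bulletin, while the INI-style file layout, the absence of a default when the key is missing, and the version-comparison logic are assumptions of this example.

```python
# Added example (not IBM's code): audit an ISAM reverse proxy configuration for
# the CVE-2014-3052 inversion of jct-nist-compliance.
import configparser

# From the bulletin: firmware versions with the defect and the interim fix that resolves it.
AFFECTED_FIRMWARE = {"8.0.0.2", "8.0.0.3"}
FIXING_IFIX = "8.0.0.3-ISS-WGA-IF0003"

# Constructed sample configuration (assumption: ISAM config files are INI-like,
# with [stanza] headers and "key = value" lines).
SAMPLE_CONFIG = """\
[junction]
jct-nist-compliance = yes
"""


def parse_stanza_config(text):
    """Parse an INI-style reverse proxy configuration into a ConfigParser."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    return cp


def is_affected(firmware, installed_ifixes=()):
    """True when the firmware has the defect and the fixing interim fix is absent."""
    return firmware in AFFECTED_FIRMWARE and FIXING_IFIX not in installed_ifixes


def effective_nist_compliance(configured, affected):
    """Compute what the reverse proxy actually enforces.

    On affected firmware the defect reads the parameter inverted, so the
    effective setting is the opposite of what the administrator configured.
    """
    wanted = configured.strip().lower() == "yes"
    return (not wanted) if affected else wanted


def audit(config_text, firmware, installed_ifixes=()):
    """Return the configured value, whether the defect applies, the effective
    enforcement state and a recommendation (assumption: no default is inferred
    when the key is missing; the administrator should set it explicitly)."""
    cp = parse_stanza_config(config_text)
    configured = cp.get("junction", "jct-nist-compliance", fallback=None)
    affected = is_affected(firmware, installed_ifixes)
    result = {"configured": configured, "affected": affected}

    if configured is None:
        result["effective"] = None
        result["recommendation"] = "set jct-nist-compliance explicitly in [junction]"
        return result

    effective = effective_nist_compliance(configured, affected)
    result["effective"] = effective
    if affected and not effective:
        # "yes" on unpatched firmware is read as "no": apply the bulletin workaround.
        result["recommendation"] = ("unpatched firmware reads 'yes' as 'no': set "
                                    "jct-nist-compliance = no until " + FIXING_IFIX + " is installed")
    elif affected and effective:
        # Workaround is in place; it must be reverted once the fix is applied.
        result["recommendation"] = ("workaround in place; after installing " + FIXING_IFIX +
                                    " set jct-nist-compliance = yes")
    elif effective:
        result["recommendation"] = "ok"
    else:
        result["recommendation"] = "set jct-nist-compliance = yes"
    return result


if __name__ == "__main__":
    for firmware, ifixes in (("8.0.0.3", ()), ("8.0.0.3", (FIXING_IFIX,))):
        print(firmware, ifixes, audit(SAMPLE_CONFIG, firmware, ifixes))
```

Run the script against a copy of the reverse proxy configuration file and the firmware level reported by the appliance; the "effective" field is what matters, and the "recommendation" field tells you whether to apply the workaround, revert it, or do nothing.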


References


*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date:
16 June 2018

UID

swg21676705