
Security Bulletin: Multiple Vulnerabilities fixed in IBM Security Directory Server

Summary

Multiple Security Vulnerabilities fixed in the IBM Tivoli/Security Directory Server product.

Vulnerability Details

CVEID: CVE-2015-1978
DESCRIPTION: IBM Security Directory Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103697 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2015-1972
DESCRIPTION: IBM Security Directory Server could reveal sensitive information in error logs. A remote attacker with internal knowledge of the server could issue a specially crafted POST command to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103648 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1959
DESCRIPTION: IBM Security Directory Server could allow a local user to upload and download potentially sensitive encrypted files.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103502 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1974
DESCRIPTION: IBM Security Directory Server could allow an authenticated user to execute commands that they should not have access to through the web administration tool.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103693 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)

CVEID: CVE-2015-2019
DESCRIPTION: IBM Security Directory Server allows some SSL pages to be cacheable which could allow a local attacker to obtain sensitive information.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2015-1975
DESCRIPTION: IBM Security Directory Server could allow an authenticated user to inject arguments into the web administration tool that would be executed by the user running the tool.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103694 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)

Affected Products and Versions

IBM Tivoli Directory Server 6.0, 6.1, 6.2, 6.3

IBM Security Directory Server 6.3.1, 6.4

Remediation/Fixes

Affected Product and Version: Fix Availability
IBM Tivoli Directory Server 6.0: IBM Tivoli Directory Server 6.0 iFix 75
IBM Tivoli Directory Server 6.1: IBM Tivoli Directory Server 6.1 iFix 68
IBM Tivoli Directory Server 6.2: IBM Tivoli Directory Server 6.2 iFix 44
IBM Tivoli Directory Server 6.3: IBM Tivoli Directory Server 6.3 iFix 37
IBM Security Directory Server 6.3.1: IBM Security Directory Server 6.3.1 iFix 11
IBM Security Directory Server 6.4: IBM Security Directory Server 6.4 iFix 2

References

Complete CVSS v2 Guide
On-line Calculator v2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document information

More support for: IBM Security Directory Server

Software version: 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.4

Operating system(s): Platform Independent

Reference #: 1960659

Modified date: 24 June 2015