Security Bulletin: IBM Tivoli Monitoring Basic Services component (CVE-2012-6702, CVE-2016-5300)

Security Bulletin


Summary

IBM Tivoli Monitoring uses the Expat parser to parse various configuration XML files as well as incoming SOAP requests.

Vulnerability Details

CVEID: CVE-2012-6702
DESCRIPTION: Expat, when used in a parser that has not called XML_SetHashSalt or has passed it a seed of 0, could provide weaker than expected security. An attacker could exploit this vulnerability using attack vectors involving use of the srand function to defeat cryptographic protection mechanisms.
CVSS Base Score: 5.9
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114541 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)

CVEID: CVE-2016-5300
DESCRIPTION: The Expat XML parser is vulnerable to a denial of service, caused by the failure to use sufficient entropy for hash initialization. By using specially crafted identifiers in an XML document, a remote attacker could exploit this vulnerability to cause the application to crash.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/114435 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Affected Products and Versions

The basic services module (kbb) for IBM Tivoli Monitoring 6.2.2 through 6.2.2 Fix Pack 9, 6.2.3 through 6.2.3 Fix Pack 5, and 6.3.0 through 6.3.0 Fix Pack 7 is affected. It is included in the TEMA (ax/gl), TEMS (ms), TEPS (cq) and User Interface Extensions (ue) components.

The configuration XML files used by ITM expose you to the CVEs reported in this bulletin only if they are manipulated with malicious intent by someone who already has access to your ITM installation. These configuration files include those for the firewall gateway as well as for private situations and audit logging.

For the SOAP server, enabling SOAP security likewise reduces the exposure to malicious users who already have ITM access.

Remediation/Fixes

The patches below update the TEMA (ax), TEMS (ms), TEPS (cq) and User Interface (ue) components, which are shipped as part of ITM.

The technote "Upgrading Shared Components for IBM Tivoli Monitoring Agents" provides information on updating the shared libraries.

Fix                           | VRMF  | How to acquire fix
6.3.0-TIV-ITM-FP0007-IV88888  | 6.3.0 | http://www.ibm.com/support/docview.wss?uid=swg24043486
6.2.3-TIV-ITM-FP0005-IV88888  | 6.2.3 |
6.2.2-TIV-ITM-FP0009-IV88888  | 6.2.2 |

Workarounds and Mitigations

None

References

Change History

14 Feb 2017 Draft bulletin created
24 Feb 2017 Minor corrections in document

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
17 June 2018

UID

swg21998701