IBM Support

Security Bulletin: Multiple Security Vulnerabilities in Apache Geronimo Affect IBM Sterling B2B Integrator

Security Bulletin


Summary

Multiple Security Vulnerabilities in Apache Geronimo Affect IBM Sterling B2B Integrator

Vulnerability Details

CVEID: CVE-2008-0732
DESCRIPTION: Apache Geronimo could allow a local attacker to obtain sensitive information, caused by the init script following symlinks during a chown operation. A location attacker could exploit this vulnerability and gain unauthorized access to files and directories to obtain sensitive information.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/40562 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2011-5034
DESCRIPTION: Apache Geronimo is vulnerable to a denial of service, caused by insufficient randomization of hash data structures. By sending multiple specially-crafted HTTP POST requests to an affected application containing conflicting hash key values, a remote attacker could exploit this vulnerability to cause the consumption of CPU resources.
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/72047 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)

CVEID: CVE-2006-0254
DESCRIPTION: Apache Geronimo is vulnerable to cross-site scripting, caused by improper validation of HTML tags by the Web-Access-Log Viewer. A remote attacker could exploit this vulnerability using a specially-crafted HTTP request to embed malicious script within the log file which, once the log file is viewed, would be executed in the administrator''s Web browser within the security context of the hosting Web site, allowing the attacker to steal the victim''s cookie-based authentication credentials.
CVSS Base Score: 2.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/24159 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2007-5797
DESCRIPTION: Apache Geronimo could alllow a remote attacker to bypass security restrictions, caused by an error in the SQLLoginModule during the authentication process. By logging into the database with a non-existent username, a remote attacker could exploit this vulnerability to bypass authentication and gain unauthorized access to the vulnerable system. Note: The IBM WebSphere Application Server Community Edition is also affected by this vulnerability.
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/38211 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P)

CVEID: CVE-2007-4548
DESCRIPTION: Apache Geronimo could allow a remote attacker to bypass security restrictions, caused by the login method in LoginModule implementations failing to throw an exception for failed logins. A remote attacker could exploit this vulnerability to bypass authentication and send a null username and password in the command line deployer of the deployment module to gain unauthorized access to the vulnerable system.
CVSS Base Score: 7
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/36468 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

Affected Products and Versions

5.2.0.1 - 5.2.6.3

Remediation/Fixes

PRODUCT & Version

Remediation/Fix

IBM Sterling B2B Integrator 5.2.0.1 - 5.2.6.3

Apply IBM Sterling B2B Integrator version 6.0.0.0 or 5.2.6.4 available on Fix Central

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Change History

24 August 2018: Original version published
10 September 2018: First Revision - Added versions in Affected products section

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

For PSIRT product record 110112

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Component":"","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"5.2.0.1 - 5.2.6.3","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]

Document Information

Modified date:
04 February 2020

UID

ibm10728841