Security Bulletin: IBM Service Delivery Manager security exposure after installing PM44303 for WebSphere Application Server (CVE-2012-3325)

Jan 11, 2013 8:51 pm EST

For selected versions of IBM WebSphere Application Server, there is a potential security exposure after installing an Interim Fix for PM44303 or a Fix Pack containing PM44303. If you upgraded IBM WebSphere Application Server from the original version provided with IBM Service Delivery Manager you may be affected by the issue. CVE(s): CVE-2012-3325. Affected version(s): IBM ...


Security Bulletin: IBM Tivoli Federated Identity Manager Business Gateway can be affected by a vulnerability in IBM Java Runtime Environment (CVE-2012-5081)

Jan 9, 2013 6:34 pm EST

The implementation of TLS in the IBM Java JDK may not check the TLS vector length as set out in the Internet Engineering Task Force Request For Comments (RFC) 5246. The fix enhances the checking for the vector length. CVE(s): CVE-2012-5081. Affected product: Tivoli Federated Identity Manager Business Gateway. Affected version(s): 6.1.1, 6.2.0, 6.2.1, 6.2.2. Refer ...


Security Bulletin: IBM Tivoli Federated Identity Manager OpenID: signature validation not applied to all attributes (CVE-2012-6359)

Jan 7, 2013 3:04 pm EST

An OpenID message can be modified to contain unsigned attributes that will be accepted by a relying party because Tivoli Federated Identity Manager (TFIM) does not check that all attributes have been signed. CVE(s): CVE-2012-6539. Affected product(s) & Affected version(s): Tivoli Federated Identity Manager Business Gateway versions 6.2.0, 6.2.1, 6.2.2. Refer to the following reference URLs for ...


Security Bulletin: IBM Tivoli Federated Identity Manager OpenID: signature validation not applied to all attributes (CVE-2012-6359)

Jan 7, 2013 2:59 pm EST

An OpenID message can be modified to contain unsigned attributes that will be accepted by a relying party because Tivoli Federated Identity Manager (TFIM) does not check that all attributes have been signed. CVE(s): CVE-2012-6539. Affected product(s) & Affected version(s): Tivoli Federated Identity Manager versions 6.2.0, 6.2.1, 6.2.2. Refer to the following reference URLs for remediation and ...


Security Bulletin: Tivoli Federated Identity Manager – Unprotected Management Console Servlets (CVE-2012-3315)

Jan 7, 2013 2:53 pm EST

The management console used to administer Tivoli Federated Identity Manager contains servlets which are not all protected via a J2EE security constraint. These servlets could be used by an unauthenticated user to download certain resources from TFIM. CVE(s): CVE-2012-3315. Affected product(s) & Affected version(s): All versions of TFIM before 6.2.2 are affected, including those no longer supported. ...


Security Bulletin: Tivoli Federated Identity Manager – Passwords exposed in trace files (CVE-2012-3310)

Jan 7, 2013 2:47 pm EST

It is possible to configure Tivoli Federated Identity Manager (TFIM) in such a way that the logging of certain activities could result in the trace files produced by TFIM containing passwords that are either in clear text or obfuscated in a manner that the password can be derived. CVE(s): CVE-2012-3310. Affected product(s) & Affected version(s): All versions ...


Security Bulletin: Tivoli Federated Identity Manager Potential security exposure with IBM WebSphere Application Server APAR PM44303 (CVE-2012-3325)

Jan 7, 2013 2:42 pm EST

If you have installed an interim fix for PM44303, or WebSphere Application Server Fix Pack 21 or Fix Pack 23 which include APAR PM44303, there is the potential for an authenticated user to gain access to unauthorized resources. CVE(s): CVE-2012-3325. Affected product(s) & Affected version(s): TFIM 6.1.1, 6.2.0, 6.2.1, 6.2. Refer to the following reference URLs for remediation and additional ...


Security Bulletin: IBM Tivoli Directory Server Cross-Site scripting vulnerability with the Web Admin Tool (CVE-2012-0740)

Jan 7, 2013 4:24 am EST

IBM Tivoli Directory Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input by the Web Admin Tool. CVE(s): CVE-2012-0740. Affected product(s) & Affected version(s): TDS 6.1, 6.2 and 6.3 only. Refer to the following reference URLs for remediation and additional vulnerability details.
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21591257
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/74610 ...


Security Bulletin: IBM Tivoli Directory Server paged search may cause denial of service (crash) if paged searches are enabled (CVE-2012-0743)

Jan 7, 2013 4:19 am EST

There is a potential security exposure with IBM® WebSphere® Application Server after installing PM44303 or a fix pack that contains PM44303 that affects IBM Rational® Application Developer installations. CVE(s): CVE-2012-0743. Affected product(s) & Affected version(s): TDS 6.3 and earlier. Refer to the following reference URLs for remediation and additional vulnerability details.
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21591267
X-Force Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/74633 ...