IBM Support

Security Bulletin: Multiple vulnerabilities found on IBM Security Secret Server

Created by Raghavan Arun on
Published URL:
https://www.ibm.com/support/pages/node/1169536
1169536

Security Bulletin


Summary

Multiple vulnerabilities found on IBM Security Secret Server has been addressed in the release 10.7.000059.

Vulnerability Details

CVEID:   CVE-2019-4639
DESCRIPTION:   IBM Security Secret Server uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170045 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVEID:   CVE-2019-4631
DESCRIPTION:   IBM Security Secret Server could allow a remote attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially-crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170001 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
CVEID:   CVE-2019-4635
DESCRIPTION:   IBM Security Secret Server could allow a privileged user to perform unauthorized command injection due to imporoper input neutralization of special elements.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170011 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N)
CVEID:   CVE-2019-4638
DESCRIPTION:   IBM Security Secret Server does not set the secure attribute on authorization tokens or session cookies. This could allow an attacker to obtain sensitive information using man in the middle techniques.
CVSS Base score: 3.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170044 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)
CVEID:   CVE-2019-4637
DESCRIPTION:   IBM Security Secret Server uses incomplete blocklisting for input validation which allows attackers to bypass application controls resulting in direct impact to the system and data integrity.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170043 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID:   CVE-2019-4640
DESCRIPTION:   IBM Security Secret Server processes patches, image backups and other updates without sufficiently verifying the origin and integrity of the code which could result in an attacker executing malicious code.
CVSS Base score: 4.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170046 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:H/A:N)
CVEID:   CVE-2019-4632
DESCRIPTION:   IBM Security Secret Server is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
CVSS Base score: 6.1
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170004 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
CVEID:   CVE-2019-4636
DESCRIPTION:   IBM Security Secret Server could disclose sensitive information to an authenticated user from generated error messages.
CVSS Base score: 2.7
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/170013 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N)
CVEID:   CVE-2012-5662
DESCRIPTION:   x3270 before 3.3.12ga12 does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVSS Base score: 4.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/82984 for the current score.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)


CVEID:   CVE-2014-4861
DESCRIPTION:   The Remote Desktop Launcher in Thycotic Secret Server before 8.6.000010 does not properly cleanup a temporary file that contains an encrypted password once a session has ended.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/140555 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)


CVEID:   CVE-2017-11725
DESCRIPTION:   The share function in Thycotic Secret Server before 10.2.000019 mishandles the Back Button, leading to unintended redirections.
CVSS Base score: 7.4
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/129954 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)

Affected Products and Versions

IBM Security Secret Server, All Versions

Remediation/Fixes

Upgrade to the fixpack available here.

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Internal Use Only

PVR0147364 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Use of a Broken or Risky Cryptographic Algorithm Medium CVE-2019-4639 IBM Security Secret Server ADV0018419
PVR0147365 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Overly Permissive CORS Policy Low CVE-2019-4633 IBM Security Secret Server ADV0018420
PVR0147366 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Open Redirect High CVE-2019-4631 IBM Security Secret Server ADV0018427
PVR0147374 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: OS Command Injection Low CVE-2019-4635 IBM Security Secret Server ADV0018421
PVR0147376 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Missing Cookie Secure Attribute Low CVE-2019-4638 IBM Security Secret Server ADV0018422
PVR0147383 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Hazardous Input Validation Medium CVE-2019-4637 IBM Security Secret Server ADV0018424
PVR0147384 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Download of Code without Integrity Check Medium CVE-2019-4640 IBM Security Secret Server ADV0018428
PVR0147385 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Cross-Site Scripting Medium CVE-2019-4632 IBM Security Secret Server ADV0018425
PVR0147386 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Application Error Low CVE-2019-4636 IBM Security Secret Server ADV0018426
PVR0201145 Disclosure Required
(empty)
(empty)
(empty)
PEN-TEST: Using Components with Known Vulnerabilities High CVE-2012-5662, CVE-2014-4861, CVE-2017-1 IBM Security Secret Server ADV0020477 Identity Security Systems Yes - Review Remediation Plan

Document Location

Worldwide

[{"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSWHLP","label":"IBM Security Secret Server"},"Component":"","Platform":[{"code":"PF033","label":"Windows"}],"Version":"All versions","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]

Product Synonym

ISSS

Document Information

Modified date:
01 March 2022

UID

ibm11169536