Security Bulletin: Multiple vulnerabilities addressed in IBM Security Access Manager

Summary

There are multiple vulnerabilities in various components used by IBM Security Access Manager for Mobile and IBM Security Access Manager for Web.

Vulnerability Details


The following vulnerabilities affect both IBM Security Access Manager for Mobile and IBM Security Access Manager for Web.


CVE-ID: CVE-2014-6080

DESCRIPTION: IBM Security Access Manager is vulnerable to an SQL injection attack in which a remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

The vulnerability can be accessed from a remote network, is of medium complexity and requires authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95767 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)



CVE-ID: CVE-2014-6078

DESCRIPTION: IBM Security Access Manager allows multiple failed login requests without locking out the user. This could allow an attacker to guess the admin credentials over a period of time through a brute force attack.

The vulnerability can be accessed from a remote network, is of low complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95762 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)
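The missing control is a bound on consecutive failed authentications per account. The following is an added example of such a control, written for this bulletin and not taken from ISAM; the policy numbers, the `FailedLoginTracker` and `authenticate` names and the credential store are constructed.

```python
import hmac
from collections import deque
from dataclasses import dataclass
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # failures tolerated inside the window
    window_seconds: float = 600.0  # sliding window over which failures are counted
    lockout_seconds: float = 900.0 # how long the account stays locked afterwards


class FailedLoginTracker:
    """Counts failed logins per account and enforces a temporary lockout."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self._failures: Dict[str, Deque[float]] = {}
        self._locked_until: Dict[str, float] = {}
        self.lockout_events: List[Tuple[str, float]] = []   # (account, time), for audit/SIEM

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                      # lockout expired: reset state
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Record one failed attempt; returns True if this attempt locked the account."""
        q = self._failures.setdefault(account, deque())
        q.append(now)
        cutoff = now - self.policy.window_seconds
        while q and q[0] < cutoff:            # drop failures outside the window
            q.popleft()
        if len(q) >= self.policy.max_failures:
            self._locked_until[account] = now + self.policy.lockout_seconds
            self.lockout_events.append((account, now))
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


# Constructed demo credential store; a real system verifies a salted password hash.
CONSTRUCTED_USERS = {"admin": "correct horse battery staple"}


def verify_password(account: str, password: str) -> bool:
    stored = CONSTRUCTED_USERS.get(account, "")
    return account in CONSTRUCTED_USERS and hmac.compare_digest(
        stored.encode(), password.encode())


def authenticate(tracker: FailedLoginTracker, account: str, password: str,
                 now: float, verify: Callable[[str, str], bool]) -> str:
    """Returns 'locked', 'ok' or 'denied'. The lockout check runs before the
    credential check so a locked account leaks nothing about the password."""
    if tracker.is_locked(account, now):
        return "locked"
    if verify(account, password):
        tracker.record_success(account)
        return "ok"
    tracker.record_failure(account, now)
    return "denied"
```

A lockout keyed only on the account name lets anyone lock out the administrator by sending bad passwords, so in practice it is paired with per-source rate limiting and the `lockout_events` record is forwarded to monitoring rather than silently applied.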



CVE-ID: CVE-2014-6076

DESCRIPTION: IBM Security Access Manager fails to sanitize certain user actions that could allow a remote attacker to hijack the clicking action of another user. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim's click actions or launch other client-side browser attacks.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95729 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)



CVE-ID: CVE-2014-6077

DESCRIPTION: IBM Security Access Manager fails to properly validate certain user-supplied data. This could enable a cross-site request forgery attack. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request without the user's knowledge. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95730 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)



CVE-ID: CVE-2014-6086

DESCRIPTION: Under certain conditions, IBM Security Access Manager can, if requested to do so by the user, use HTTP rather than HTTPS to communicate sensitive data, resulting in unencrypted traffic being transmitted which can be stolen using man in the middle techniques.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95813 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6083

DESCRIPTION: IBM Security Access Manager does not prevent certain cookies being sent by client systems across an unencrypted HTTP connection. If the application is accessed via a network with HTTP after one such cookie has been set on the client, an attacker using man-in-the-middle techniques could recover packets for non-encrypted cookies that could potentially contain sensitive session information or credentials.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95810 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
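Two of the items above (CVE-2014-6076, framing of the UI by another site, and CVE-2014-6083, cookies sent over plain HTTP) are both visible in the HTTP response headers a deployment emits. The audit below is an added example, not IBM's code and not a statement about which headers ISAM sets; the sample responses and the cookie name `sessionid` are constructed.

```python
from typing import List, Tuple

Header = Tuple[str, str]


def audit_response_headers(headers: List[Header]) -> List[str]:
    """Return a list of findings for a response's headers (empty means clean)."""
    findings: List[str] = []

    # Clickjacking: the page must refuse framing by other origins, either via
    # X-Frame-Options or a CSP frame-ancestors directive.
    xfo = [v for k, v in headers if k.lower() == "x-frame-options"]
    csp = [v for k, v in headers if k.lower() == "content-security-policy"]
    framing_ok = (any(v.strip().upper() in ("DENY", "SAMEORIGIN") for v in xfo)
                  or any("frame-ancestors" in v.lower() for v in csp))
    if not framing_ok:
        findings.append("missing anti-framing header (X-Frame-Options or CSP frame-ancestors)")

    # Cookies: without Secure the browser will also send the cookie over HTTP;
    # without HttpOnly it is readable by script.
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name!r} lacks the Secure flag")
        if "httponly" not in attrs:
            findings.append(f"cookie {name!r} lacks the HttpOnly flag")
    return findings


# Constructed sample responses, before and after hardening.
WEAK_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_RESPONSE: List[Header] = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response_headers(resp))
```

Run over the headers captured from a test login, the audit turns the two bulletin items into a pass/fail check that can be repeated after the fixpack is applied.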



CVE-ID: CVE-2014-6084

DESCRIPTION: IBM Security Access Manager offers weaker than expected encryption in its use of SSL ciphers. This information could be decrypted by an attacker able to intercept traffic using man in the middle techniques.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95811 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6087

DESCRIPTION: IBM Security Access Manager could allow a remote attacker to obtain sensitive information, caused by the use of cipher suites with weak encryption algorithms. An attacker could exploit this vulnerability using network sniffing tools to obtain sensitive information.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95813 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6088

DESCRIPTION: IBM Security Access Manager could allow a remote attacker to obtain sensitive information. If an SSL client running outside the server environment is not able to select a valid cipher for the connection, it could result in the server using a default null cipher. An attacker could exploit this vulnerability to obtain cleartext information over an SSL channel.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95860 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
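CVE-2014-6084, CVE-2014-6087 and CVE-2014-6088 are all cipher-suite policy problems, the last being the fallback to a null (unencrypted) cipher when a client cannot agree on anything better. As an added example, unrelated to ISAM's own TLS configuration, the code below classifies OpenSSL cipher names and builds a Python `ssl` server context whose policy excludes the null and weak families outright, so a client that cannot negotiate a strong suite gets a handshake failure rather than cleartext. The `WEAK_PATTERNS` list and the offered-cipher sample are constructed.

```python
import re
import ssl
from typing import List

# Constructed deny-list over OpenSSL cipher names: null encryption, export
# grades, RC4, single/triple DES, MD5 MACs and anonymous key exchange.
WEAK_PATTERNS = [
    r"\bNULL\b", r"\beNULL\b", r"\baNULL\b",
    r"\bEXP(ORT)?\b",
    r"\bRC4\b",
    r"\bDES\b", r"\b3DES\b", r"DES-CBC3",
    r"\bMD5\b",
    r"\bADH\b", r"\bAECDH\b",
]


def classify_cipher(name: str) -> str:
    """'weak' if the suite matches any deny pattern, else 'acceptable'."""
    return "weak" if any(re.search(p, name) for p in WEAK_PATTERNS) else "acceptable"


def weak_ciphers(offered: List[str]) -> List[str]:
    return [c for c in offered if classify_cipher(c) == "weak"]


def hardened_context() -> ssl.SSLContext:
    """Server-side context: TLS 1.2+, ECDHE with AES-GCM only, null/weak suites excluded."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # !eNULL is the direct answer to a null-cipher fallback: no such suite is
    # ever enabled, so no client can negotiate one.
    ctx.set_ciphers("ECDHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def context_has_no_weak_ciphers() -> bool:
    """Cross-check the live context against the classifier."""
    names = [c["name"] for c in hardened_context().get_ciphers()]
    return bool(names) and not weak_ciphers(names)


# Constructed list of suites a permissive server might offer.
CONSTRUCTED_OFFERED = [
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES256-SHA",
    "NULL-SHA",
    "EXP-RC4-MD5",
    "DES-CBC3-SHA",
]

if __name__ == "__main__":
    print("weak suites offered:", weak_ciphers(CONSTRUCTED_OFFERED))
    print("hardened context clean:", context_has_no_weak_ciphers())
```

The classifier is deliberately a deny-list over names, which is what an auditor sees in a scanner report; the context is the allow-list form that belongs in configuration. Suites such as `AES256-SHA` pass the classifier but lack forward secrecy, so the allow-list is the stricter of the two.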



CVE-ID: CVE-2014-6089

DESCRIPTION: IBM Security Access Manager does not properly enforce the destination directory for uploaded files. This could allow a remote attacker to upload files to protected areas of the file system. This could affect the operations of the system.

The vulnerability can be accessed from a remote network, is of low complexity and requires authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95860 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
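The control that is missing here is containment of the upload destination: whatever path the client supplies, the resolved target must stay inside the intended directory. The following added example implements that check; it is not IBM's code and assumes nothing about where ISAM stores uploads. `UPLOAD_ROOT`, `resolve_upload_destination` and the sample file names are constructed.

```python
import os
import tempfile
from pathlib import Path, PurePosixPath

# Constructed upload directory for the demonstration.
UPLOAD_ROOT = Path(tempfile.gettempdir()) / "upload-demo"


class UploadRejected(ValueError):
    """Raised when a client-supplied name would land outside the upload root."""


def resolve_upload_destination(upload_root: Path, client_name: str) -> Path:
    root = upload_root.resolve()
    # Normalise Windows separators so "..\\" cannot slip past a POSIX check.
    name = client_name.replace("\\", "/")
    if not name or PurePosixPath(name).is_absolute():
        raise UploadRejected("empty or absolute file name")
    if os.path.basename(name) in ("", ".", ".."):
        raise UploadRejected("file name has no usable final component")
    # Resolve the full path (collapsing any ../ segments) and then require the
    # result to be strictly inside the root; the root itself is not a valid file.
    dest = (root / name).resolve()
    if dest == root or root not in dest.parents:
        raise UploadRejected("destination escapes upload root")
    return dest


def is_rejected(upload_root: Path, client_name: str) -> bool:
    """Helper for tests and logging: True if the name would be refused."""
    try:
        resolve_upload_destination(upload_root, client_name)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    for sample in ("report.pdf", "docs/../report.pdf", "../../config/overrides.xml",
                   "/opt/app/config.xml", "..\\..\\config\\overrides.xml"):
        if is_rejected(UPLOAD_ROOT, sample):
            print(f"rejected: {sample!r}")
        else:
            print(f"accepted: {sample!r} -> {resolve_upload_destination(UPLOAD_ROOT, sample)}")
```

Resolving first and comparing afterwards is the order that matters: a check on the raw string misses encoded or mixed separators, while a check on the resolved path sees only the directory that will actually be written to.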



CVE-ID: CVE-2014-6082

DESCRIPTION: IBM Security Access Manager is vulnerable to a denial of service attack in which a remote authenticated attacker could cause certain components of the administration user interface to be unavailable.

The vulnerability can be accessed from a remote network, is of low complexity and requires authentication. A successful exploit could not compromise the confidentiality of the system, could not compromise the integrity of the system and could partially compromise the accessibility of the system.

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95809 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Affected Products and Versions

IBM Security Access Manager for Mobile 8.0, firmware versions 8.0.0.0, 8.0.0.1, 8.0.0.3, 8.0.0.4, and 8.0.0.5.
IBM Security Access Manager for Web 7.0 and 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, and 8.0.0.5.

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README files included with the patch.

NOTE: The patch for the IBM Security Access Manager 8.0 versions is accessed from Passport Advantage and is numbered 8.0.1. This is a fixpack and is applied in the same manner as all appliance firmware patches. This patch can be applied in place and will not remove your existing configuration. Instructions for applying the patch are available at the following URL:

http://www-01.ibm.com/support/knowledgecenter/SSELE6_8.0.1/com.ibm.isam.doc_8.0.1/releaseinfo/task/tsk_upgrading.html

Product | VRMF | APAR | Remediation
IBM Security Access Manager for Web 7.0 (appliance-based) | 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.0.4, 7.0.0.5, 7.0.0.6, 7.0.0.7, 7.0.0.8, 7.0.0.9 | IV67581, IV67358 | 7.0.0-ISS-WGA-FP0010
IBM Security Access Manager for Web 7.0 (software-based) | 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.0.4, 7.0.0.5, 7.0.0.6, 7.0.0.7, 7.0.0.8, 7.0.0.9 | IV67581, IV67358 | 7.0.0-ISS-SAM-FP0010
IBM Security Access Manager for Mobile 8.0 | 8.0.0.0, 8.0.0.1, 8.0.0.3, 8.0.0.4, 8.0.0.5 | IV67581, IV67358 | IBM Security Access Manager V8.0.1 Base Virtual Appliance .pkg file Multiplatform, Multilingual (CN34GML)
IBM Security Access Manager for Web 8.0 | 8.0.0.2, 8.0.0.3, 8.0.0.4, 8.0.0.5 | IV67581, IV67358 | IBM Security Access Manager V8.0.1 Base Virtual Appliance .pkg file Multiplatform, Multilingual (CN34GML)

Workarounds and Mitigations

None

Acknowledgement

IBM Security Systems Ethical Hacking Team: Paul Ionescu, Brennan Brazeau, John Zuccato, Jonathan Fitz-Gerald, Warren Moynihan

Change History

12 December 2014: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg21684475