IBM Support

Security Vulnerabilities fixed as a part of upcoming TKLM & SKLM Fixpacks

Fix Readme


Abstract

This document covers the security vulnerabilities that were fixed as a part of the TKLM v2.0.1.9, SKLM v2.5.0.8 and SKLM v2.6.0.3 fixpacks.

Content

The following security vulnerabilities were fixed as a part of the TKLM v2.0.1.9, SKLM v2.5.0.8 and SKLM v2.6.0.3 fixpacks:

1. Account Lockout - Fixed in SKLM v2.6.0.3 and SKLM v2.5.0.8. By default, when invalid credentials are entered in the SKLM UI three times, the user account gets locked. This behavior is controlled by the following properties:


klm.lockout.enable=true -> determines whether account lockout is enabled or not
tklm.lockout.attempts=3 -> the number of attempts which would lead to account lockout

2. Browse through UI - Fixed in SKLM v2.6.0.3 and SKLM v2.5.0.8. From these fixpacks onwards, the SKLM UI restricts users from browsing to arbitrary directories on their SKLM servers. Through the SKLM UI, all data can now be saved only in the SKLM DATA folder, i.e. <SKLM_HOME>/data. Users can enable or disable this browsing restriction using the browse.restricted property.

browse.restricted=true|false -> to switch ON|OFF browse restrictions.
browse.root.dir={filepath} -> File path which the user wants to be accessible through the SKLM UI.

3. Weak password policy - Fixed in TKLM v2.0.1.9, SKLM v2.5.0.8 and SKLM v2.6.0.3. With these fixpacks, whenever any SKLM user tries to change or reset their password, a password policy is enforced. The user must follow the policy to set a new password. The current password policy is as follows:


At least 1 upper-case character
At least 1 lower-case character
At least 1 special character
At least 2 numeric characters
Minimum password length is 6 characters
Maximum sequential characters 2
Minimum alphabetic characters 3
Minimum numeric characters 2
Password should not contain the username.

In addition to the above, Cross-site Scripting (XSS) was fixed in TKLM v2.0.1.9, SKLM v2.5.0.8 and SKLM v2.6.0.3 across the TKLM / SKLM UI, and Cross-Site Request Forgery (CSRF) has been fixed in SKLM v2.6.0.3 and v2.5.0.8 across the SKLM UI.


Document Information

Modified date:
16 June 2018

UID

swg21997799