IBM Support

Security Bulletin: Multiple vulnerabilities in Product IBM Application Manager For Smart Business 1.2.1 (CVE-2013-0548, CVE-2013-0551, CVE-2013-0576, CVE-2013-2960, CVE-2013-2961, CVE-2012-2190, CVE-2012-2191, CVE-2012-2203)

Flashes (Alerts)


Abstract

Several vulnerabilities have been resolved in the Basic Services component of IBM Tivoli Monitoring. These vulnerabilities could have potentially caused a denial of service or Cross Site Scripting (XSS) exposure.

Content

VULNERABILITY DETAILS:

CVE ID: CVE-2013-0548

DESCRIPTION: Security scan reported several Cross Site Scripting (XSS) vulnerabilities.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82767 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0551

DESCRIPTION: Specially crafted URLs could result in an abend for an IBM Tivoli Monitoring process.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82768 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE ID: CVE-2013-0576

DESCRIPTION: Cross Site Scripting (XSS) vulnerability in the Tivoli Enterprise Portal browser client.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83328 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE ID: CVE-2013-2960

DESCRIPTION: HTTP processing of specially crafted URLs could result in a buffer overrun and a segmentation fault in KDSMAIN.

CVSS:
CVSS Base Score: 7.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83724 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:C)

CVE ID: CVE-2013-2961

DESCRIPTION: Client security scanners reported potential issues with the Tivoli Monitoring internal web server when handling certain HTTP requests.

CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:N/I:P/A:N)

CVE ID: CVE-2012-2190

DESCRIPTION: A vulnerability which allows remote attackers to cause a denial of service (daemon crash) via a crafted ClientHello message in the TLS Handshake Protocol.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75994 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)


CVE ID: CVE-2012-2191

DESCRIPTION: A vulnerability in which data is not properly validated during execution of the protection mechanism against the Vaudenay SSL CBC timing attack.

CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/75996 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:N/I:N/A:P)

CVE ID: CVE-2012-2203

DESCRIPTION: A vulnerability in which the PKCS #12 file format is used for certificate objects without enforcing file integrity.

CVSS:
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/77280 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:N/C:P/I:P/A:N)


CVE ID: ( All Java vulnerabilities Mentioned under : http://www-01.ibm.com/support/docview.wss?uid=swg21616490

AFFECTED PRODUCTS:

IBM Application Manager For Smart Business 1.2.1 (formerly known as Tivoli Foundations Application Manager 1.2) with an ITM base at the 6.2.2 FP7 level or at the 6.2.2 FP2 level.

REMEDIATION:

Apply the fix pack 1.2.1.0-TIV-IAMSB-FP0004.tar.gz to IBM Application Manager For Smart Business 1.2.1.

Vendor Fix(es):

Fix*: 1.2.1.0-TIV-IAMSB-FP0004
VRMF: N/A
TDS Remote Code Vulnerability APAR: N/A
Download: Fix Central


Workaround(s):

None known; apply the fixes.

Mitigation(s):

None known

REFERENCES:

· Complete CVSS Guide
· On-line Calculator V2
· CVE-2013-2960
· CVE-2013-2961
· CVE-2013-0548
· CVE-2013-0551
· CVE-2013-0576
· CVE-2012-2190
· CVE-2012-2191

X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/83724
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/83725
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/82767
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/82768
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/77280
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/75996
X-Force Vulnerability Database https://exchange.xforce.ibmcloud.com/vulnerabilities/75994
Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21622585
Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21634920
Security bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21616490

RELATED INFORMATION:

IBM Secure Engineering Web Portal

ACKNOWLEDGEMENT

The vulnerabilities described in CVE-2013-0548 and CVE-2013-0551 were discovered by Ewerson Guimarães of DCLABs Security Team (DCA-2013-0001 and DCA-2013-0002).


Document Information

Modified date:
26 September 2022

UID

swg21640752