IBM Support

Security Bulletin: Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway

Security Bulletin


Summary

IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities. These vulnerabilities include:
- SQL Injection
- Path Traversal
- Unrestricted File Upload
- Cross-Site Scripting (XSS)
- Insufficient Session-ID Length
- Information Disclosure
- Command Injection
- File Type Manipulation
- Session Hijacking

Vulnerability Details

SQL Injection (CVE-2013-0560)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are subject to SQL Injection. An authenticated remote attacker could send specially-crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE ID: CVE-2013-0560
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83012 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0


IBM Sterling File Gateway 2.2, 2.1 and 2.0
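The bulletin does not identify the affected screens or parameters, so the following is a generic illustration of the vulnerability class, added here as an example and not taken from IBM's product code. It runs a string-built query and its parameterized equivalent against a constructed in-memory SQLite table; the table, rows and injection string are assumptions made for the demonstration, and the point carries over to any SQL back end.

```python
# Added example (not IBM's code): string-concatenated query beside its
# parameterized form, run against a constructed in-memory SQLite table.
import sqlite3

# Constructed sample rows: (user name, department).
SAMPLE_ROWS = [
    ("alice", "ops"),
    ("bob", "finance"),
    ("carol", "finance"),
]

# Constructed injection string: the quote closes the literal and the OR clause
# makes the WHERE condition true for every row.
PAYLOAD = "nosuchdept' OR '1'='1"


def make_db():
    """Build the throwaway database the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, dept TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn, dept):
    """Vulnerable pattern: untrusted input becomes part of the statement text,
    so a quote in `dept` changes the structure of the query."""
    sql = "SELECT name FROM users WHERE dept = '" + dept + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, dept):
    """Hardened pattern: the same input is bound as a parameter, so the
    database only ever treats it as a value to compare against."""
    sql = "SELECT name FROM users WHERE dept = ?"
    return [row[0] for row in conn.execute(sql, (dept,))]


if __name__ == "__main__":
    conn = make_db()
    print("unsafe:", lookup_unsafe(conn, PAYLOAD))  # every row comes back
    print("safe:  ", lookup_safe(conn, PAYLOAD))    # no row has that literal dept
```

The unsafe lookup returns all three users for the payload; the parameterized one returns nothing, because no department is literally named `nosuchdept' OR '1'='1`. Parameter binding is the fix the class needs; escaping quotes by hand is fragile across database dialects.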





Path Traversal (CVE-2013-2984)

DESCRIPTION: Path traversal is possible in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could gain access to restricted files.

CVE ID: CVE-2013-2984
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1


IBM Sterling File Gateway 2.2 and 2.1
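The bulletin does not say which file-serving function is affected, so the following shows the check that closes the vulnerability class in general, added here as an example and not taken from IBM's product code. The base directory `/srv/files` and the request strings are assumptions for the demonstration; the function canonicalizes the requested path and rejects anything that resolves outside the base, which catches plain, percent-encoded and mixed `..` forms that a string search for `../` would miss.

```python
# Added example (not IBM's code): canonical-path containment check for a
# client-supplied file name, POSIX path semantics assumed.
import os
from urllib.parse import unquote


def resolve_under_base(base_dir, requested):
    """Map a client-supplied relative path onto base_dir, or return None if it
    escapes. The decision is made on the canonical path (realpath collapses
    '.', '..' and symlinks), not by scanning the raw string for '../'."""
    decoded = unquote(requested)      # decode exactly once; twice would re-open double encoding
    if "\x00" in decoded:             # NUL truncates paths in some native APIs
        return None
    base = os.path.realpath(base_dir)
    # Strip leading separators so os.path.join cannot be made to discard
    # base_dir by an absolute path; the request is re-rooted under base_dir.
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    # Compare with the separator included: '/srv/files_secret' must not pass
    # a bare startswith('/srv/files') test.
    if candidate == base or candidate.startswith(base + os.sep):
        return candidate
    return None


if __name__ == "__main__":
    # Constructed request strings; '/srv/files' is an assumed base directory.
    for req in ("reports/q1.csv",
                "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd",
                "reports/../../files_secret/x",
                "/etc/passwd"):
        print(repr(req), "->", resolve_under_base("/srv/files", req))
```

Two details matter in practice: decode once and only once before checking, and compare canonical paths with the trailing separator so a sibling directory sharing the prefix is not accepted. On Windows the separator and drive handling differ, so the same idea needs `os.path.normcase` and a different prefix test.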





Unrestricted File Upload (CVE-2013-2982)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway allow files of any type to be uploaded. A successful attacker could take advantage of the flaw to launch other attacks.

CVE ID: CVE-2013-2982
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1


IBM Sterling File Gateway 2.2 and 2.1





Command Injection (CVE-2013-0476)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to FTP command injection attacks. A remote attacker could inject unauthorized FTP commands which could compromise the server.

CVE ID: CVE-2013-0476
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81405 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0


IBM Sterling File Gateway 2.2, 2.1 and 2.0
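The bulletin does not say which FTP command or argument is affected. The following, added here as an example and not taken from IBM's product code, shows the mechanism behind FTP command injection in general: RFC 959 terminates every command with CRLF, so an untrusted value that contains CR or LF and is interpolated into a command line lets the sender append a second command on the control connection. The verb, the file name and the smuggled `DELE` command are constructed for the demonstration; the rejection policy (printable ASCII only) is this example's choice, since the FTP command syntax has no escaping mechanism to fall back on.

```python
# Added example (not IBM's code): building an FTP command line from an
# untrusted argument, with and without a CRLF check.
CRLF = "\r\n"


class FtpArgumentError(ValueError):
    """Raised when a command argument would break out of its command line."""


def build_ftp_command(verb, argument):
    """Build one FTP command line from a trusted verb and an untrusted argument.
    CR or LF inside the argument would terminate the line early, so they are
    rejected; conservatively, every other control or non-ASCII character is too."""
    if any(ord(c) < 0x20 or ord(c) > 0x7e for c in argument):
        raise FtpArgumentError("argument contains control or non-ASCII characters")
    return f"{verb} {argument}{CRLF}"


def build_ftp_command_unsafe(verb, argument):
    """The pattern being fixed: the argument is interpolated without any check."""
    return f"{verb} {argument}{CRLF}"


def split_commands(wire):
    """Parse control-channel text the way a server would: one command per CRLF line."""
    return [line for line in wire.split(CRLF) if line]


# Constructed payload: a file name carrying a second command after an embedded CRLF.
PAYLOAD = "report.txt\r\nDELE ledger.dat"

if __name__ == "__main__":
    print(split_commands(build_ftp_command_unsafe("RETR", PAYLOAD)))
    try:
        build_ftp_command("RETR", PAYLOAD)
    except FtpArgumentError as err:
        print("rejected:", err)
```

Run as written, the unsafe builder produces two commands on the wire (`RETR report.txt` followed by `DELE ledger.dat`) from what the caller believed was a single file name; the checked builder refuses the same input. The same CRLF-termination logic applies to SMTP, HTTP headers and any other line-oriented protocol.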




Insufficient Session-ID Length (CVE-2013-0539)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by an insufficient Session-ID length vulnerability that exists in a third party component. A shorter session identifier leaves the applications open to brute-force session guessing attacks. An attacker can hijack a user’s session if the user’s session identifier is guessed.

CVE ID: CVE-2013-0539
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0
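The bulletin does not state the identifier length involved, so the following puts numbers on the brute-force argument in general rather than on this product. It is an added example, not IBM's code: the identifier lengths, session count and guess rate are assumed values, and the acceptance threshold is the OWASP Session Management Cheat Sheet recommendation of at least 64 bits of entropy (with a 128-bit identifier length). Because an attacker only needs to hit some valid session, the expected work is the size of the identifier space divided by the number of sessions that are live at the time.

```python
# Added example (not IBM's code): expected brute-force cost of guessing a
# session identifier as a function of its length.
import math

# OWASP Session Management Cheat Sheet: at least 64 bits of entropy.
MIN_ENTROPY_BITS = 64


def id_space_bits(length_chars, alphabet_size):
    """Upper bound on identifier entropy: L characters over an alphabet of
    size A encode at most L*log2(A) bits. A weak generator yields less,
    never more, so this is the defender's optimistic case."""
    return length_chars * math.log2(alphabet_size)


def expected_guesses(bits, active_sessions):
    """Expected guesses before the first hit on any valid session, assuming
    the live IDs are spread uniformly over a space of 2**bits values."""
    return 2.0 ** bits / active_sessions


def seconds_to_hijack(bits, active_sessions, guesses_per_second):
    """Wall-clock estimate for the same attack at a given request rate."""
    return expected_guesses(bits, active_sessions) / guesses_per_second


def is_acceptable(bits):
    return bits >= MIN_ENTROPY_BITS


def compare(id_lengths, alphabet_size=16, active_sessions=1000, guesses_per_second=1000):
    """Tabulate hex identifiers of several lengths under one assumed attacker
    model; returns rows of (length, bits, guesses, seconds, acceptable)."""
    rows = []
    for n in id_lengths:
        b = id_space_bits(n, alphabet_size)
        rows.append((n, b,
                     expected_guesses(b, active_sessions),
                     seconds_to_hijack(b, active_sessions, guesses_per_second),
                     is_acceptable(b)))
    return rows


if __name__ == "__main__":
    # Assumed model: 1000 live sessions, attacker sends 1000 guesses per second.
    for n, b, g, s, ok in compare([8, 16, 32]):
        print(f"{n:>3} hex chars = {b:>5.0f} bits: {g:.3e} guesses, "
              f"{s / 3600:.3e} hours, acceptable={ok}")
```

Under the assumed model an 8-hex-character (32-bit) identifier falls in about 72 minutes, a 16-character one in thousands of years, and a 32-character one is out of reach; the table makes clear why a short identifier is a defect on its own, independent of any other flaw. Note that the bound counts characters, not randomness: an identifier built from a timestamp or a counter has far less entropy than its length suggests.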



Cross-Site Scripting (XSS) (CVE-2013-0455, CVE-2013-0468, CVE-2013-2983, CVE-2013-0559)

DESCRIPTION: Cross-Site Scripting (XSS) vulnerabilities are found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to execute script in a victim's web browser within the security context of the hosting web site once the victim clicks a crafted URL. An attacker could use this to steal the victim's cookie-based authentication credentials.

CVE ID: CVE-2013-0455
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0468
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2983
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-0559
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83011 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:N/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0



Information Disclosure (CVE-2013-0558, CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475)

DESCRIPTION: Information Disclosure vulnerabilities are found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to gain insight into application implementation details and use that knowledge to form further attacks.

CVE ID: CVE-2013-0558
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-0463
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81017 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2985
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2987
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84009 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-3020
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0568
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83165 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0475
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0


IBM Sterling File Gateway 2.2, 2.1 and 2.0





File Type Manipulation (CVE-2013-0479)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to file type or extension manipulation, which could cause improper handling of the file.

CVE ID: CVE-2013-0479
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81547 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0


IBM Sterling File Gateway 2.2, 2.1 and 2.0
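The Unrestricted File Upload and File Type Manipulation entries above describe two sides of one control: deciding what an uploaded file is and refusing what the application cannot handle. The bulletin gives no detail of the affected upload paths, so the following is a generic validator added here as an example, not IBM's code. The allow-list of three types, their magic bytes and the sample uploads are constructed for the demonstration; the check requires the last extension to be allow-listed and the leading bytes of the body to agree with the type that extension claims, so neither a renamed script nor a mislabelled body gets through.

```python
# Added example (not IBM's code): allow-list plus magic-byte agreement check
# for an uploaded file, with constructed sample uploads.

# Leading bytes of the only content types this hypothetical endpoint accepts.
ALLOWED_TYPES = {
    "pdf": b"%PDF-",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
}


def check_upload(client_filename, content):
    """Return (accepted, detail). Accept only allow-listed extensions whose
    leading bytes match the type the extension claims; refuse everything else."""
    # Keep only the final path component: the directory part is attacker-controlled.
    name = client_filename.replace("\\", "/").rsplit("/", 1)[-1]
    if "\x00" in name:
        return False, "NUL byte in filename"
    if "." not in name:
        return False, "no extension"
    # The *last* extension decides the type, so 'shell.pdf.jsp' is judged as .jsp.
    ext = name.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED_TYPES:
        return False, f"extension .{ext} is not allowed"
    if not content.startswith(ALLOWED_TYPES[ext]):
        return False, f"content does not look like .{ext}"
    return True, ext


# Constructed sample uploads: (client-supplied filename, first bytes of the body).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n"),          # genuine PDF
    ("logo.PNG", b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"),      # genuine PNG, upper-case ext
    ("shell.jsp", b'<%@ page import="java.io.*" %>'),         # script, not allow-listed
    ("shell.pdf.jsp", b"%PDF-1.4\n"),                         # double extension, last one decides
    ("report.pdf", b'<%@ page import="java.io.*" %>'),        # script body behind a .pdf name
    ("../../webapp/x.png", b"\x89PNG\r\n\x1a\n"),             # directory part is discarded
    ("archive.zip", b"PK\x03\x04\x14\x00"),                   # genuine ZIP
]


def run_samples():
    """Apply the check to every constructed sample; returns (name, accepted) pairs."""
    return [(name, check_upload(name, body)[0]) for name, body in SAMPLES]


if __name__ == "__main__":
    for name, body in SAMPLES:
        print(f"{name!r:>24} -> {check_upload(name, body)}")
```

The check is only half of the control. An accepted file should then be stored under a server-generated name, outside any directory the web container will execute from, and served back with a fixed Content-Type for its validated type; that is what makes the discarded directory part and the magic-byte agreement matter.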





Information Disclosure (CVE-2013-0567)

DESCRIPTION: An Information Disclosure vulnerability is found in various areas of IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details and use that knowledge to form further attacks.

CVE ID: CVE-2013-0567
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83164 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:

IBM Sterling File Gateway 2.2 and 2.1





Session Hijacking (CVE-2013-0456)

DESCRIPTION: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to session hijacking through cookie path manipulation.

CVE ID: CVE-2013-0456
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0

Remediation/Fixes

Each entry below gives the product and version, the APARs addressed, and the remediated fix to apply.

Product: IBM Sterling B2B Integrator 5.0 or IBM Sterling File Gateway 2.0
APARs: IC90773, IC92007, IC89294, IC89538, IC89434, IC89385, IC89429, IC86096, IC87672, IC88970, IC87731, IC89293, IC89291, IC88972, IC90483, IC92612, IC91628, IC92259
Remediated Fix: For the APAR fixes listed, apply Fix Pack 5010 available on IWM

Product: IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1
APARs: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediated Fix: For the APAR fixes listed, apply generic iFix 5104_1 available on IWM

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APARs: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediated Fix: For the APAR fixes listed, apply generic iFix 5020401_3 available on Fix Central

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APARs: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediated Fix: For the APAR fixes listed, apply Fix Pack 5020402 available on Fix Central

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APARs: IC95996, IC88973
Remediated Fix: Apply the 5020500 Fix Pack or Media, available on Fix Central and Passport Advantage respectively


To acquire the fix from IWM, login to IWM.
See FAQs on downloading an iFix from the IWM site.

To acquire the fix from Fix Central, login to IBM Fix Central.

More details and release notes can be found here:
IBM Sterling B2B Integrator 5.2 Knowledge Center

To acquire the fix from Passport Advantage, login here.

ADDITIONAL INFORMATION:

The iFixes listed above for Sterling B2B Integrator and Sterling File Gateway also contain fixes for the following reported vulnerabilities.

Title: Improper validation of user supplied input on select IBM Sterling B2B Integrator screens
CVE ID: CVE-2012-5766
Link: http://www.ibm.com/support/docview.wss?uid=swg21627982

Title: IBM Sterling B2B Integrator's session or sensitive cookies do not have the secure attribute enabled
CVE ID: CVE-2012-5936
Link: http://www.ibm.com/support/docview.wss?uid=swg21627985

Title: Error in IBM Sterling B2B Integrator console processing could result in stack traces being displayed in the response
CVE ID: CVE-2013-0481
Link: http://www.ibm.com/support/docview.wss?uid=swg21627986

Title: A number of security vulnerabilities have been discovered in the OpenSSL libraries included in IBM Sterling B2B Integrator and IBM Sterling File Gateway
CVE ID: Multiple CVEs
Link: http://www.ibm.com/support/docview.wss?uid=swg21640831

Workarounds and Mitigations

None Known.

References

Change History

June 30, 2013: Initial Version
July 30, 2013: Changed affected products section to include Sterling B2B Integrator 5.0 and remediation section to include 5010
Oct 7, 2013: Corrected few broken links
Dec 2, 2013: Updated Remediation to include the 5020402 Fix Pack as one of the remediated versions
Dec 12, 2014: Updated Remediation to include the 5020500 Fix Pack as one of the remediated versions

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of these vulnerabilities in their environments by accessing the links in the References section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Product metadata: IBM Sterling B2B Integrator (SS3JSW), versions 5.2, 5.1 and 5.0, all editions; platforms AIX, HP-UX, IBM i, Linux, Solaris, Windows. IBM Sterling File Gateway (SS4TGX), versions 2.2 and 2.1; platforms AIX, HP-UX, i5/OS, Linux, Windows.

Document Information

Modified date:
11 February 2020

UID

swg21640830