Security Bulletin
Summary
There are multiple security vulnerabilities in various components used by IBM Security Identity Manager Virtual Appliance
Vulnerability Details
CVEID: CVE-2015-5352
DESCRIPTION: OpenSSH could allow a remote authenticated attacker to bypass security restrictions, caused by an error when making connections after ForwardX11Timeout expired. If X11 connections are forwarded with ForwardX11Trusted=no, an attacker could exploit this vulnerability to bypass XSECURITY restrictions.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104418 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2015-6563
DESCRIPTION: OpenSSH could allow a local attacker to bypass security restrictions, caused by the acceptance of extraneous username data in MONITOR_REQ_PAM_INIT_CTX requests by the monitor component in sshd. An attacker could exploit this vulnerability to conduct impersonation attacks.
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105881 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2015-6564
DESCRIPTION: OpenSSH could allow a local attacker to gain elevated privileges on the system, caused by a use-after-free error in the mm_answer_pam_free_ctx function. An attacker could exploit this vulnerability to gain elevated privileges on the system.
CVSS Base Score: 7.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/105882 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
Affected Products and Versions
IBM Security Identity Manager Virtual Appliance versions 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.1.0, 7.0.1.1, 7.0.1.3
Remediation/Fixes
Ensure that the version listed below is installed on the system.
| Product Version | Fix level |
| IBM Security Identity Manager (ISIM) Virtual Appliance releases 7.0.0.0, 7.0.0.1, 7.0.0.2, 7.0.0.3, 7.0.1.0, 7.0.1.1, 7.0.1.3 Upgrading from firmware version 7.0.0.0 to 7.0.1.3 requires intermediate upgrade to 7.0.0.2 or 7.0.1.0. Upgrading from 7.0.0.2 or later requires no intermediate upgrade. | Apply IBM Security Identity Manager (ISIM) 7.0.1-ISS-SIM-FP0004 |
Get Notified about Future Security Bulletins
References
Change History
2016-10-24: Initial Draft
2016-11-02: Remove openssl. even though I updated the build, test failed. seemed to grab the fips version from 2013.
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Product Synonym
ISIM
Was this topic helpful?
Document Information
Modified date:
16 June 2018
UID
swg21992927