Default authentication in IBM Curam Social Program Management does not support a per-user-account lockout policy; a single, system-wide policy applies to every account. For most users of the system a low lockout threshold is desirable. However, for accounts used to integrate with another system, such as a user whose sole purpose is to let another system invoke a particular web service, a low threshold allows an attacker who knows the username to lock that account, and with it the other system, out of Curam, effecting a denial of service. The appropriate threshold is context specific, and in affected releases default authentication in Curam does not allow the lockout threshold to be configured at that level.
Default authentication in IBM Curam Social Program Management now supports additional configuration to allow more flexibility in the lockout policy. See the release notes of the relevant release for the supported options for configuration of password lockout policy.
Customers of IBM Curam Social Program Management using an alternative authentication system such as LDAP are NOT affected.
DESCRIPTION: IBM Curam Social Program Management allows an attacker with knowledge of usernames within the caseworker system to lock those users out of the system, preventing those users, or a client system that authenticates as one of them, from accessing the web application.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)
Affected Products and Versions

| Product | Version | Remediation / Fix |
|---|---|---|
| Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 220.127.116.11 or a subsequent 6.0.5 release. |
| Cúram SPM | 6.0.4 | Visit IBM Fix Central and upgrade to 18.104.22.168 or a subsequent 6.0.4 release. |
| Cúram SPM | 6.0 SP2 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a subsequent 6.0 SP2 release. |
| Cúram SPM | 5.2 | Visit IBM Fix Central and upgrade to 5.2 SP6 EP6 or a subsequent 5.2 release. |
See the release notes of the relevant release for the supported options for configuration of password lockout policy.
Workarounds and Mitigations
(i) Increase the number of permitted login retries, but enforce a stronger password policy at the same time. Passwords must be strong enough to resist brute-force and dictionary attacks across the larger number of attempts, which reduces the reliance placed on account lockout.
(ii) The period for which an account remains locked can also be modified. Locking accounts permanently (until an administrator unlocks them) lets an attacker mount a permanent denial of service against legitimate users; a temporary lockout limits the attacker to a denial of service of the same, temporary, duration.
If either mitigation is employed, authentication failures should be monitored closely, since a higher retry threshold or a shorter lockout period gives an attacker more room for guessing attempts before a lock takes effect.
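The following is an added example, not code from IBM Curam or this bulletin, showing the two mitigations above together with the monitoring they call for: a lockout policy that can be overridden per account (a strict policy for interactive caseworkers, a lenient one for an integration user), a lockout that expires after a configurable period instead of lasting until an administrator intervenes, and a check over authentication-failure log lines that flags a source failing against many distinct usernames. All class and function names, the policy values, and the log format are hypothetical assumptions made for the example.

```python
"""Per-account lockout policy with a temporary lockout window, plus a simple
auth-failure monitor. Constructed example for this bulletin; names and the
log format are hypothetical, not IBM Curam APIs."""
import hmac
import re
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int       # failures within the window before the account locks
    window_seconds: float   # only failures this recent count toward max_failures
    lockout_seconds: float  # how long the lock lasts; 0 means until admin unlock


# Strict policy for caseworkers, lenient one for integration (service) users.
INTERACTIVE = LockoutPolicy(max_failures=5, window_seconds=600, lockout_seconds=900)
SERVICE = LockoutPolicy(max_failures=50, window_seconds=60, lockout_seconds=60)


class AuthGate:
    """Tracks failures per user and applies that user's own policy."""

    def __init__(self, credentials, default=INTERACTIVE, overrides=None,
                 clock=time.monotonic):
        self._creds = credentials          # user -> password (constructed; real systems store hashes)
        self._default = default
        self._overrides = overrides or {}  # user -> LockoutPolicy override
        self._clock = clock                # injectable so the behaviour can be tested
        self._failures = defaultdict(deque)  # user -> timestamps of recent failures
        self._locked_until = {}              # user -> unlock time (inf = permanent)

    def policy_for(self, user):
        return self._overrides.get(user, self._default)

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:       # temporary lock has expired
            del self._locked_until[user]
            self._failures[user].clear()
            return False
        return True

    def admin_unlock(self, user):
        self._locked_until.pop(user, None)
        self._failures[user].clear()

    def login(self, user, password):
        """Return 'ok', 'denied' or 'locked'. Externally a system should report
        the same generic error for 'denied' and 'locked' to avoid enumeration."""
        if self.is_locked(user):
            return "locked"
        expected = self._creds.get(user, "")
        # constant-time compare, evaluated even for unknown users
        if hmac.compare_digest(expected.encode(), password.encode()) and user in self._creds:
            self._failures[user].clear()
            return "ok"
        pol = self.policy_for(user)
        now = self._clock()
        fails = self._failures[user]
        fails.append(now)
        while fails and now - fails[0] > pol.window_seconds:  # forget stale failures
            fails.popleft()
        if len(fails) >= pol.max_failures:
            self._locked_until[user] = (float("inf") if pol.lockout_seconds == 0
                                        else now + pol.lockout_seconds)
            fails.clear()
            return "locked"
        return "denied"


# --- Monitoring: flag sources that fail against many distinct usernames ---
LOG_RE = re.compile(r"^(?P<ts>\S+) auth_failure user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log lines (format is hypothetical).
SAMPLE_LOG = [
    "2015-02-26T10:00:01Z auth_failure user=alice src=203.0.113.9",
    "2015-02-26T10:00:02Z auth_failure user=bob src=203.0.113.9",
    "2015-02-26T10:00:02Z auth_failure user=svc_intake src=203.0.113.9",
    "2015-02-26T10:00:03Z auth_failure user=carol src=203.0.113.9",
    "2015-02-26T10:05:00Z auth_failure user=alice src=198.51.100.4",
    "2015-02-26T10:05:30Z auth_success user=alice src=198.51.100.4",
]


def suspicious_sources(lines, min_distinct_users=3):
    """Map src -> sorted usernames for sources that failed against at least
    min_distinct_users accounts: the signature of a lockout or password-spray
    campaign rather than one user mistyping a password."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["src"]].add(m["user"])
    return {src: sorted(users) for src, users in seen.items()
            if len(users) >= min_distinct_users}


if __name__ == "__main__":
    gate = AuthGate({"alice": "pw-alice", "svc_intake": "pw-svc"},
                    overrides={"svc_intake": SERVICE})
    print([gate.login("alice", "guess") for _ in range(5)])  # four 'denied', then 'locked'
    print(gate.login("alice", "pw-alice"))                   # 'locked': correct password still refused
    print(suspicious_sources(SAMPLE_LOG))
```

The service account here tolerates fifty failures a minute and recovers after sixty seconds, so an attacker who knows its username can at most delay the integrating system briefly, while caseworkers keep a low threshold; the monitor is what turns that extra headroom into an alert rather than an unnoticed guessing campaign.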
Get Notified about Future Security Bulletins
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
Original version published 26 February 2015
Updated for missing links and text published 21 April 2015
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
17 July 2018