IBM Support

Security Bulletin: Multiple vulnerabilities addressed in IBM Security Access Manager

Security Bulletin


Summary

There are multiple vulnerabilities in various components used by IBM Security Access Manager for Mobile and IBM Security Access Manager for Web.

Vulnerability Details


The following vulnerabilities affect both IBM Security Access Manager for Mobile and IBM Security Access Manager for Web.


CVE-ID: CVE-2014-6080

DESCRIPTION: IBM Security Access Manager is vulnerable to an SQL injection attack in which a remote attacker could send specially-crafted SQL statements, which could allow the attacker to view, add, modify or delete information in the back-end database.

The vulnerability can be accessed from a remote network, is of medium complexity and requires authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95767 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)



CVE-ID: CVE-2014-6078

DESCRIPTION: IBM Security Access Manager allows multiple failed login requests without locking out the user. This could allow an attacker to guess the admin credentials over a period of time through a brute force attack.

The vulnerability can be accessed from a remote network, is of low complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95762 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:P/A:N)



CVE-ID: CVE-2014-6076

DESCRIPTION: IBM Security Access Manager fails to sanitize certain user actions that could allow a remote attacker to hijack the clicking action of another user. By persuading a victim to visit a malicious Web site, a remote attacker could send a specially-crafted HTTP request to hijack the victim's click actions or launch other client-side browser attacks.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95729 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)



CVE-ID: CVE-2014-6077

DESCRIPTION: IBM Security Access Manager fails to properly validate certain user-supplied data. This could enable a cross-site request forgery attack. By persuading an authenticated user to visit a malicious Web site, a remote attacker could send a malformed HTTP request without the user's knowledge. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning, and other malicious activities.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95730 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)



CVE-ID: CVE-2014-6086

DESCRIPTION: Under certain conditions, IBM Security Access Manager can, if requested to do so by the user, use HTTP rather than HTTPS to communicate sensitive data, resulting in unencrypted traffic being transmitted which can be stolen using man in the middle techniques.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95813 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6083

DESCRIPTION: IBM Security Access Manager does not prevent certain cookies being sent by client systems across an unencrypted HTTP connection. If the application is accessed via a network with HTTP after one such cookie has been set on the client, an attacker using man-in-the-middle techniques could recover packets for non-encrypted cookies that could potentially contain sensitive session information or credentials.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95810 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6084

DESCRIPTION: IBM Security Access Manager offers weaker than expected encryption in its use of SSL ciphers. This information could be decrypted by an attacker able to intercept traffic using man in the middle techniques.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95811 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6087

DESCRIPTION: IBM Security Access Manager could allow a remote attacker to obtain sensitive information, caused by the use of cipher suites with weak encryption algorithms. An attacker could exploit this vulnerability using network sniffing tools to obtain sensitive information.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95813 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6088

DESCRIPTION: IBM Security Access Manager could allow a remote attacker to obtain sensitive information. If an SSL client running outside the server environment is not able to select a valid cipher for the connection, it could result in the server using a default null cipher. An attacker could exploit this vulnerability to obtain cleartext information over an SSL channel.

The vulnerability can be accessed from a remote network, is of medium complexity and does not require authentication. A successful exploit could partially compromise the confidentiality of the system, could not compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95860 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)



CVE-ID: CVE-2014-6089

DESCRIPTION: IBM Security Access Manager does not properly enforce the destination directory for uploaded files. This could allow a remote attacker to upload files to protected areas of the file system. This could affect the operations of the system.

The vulnerability can be accessed from a remote network, is of low complexity and requires authentication. A successful exploit could not compromise the confidentiality of the system, could partially compromise the integrity of the system and could not compromise the accessibility of the system.

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95860 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)



CVE-ID: CVE-2014-6082

DESCRIPTION: IBM Security Access Manager is vulnerable to a denial of service attack in which a remote authenticated attacker could cause certain components of the administration user interface to be unavailable.

The vulnerability can be accessed from a remote network, is of low complexity and requires authentication. A successful exploit could not compromise the confidentiality of the system, could not compromise the integrity of the system and could partially compromise the accessibility of the system.

CVSS Base Score: 4.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95809 for more information
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:N/A:P)

Affected Products and Versions

IBM Security Access Manager for Mobile 8.0, firmware versions 8.0.0.0, 8.0.0.1 8.0.0.3, 8.0.0.4, and 8.0.0.5.
IBM Security Access Manager for Web 7.0, 8.0, firmware versions 8.0.0.2, 8.0.0.3, 8.0.0.4, and 8.0.0.5

Remediation/Fixes

The table below provides links to patches for all affected versions. Follow the installation instructions in the README files included with the patch.

NOTE: The patch for the IBM Security Access Manager 8.0 versions is accessed from Passport Advantage and is numbered 8.0.1. This is a fixpack and is applied in the same manner as all appliance firmware patches. This patch can be applied in place and will not remove your existing configuration. Instructions for applying the patch are available at the following URL:

http://www-01.ibm.com/support/knowledgecenter/SSELE6_8.0.1/com.ibm.isam.doc_8.0.1/releaseinfo/task/tsk_upgrading.html

ProductVRMFAPARRemediation
IBM Security Access Manager for Web -7.0

Appliance-based

7.0.0.0
7.0.0.1
7.0.0.2
7.0.0.3

7.0.0.4
7.0.0.5
7.0.0.6
7.0.0.7

7.0.0.8
7.0.0.9
IV67581

IV67358

7.0.0-ISS-WGA-FP0010
IBM Security Access Manager for Web -7.0

Software-based

7.0.0.0
7.0.0.1
7.0.0.2
7.0.0.3

7.0.0.4
7.0.0.5
7.0.0.6
7.0.0.7

7.0.0.8
7.0.0.9
IV67581

IV67358

7.0.0-ISS-SAM-FP0010
IBM Security Access Manager for Mobile -8.08.0.0.0
8.0.0.1
8.0.0.3
8.0.0.4

8.0.0.5
IV67581

IV67358

IBM Security Access Manager V8.0.1 Base Virtual Appliance .pkg file Multiplatform, Multilingual (CN34GML)
IBM Security Access Manager for Web -8.08.0.0.2
8.0.0.3
8.0.0.4

8.0.0.5
IV67581

IV67358

IBM Security Access Manager V8.0.1 Base Virtual Appliance .pkg file Multiplatform, Multilingual (CN34GML)

Workarounds and Mitigations

None

Get Notified about Future Security Bulletins

References

Off

Acknowledgement

IBM Security Systems Ethical Hacking Team: Paul Ionescu, Brennan Brazeau, John Zuccato, Jonathan Fitz-Gerald, Warren Moynihan

Change History

12 December 2014: Original Version Published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

[{"Product":{"code":"SSELE6","label":"IBM Security Access Manager for Mobile"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"--","Platform":[{"code":"PF016","label":"Linux"}],"Version":"8.0;8.0.0.1;8.0.0.3;8.0.0.4;8.0.0.5","Edition":""},{"Product":{"code":"SSPREK","label":"IBM Security Access Manager for Web"},"Business Unit":{"code":"BU008","label":"Security"},"Component":"Not Applicable","Platform":[{"code":"PF016","label":"Linux"}],"Version":"7.0;8.0.0.2;8.0.0.4;8.0.0.5","Edition":""}]

Document Information

Modified date:
16 June 2018

UID

swg21684475