Security Bulletin
Summary
Multiple Security Vulnerabilities fixed in the IBM Tivoli/Security Directory Server product.
Vulnerability Details
CVEID: CVE-2015-1978
DESCRIPTION: IBM Security Directory Server is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using a specially-crafted URL to execute script in a victim's Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim's cookie-based authentication credentials.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103697 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2015-1972
DESCRIPTION: IBM Security Directory Server could reveal sensitive information in error logs. A remote attacker with internal knowledge of the server could issue a specially crafted POST command to obtain sensitive information.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103648 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1959
DESCRIPTION: IBM Security Directory Server could allow a local user to upload and download potentially sensitive encrypted files.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103502 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1974
DESCRIPTION: IBM Security Directory Server could allow an authenticated user to execute commands that they should not have access to through the web administration tool.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103693 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)
CVEID: CVE-2015-2019
DESCRIPTION: IBM Security Directory Server allows some SSL pages to be cacheable which could allow a local attacker to obtain sensitive information.
CVSS Base Score: 2.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/104005 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)
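Whether a TLS-protected page can end up in a browser or proxy cache is decided by its response headers, so the practical check for an issue like CVE-2015-2019 is a header audit. The following is an added example, not code from IBM or from the Directory Server product: it parses Cache-Control and reports what a browser cache and a shared cache are allowed to do with the response. The header sets are constructed for illustration, not captured from a real server.

```python
"""Audit HTTP response headers for cacheability of sensitive pages.

Added example, not IBM's code. The sample header sets below are constructed
to illustrate the weak and the hardened case; they are not captured from a
Directory Server instance.
"""


def header_value(headers, name):
    """Case-insensitive lookup over (name, value) pairs; repeated headers are joined."""
    values = [v for k, v in headers if k.lower() == name.lower()]
    return ", ".join(values)


def cache_control_directives(value):
    """Parse a Cache-Control value into {directive: argument-or-None}."""
    directives = {}
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        name, _, arg = token.partition("=")
        directives[name.strip().lower()] = arg.strip().strip('"') or None
    return directives


def cache_verdict(headers):
    """Return what a browser or shared cache may do with this response.

    Only 'no-store' prevents the response from being written to disk at all;
    'no-cache' and 'max-age=0' merely force revalidation before reuse, and
    'private' stops shared (proxy) caches but not the browser cache.
    A past or zero 'Expires' value is treated only as a revalidation hint.
    """
    cc = cache_control_directives(header_value(headers, "Cache-Control"))
    browser_may_store = "no-store" not in cc
    shared_may_store = browser_may_store and "private" not in cc
    must_revalidate = (
        "no-cache" in cc
        or cc.get("max-age") == "0"
        or header_value(headers, "Expires").strip() in ("0", "-1")
    )
    return {
        "browser_may_store": browser_may_store,
        "shared_cache_may_store": shared_may_store,
        "must_revalidate": must_revalidate,
    }


def is_sensitive_response_cacheable(headers):
    """True when a sensitive page could be left on disk by some cache."""
    return cache_verdict(headers)["browser_may_store"]


# Constructed sample: an authenticated HTTPS page with no caching directives.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=EXAMPLE; Secure; HttpOnly"),
]

# Constructed sample: the same page with the directives that stop caching.
HARDENED_HEADERS = WEAK_HEADERS + [
    ("Cache-Control", "no-store, no-cache, must-revalidate"),
    ("Pragma", "no-cache"),
    ("Expires", "0"),
]

# Constructed sample: blocks proxies only; the browser may still store it.
PRIVATE_HEADERS = WEAK_HEADERS + [("Cache-Control", "private, max-age=0")]

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("private", PRIVATE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, cache_verdict(hdrs))
```

The point of the three-way verdict is that `private` and `no-cache` are often mistaken for a fix: a page carrying only those directives is still written to the browser's disk cache, which is exactly the local-attacker exposure the advisory describes.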
CVEID: CVE-2015-2808
DESCRIPTION: The RC4 algorithm, as used in the TLS protocol and SSL protocol, could allow a remote attacker to obtain sensitive information. An attacker could exploit this vulnerability to remotely expose account credentials without requiring an active man-in-the-middle session. Successful exploitation could allow an attacker to retrieve credit card data or other sensitive information. This vulnerability is commonly referred to as "Bar Mitzvah Attack".
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/101851 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2015-1975
DESCRIPTION: IBM Security Directory Server could allow an authenticated user to inject arguments into the web administration tool that would be executed by the user running the tool.
CVSS Base Score: 4.1
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/103694 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:P/A:P)
Affected Products and Versions
IBM Tivoli Directory Server 6.0, 6.1, 6.2, 6.3
IBM Security Directory Server 6.3.1, 6.4
Remediation/Fixes
| Affected Products and Versions | Fix Availability |
|---|---|
| IBM Tivoli Directory Server 6.0 | IBM Tivoli Directory Server 6.0 iFix 75 |
| IBM Tivoli Directory Server 6.1 | IBM Tivoli Directory Server 6.1 iFix 68 |
| IBM Tivoli Directory Server 6.2 | IBM Tivoli Directory Server 6.2 iFix 44 |
| IBM Tivoli Directory Server 6.3 | IBM Tivoli Directory Server 6.3 iFix 37 |
| IBM Security Directory Server 6.3.1 | IBM Security Directory Server 6.3.1 iFix 11 |
| IBM Security Directory Server 6.4 | IBM Security Directory Server 6.4 iFix 2 |
References
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 16 June 2018
UID: swg21960659