
Security Bulletin: Tivoli Federated Identity Manager and Tivoli Federated Identity Manager Business Gateway can be affected by two vulnerabilities in the IBM WebSphere Application Server component (CVE-2014-0423, CVE-2014-0411)

Summary

The IBM WebSphere Application Server component provided with IBM Tivoli Federated Identity Manager (FIM) and IBM Tivoli Federated Identity Manager Business Gateway (FIMBG) is vulnerable to a denial of service attack and a transport layer security (TLS) timing attack.

Vulnerability Details


CVE-ID: CVE-2014-0423

DESCRIPTION:
The XML parser used by FIM and FIMBG is vulnerable to a denial of service attack, triggered by malformed XML data. The malformed data causes the XML parser to consume CPU resource for several minutes before the data is eventually rejected. This behavior can be used to launch a denial of service attack against the FIM or FIMBG server.

The attack does not require local network access, but it does require authentication and some degree of specialized knowledge and techniques. An exploit would not impact the integrity of data, but the availability of the system and the confidentiality of information could be compromised.

CVSS Base Score: 5.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90340 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)



CVE-ID: CVE-2014-0411

DESCRIPTION:
The implementation of TLS used by FIM and FIMBG is subject to a timing attack that could be exploited by a man in the middle attack to decrypt the encrypted communication.

The attack does not require local network access nor does it require authentication, but a high degree of specialized knowledge and techniques are required. An exploit would not affect the availability of the system, but it could impact the confidentiality of information and the integrity of data.

CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90357 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)

Affected Products and Versions

IBM Tivoli Federated Identity Manager (FIM) versions 6.0, 6.1.0, 6.1.1, 6.2.0, 6.2.1, 6.2.2
IBM Tivoli Federated Identity Manager Business Gateway (FIMBG) versions 6.1.1, 6.2.0, 6.2.1, 6.2.2

Remediation/Fixes

The IBM SDK for Java is obtained through the WebSphere Application Server distribution used by FIM and FIMBG. Patch instructions for WebSphere Application Server versions are available through this Security Bulletin: Multiple vulnerabilities in current IBM SDK for Java for WebSphere Application Server January 2014 CPU

Supported WebSphere Application Server versions for TFIM and TFIMBG

TFIM/TFIMBG Version | WebSphere Application Server (WAS) Version
TFIM 6.0            | WAS 6.1
TFIM 6.1            | WAS 6.1
TFIM 6.2.0          | WAS 6.1
TFIM 6.2.1          | WAS 6.1, WAS 7.0
TFIM 6.2.2          | WAS 7.0, WAS 8.0, WAS 8.5, WAS 8.5.5
TFIMBG 6.1.1        | eWAS (Embedded WebSphere Application Server) 6.1
TFIMBG 6.2.0        | eWAS 6.1, WAS 6.1
TFIMBG 6.2.1        | eWAS 6.1, WAS 6.1, WAS 7.0
TFIMBG 6.2.2        | eWAS 6.1, WAS 6.1, WAS 7.0, WAS 8.0, WAS 8.5, WAS 8.5.5

For TFIM version 6.0, IBM recommends upgrading to a fixed, supported version/release/platform of the product.

IMPORTANT: The security bulletin lists all CVEs that affect WebSphere Application Server. FIM and FIMBG are only affected by the CVEs listed in this security bulletin.

Workarounds and Mitigations

None

References

Change History

25 Feb 2014 - initial publish

*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.

Document Information

Modified date:
16 June 2018

UID

swg21665712