===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0137
   Security Bulletin: IBM Financial Transaction Manager 2.0 and 2.1 OAC
       vulnerabilities (CVE-2014-0830, CVE-2014-0831, CVE-2014-0832,
                                CVE-2014-0833)
                              3 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Financial Transaction Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   z/OS
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
                   Unauthorised Access             -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0833 CVE-2014-0832 CVE-2014-0831
                   CVE-2014-0830

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21662714

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Financial Transaction Manager 2.0 and 2.1 OAC
vulnerabilities (CVE-2014-0830, CVE-2014-0831, CVE-2014-0832, CVE-2014-0833)

Security Bulletin

Summary

IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities

Document information

Product:             Financial Transaction Manager
Software version:    2.0, 2.1
Operating system(s): AIX, Linux, z/OS
Reference #:         1662714
Modified date:       2014-01-31

Vulnerability Details

CVE ID: CVE-2014-0830

        SUMMARY: FTM 2.0 and 2.1 Table export function exposes a path traversal
        vulnerability

        DESCRIPTION:
        Search results in the FTM console can be exported as CSV format text 
        files. As part of this function the server side code provides access to
        temporary files on the WAS server. It is possible for a rogue user, 
        once logged in, to use client side tools to alter the file name to be 
        read. Alteration can also include path traversal outside of the 
        temporary file location. This potentially allows download of 
        unauthorized files from the file system hosting the application server.

        This exposure is limited to authenticated users.

        CVSS Base Score: 4
        CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90584 for 
        the current score
        CVSS Environmental Score*: Undefined
        CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

        AFFECTED PRODUCTS:
        IBM Financial Transaction Manager: 2.0 & 2.1

        REMEDIATION:
        FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
        FTM 2.1 customers may apply PTF/fixpack 2.1.0.1 or upgrade to FTM 2.1.1

        WORKAROUND(s):
        None

        MITIGATION(s):
        Ensure the application server user account does not have privileges to
        read files outside of its directories.
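
As an added illustration of the server-side fix the export function above calls for (example code, not IBM's or FTM's own; the export directory, file names and the CSV-only rule are assumptions): a client-supplied file name is honoured only if it names a regular CSV file directly inside the export directory, and traversal sequences, absolute paths, subdirectories and symlinks pointing outside the directory are all rejected.

```python
import tempfile
from pathlib import Path
from typing import Optional

ALLOWED_SUFFIX = ".csv"   # the export function on the page produces CSV files


def resolve_export_path(export_dir: Path, requested_name: str) -> Optional[Path]:
    """Map a client-supplied export file name to a file inside export_dir.

    Returns None for anything that is not a plain CSV file located directly
    in export_dir: traversal sequences, absolute paths, subdirectory
    components, NUL bytes, or a symlink that resolves outside the directory.
    """
    if not requested_name or "\x00" in requested_name:
        return None
    # Accept only a bare file name: a separator or parent reference changes .name
    if Path(requested_name).name != requested_name or requested_name == "..":
        return None
    if not requested_name.lower().endswith(ALLOWED_SUFFIX):
        return None
    base = export_dir.resolve()
    candidate = (base / requested_name).resolve()   # follows symlinks
    try:
        candidate.relative_to(base)   # ValueError when candidate escapes base
    except ValueError:
        return None
    return candidate if candidate.is_file() else None


def setup_demo() -> Path:
    """Create a throwaway export directory with constructed demo files."""
    export_dir = Path(tempfile.mkdtemp(prefix="ftm-export-demo-"))
    (export_dir / "results.csv").write_text("id,status\n1,OK\n")
    # A CSV-named symlink inside the export dir that points outside it
    outside_dir = Path(tempfile.mkdtemp(prefix="ftm-outside-demo-"))
    outside = outside_dir / "not-for-download.txt"
    outside.write_text("outside the export location\n")
    (export_dir / "link.csv").symlink_to(outside)
    return export_dir


if __name__ == "__main__":
    demo_dir = setup_demo()
    for name in ["results.csv", "../results.csv", "/abs/results.csv",
                 "sub/results.csv", "link.csv", "results.txt"]:
        print(f"{name!r:20} -> {resolve_export_path(demo_dir, name)}")
```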

CVE ID: CVE-2014-0831

        SUMMARY: FTM 2.0 OAC is not protected from cross site request forgery
        vulnerabilities.

        DESCRIPTION:
        A hand-crafted link could be used to trick a user into initiating a
        function of the FTM OAC. If the user is authorized, the request could
        cause an edit of configuration data. The user must be logged in.
        Detailed knowledge of the FTM HTTP request format is required to
        exploit this. Any request to edit configuration data would also need
        knowledge of the data being edited. In the case of an edit, the
        request would be audited and the edit history would be recorded.

        CVSS Base Score: 3.5
        CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90585 for
        the current score
        CVSS Environmental Score*: Undefined
        CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

        AFFECTED PRODUCTS:
        IBM Financial Transaction Manager: 2.0

        REMEDIATION:
        FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1

        WORKAROUND(s):
        None

        MITIGATION(s):
        None

CVE ID: CVE-2014-0832

        SUMMARY: FTM 2.0 Configuration details screens are exposed to cross
        site scripting vulnerabilities.

        DESCRIPTION:
        It is possible to create and edit configuration data that includes
        JavaScript in the text values. A subsequent user viewing these records
        would inadvertently execute the JavaScript in their browser.
        This exposure is limited to authenticated users.
        The creation and/or edit of the data to contain potentially malicious
        JavaScript is fully audited and traceable back to the user.

        CVSS Base Score: 3.5
        CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90586 for
        the current score
        CVSS Environmental Score*: Undefined
        CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

        AFFECTED PRODUCTS:
        IBM Financial Transaction Manager: 2.0

        REMEDIATION:
        FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1

        WORKAROUND(s):
        None

        MITIGATION(s):
        Restrict access to these screens to the minimum group of personnel to
        minimize risk.
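
An added example, not part of the IBM bulletin: since the page states that configuration edits are fully audited and traceable to the user, a reviewer can scan the audit trail for text values carrying active content and attribute them to the editing user, while the viewing screen encodes stored values so markup is displayed rather than executed. The audit record fields and the sample edits are constructed assumptions, not FTM's audit schema.

```python
import html
import re
from dataclasses import dataclass
from typing import List

# Markers of active content inside a configuration text value (assumed set).
ACTIVE_CONTENT = re.compile(
    r"<\s*script|javascript:|on[a-z]+\s*=|<\s*iframe|<\s*img", re.I
)


@dataclass
class ConfigEdit:
    """One audited configuration edit (fields assumed; not FTM's schema)."""
    user: str
    record: str
    field: str
    new_value: str


def render_value(value: str) -> str:
    """Encode a stored value for display: stored markup is shown, not executed."""
    return html.escape(value, quote=True)


def flag_active_content(edits: List[ConfigEdit]) -> List[ConfigEdit]:
    """Return the audited edits whose new value contains active HTML/JavaScript."""
    return [e for e in edits if ACTIVE_CONTENT.search(e.new_value)]


# Constructed audit records for the example; benign angle brackets in the last
# record show that escaping handles them without the review flagging them.
SAMPLE_EDITS = [
    ConfigEdit("opsadmin", "route-17", "description", "Primary clearing route"),
    ConfigEdit("jdoe", "route-18", "description", "Backup route <script>x()</script>"),
    ConfigEdit("jdoe", "route-19", "note", "<a href='javascript:void(0)'>help</a>"),
    ConfigEdit("opsadmin", "route-20", "note", "Cutoff is 17:00 <local>"),
]

if __name__ == "__main__":
    for edit in flag_active_content(SAMPLE_EDITS):
        print(f"review: {edit.user} set {edit.record}.{edit.field} = "
              f"{render_value(edit.new_value)}")
```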

CVE ID: CVE-2014-0833

        SUMMARY: FTM 2.0 OAC could accept a request to execute a resolution
        action where the user is not authorized.

        DESCRIPTION:
        It is possible for an authenticated user to initiate unauthorized
        process steps for data that is in a state that supports operator
        intervention. The impact of this depends on the customer process model
        and the action requested.

        CVSS Base Score: 3.5
        CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90612 for
        the current score
        CVSS Environmental Score*: Undefined
        CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

        AFFECTED PRODUCTS:
        IBM Financial Transaction Manager: 2.0

        REMEDIATION:
        FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1

        WORKAROUND(s):
        None

        MITIGATION(s):
        Use of IE8 or Firefox instead of IE6 or IE7 will prevent accidental
        exposure but does not prevent deliberate exploitation.

RELATED INFORMATION:

https://www-304.ibm.com/jct03001c/security/secure-engineering/process.html

ACKNOWLEDGEMENT:

None

Affected Products

Financial Transaction Manager v2.0 and v2.1

Remediation/Fixes

CVE ID          Product   VRMF                            APAR    Remediation
CVE-2014-0830   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2    None.   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0830   FTM       v2.1.0.0                        None.   Upgrade to v2.1.0.1 or v2.1.1
CVE-2014-0831   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2    None.   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0832   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2    None.   Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0833   FTM       v2.0.0.0, v2.0.0.1, v2.0.0.2    None.   Upgrade to v2.0.0.3 or v2.1.1

Important note:

IBM strongly suggests that all System z customers be subscribed to the System z
Security Portal to receive the latest critical System z security and integrity 
service. If you are not subscribed, see the instructions on the System z 
Security web site. Security and integrity APARs and associated fixes will be 
posted to this portal. IBM suggests reviewing the CVSS scores and applying all
security or integrity fixes as soon as possible to minimize any potential risk.

References:
Complete CVSS Guide
On-line Calculator V2
http://xforce.iss.net/xforce/xfdb/90584
http://xforce.iss.net/xforce/xfdb/90585
http://xforce.iss.net/xforce/xfdb/90586
http://xforce.iss.net/xforce/xfdb/90612

Change History

24th January 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================