-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.0251
 Security Bulletin: Tivoli Federated Identity Manager and Tivoli Federated
Identity Manager Business Gateway can be affected by two vulnerabilities in
              the IBM WebSphere Application Server component
                      (CVE-2014-0423, CVE-2014-0411)
                             26 February 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Tivoli Federated Identity Manager
Publisher:         IBM
Operating System:  AIX
                   HP-UX
                   Linux variants
                   Solaris
                   Windows
                   z/OS
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Denial of Service              -- Existing Account      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0423 CVE-2014-0411 

Reference:         ASB-2014.0005
                   ESB-2014.0058

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21665712

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Tivoli Federated Identity Manager and Tivoli Federated 
Identity Manager Business Gateway can be affected by two vulnerabilities in the 
IBM WebSphere Application Server component (CVE-2014-0423, CVE-2014-0411)

Flash (Alert)

Document information

More support for:
Tivoli Federated Identity Manager

Software version:
6.0, 6.1, 6.1.1, 6.2, 6.2.1, 6.2.2

Operating system(s):
AIX, HP-UX, Linux, Solaris, Windows, z/OS

Reference #:
1665712

Modified date:
2014-02-25

Abstract

The IBM WebSphere Application Server component provided with IBM Tivoli 
Federated Identity Manager (FIM) and IBM Tivoli Federated Identity Manager 
Business Gateway (FIMBG) is vulnerable to a denial of service attack and a 
transport layer security (TLS) timing attack.

Content

VULNERABILITY DETAILS: 
CVE-ID:
CVE-2014-0423

DESCRIPTION: 
The XML parser used by FIM and FIMBG is vulnerable to a denial of service 
attack, triggered by malformed XML data. The malformed data causes the XML 
parser to consume CPU resource for several minutes before the data is 
eventually rejected. This behavior can be used to launch a denial of service 
attack against the FIM or FIMBG server.

The attack does not require local network access, but it does require 
authentication and some degree of specialized knowledge and techniques. An 
exploit would not impact the integrity of data, but the availability of the 
system and the confidentiality of information could be compromised.
CVSS Base Score: 5.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90340 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:P)

CVE-ID:
CVE-2014-0411

DESCRIPTION: 
The implementation of TLS used by FIM and FIMBG is subject to a timing attack 
that a man-in-the-middle attacker could exploit to decrypt the encrypted 
communication. 

The attack does not require local network access nor does it require 
authentication, but a high degree of specialized knowledge and techniques are 
required. An exploit would not affect the availability of the system, but it 
could impact the confidentiality of information and the integrity of data.

CVSS Base Score: 4
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90357 for the 
current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:P/A:N)


AFFECTED PRODUCTS AND VERSIONS: 
IBM Tivoli Federated Identity Manager (FIM) versions 6.0, 6.1.0, 6.1.1, 6.2.0, 
6.2.1, 6.2.2
IBM Tivoli Federated Identity Manager Business Gateway (FIMBG) versions 6.1.1, 
6.2.0, 6.2.1, 6.2.2


REMEDIATION: 
Remediation/Solutions:
The IBM SDK for Java is obtained through the WebSphere Application Server 
distribution used by FIM and FIMBG. Patch instructions for the supported 
WebSphere Application Server versions are available in the IBM Security 
Bulletin "Multiple vulnerabilities in current IBM SDK for Java for WebSphere 
Application Server January 2014 CPU".

Supported WebSphere Application Server versions for TFIM and TFIMBG

TFIM/TFIMBG Version	WebSphere Application Server (WAS) Version
TFIM 6.0		WAS 6.1
TFIM 6.1		WAS 6.1
TFIM 6.2.0		WAS 6.1
TFIM 6.2.1		WAS 6.1
			WAS 7.0
TFIM 6.2.2		WAS 7.0
			WAS 8.0
			WAS 8.5
			WAS 8.5.5
TFIMBG 6.1.1		eWAS (Embedded WebSphere Application Server) 6.1
TFIMBG 6.2.0		eWAS 6.1
			WAS 6.1
TFIMBG 6.2.1		eWAS 6.1
			WAS 6.1
			WAS 7.0
TFIMBG 6.2.2		eWAS 6.1
			WAS 6.1
			WAS 7.0
			WAS 8.0
			WAS 8.5
			WAS 8.5.5

For TFIM version 6.0, IBM recommends upgrading to a fixed, supported 
version/release/platform of the product. 

IMPORTANT: The referenced WebSphere Application Server security bulletin lists 
all CVEs that affect WebSphere Application Server. FIM and FIMBG are affected 
only by the CVEs listed in this security bulletin. 

Workaround(s): 
None 

Mitigation(s): 
None 

REFERENCES:
Complete CVSS Guide
On-line Calculator V2
CVE-2014-0423
CVE-2014-0411
http://xforce.iss.net/xforce/xfdb/90340
http://xforce.iss.net/xforce/xfdb/90357
IBM Security Alerts


RELATED INFORMATION: 
IBM Secure Engineering Web Portal 
IBM Product Security Incident Response Blog 


ACKNOWLEDGEMENT
None

CHANGE HISTORY:
25 Feb 2014 - initial publish
*The CVSS Environmental Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of 
this vulnerability in their environments by accessing the links in the 
Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Cross reference information
Segment:  Security
Product:  Tivoli Federated Identity Manager Business Gateway

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----