-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1133
   Security Bulletin: Multiple Security Vulnerabilities in Certain GUI
                    Components of IBM Algo Credit Limits.
                                10 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Algo Credit Limits
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Modify Arbitrary Files     -- Existing Account
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated
                   Unauthorised Access        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0894 CVE-2014-0871 CVE-2014-0870 CVE-2014-0869
                   CVE-2014-0868 CVE-2014-0867 CVE-2014-0866 CVE-2014-0865
                   CVE-2014-0864

Original Bulletin:
   http://www-01.ibm.com/support/docview.wss?uid=swg21675881

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Security Vulnerabilities in Certain GUI
Components of IBM Algo Credit Limits.

Security Bulletin

Document information
More support for:     Algo Credit Limits
Software version:     4.7.0
Operating system(s):  AIX, Linux, Solaris, Windows
Reference #:          1675881
Modified date:        2014-06-30

Summary

Abstract: Multiple security vulnerabilities exist in certain GUI components of
IBM Algo Credit Limits, namely ACLM Web GUI, PDS Blotter Web GUI, and ACLM Win
GUI. Details of each vulnerability and the affected component(s) are set out
below.

Vulnerability Details

DESCRIPTION: Customers who have IBM Algo Credit Limits are potentially impacted
by these vulnerabilities.
CVE ID: CVE-2014-0864
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90938
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

DESCRIPTION
Affected Component(s): ACLM Web GUI

The ACLM Web GUI does not verify that requests are made only from within the
web application. An attacker could trick users into making an unintentional
request to the web application, which will be treated as an authorized request.
This may allow an attacker to perform tasks on behalf of the victim user, such
as modifying limits.

The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack will not compromise the
confidentiality of information or the availability of the system but may
compromise the integrity of data.

CVE ID: CVE-2014-0865
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90939
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Component(s): ACLM Win GUI

The ACLM Win GUI client performs input validation only client-side. This could
allow an attacker to alter arbitrary data, e.g. create a limit. This
vulnerability could also be used to circumvent dual control mechanisms by
manipulating data after creation.

The attack requires network access, some degree of authentication and some
degree of specialized knowledge and techniques. An attack will not compromise
the confidentiality of information or the availability of the system but may
compromise the integrity of data.

CVE ID: CVE-2014-0866
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90940
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Component(s): ACLM Win GUI, PDS Blotter Web GUI

The ACLM Win GUI client submits user credentials in plain-text. An attacker
with access to the network communication could perform man-in-the-middle
attacks and obtain user credentials.
This vulnerability also applies to the PDS Blotter Web GUI client, where
authentication is performed unencrypted.

The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack may partially compromise the
confidentiality of information. It will not compromise the availability of the
system or the integrity of data.

CVE ID: CVE-2014-0867
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90941
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Component(s): ACLM Web GUI

A vulnerable page in ACLM Web GUI could allow an attacker to set and overwrite
arbitrary cookies for a user that clicks on a manipulated link.

The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack will not compromise the
confidentiality of information or the availability of the system but may
compromise the integrity of data.

CVE ID: CVE-2014-0868
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90942
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Component(s): ACLM Web GUI

The ACLM Web GUI application performs input validation only client-side. This
could allow an attacker to alter arbitrary data. This vulnerability could also
be used to circumvent dual control mechanisms by manipulating data after
creation.

The attack requires network access, some degree of authentication and some
degree of specialized knowledge and techniques. An attack will not compromise
the confidentiality of information or the availability of the system but may
compromise the integrity of data.
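The CSRF and client-side-only validation findings above (CVE-2014-0864,
CVE-2014-0865, CVE-2014-0868) come down to two server-side checks that were
not being made. The Python below is an added illustration of those checks; it
is not code from IBM, from the product or from SEC Consult, and the session
store, the "create limit" form fields, the limit rules and the origin
https://aclm.example.internal are all assumptions made for the example. It ties
each state-changing request to a token issued with the session, compares the
browser's Origin/Referer against the application's own origin, and then
re-validates the form on the server regardless of what the GUI enforced.

```python
import hmac
import secrets
from urllib.parse import urlparse

# Constructed stand-in for a server-side session store (assumption):
# session id -> authenticated user and the CSRF token issued with the session.
SESSIONS = {
    "sess-1": {"user": "analyst1", "csrf": secrets.token_hex(16)},
}

# Hypothetical origin the application is served from.
APP_ORIGIN = "https://aclm.example.internal"


def csrf_check(session_id, headers, form):
    """Accept a state-changing request only if it carries the token issued to
    this session and, when the browser sent Origin or Referer, that header
    names the application itself. Returns (accepted, reason)."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no session"
    token = form.get("csrf_token", "")
    # Constant-time comparison. A forged cross-site request rides on the
    # victim's session cookie but cannot read the token, so it arrives
    # without one or with a wrong one.
    if not hmac.compare_digest(token.encode(), session["csrf"].encode()):
        return False, "missing or wrong CSRF token"
    origin = headers.get("Origin") or headers.get("Referer")
    if origin is not None:
        parsed = urlparse(origin)
        if f"{parsed.scheme}://{parsed.netloc}" != APP_ORIGIN:
            return False, f"cross-origin request from {parsed.netloc}"
    return True, "ok"


def validate_limit(form):
    """Server-side validation of a hypothetical 'create limit' form. Whatever
    the GUI checks in the browser must be checked again here, because the
    client can be bypassed with any HTTP tool. Returns a list of errors."""
    errors = []
    try:
        amount = int(form.get("amount", ""))
        if not 0 < amount <= 10_000_000:  # assumed business range
            errors.append("amount out of range")
    except ValueError:
        errors.append("amount not an integer")
    counterparty = form.get("counterparty", "")
    if not (1 <= len(counterparty) <= 64 and counterparty.isalnum()):
        errors.append("invalid counterparty id")
    # Dual control: the user requesting a limit may not also approve it.
    if form.get("approver") == form.get("requester"):
        errors.append("dual control: requester cannot approve own limit")
    return errors


def handle_create_limit(session_id, headers, form):
    """Request handler: CSRF check first, then server-side validation.
    Returns (http_status, message)."""
    ok, reason = csrf_check(session_id, headers, form)
    if not ok:
        return 403, reason
    errors = validate_limit(form)
    if errors:
        return 400, "; ".join(errors)
    return 200, "limit created"
```

A forged cross-site POST fails the first check because the attacking page
cannot obtain the token; a request a legitimate user hand-crafts with an HTTP
tool passes the CSRF check but is then held to the same rules as the GUI form,
including the dual-control rule, which is what the client-side-only validation
in the product allowed to be skipped.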
CVE ID: CVE-2014-0869
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90943
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI, ACLM Win GUI

Insufficient encryption for storing and transferring users' passwords could
allow an attacker to retrieve the plain-text passwords without further
knowledge of cryptographic keys.

The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack may partially compromise the
confidentiality of information but will not compromise the availability of the
system or the integrity of data.

CVE ID: CVE-2014-0870
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90944
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI

The ACLM Web GUI and the PDS Blotter Web GUI do not correctly neutralize
user-controllable input before it is placed in output that is served as a web
page. This may be used in a Cross-site scripting attack. Attackers could
compromise user sessions and impersonate other users while performing arbitrary
actions on behalf of the victim user.

The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack will not compromise the
confidentiality of information or the availability of the system but may
compromise the integrity of data.

CVE ID: CVE-2014-0871
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90945
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Component(s): ACLM Web GUI

Tomcat configuration discloses technical details within error messages to the
user. This could allow an attacker to collect valuable data about the
environment of the solution.
The attack requires network access, no authentication and some degree of
specialized knowledge and techniques. An attack may partially compromise the
confidentiality of information but will not compromise the availability of the
system or the integrity of data.

CVE ID: CVE-2014-0894
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91313
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Component(s): ACLM Web GUI

The password and the username of the backend database are disclosed in
clear-text to the user of the ACLM Web GUI client. This could allow attackers
to directly connect to the backend database and manipulate arbitrary data
stored in the database.

The attack requires network access, some degree of authentication and
specialized knowledge and techniques. An attack may partially compromise the
confidentiality of information but will not compromise the availability of the
system or the integrity of data.

Affected Products and Versions

IBM Algo Credit Limits versions 4.5.0 - 4.7.0

Remediation/Fixes

A fix has been created for version 4.7.0.03 of the named product. Download and
install the fix as soon as practicable. Fix and installation instructions are
provided at the URL listed below.

For versions prior to 4.7.0, IBM recommends upgrading to a fixed, supported
version/release/platform of the product.
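For the cross-site scripting and error-disclosure findings above (CVE-2014-0870,
CVE-2014-0871), the contrast is between a page that reflects input as-is and
one that encodes it for the HTML context it lands in, and between an error
handler that returns the raw exception and one that logs it under a reference
id. The Python below is an added illustration and not code from the product;
the search page, the limit-lookup backend and the failure text naming a
database host are constructed for the example.

```python
import html
import logging
import traceback
import uuid
from urllib.parse import parse_qs

log = logging.getLogger("aclm-demo")


def render_search_vulnerable(query_string):
    """Reflects the 'q' parameter into the page unencoded: the pattern behind
    a reflected cross-site scripting flaw."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for {term}</p>"


def render_search_hardened(query_string):
    """Same page, with the user-controlled value HTML-entity encoded for the
    element-body context it lands in. An attribute, URL or script context
    needs its own encoding rules, which html.escape alone does not cover."""
    term = parse_qs(query_string).get("q", [""])[0]
    return f"<p>Results for {html.escape(term, quote=True)}</p>"


class LimitLookupError(Exception):
    pass


def lookup_limit(limit_id):
    """Constructed backend call (assumption) whose failure message, like a
    real stack trace, carries environment details an attacker would want."""
    if limit_id != "L-100":
        raise LimitLookupError(
            f"limit {limit_id!r} not found in schema ACLM on db host db01")
    return {"id": limit_id, "amount": 5000}


def handle_lookup_verbose(limit_id):
    """Error handling that leaks: the raw traceback goes back to the client."""
    try:
        return 200, str(lookup_limit(limit_id))
    except Exception:
        return 500, traceback.format_exc()


def handle_lookup_hardened(limit_id):
    """Error handling that does not leak: the traceback is logged server-side
    under a reference id, and only that id is shown to the user, so support
    can still correlate a report with the log entry."""
    try:
        return 200, str(lookup_limit(limit_id))
    except Exception:
        reference = uuid.uuid4().hex[:12]
        log.error("error %s: %s", reference, traceback.format_exc())
        return 500, f"An internal error occurred (reference {reference})."
```

The same split applies to a servlet container's default error page: the
detail belongs in the server log, and the response to the browser should carry
nothing that identifies software versions, class names or host names.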
Patch Number: ACLM 4.7.0.03 FP5

Download URL:
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHES-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky of SEC Consult Vulnerability Lab

Change History

23 June 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the
Common Vulnerability Scoring System (CVSS) is an "industry open standard
designed to convey vulnerability severity and help to determine urgency and
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF
ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY
ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Product Alias/Synonym

ACL
ACLM
RICOS
Algo Credit Limit Manager

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is maintained
within your organisation, so if you do not wish to continue receiving these
bulletins you should contact your local IT manager. If you do not know who that
is, please send an email to auscert@auscert.org.au and we will forward your
request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures.
AusCERT takes no responsibility for consequences which may arise from following
or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be
updated when updates to the original are made. If downloading at a later date,
it is recommended that the bulletin is retrieved directly from the author's
website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU73z2BLndAQH1ShLAQKYfA//bTuRlRR6McGwPeNGt+uWAIA5AzXPhd+x
2SkoqZDOJBRTPo7/39EDyggZ+DTdAzcRsWKhlASaIGXSYh5ep5D9Z0Yq6SHg5tIw
id6ZpVje8SaeWH0eBnynM5zkLpt8MeC0LJUSlH5IuWCeueU3VcKvFgpUCSnjr60w
jAG+g4aCjJoEO+rtnjpdvnqNp7o1VyVIVD2F9jPd5iBSc2A5vUJlu51FY3gLj/zt
eich0Uq2s9QZO7N8WeKjzU0uL8L0CgtZDXGfiFx4d4N0rVupwS1RLl/5F7MKe/Qi
zWn3EbyJapdmXYLsUsAVClYH9Iv2YXm+hsl/w7BZUtUbIWAXw/BVfGkH7jkDhL7/
BogQXcUgQmQqXhIGTXXWl+fVfIy6ZWKmQ7Q67VRcohFfCEsG3H5Xh4zw6O0rRF+S
9sKvBYys0Oss0S2QTg93iDOgG92JE++B7IzWGMdV0pnNzNiNtmUp2vgoYtLhneKB
pScL1wWwDj5CG7PyfelAFb4fIFNrepi1GQTBdOktHL107tDrcUCmpgBQ/WxpzsWc
W8hw04jl0wVQQyoLc8tWAx7dmcvzIUExSTcYbZWbAzHETHUy4jLxpMb115Li+aKm
+gQC3I5rWVMXc6VwgNoYEN8Du+ihwsEeEGjc/urZPteJuHqiNPqLCm/IS/M5n6Mz
OxU4ksVLW7w=
=HSSh
-----END PGP SIGNATURE-----