Operating System:

[WIN][LINUX][Solaris][AIX]

Published:

03 March 2015

Protect yourself against future threats.

//Service

Incident Management

Whether it is proactive or reactive services you're after, we will help you detect, interpret and respond to attacks from across the globe.

Read more
Resources > Security Bulletins > ESB-2015.0482 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0482
Security Bulletin: Multiple Vulnerabilities fixed in IBM Security Identity
         Manager Virtual Appliance ( CVE-2014-6106, CVE-2014-6108,
               CVE-2014-6109, CVE-2014-6111, CVE-2014-6112 )
                               3 March 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Security Identity Manager
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated      
                   Cross-site Request Forgery     -- Remote with User Interaction
                   Provide Misleading Information -- Remote/Unauthenticated      
                   Reduced Security               -- Remote/Unauthenticated      
                   Unauthorised Access            -- Existing Account            
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-6112 CVE-2014-6111 CVE-2014-6109
                   CVE-2014-6108 CVE-2014-6106 

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21698020

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Vulnerabilities fixed in IBM Security Identity 
Manager Virtual Appliance ( CVE-2014-6106, CVE-2014-6108, CVE-2014-6109, 
CVE-2014-6111, CVE-2014-6112 )

Document information

More support for:

IBM Security Identity Manager

Server

Software version:

5.1, 6.0, 7.0

Operating system(s):

AIX, Linux, Solaris, Windows

Reference #:

1698020

Modified date:

2015-03-02

Security Bulletin

Summary

Multiple Vulnerabilities fixed in IBM Security Identity Manager versions 5.1,
6.0, and 7.0

Vulnerability Details

CVE-ID: CVE-2014-6106

Description: IBM Security Identity Manager is vulnerable to cross-site request
forgery, caused by improper validation of user-supplied input. By persuading 
an authenticated user to visit a malicious Web site, a remote attacker could 
send a malformed HTTP request. An attacker could exploit this vulnerability to
perform cross-site scripting attacks, Web cache poisoning, and other malicious
activities.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96145 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

- -----

CVE-ID: CVE-2014-6108

Description: IBM Security Identity Manager has an unencrypted connection for 
interfaces on by default. An attacker could can gather information transmitted
between the server and these interfaces using man in the middle techniques 
which could include sensitive data.

CVSS Base Score: 2.6

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96172 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:H/Au:N/C:P/I:N/A:N)

- -----

CVE-ID: CVE-2014-6109

Description: IBM Security Identity Manager could allow a remote attacker to 
manipulate server side LDAP queries. This may allow internal attackers to 
obtain access to confidential information bypassing UI controls.

CVSS Base Score: 3.5

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96173 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

- --------

CVE-ID: CVE-2014-6111

Description:

IBM Security Identity Manager stores encrypted user credentials along with the
keystore password in cleartext in configuration files. A local user could use
this information to decrypt the username and passwords to the SIM.

CVSS Base Score: 2.1

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96180 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:N/A:N)

- -----

CVE-ID: CVE-2014-6112

Description: IBM Security Identify Manager offers weaker than expected 
encryption in its use of SSL ciphers. This information could be decrypted by 
an attacker able to intercept traffic using man in the middle techniques.

CVSS Base Score: 4.3

CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/96184 for the 
current score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Security Identity Manager 7.0 Virtual Appliance

IBM Security Identity Manager 6.0

IBM Tivoli Identity Manager 5.1

Remediation/Fixes

Product and Version 			Fixes

IBM Tivoli Identity Manager 5.1 	5.1.0.15-ISS-TIM-IF0057

IBM Security Identity Manager 6.0 	6.0.0.4-ISS-SIM-IF0001

IBM Security Identity Manager 7.0 	7.0.0.0-ISS-SIM-IF0003

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS Guide

On-line Calculator V2

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Acknowledgement

IBM Security Ethical Hacking Team: Paul Ionescu, Brennan Brazeau, John 
Zuccato, Jonathan Fitz-Gerald, Warren Moynihan

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBVPUIfRLndAQH1ShLAQLAlA/8CiJ+3bQ11dg3dF3t6ve0AhuPrOtSqwiX
IAP/D2dcVUPswrFhO6D1tyHjvsY4K832RskhtWx7RE4r659LyAlU64757Wzs8fyU
1FdEnsEuNrBMqadIClUJ8iL1BNiv1GkDVjicC3gZ2wFLm2FIRRFFbofA1bBmOatt
pRoKfSmhHJML5uunwLtZrBjgW01UBIuPGv5PAUGgjwbrraMWOX17gbCJihIMcpz9
dgMQPr3Ruq9ghrCR8240ysU77+p/SwSHotJj+jr9ucVvNY3ce663ZBygz/3UVARI
QVOHxwSKpKLv5O/ZNJVT7oC7N9ud6CeIqyUbtQ/y0Id6wZiLtSI2MmEdlHdhM6Vl
HnjhUHIerLfSNQKraKBpvwCe0QGH2d0OSYCWfnFwNzzH8vkmHOVF8C2nOSIURXRP
jbirdsAYs9QTV9dEaDC/f7ddOW1XAQpB0mLZrOkXWAnapi0KpXmMHKC4J21TChA/
P+672dHpZX7oxYvs2hwytUJbVhNZBAd8fVhtwvVtagiOUJQAv8pQgqQP0AndKP/k
JUjQ+jkXAoKdmdaxdHz6ZexOM2qxCD5fFEjHfJuuCfHkY0bRN64xdqUu76PxP9ZN
11+9YhJd3EXyMAw30BWOzEyVhybT5cC4GTYtol/mZLBohEUn8kc4PfWb3A3GC8wq
k2xR9HMjoqM=
=Vstf
-----END PGP SIGNATURE-----