-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.2787
  Security Bulletin: IBM Maximo Asset Management installs with a default
      administrator account that a remote intruder could use to gain
            administrator access to the system. (CVE-2015-4966)
                             10 November 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Maximo Asset Management
Publisher:         IBM
Operating System:  Windows
                   AIX
                   HP-UX
                   Linux variants
                   Solaris
Impact/Access:     Administrator Compromise -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4966  

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21968191

--------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: IBM Maximo Asset Management installs with a default 
administrator account that a remote intruder could use to gain administrator 
access to the system. (CVE-2015-4966)

Security Bulletin

Document information

More support for:

Maximo Asset Management

Software version:

7.1, 7.1.1, 7.5, 7.6

Operating system(s):

Platform Independent

Reference #:

1968191

Modified date:

2015-10-30

Summary

IBM Maximo Asset Management installs with a default administrator account that
a remote intruder could use to gain administrator access to the system.

The vulnerability affects Maximo Asset Management, Maximo Asset Management 
Essentials, Maximo Industry Solutions (including Maximo for Energy 
Optimization, Maximo for Government, Maximo for Nuclear Power, Maximo for 
Transportation, Maximo for Life Sciences, Maximo for Oil and Gas, and Maximo 
for Utilities), SmartCloud Control Desk, Tivoli Asset Management for IT, 
Tivoli Service Request Manager, and Change and Configuration Management 
Database.

Vulnerability Details

CVEID: CVE-2015-4966

DESCRIPTION: IBM Maximo Asset Management installs with a default administrator
account that a remote intruder could use to gain administrator access to the 
system.

CVSS Base Score: 8.8

CVSS Temporal Score: See 
https://exchange.xforce.ibmcloud.com/vulnerabilities/105642 for the current 
score

CVSS Environmental Score*: Undefined

CVSS Vector: (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

1. Maximo Asset Management 7.6, 7.5, 7.1

2. Maximo Asset Management Essentials 7.5, 7.1

3. Maximo for Energy Optimization 7.1

4. Maximo for Government 7.5, 7.1

5. Maximo for Nuclear Power 7.5, 7.1

6. Maximo for Transportation 7.5, 7.1

7. Maximo for Life Sciences 7.6, 7.5, 7.1

8. Maximo for Oil and Gas 7.5, 7.1

9. Maximo for Utilities 7.5, 7.1

10. SmartCloud Control Desk 7.6, 7.5

11. Tivoli Asset Management for IT 7.2, 7.1

12. Tivoli Service Request Manager 7.2, 7.1

13. Change and Configuration Management Database 7.2, 7.1

Remediation/Fixes

The recommended solution is to download the appropriate Interim Fix or Fix 
Pack from Fix Central and apply it for each affected product. See below for 
information on the fixes available for each product, version, and release. 
Follow the installation instructions in the readme documentation provided 
with each fix pack or interim fix.

For new installations, application of the Interim Fix or Fix Pack is 
sufficient for full protection. However, for existing installations, 
additional manual configuration is required after application of the Fix Pack
or Interim Fix. See instructions below.


For Maximo Asset Management, Maximo Asset Management Essentials and Maximo 
Industry Solutions 7.6, 7.5, 7.1:

VRM        Fix Pack or Interim Fix                                                Download
7.6.0      Maximo MIF 7.6.0.2 Interim Fix:                                        FixCentral
           7.6.0.2-TIV-MIF-IFIX001 or latest Interim Fix available

7.5.0      Maximo 7.5.0.9 Fix Pack Release:                                       FixCentral
           7.5.0.9-TIV-MAM-FP009

7.1.1      Maximo 7.1.1.13 Interim Fix:                                           Contact IBM Support
           Latest Interim Fix available


For SmartCloud Control Desk 7.6, 7.5:

VRM        Fix Pack or Interim Fix                                                Download
7.6.0      Maximo MIF 7.6.0.2 Interim Fix:                                        FixCentral
           7.6.0.2-TIV-MIF-IFIX001 or latest Interim Fix available

7.5.1      Maximo 7.5.0.9 Fix Pack Release:                                       FixCentral
           7.5.0.9-TIV-MAM-FP009

7.5.0      Maximo 7.5.0.9 Fix Pack Release:                                       FixCentral
           7.5.0.9-TIV-MAM-FP009


For Tivoli Asset Management for IT, Tivoli Service Request Manager, and 
Change and Configuration Management Database 7.2, 7.1:

VRM        Fix Pack or Interim Fix                                                Download
7.1 - 7.2  Maximo 7.1.1.13 Interim Fix:                                           Contact IBM Support
           Latest Interim Fix available


If assistance is needed in determining the appropriate Fix Pack or Interim Fix
level, contact IBM Technical Support. It is recommended that you always 
request the latest available Fix Pack or Interim Fix.

Additional Configuration for Existing Installations

Additional configuration is necessary for full protection on existing 
installations, even after application of Fix Pack or Interim Fix. Application
of the Fix Pack or Interim Fix will allow simplified configuration of this 
security setting via a new property, mxe.int.allowdefaultlogin. On new 
installations, this property will already exist, and have the secure value of
0. However, administrators on existing installations must manually add the 
property and set the secure value after the application of the Fix Pack or 
Interim Fix. Manually adding the new property via these instructions without 
applying a Fix Pack or Interim Fix is also not sufficient for protection.

To manually add the mxe.int.allowdefaultlogin property to an existing 
installation after applying the appropriate Fix Pack or Interim Fix, please 
complete the following steps:

1. Log in as a user with access to the System Properties application.

2. From the System Properties application, click New Row to add a row to the 
Global Properties Table.

3. Use the following values to populate the new row. Leave other fields with 
their default values.

Property Name: mxe.int.allowdefaultlogin

Description: Allow default login for MIF

Global Value: 0

Maximo Default: 0

4. Click Save. Then, check the checkbox for the row in the table containing 
the new property, and click Live Refresh. Click OK on the Live Refresh dialog.

Workarounds and Mitigations

Installation of the Fix Pack or Interim Fix above is the recommended 
remediation for this vulnerability for both new and existing installations. 
Application of the Fix Pack or Interim Fix will allow simplified configuration
of this security setting via a new property, mxe.int.allowdefaultlogin.

However, new and existing installations with version levels earlier than the 
Fix Pack and Interim Fix levels specified above may manually apply an 
alternative fix. This alternative fix provides the same protection as 
application of the Fix Pack or Interim Fix, but will not allow simplified 
configuration of the security setting via the new property. If the fix in the
Remediation/Fixes section has been applied and the mxe.int.allowdefaultlogin 
property is in use, the following manual configuration will have no effect.

To apply protection for this vulnerability without applying a Fix Pack or 
Interim Fix, please complete the following steps:

1. Navigate to the following file location: 
<maximo_root>\applications\maximo\mboejb\ejbmodule\META-INF

2. Open the ejb-jar.xml file.

3. Find all four instances of the following text. (You may Ctrl+F find 
"<env-entry-name>ALLOWDFLTLOGIN</env-entry-name>".)

<env-entry>
    <env-entry-name>ALLOWDFLTLOGIN</env-entry-name>
    <env-entry-type>java.lang.String</env-entry-type>
    <env-entry-value>1</env-entry-value>
</env-entry>

4. In all four text blocks, change the <env-entry-value> from 1 to 0: 
<env-entry-value>0</env-entry-value>

5. Save the document. Delete the Maximo ear files, delete browser and app 
server caches, rebuild the maximo ear files, and redeploy.
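The following script is an added example and is not part of the IBM bulletin or 
of the Maximo product. It gives an administrator a repeatable check for the 
manual workaround above: it parses an ejb-jar.xml, lists the value of every 
ALLOWDFLTLOGIN env-entry (the bulletin says there are four), reports whether all 
of them are already 0, and can write a hardened copy with every value set to 0 
while leaving unrelated env-entries untouched. The sample ejb-jar.xml embedded in 
it is constructed for illustration; the bean names and the javaee default 
namespace on the root element are assumptions, not taken from the bulletin.

```python
"""Audit an ejb-jar.xml for the ALLOWDFLTLOGIN env-entry (CVE-2015-4966 workaround).

The bulletin's manual workaround changes the <env-entry-value> of every
ALLOWDFLTLOGIN env-entry in ejb-jar.xml from 1 to 0. This added example parses
the file, reports each entry's value, and can produce the hardened copy.
"""
import sys
import xml.etree.ElementTree as ET

ENTRY_NAME = "ALLOWDFLTLOGIN"  # env-entry-name quoted in the bulletin
EXPECTED_COUNT = 4             # the bulletin says there are four instances


def _local(tag):
    """Strip a namespace: '{http://java.sun.com/xml/ns/javaee}env-entry' -> 'env-entry'."""
    return tag.rsplit("}", 1)[-1]


def _default_login_value_elements(root):
    """Yield the <env-entry-value> element of each ALLOWDFLTLOGIN env-entry, in document order."""
    for entry in root.iter():
        if _local(entry.tag) != "env-entry":
            continue
        name, value_elem = None, None
        for child in entry:
            if _local(child.tag) == "env-entry-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "env-entry-value":
                value_elem = child
        if name == ENTRY_NAME and value_elem is not None:
            yield value_elem


def audit_default_login(xml_text):
    """Return the ALLOWDFLTLOGIN values found, as strings in document order."""
    root = ET.fromstring(xml_text)
    return [(e.text or "").strip() for e in _default_login_value_elements(root)]


def is_protected(xml_text):
    """True only when at least one entry exists and every entry is '0'."""
    values = audit_default_login(xml_text)
    return bool(values) and all(v == "0" for v in values)


def harden(xml_text):
    """Return (hardened_xml, number_of_entries_changed) with every ALLOWDFLTLOGIN set to '0'."""
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the file's default namespace unprefixed on output
        ET.register_namespace("", root.tag[1:].split("}", 1)[0])
    changed = 0
    for elem in _default_login_value_elements(root):
        if (elem.text or "").strip() != "0":
            elem.text = "0"
            changed += 1
    return ET.tostring(root, encoding="unicode"), changed


# Constructed sample: bean names and the javaee namespace are assumptions, not
# taken from the bulletin. Three entries still allow the default login, one is
# already fixed, and an unrelated env-entry with value 1 must be left alone.
def _sample_session(ejb_name, entry_name, value):
    return f"""
    <session>
      <ejb-name>{ejb_name}</ejb-name>
      <env-entry>
        <env-entry-name>{entry_name}</env-entry-name>
        <env-entry-type>java.lang.String</env-entry-type>
        <env-entry-value>{value}</env-entry-value>
      </env-entry>
    </session>"""


SAMPLE_EJB_JAR_XML = (
    '<ejb-jar xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">\n'
    "  <enterprise-beans>"
    + _sample_session("SampleBeanOne", ENTRY_NAME, "1")
    + _sample_session("SampleBeanTwo", ENTRY_NAME, "1")
    + _sample_session("SampleBeanThree", ENTRY_NAME, "0")
    + _sample_session("SampleBeanFour", ENTRY_NAME, "1")
    + _sample_session("SampleBeanFive", "SOMEOTHERSETTING", "1")
    + "\n  </enterprise-beans>\n</ejb-jar>\n"
)


if __name__ == "__main__":
    # Usage: python audit_ejb_jar.py [path/to/ejb-jar.xml]; without a path the sample is used.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_EJB_JAR_XML
    values = audit_default_login(text)
    print(f"{ENTRY_NAME} entries found: {len(values)} (bulletin expects {EXPECTED_COUNT})")
    for i, v in enumerate(values, 1):
        print(f"  entry {i}: value={v} {'OK' if v == '0' else 'DEFAULT LOGIN ALLOWED'}")
    print("protected" if is_protected(text) else "NOT protected")
```

The audit matches elements by local name so it works whether or not the 
descriptor declares a default namespace, and it flags a count other than four 
so a partially edited file is noticed. ElementTree does not preserve comments or 
the XML declaration, so review a diff of the hardened output against the 
original before saving it, and then rebuild and redeploy the EAR files as step 5 
requires. As the bulletin notes, once the Fix Pack or Interim Fix is applied and 
mxe.int.allowdefaultlogin is in use, this descriptor setting no longer controls 
the behaviour.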

Get Notified about Future Security Bulletins

Subscribe to My Notifications to be notified of important product support 
alerts like this.

References

Complete CVSS v3 Guide

On-line Calculator v3

Related information

IBM Secure Engineering Web Portal

IBM Product Security Incident Response Blog

Change History

30 October 2015: Original Version Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the impact of
this vulnerability in their environments by accessing the links in the 
Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the 
Common Vulnerability Scoring System (CVSS) is an "industry open standard 
designed to convey vulnerability severity and help to determine urgency and 
priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY 
OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 
FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT 
OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----