copyright | disclaimer | privacy | contact  
Australia's Leading Computer Emergency Response Team
 
Search this site

 
On this site

 > HOME
 > About AusCERT
 > Membership
 > Contact Us
 > PKI Services
 > Publications
 > Sec. Bulletins
 > Conferences
 > News & Media
 > Services
 > Web Log
 > Site Map
 > Site Help
 > Member login





 

ESB-2014.1133 - [Win][Linux][Solaris][AIX] IBM Algo Credit Limits: Multiple vulnerabilities

Date: 10 July 2014

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2014.1133
          Security Bulletin: Multiple Security Vulnerabilities in
             Certain GUI Components of IBM Algo Credit Limits.
                               10 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           IBM Algo Credit Limits
Publisher:         IBM
Operating System:  AIX
                   Linux variants
                   Solaris
                   Windows
Impact/Access:     Modify Arbitrary Files     -- Existing Account            
                   Cross-site Request Forgery -- Remote with User Interaction
                   Cross-site Scripting       -- Remote with User Interaction
                   Access Confidential Data   -- Remote/Unauthenticated      
                   Unauthorised Access        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0894 CVE-2014-0871 CVE-2014-0870
                   CVE-2014-0869 CVE-2014-0868 CVE-2014-0867
                   CVE-2014-0866 CVE-2014-0865 CVE-2014-0864

Original Bulletin: 
   http://www-01.ibm.com/support/docview.wss?uid=swg21675881

- --------------------------BEGIN INCLUDED TEXT--------------------

Security Bulletin: Multiple Security Vulnerabilities in Certain GUI 
Components of IBM Algo Credit Limits.

Security Bulletin

Document information

More support for:
Algo Credit Limits

Software version:
4.7.0

Operating system(s):
AIX, Linux, Solaris, Windows

Reference #:
1675881

Modified date:
2014-06-30

Summary

Abstract: Multiple security vulnerabilities exist in certain GUI 
components of IBM Algo Credit Limits, namely ACLM Web GUI, PDS Blotter Web 
GUI, and ACLM Win GUI. Details of each vulnerability and the affected 
component(s) are set out below.
Vulnerability Details

DESCRIPTION:
Customers who have IBM Algo Credit Limits are potentially impacted by 
these vulnerabilities.

CVE ID 	
CVE-2014-0864
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90938 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) 

DESCRIPTION
Affected Component(s): ACLM Web GUI
The ACLM Web GUI does not verify that requests are made only from within 
the web application. An attacker could trick users into making an 
unintentional request to the web application which will be treated as an 
authorized request. This may allow an attacker to perform tasks on behalf 
of the victim user, like modifying limits.
The attack requires network access, no authentication and some degree of 
specialized knowledge and techniques. An attack will not compromise the 
confidentiality of information or the availability of the system but may 
compromise the integrity of data.

CVE-2014-0865
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90939 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) 

Affected Components: ACLM Win GUI
The ACLM Win GUI client performs input validation only client-side. This 
could allow an attacker to alter arbitrary data, e.g. create a limit. This 
vulnerability could also be used to circumvent dual control mechanisms by 
manipulating data after creation.
The attack requires network access, some degree of authentication and 
degree of specialized knowledge and techniques. An attack will not 
compromise the confidentiality of information or the availability of the 
system but may compromise the integrity of data.

CVE-2014-0866
CVSS:
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90940 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

Affected Component(s): ACLM Win GUI, PDS Blotter Web GUI
The ACLM Win GUI client submits user credentials in plain-text. An 
attacker with access to the network communication could perform 
man-in-the-middle attacks and obtain user credentials. This vulnerability 
also applies to the PDS Blotter Web GUI client, where authentication is 
performed unencrypted.
The attack requires network access, no authentication and some degree of 
specialized knowledge and techniques. An attack may partially compromise 
the confidentiality of information. It will not compromise the 
availability of the system or the integrity of data.

CVE-2014-0867
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90941 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) 

Affected Component(s): ACLM Web GUI
A vulnerable page in ACLM Web GUI could allow an attacker to set and 
overwrite arbitrary cookies for a user that clicks on a manipulated link.
The attack requires network access, no authentication and some degree of 
specialized knowledge and techniques. An attack will not compromise the 
confidentiality of information or the availability of the system but may 
compromise the integrity of data.

CVE-2014-0868
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90942 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N) 

Affected Component(s): ACLM Web GUI
The ACLM Web GUI application performs input validation only client-side. 
This could allow an attacker to alter arbitrary data. This vulnerability 
could also be used to circumvent dual control mechanisms by manipulating 
data after creation.
The attack requires network access, some degree of authentication and 
degree of specialized knowledge and techniques. An attack will not 
compromise the confidentiality of information or the availability of the 
system but may compromise the integrity of data.

CVE-2014-0869
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90943 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI, ACLM Win GUI
Insufficient encryption for storing and transferring users’ passwords 
could allow an attacker to retrieve the plain-text passwords without 
further knowledge of cryptographic keys.
The attack requires network access, no authentication and some degree of 
specialized knowledge and techniques. An attack may partially compromise 
the confidentiality of information but will not compromise the 
availability of the system or the integrity of data.

CVE-2014-0870
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90944 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N) 

Affected Component(s): ACLM Web GUI, PDS Blotter Web GUI
The ACLM Web GUI and the PDS Blotter Web GUI do not correctly neutralize 
user-controllable input before it is placed in output that is served as a 
web page. This may be used in a Cross-site scripting attack. Attackers 
could compromise user sessions and impersonate other users while 
performing arbitrary actions on behalf of the victim user.
The attack requires network access, no authentication and some degree of 
specialized knowledge and techniques. An attack will not compromise the 
confidentiality of information or the availability of the system but may 
compromise the integrity of data.

CVE-2014-0871
CVSS Base Score: 4.3
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/90945 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N) 

Affected Component(s): ACLM Web GUI
Tomcat configuration discloses technical details within error messages to 
the user. This could allow an attacker to collect valuable data about the 
environment of the solution.
The attack requires network access, no authentication and some degree of 
specialized knowledge and techniques. An attack may partially compromise 
the confidentiality of information but will not compromise the 
availability of the system or the integrity of data.

CVE-2014-0894
CVSS Base Score: 3.5
CVSS Temporal Score: See http://xforce.iss.net/xforce/xfdb/91313 
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N) 

Affected Component(s): ACLM Web GUI
The password and the username of the backend database are disclosed in 
clear-text to the user of the ACLM Web GUI client. This could allow 
attackers to directly connect to the backend database and manipulate 
arbitrary data stored in the database.
The attack requires network access, some degree of authentication and 
specialized knowledge and techniques. An attack may partially compromise 
the confidentiality of information but will not compromise the 
availability of the system or the integrity of data.

Affected Products and Versions

IBM Algo Credit Limits versions 4.5.0 - 4.7.0

Remediation/Fixes

A fix has been created for version 4.7.0.03 of the named product. Download 
and install the fix as soon as practicable. Fix and installation 
instructions are provided at the URL listed below.

For versions prior to 4.7.0 IBM recommends upgrading to a fixed, supported 
version/release/platform of the product.


Patch Number   ACLM 4.7.0.03 FP5 

Download URL
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolOra-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-SolDB2-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-RHES-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-AIX-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true
http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm~Information+Management&product=ibm/Information+Management/Algo+Credit+Manager&release=All&platform=All&function=fixId&fixids=4.7.0.03-Algo-CreditLimits-WinDB2-fp0005:0&includeSupersedes=0&source=fc&login=true

Workarounds and Mitigations

None known, apply fixes.

References

Complete CVSS Guide
On-line Calculator V2

Related information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Acknowledgement

A. Kolmann, V. Habsburg-Lothringen, F. Lukavsky of SEC Consult 
Vulnerability Lab

Change History

23 June 2014: Original Copy Published

*The CVSS Environment Score is customer environment specific and will 
ultimately impact the Overall CVSS Score. Customers can evaluate the 
impact of this vulnerability in their environments by accessing the links 
in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), 
the Common Vulnerability Scoring System (CVSS) is an "industry open 
standard designed to convey vulnerability severity and help to determine 
urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" 
WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF 
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE 
RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY 
VULNERABILITY.

Product Alias/Synonym

ACL
ACLM
RICOS
Algo Credit Limit Manager

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBU73z2BLndAQH1ShLAQKYfA//bTuRlRR6McGwPeNGt+uWAIA5AzXPhd+x
2SkoqZDOJBRTPo7/39EDyggZ+DTdAzcRsWKhlASaIGXSYh5ep5D9Z0Yq6SHg5tIw
id6ZpVje8SaeWH0eBnynM5zkLpt8MeC0LJUSlH5IuWCeueU3VcKvFgpUCSnjr60w
jAG+g4aCjJoEO+rtnjpdvnqNp7o1VyVIVD2F9jPd5iBSc2A5vUJlu51FY3gLj/zt
eich0Uq2s9QZO7N8WeKjzU0uL8L0CgtZDXGfiFx4d4N0rVupwS1RLl/5F7MKe/Qi
zWn3EbyJapdmXYLsUsAVClYH9Iv2YXm+hsl/w7BZUtUbIWAXw/BVfGkH7jkDhL7/
BogQXcUgQmQqXhIGTXXWl+fVfIy6ZWKmQ7Q67VRcohFfCEsG3H5Xh4zw6O0rRF+S
9sKvBYys0Oss0S2QTg93iDOgG92JE++B7IzWGMdV0pnNzNiNtmUp2vgoYtLhneKB
pScL1wWwDj5CG7PyfelAFb4fIFNrepi1GQTBdOktHL107tDrcUCmpgBQ/WxpzsWc
W8hw04jl0wVQQyoLc8tWAx7dmcvzIUExSTcYbZWbAzHETHUy4jLxpMb115Li+aKm
+gQC3I5rWVMXc6VwgNoYEN8Du+ihwsEeEGjc/urZPteJuHqiNPqLCm/IS/M5n6Mz
OxU4ksVLW7w=
=HSSh
-----END PGP SIGNATURE-----