V-145: IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities

April 30, 2013 - 12:09am

PROBLEM:

IBM Tivoli Federated Identity Manager Products Java Multiple Vulnerabilities

PLATFORM:

IBM Tivoli Federated Identity Manager versions 6.1, 6.2.0, 6.2.1, and 6.2.2.
IBM Tivoli Federated Identity Manager Business Gateway versions 6.1.1, 6.2.0, 6.2.1 and 6.2.2.

ABSTRACT:

IBM has acknowledged a weakness and two vulnerabilities in IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway.

REFERENCE LINKS:

IBM Reference #: 1634544
Secunia Advisory SA53233
CVE-2013-0169
CVE-2013-0440
CVE-2013-0443

IMPACT ASSESSMENT:

Medium

DISCUSSION:

CVE-2013-0440 - Unspecified vulnerability in IBM Java Runtime Environment allows remote attackers to affect availability via vectors related to JSSE.

CVE-2013-0443 - Unspecified vulnerability in IBM Java Runtime Environment allows remote attackers to affect confidentiality and integrity via vectors related to JSSE.

CVE-2013-0169 - The Transport Layer Security protocol does not properly consider timing side-channel attacks, which allows remote attackers to conduct distinguishing attacks and plain-text recovery attacks via statistical analysis of timing data for crafted packets, aka the "Lucky Thirteen" issue.

IMPACT:

IBM Tivoli Federated Identity Manager and IBM Tivoli Federated Identity Manager Business Gateway can be exploited by malicious people to disclose certain sensitive information, manipulate certain data, and cause a DoS (Denial of Service).

SOLUTION:

Upgrade your IBM Java Runtime Environment to a WebSphere interim fix.
