Notification: New Vulnerabilities in IBM products – September 16, 2014

Posted: September 16, 2014 in Vulnerability News

Cyber Security Notification: New Vulnerabilities of September 2014

#1 Multiple vulnerabilities in IBM products

Severity: Low
Fix available: Yes
Number of vulnerabilities: 3

CVSSv2 Rating:
(AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) = Base: 4.3 / Temporal: 3.2
(AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C) = Base: 5 / Temporal: 3.7
(AV:N/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:C) = Base: 5 / Temporal: 3.7

CVE ID: CVE-2013-4286, CVE-2014-0075, CVE-2014-0099

Attack vector: Local network
Impact: Denial of service, unauthorized modification of data, security bypass, spoofing attacks

• Affected products: IBM Flex System V7000 7.x, IBM Storwize (V3500 7.x, V3700 7.x, V5000 7.x, V7000 7.x), IBM System Storage SAN Volume Controller 7.x
• Affected versions: IBM Flex System V7000 7.x, IBM Storwize (V3500 7.x, V3700 7.x, V5000 7.x, V7000 7.x), IBM System Storage SAN Volume Controller 7.x

Description:

The vulnerabilities allow attackers to bypass certain security restrictions, manipulate sensitive data, and conduct denial-of-service and spoofing attacks.
They are caused by the presence of a vulnerable version of Apache Tomcat.

Solution: Install the latest version, 7.2.0.8 or 7.3.0.5, from the manufacturer’s website.

Manufacturer URL: http://www.ibm.com/systems/hk/storage/disk/storwize_v3700/index.html

Link: http://www.ibm.com/support/docview.wss?uid=ssg1S1004867

#2 Multiple vulnerabilities in IBM Rational License Key Server

Severity: Low
Fix available: Yes
Number of vulnerabilities: 2

CVSSv2 Rating:
(AV:A/AC:L/Au:N/C:P/I:N/A:N/E:U/RL:OF/RC:ND) = Base: 3.3 / Temporal: 0
(AV:A/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:ND) = Base: 4.8 / Temporal: 0

CVE ID: CVE-2014-3079, CVE-2014-4756

Attack vector: Local network
Impact: Disclosure of sensitive data, unauthorized modification of data, security bypass

• Affected products: IBM Rational License Key Server 8.x
• Affected versions: IBM Rational License Key Server (8.1.4, 8.1.4.2, 8.1.4.3)

Description:

The vulnerabilities allow attackers to bypass certain security restrictions, manipulate data, and gain access to important data.

1. The ‘Administration and Reporting Tool’ does not properly restrict access to license usage information. A remote user can gain access to confidential data.
2. An unspecified error in the ‘Administration and Reporting Tool’ can be exploited to disclose and manipulate cookies. Details were not disclosed.

Solution: Install the latest version 8.1.4.4 from the manufacturer.

Links:
http://www.ibm.com/support/docview.wss?uid=swg21681449
http://www.ibm.com/support/docview.wss?uid=swg24038045


 
