Security Bulletin
Summary
IBM Financial Transaction Manager 2.0 and 2.1 OAC vulnerabilities
Vulnerability Details
CVE ID: CVE-2014-0830
SUMMARY: FTM 2.0 and 2.1 Table export function exposes a path traversal vulnerability
DESCRIPTION:
Search results in the FTM console can be exported as CSV format text files. As part of this function the server side code provides access to temporary files on the WAS server. It is possible for a rogue user, once logged in, to use client side tools to alter the file name to be read. Alteration can also include path traversal outside of the temporary file location. This potentially allows download of unauthorized files from the file system hosting the application server.
This exposure is limited to authenticated users.
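The defect described above is a file name taken from the client and used to locate a temporary file on the server. The following is an added illustration, not FTM code, of the unsafe pattern beside a resolver that normalises the requested name and refuses anything that does not land directly inside the export directory. The directory path and the .csv restriction are assumptions for the example.

```python
from pathlib import Path

# Constructed export directory for the example; on a real deployment this is
# whatever directory the export function writes its temporary CSV files to.
EXPORT_DIR = Path("/tmp/ftm-exports")


def unsafe_export_path(requested_name: str) -> Path:
    """Pattern the bulletin describes: the client-supplied name is joined onto
    the export directory without validation, so '../' segments or an absolute
    path escape the directory entirely."""
    return EXPORT_DIR / requested_name


def safe_export_path(requested_name: str) -> Path:
    """Resolve the requested name and accept it only if, after normalisation,
    it is a .csv file whose parent is exactly the export directory."""
    base = EXPORT_DIR.resolve()
    # Joining an absolute name replaces the base (Path("/tmp/x") / "/etc/passwd"
    # is "/etc/passwd"), so the parent check below catches that case too.
    candidate = (base / requested_name).resolve()
    if candidate.parent != base or candidate.suffix.lower() != ".csv":
        raise PermissionError(f"refused export file name: {requested_name!r}")
    return candidate


def is_safe_name(requested_name: str) -> bool:
    """Convenience wrapper: True if safe_export_path would accept the name."""
    try:
        safe_export_path(requested_name)
        return True
    except PermissionError:
        return False
```

Checking the resolved parent rather than searching the raw string for ".." is what makes the check robust: encoded, doubled or absolute variants all collapse to a concrete location that is either inside the directory or not.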
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90584 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0 & 2.1
REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
FTM 2.1 customers may apply PTF/fixpack 2.1.0.1 or upgrade to FTM 2.1.1
WORKAROUND(s):
None
MITIGATION(s)
Ensure the application server user account does not have privileges to read files outside of its directories.
CVE ID: CVE-2014-0831
SUMMARY: FTM 2.0 OAC is not protected from cross site request forgery vulnerabilities.
DESCRIPTION:
A hand-crafted link could be used to trick a user into initiating a function of the FTM OAC. If the user is authorized, the request could cause an edit of configuration data. The user must be logged in. Detailed knowledge of the FTM HTTP request format is required to exploit this. Also, in the case of any request to edit configuration data, the request would need knowledge of the data being edited. In the case of an edit, the request would be audited and the edit history would be recorded.
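The standard defence against the forged-link scenario described above is a per-session anti-CSRF token that the legitimate edit form carries and a link from elsewhere cannot. This is an added illustration, not FTM's own fix; the session structure and the form field names are assumptions.

```python
import hmac
import secrets


def new_session(user: str) -> dict:
    """Constructed server-side session. The CSRF token is generated once per
    session and is only ever embedded in pages served to that session."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32)}


def render_edit_form(session: dict) -> dict:
    """What the legitimate configuration edit page would submit (hypothetical
    field names): a POST that includes the session's own token."""
    return {
        "method": "POST",
        "fields": {"config_id": "", "value": "", "csrf_token": session["csrf_token"]},
    }


def is_edit_request_allowed(session: dict, request: dict) -> bool:
    """Accept a configuration edit only from a POST whose token matches the
    session's token. A link a victim is tricked into following arrives as a
    GET with no access to the token, so it fails both checks; a forged POST
    from another origin still lacks the token."""
    if request.get("method") != "POST":
        return False
    supplied = request.get("fields", {}).get("csrf_token", "")
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(supplied, session["csrf_token"])
```

The token must be bound to the session (not guessable from the request format alone), which is exactly the knowledge a crafted link does not have.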
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90585 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0
REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
WORKAROUND(s):
None
MITIGATION(s)
None
CVE ID: CVE-2014-0832
SUMMARY: FTM 2.0 Configuration details screens are exposed to cross site scripting vulnerabilities.
DESCRIPTION:
It is possible to create and edit configuration data that includes JavaScript in the text values. A subsequent user viewing these records would inadvertently execute the JavaScript in their browser.
This exposure is limited to authenticated users.
The creation and/or edit of the data to contain potentially malicious JavaScript is fully audited and traceable back to the user.
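The stored-XSS exposure above comes from rendering stored text into the configuration details page as-is. As an added example, not FTM code, the unescaped rendering is shown beside a version that HTML-escapes every stored field at output time; the record layout and the sample value are constructed.

```python
import html

# Constructed configuration record as it might look after an edit. The value
# holds script-like markup to show the difference between the two renderers.
SAMPLE_RECORD = {
    "name": "route.default",
    "value": '<script>alert("x")</script>',
    "last_edited_by": "operator1",
    "last_edited_at": "2014-01-24T10:00:00Z",
}


def render_row_unescaped(record: dict) -> str:
    """Pattern the bulletin describes: stored text is interpolated into the
    page verbatim, so markup inside a value is interpreted by the browser."""
    return (
        f"<tr><td>{record['name']}</td><td>{record['value']}</td>"
        f"<td>{record['last_edited_by']}</td></tr>"
    )


def render_row_escaped(record: dict) -> str:
    """Every stored field is escaped when written into HTML, so the same text
    is displayed literally. quote=True also escapes quotes, which matters when
    a value is placed inside an attribute such as data-name below."""
    name = html.escape(record["name"], quote=True)
    value = html.escape(record["value"], quote=True)
    editor = html.escape(record["last_edited_by"], quote=True)
    return (
        f'<tr data-name="{name}"><td>{name}</td><td>{value}</td>'
        f"<td>{editor}</td></tr>"
    )


def contains_active_markup(rendered: str) -> bool:
    """Simple check: does a raw <script tag survive rendering?"""
    return "<script" in rendered.lower()
```

Escaping at the point of output, rather than stripping on input, keeps the audited record intact (the text the user actually entered stays traceable) while removing its effect on the viewer's browser.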
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90586 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0
REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
WORKAROUND(s):
None
MITIGATION(s)
Restrict access to these screens to the minimum group of personnel to minimize risk.
CVE ID: CVE-2014-0833
SUMMARY: FTM 2.0 OAC could accept a request to execute a resolution action where the user is not authorized.
DESCRIPTION:
It is possible for an authenticated user to initiate unauthorized process steps for data that is in a state that supports operator intervention. The impact of this depends on the customer process model and the action requested.
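The issue above is an authorization decision that has to be made on the server for every action request, regardless of which actions the console offered the user. The following is an added illustration, not FTM code, of a server-side check that ties each resolution action to the item states that support intervention and to the roles allowed to request it, and records the decision. The process model, roles and action names are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Tuple

# Constructed, hypothetical process model. Real FTM process models are
# customer-defined; this one only exists to make the check concrete.
RESOLUTION_ACTIONS = {
    "retry":   {"states": {"failed"},         "roles": {"operator", "supervisor"}},
    "cancel":  {"states": {"failed", "held"}, "roles": {"supervisor"}},
    "release": {"states": {"held"},           "roles": {"supervisor"}},
}


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


@dataclass(frozen=True)
class Item:
    item_id: str
    state: str


def authorize_resolution(user: User, item: Item, action: str) -> Tuple[bool, str]:
    """Server-side check run on every action request, independent of what the
    user interface rendered. Returns (allowed, reason)."""
    rule = RESOLUTION_ACTIONS.get(action)
    if rule is None:
        return False, f"unknown action {action!r}"
    if item.state not in rule["states"]:
        return False, f"item {item.item_id} in state {item.state!r} does not support {action!r}"
    if not (user.roles & rule["roles"]):
        return False, f"user {user.name!r} is not authorized for {action!r}"
    return True, "ok"


def handle_action_request(user: User, item: Item, action: str, audit: list) -> bool:
    """Apply the check and append the outcome to an audit list so that denied
    attempts, not only successful edits, are traceable to the requesting user."""
    allowed, reason = authorize_resolution(user, item, action)
    audit.append({
        "user": user.name, "item": item.item_id, "action": action,
        "allowed": allowed, "reason": reason,
    })
    return allowed
```

Evaluating state and role together is the point: an action can be valid for the item yet not for the requester, or valid for the requester yet not for the item's current state, and the server must refuse both cases.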
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/90612 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
AFFECTED PRODUCTS:
IBM Financial Transaction Manager: 2.0
REMEDIATION:
FTM 2.0 customers may apply PTF/fixpack 2.0.0.3 or upgrade to FTM 2.1.1
WORKAROUND(s):
None
MITIGATION(s)
Use of IE8 or Firefox instead of IE6 or IE7 will prevent accidental exposure but does not prevent deliberate exploitation.
RELATED INFORMATION:
https://www-304.ibm.com/jct03001c/security/secure-engineering/process.html
ACKNOWLEDGEMENT:
None
Affected Products and Versions
Financial Transaction Manager v2.0 and v2.1
Remediation/Fixes
CVE ID | Product | VRMF | APAR | Remediation
CVE-2014-0830 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0830 | FTM | v2.1.0.0 | None | Upgrade to v2.1.0.1 or v2.1.1
CVE-2014-0831 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0832 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1
CVE-2014-0833 | FTM | v2.0.0.0, v2.0.0.1, v2.0.0.2 | None | Upgrade to v2.0.0.3 or v2.1.1
Get Notified about Future Security Bulletins
Important Note
IBM strongly suggests that all System z customers be subscribed to the System z Security Portal to receive the latest critical System z security and integrity service. If you are not subscribed, see the instructions on the System z Security web site. Security and integrity APARs and associated fixes will be posted to this portal. IBM suggests reviewing the CVSS scores and applying all security or integrity fixes as soon as possible to minimize any potential risk.
References
http://xforce.iss.net/xforce/xfdb/90584
http://xforce.iss.net/xforce/xfdb/90585
http://xforce.iss.net/xforce/xfdb/90586
http://xforce.iss.net/xforce/xfdb/90612
Change History
24th January 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date:
16 June 2018
UID
swg21662714