ID

VAR-201108-0124


CVE

CVE-2011-3138


TITLE

LTPA token signature verification bypass vulnerability in the LTPA STS module support implementation of IBM TFIM and TFIMBG

Trust: 0.8

sources: JVNDB: JVNDB-2011-004865

DESCRIPTION

The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging the lack of thread safety. The IBM LTPA STS module is prone to a security vulnerability in the way it handles threads: verification state held in the shared static object can be interleaved by concurrent requests. The exact impact of this issue is currently unknown; a typical scenario may result in a denial-of-service condition or arbitrary data being overwritten. The following products are affected: IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 prior to 6.2.0.9; IBM Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 prior to 6.2.0.9. The product provides web and federated single sign-on (SSO) capabilities to users across multiple applications. Attackers can exploit the lack of thread safety to bypass the signature verification of LTPA tokens.

Trust: 1.98

sources: NVD: CVE-2011-3138 // JVNDB: JVNDB-2011-004865 // BID: 49244 // VULHUB: VHN-51083
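
The failure class described above, shown as an added example that is not IBM's code and not taken from the advisory: a token verifier that shares one static `java.security.Signature` instance across request threads, beside the per-call fix. The advisory does not name the JDK class TFIM used; `Signature` is assumed here because it is the standard non-thread-safe verification object, and the RSA key pair, the "legit" and "forged" payloads and the attacker's reuse of a valid signature over a modified payload are all constructed for the demo (they are not real LTPA tokens).

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.concurrent.*;
import java.util.concurrent.atomic.AtomicInteger;

/*
 * Added illustration of the CVE-2011-3138 failure class (not IBM's code).
 * Assumption: the shared JDK object is java.security.Signature; its
 * initVerify/update/verify sequence mutates internal state, so two threads
 * interleaving on one instance can verify one thread's signature against the
 * other thread's payload. Tokens and keys below are constructed for the demo.
 */
public class LtpaStsRaceDemo {

    static final KeyPair KEYS = genKeys();   // demo key pair, generated at start-up

    static KeyPair genKeys() {
        try {
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048);
            return g.generateKeyPair();
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    static byte[] sign(byte[] payload) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(KEYS.getPrivate());
        s.update(payload);
        return s.sign();
    }

    // VULNERABLE pattern: one static Signature object shared by every thread.
    static final Signature SHARED = newVerifier();

    static Signature newVerifier() {
        try { return Signature.getInstance("SHA256withRSA"); }
        catch (NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
    }

    static boolean verifyShared(byte[] payload, byte[] sig) {
        try {
            // Three separate calls on mutable state: another thread may reset or
            // feed the digest between them, so the result is not about this payload.
            SHARED.initVerify(KEYS.getPublic());
            SHARED.update(payload);
            return SHARED.verify(sig);
        } catch (GeneralSecurityException | RuntimeException e) {
            return false;   // fail closed on any exception from the corrupted state
        }
    }

    // FIXED pattern: a fresh Signature per verification (a ThreadLocal<Signature>
    // would also work; what matters is that no two threads touch one instance).
    static boolean verifyPerCall(byte[] payload, byte[] sig) {
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(KEYS.getPublic());
            v.update(payload);
            return v.verify(sig);
        } catch (GeneralSecurityException | RuntimeException e) {
            return false;
        }
    }

    interface Verifier { boolean verify(byte[] payload, byte[] sig); }

    /** Runs legitimate and attacker threads concurrently; returns how many forged tokens were accepted. */
    static int countForgeriesAccepted(Verifier v, int threads, int rounds) throws Exception {
        byte[] legit  = "user=alice;realm=example".getBytes(StandardCharsets.UTF_8);
        byte[] forged = "user=admin;realm=example".getBytes(StandardCharsets.UTF_8);
        byte[] legitSig = sign(legit);   // attacker replays alice's valid signature over the admin payload
        AtomicInteger accepted = new AtomicInteger();
        ExecutorService pool = Executors.newFixedThreadPool(threads);
        for (int t = 0; t < threads; t++) {
            final boolean attacker = (t % 2 == 1);
            pool.submit(() -> {
                for (int i = 0; i < rounds; i++) {
                    if (attacker) {
                        if (v.verify(forged, legitSig)) accepted.incrementAndGet();
                    } else {
                        v.verify(legit, legitSig);   // honest traffic that the attacker races against
                    }
                }
            });
        }
        pool.shutdown();
        pool.awaitTermination(5, TimeUnit.MINUTES);
        return accepted.get();
    }

    public static void main(String[] args) throws Exception {
        int vuln  = countForgeriesAccepted(LtpaStsRaceDemo::verifyShared, 8, 20_000);
        int fixed = countForgeriesAccepted(LtpaStsRaceDemo::verifyPerCall, 8, 20_000);
        System.out.println("shared static Signature : forged tokens accepted = " + vuln);
        System.out.println("per-call Signature      : forged tokens accepted = " + fixed);
    }
}
```

Compile and run with `javac LtpaStsRaceDemo.java && java LtpaStsRaceDemo`. The per-call verifier always reports 0; the shared-instance count depends on scheduling and varies from run to run, but any value above 0 is a signature-verification bypass, and the same interleavings also cause valid tokens to be rejected, which is the denial-of-service side of the advisory. When auditing a token service for this bug class, look for `static` fields (or singletons) holding `Signature`, `MessageDigest`, `Mac` or `Cipher` instances and for `synchronized` being absent around their init/update/final sequence.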

AFFECTED PRODUCTS

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2.0.8

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2.0.1

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2.0

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2.0.2

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2.0.3

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2.0

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2.0.8

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2.0.1

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2.0.3

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2.0.2

Trust: 1.6

vendor: ibm, model: tivoli federated identity manager business gateway, scope: lt, version: 6.2.0

Trust: 0.8

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2.0.9

Trust: 0.8

vendor: ibm, model: tivoli federated identity manager, scope: lt, version: 6.2.0

Trust: 0.8

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2.0.9

Trust: 0.8

vendor: ibm, model: tivoli federated identity manager business gateway, scope: eq, version: 6.2

Trust: 0.3

vendor: ibm, model: tivoli federated identity manager, scope: eq, version: 6.2

Trust: 0.3

vendor: ibm, model: tivoli federated identity manager business gateway, scope: ne, version: 6.2.0.9

Trust: 0.3

vendor: ibm, model: tivoli federated identity manager, scope: ne, version: 6.2.0.9

Trust: 0.3

sources: BID: 49244 // JVNDB: JVNDB-2011-004865 // CNNVD: CNNVD-201108-264 // NVD: CVE-2011-3138

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2011-3138
value: MEDIUM

Trust: 1.0

NVD: CVE-2011-3138
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201108-264
value: MEDIUM

Trust: 0.6

VULHUB: VHN-51083
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2011-3138
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-51083
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-51083 // JVNDB: JVNDB-2011-004865 // CNNVD: CNNVD-201108-264 // NVD: CVE-2011-3138

PROBLEMTYPE DATA

problemtype: NVD-CWE-Other

Trust: 1.0

problemtype: CWE-DesignError

Trust: 0.8

sources: JVNDB: JVNDB-2011-004865 // NVD: CVE-2011-3138

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201108-264

TYPE

design error

Trust: 0.6

sources: CNNVD: CNNVD-201108-264

CONFIGURATIONS

sources: JVNDB: JVNDB-2011-004865

PATCH

title: 4029498, url: http://www.ibm.com/support/docview.wss?uid=swg24029498

Trust: 0.8

title: 4029497, url: http://www.ibm.com/support/docview.wss?uid=swg24029497

Trust: 0.8

title: IV01318, url: http://www-01.ibm.com/support/docview.wss?uid=swg1IV01318

Trust: 0.8

sources: JVNDB: JVNDB-2011-004865

EXTERNAL IDS

db: NVD, id: CVE-2011-3138

Trust: 2.8

db: JVNDB, id: JVNDB-2011-004865

Trust: 0.8

db: CNNVD, id: CNNVD-201108-264

Trust: 0.7

db: AIXAPAR, id: IV01318

Trust: 0.6

db: BID, id: 49244

Trust: 0.4

db: VULHUB, id: VHN-51083

Trust: 0.1

sources: VULHUB: VHN-51083 // BID: 49244 // JVNDB: JVNDB-2011-004865 // CNNVD: CNNVD-201108-264 // NVD: CVE-2011-3138

REFERENCES

url:http://www-01.ibm.com/support/docview.wss?uid=swg1iv01318

Trust: 1.7

url:http://www.ibm.com/support/docview.wss?uid=swg24029497

Trust: 1.7

url:http://www.ibm.com/support/docview.wss?uid=swg24029498

Trust: 1.7

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/69198

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3138

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3138

Trust: 0.8

url:http://www.ibm.com

Trust: 0.3

url:https://www-304.ibm.com/support/docview.wss?uid=swg1iv01318

Trust: 0.3

sources: VULHUB: VHN-51083 // BID: 49244 // JVNDB: JVNDB-2011-004865 // CNNVD: CNNVD-201108-264 // NVD: CVE-2011-3138

CREDITS

IBM

Trust: 0.3

sources: BID: 49244

SOURCES

db: VULHUB, id: VHN-51083
db: BID, id: 49244
db: JVNDB, id: JVNDB-2011-004865
db: CNNVD, id: CNNVD-201108-264
db: NVD, id: CVE-2011-3138

LAST UPDATE DATE

2024-11-23T23:12:57.412000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-51083, date: 2017-08-29T00:00:00
db: BID, id: 49244, date: 2011-08-18T00:00:00
db: JVNDB, id: JVNDB-2011-004865, date: 2012-03-27T00:00:00
db: CNNVD, id: CNNVD-201108-264, date: 2011-08-15T00:00:00
db: NVD, id: CVE-2011-3138, date: 2024-11-21T01:29:49.350

SOURCES RELEASE DATE

db: VULHUB, id: VHN-51083, date: 2011-08-12T00:00:00
db: BID, id: 49244, date: 2011-08-18T00:00:00
db: JVNDB, id: JVNDB-2011-004865, date: 2012-03-27T00:00:00
db: CNNVD, id: CNNVD-201108-264, date: 2011-08-15T00:00:00
db: NVD, id: CVE-2011-3138, date: 2011-08-12T17:55:01.260