ID

VAR-201406-0329


CVE

CVE-2014-3052


TITLE

Vulnerability in the firmware of IBM Security Access Manager for Web in which important information is obtained

Trust: 0.8

sources: JVNDB: JVNDB-2014-003021

DESCRIPTION

The reverse-proxy feature in IBM Security Access Manager (ISAM) for Web 8.0 with firmware 8.0.0.2 and 8.0.0.3 interprets the jct-nist-compliance parameter in the opposite of the intended manner, which makes it easier for remote attackers to obtain sensitive information by leveraging weak SSL encryption settings that lack NIST SP 800-131A compliance.

IBM Security Access Manager is prone to a security-bypass vulnerability because it fails to adequately handle user-supplied input. An attacker can exploit this issue to bypass certain security restrictions and perform unauthorized actions to gain sensitive information. This may lead to further attacks.

IBM Security Access Manager (ISAM) for Web (formerly known as IBM Tivoli Access Manager for e-business) is a set of products from IBM Corporation in the United States used in user authentication, authorization and Web single sign-on solutions. It provides user access management and Web application protection functions. There is a security vulnerability in the reverse-proxy component of ISAM for Web 8.0 using firmware versions 8.0.0.2 and 8.0.0.3. The vulnerability stems from the fact that the program does not correctly set the jct-nist-compliance configuration parameter.

Trust: 2.07

sources: NVD: CVE-2014-3052 // JVNDB: JVNDB-2014-003021 // BID: 68138 // VULHUB: VHN-70991 // VULMON: CVE-2014-3052

AFFECTED PRODUCTS

vendor: ibm, model: security access manager for web 8.0, scope: eq, version: 8.0.0.2

Trust: 1.6

vendor: ibm, model: security access manager for web 8.0, scope: eq, version: 8.0.0.3

Trust: 1.6

vendor: ibm, model: security access manager for web appliance, scope: eq, version: 8.0

Trust: 1.0

vendor: ibm, model: security access manager for web the appliance, scope: -, version: -

Trust: 0.8

vendor: ibm, model: security access manager for web software, scope: eq, version: 8.0.0.2

Trust: 0.8

vendor: ibm, model: security access manager for web software, scope: eq, version: 8.0.0.3

Trust: 0.8

vendor: ibm, model: security access manager for web, scope: eq, version: 8.03

Trust: 0.3

vendor: ibm, model: security access manager for web, scope: eq, version: 8.02

Trust: 0.3

vendor: ibm, model: security access manager for web, scope: eq, version: 8.0

Trust: 0.3

sources: BID: 68138 // JVNDB: JVNDB-2014-003021 // CNNVD: CNNVD-201406-465 // NVD: CVE-2014-3052

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2014-3052
value: LOW

Trust: 1.0

NVD: CVE-2014-3052
value: LOW

Trust: 0.8

CNNVD: CNNVD-201406-465
value: LOW

Trust: 0.6

VULHUB: VHN-70991
value: LOW

Trust: 0.1

VULMON: CVE-2014-3052
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2014-3052
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-70991
severity: LOW
baseScore: 3.3
vectorString: AV:A/AC:L/AU:N/C:P/I:N/A:N
accessVector: ADJACENT_NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 6.5
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-70991 // VULMON: CVE-2014-3052 // JVNDB: JVNDB-2014-003021 // CNNVD: CNNVD-201406-465 // NVD: CVE-2014-3052

PROBLEMTYPE DATA

problemtype: CWE-16

Trust: 1.9

sources: VULHUB: VHN-70991 // JVNDB: JVNDB-2014-003021 // NVD: CVE-2014-3052

THREAT TYPE

specific network environment

Trust: 0.6

sources: CNNVD: CNNVD-201406-465

TYPE

configuration error

Trust: 0.6

sources: CNNVD: CNNVD-201406-465

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-003021

PATCH

title: 1676705, url: http://www-01.ibm.com/support/docview.wss?uid=swg21676705

Trust: 0.8

sources: JVNDB: JVNDB-2014-003021

EXTERNAL IDS

db: NVD, id: CVE-2014-3052

Trust: 2.9

db: JVNDB, id: JVNDB-2014-003021

Trust: 0.8

db: CNNVD, id: CNNVD-201406-465

Trust: 0.7

db: XF, id: 93454

Trust: 0.6

db: BID, id: 68138

Trust: 0.5

db: VULHUB, id: VHN-70991

Trust: 0.1

db: VULMON, id: CVE-2014-3052

Trust: 0.1

sources: VULHUB: VHN-70991 // VULMON: CVE-2014-3052 // BID: 68138 // JVNDB: JVNDB-2014-003021 // CNNVD: CNNVD-201406-465 // NVD: CVE-2014-3052

REFERENCES

url: http://www-01.ibm.com/support/docview.wss?uid=swg21676705

Trust: 2.1

url: http://www-01.ibm.com/support/docview.wss?uid=swg1iv61553

Trust: 1.8

url: https://exchange.xforce.ibmcloud.com/vulnerabilities/93454

Trust: 1.2

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-3052

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-3052

Trust: 0.8

url: http://xforce.iss.net/xforce/xfdb/93454

Trust: 0.6

url: http://www.ibm.com/

Trust: 0.3

url: https://cwe.mitre.org/data/definitions/16.html

Trust: 0.1

url: https://www.securityfocus.com/bid/68138

Trust: 0.1

url: https://nvd.nist.gov

Trust: 0.1

sources: VULHUB: VHN-70991 // VULMON: CVE-2014-3052 // BID: 68138 // JVNDB: JVNDB-2014-003021 // CNNVD: CNNVD-201406-465 // NVD: CVE-2014-3052

CREDITS

The vendor reported this issue.

Trust: 0.3

sources: BID: 68138

SOURCES

db: VULHUB, id: VHN-70991
db: VULMON, id: CVE-2014-3052
db: BID, id: 68138
db: JVNDB, id: JVNDB-2014-003021
db: CNNVD, id: CNNVD-201406-465
db: NVD, id: CVE-2014-3052

LAST UPDATE DATE

2024-11-23T22:59:40.483000+00:00


SOURCES UPDATE DATE

db: VULHUB, id: VHN-70991, date: 2017-08-29T00:00:00
db: VULMON, id: CVE-2014-3052, date: 2017-08-29T00:00:00
db: BID, id: 68138, date: 2014-06-18T00:00:00
db: JVNDB, id: JVNDB-2014-003021, date: 2014-06-24T00:00:00
db: CNNVD, id: CNNVD-201406-465, date: 2014-06-23T00:00:00
db: NVD, id: CVE-2014-3052, date: 2024-11-21T02:07:22.730

SOURCES RELEASE DATE

db: VULHUB, id: VHN-70991, date: 2014-06-21T00:00:00
db: VULMON, id: CVE-2014-3052, date: 2014-06-21T00:00:00
db: BID, id: 68138, date: 2014-06-18T00:00:00
db: JVNDB, id: JVNDB-2014-003021, date: 2014-06-24T00:00:00
db: CNNVD, id: CNNVD-201406-465, date: 2014-06-23T00:00:00
db: NVD, id: CVE-2014-3052, date: 2014-06-21T15:55:03.807