ID

VAR-201602-0387


CVE

CVE-2015-5012


TITLE

IBM Security Access Manager for Web Appliance SSH Vulnerability that breaks cryptographic protection mechanisms

Trust: 0.8

sources: JVNDB: JVNDB-2015-006988

DESCRIPTION

The SSH implementation on IBM Security Access Manager for Web appliances 7.0 before 7.0.0 FP19, 8.0 before 8.0.1.3 IF3, and 9.0 before 9.0.0.0 IF1 does not properly restrict the set of MAC algorithms, which makes it easier for remote attackers to defeat cryptographic protection mechanisms via unspecified vectors. IBM Security Access Manager for Web is prone to an information-disclosure vulnerability. An attacker can exploit this issue to gain access to sensitive information; this may lead to further attacks. IBM Security Access Manager (ISAM) for Web provides user access management and Web application protection functions. The SSH implementation of ISAM for Web contains a security flaw caused by the program not correctly restricting the set of MAC algorithms. The following versions are affected: ISAM for Web Version 7.0, Version 8.0, Version 9.0.

Trust: 1.98

sources: NVD: CVE-2015-5012 // JVNDB: JVNDB-2015-006988 // BID: 85206 // VULHUB: VHN-82973

AFFECTED PRODUCTS

vendor  model                                      scope  version       trust
ibm     security access manager for web 7.0        eq     7.0.0.6       1.6
ibm     security access manager for web 7.0        eq     7.0.0.4       1.6
ibm     security access manager for web 7.0        eq     7.0.0.7       1.6
ibm     security access manager for web 7.0        eq     7.0.0.15      1.6
ibm     security access manager for web 7.0        eq     7.0.0.13      1.6
ibm     security access manager for web 7.0        eq     7.0.0.14      1.6
ibm     security access manager for web 7.0        eq     7.0.0.5       1.6
ibm     security access manager for web 7.0        eq     7.0.0.8       1.6
ibm     security access manager for web 7.0        eq     7.0.0.16      1.6
ibm     security access manager for web 7.0        eq     7.0.0.9       1.6
ibm     security access manager for web 7.0        eq     7.0.0.12      1.0
ibm     security access manager for web 8.0        eq     8.0.1.0       1.0
ibm     security access manager for web 7.0        eq     7.0.0.18      1.0
ibm     security access manager for web 8.0        eq     8.0.0.3       1.0
ibm     security access manager for web 7.0        eq     7.0.0.3       1.0
ibm     security access manager 9.0                eq     9.0.0         1.0
ibm     security access manager for web 7.0        eq     7.0.0.17      1.0
ibm     security access manager for web 8.0        eq     8.0.0.5       1.0
ibm     security access manager for web 7.0        eq     7.0.0.1       1.0
ibm     security access manager for web 8.0        eq     8.0.0.2       1.0
ibm     security access manager for web 8.0        eq     8.0.1         1.0
ibm     security access manager for web 7.0        eq     7.0.0.11      1.0
ibm     security access manager for web 8.0        eq     8.0.1.2       1.0
ibm     security access manager for web 7.0        eq     7.0.0.2       1.0
ibm     security access manager for web 7.0        eq     7.0.0.10      1.0
ibm     security access manager for web 8.0        eq     8.0.0.1       1.0
ibm     security access manager for web software   eq     7.0.0 fp19    0.8
ibm     security access manager software           eq     9.0.0.0 if1   0.8
ibm     security access manager for web software   lt     8.0           0.8
ibm     security access manager software           lt     9.0           0.8
ibm     security access manager for web software   lt     7.0           0.8
ibm     security access manager for web software   eq     8.0.1.3 if3   0.8

sources: JVNDB: JVNDB-2015-006988 // CNNVD: CNNVD-201602-277 // NVD: CVE-2015-5012

CVSS

SEVERITY

nvd@nist.gov: CVE-2015-5012
value: HIGH

Trust: 1.0

NVD: CVE-2015-5012
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-201602-277
value: MEDIUM

Trust: 0.6

VULHUB: VHN-82973
value: MEDIUM

Trust: 0.1

CVSSV2

nvd@nist.gov: CVE-2015-5012
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-82973
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

CVSSV3

nvd@nist.gov: CVE-2015-5012
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.0

Trust: 1.0

sources: VULHUB: VHN-82973 // JVNDB: JVNDB-2015-006988 // CNNVD: CNNVD-201602-277 // NVD: CVE-2015-5012

PROBLEMTYPE DATA

problemtype: CWE-310

Trust: 1.9

sources: VULHUB: VHN-82973 // JVNDB: JVNDB-2015-006988 // NVD: CVE-2015-5012

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201602-277

TYPE

encryption problem

Trust: 0.6

sources: CNNVD: CNNVD-201602-277

CONFIGURATIONS

sources: JVNDB: JVNDB-2015-006988

PATCH

title: 1971422  url: http://www-01.ibm.com/support/docview.wss?uid=swg21971422

Trust: 0.8

title: IBM Security Access Manager for Web Security vulnerabilities  url: http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=60218

Trust: 0.6

sources: JVNDB: JVNDB-2015-006988 // CNNVD: CNNVD-201602-277

EXTERNAL IDS

db: NVD  id: CVE-2015-5012

Trust: 2.8

db: JVNDB  id: JVNDB-2015-006988

Trust: 0.8

db: CNNVD  id: CNNVD-201602-277

Trust: 0.7

db: BID  id: 85206

Trust: 0.4

db: VULHUB  id: VHN-82973

Trust: 0.1

sources: VULHUB: VHN-82973 // BID: 85206 // JVNDB: JVNDB-2015-006988 // CNNVD: CNNVD-201602-277 // NVD: CVE-2015-5012

REFERENCES

url: http://www-01.ibm.com/support/docview.wss?uid=swg1iv78768

Trust: 1.7

url: http://www-01.ibm.com/support/docview.wss?uid=swg1iv78780

Trust: 1.7

url: http://www-01.ibm.com/support/docview.wss?uid=swg21971422

Trust: 1.7

url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2015-5012

Trust: 0.8

url: http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2015-5012

Trust: 0.8

url: http://www.ibm.com/

Trust: 0.3

sources: VULHUB: VHN-82973 // BID: 85206 // JVNDB: JVNDB-2015-006988 // CNNVD: CNNVD-201602-277 // NVD: CVE-2015-5012

CREDITS

IBM X-Force Ethical Hacking Team: Paul Ionescu, Warren Moynihan, Jonathan Fitz-Gerald, John Zuccato, Chris Shepherd, Dmitriy Beryoza

Trust: 0.3

sources: BID: 85206

SOURCES

db: VULHUB  id: VHN-82973
db: BID  id: 85206
db: JVNDB  id: JVNDB-2015-006988
db: CNNVD  id: CNNVD-201602-277
db: NVD  id: CVE-2015-5012

LAST UPDATE DATE

2024-11-23T22:01:34.010000+00:00


SOURCES UPDATE DATE

db: VULHUB  id: VHN-82973  date: 2016-03-11T00:00:00
db: BID  id: 85206  date: 2016-02-11T00:00:00
db: JVNDB  id: JVNDB-2015-006988  date: 2016-03-16T00:00:00
db: CNNVD  id: CNNVD-201602-277  date: 2016-02-16T00:00:00
db: NVD  id: CVE-2015-5012  date: 2024-11-21T02:32:10.550

SOURCES RELEASE DATE

db: VULHUB  id: VHN-82973  date: 2016-02-15T00:00:00
db: BID  id: 85206  date: 2016-02-11T00:00:00
db: JVNDB  id: JVNDB-2015-006988  date: 2016-03-16T00:00:00
db: CNNVD  id: CNNVD-201602-277  date: 2016-02-16T00:00:00
db: NVD  id: CVE-2015-5012  date: 2016-02-15T02:59:06.577