Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway

IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities:

  • SQL Injection
  • Path Traversal
  • Unrestricted File Upload
  • Cross-Site Scripting (XSS)
  • Insufficient Session-ID Length
  • Information Disclosure
  • Command Injection
  • File Type Manipulation
  • Session Hijacking

Vulnerability Details

SQL Injection

CVEID: CVE-2013-0560

Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are subject to SQL Injection. An authenticated remote attacker could send specially-crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVSS Base score: 6.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Products and Versions

Path Traversal

CVEID: CVE-2013-2984

Description: Path traversal is possible in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could gain access to restricted files.

CVSS Base score: 6.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Products and Versions

Unrestricted File Upload

CVEID: CVE-2013-2982

Description: Any type of file is allowed to be uploaded in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could take advantage of the flaw to launch other attacks.

CVSS Base score: 6.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Affected Products and Versions

Command Injection

CVEID: CVE-2013-0476

Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to FTP command injection attacks. A remote attacker could inject unauthorized FTP commands which could compromise the server.

CVSS Base score: 5.8
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Affected Products and Versions

Insufficient Session-ID Length

CVEID: CVE-2013-0539

Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by an insufficient Session-ID length vulnerability that exists in a third party component. A shorter session identifier leaves the applications open to brute-force session guessing attacks. An attacker can hijack a user’s session if the user’s session identifier is guessed.

CVSS Base score: 5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

Cross-Site Scripting (XSS)

CVEID: CVE-2013-0455

Description: A Cross-Site Scripting (XSS) vulnerability is found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to execute a script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

CVSS Base score: 4.3
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVEID: CVE-2013-0468
CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-2983
CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-0559
CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:N/Au:S/C:N/I:P/A:N)

Affected Products and Versions

Information Disclosure

CVEID: CVE-2013-0558

Description: An information disclosure vulnerability is found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details to form further attacks.

CVSS Base score: 5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVEID: CVE-2013-0463
CVSS Base score: 4
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2013-2985
CVSS Base score: 4
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVEID: CVE-2013-2987
CVSS Base score: 4
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVEID: CVE-2013-3020
CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N)

CVEID: CVE-2013-0568
CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVEID: CVE-2013-0475
CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

File Type Manipulation

CVEID: CVE-2013-0479

Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to file type or extension manipulation which could cause improper handling of the file.

CVSS Base score: 4
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

Affected Products and Versions

Information Disclosure

CVEID: CVE-2013-0567

Description: An information disclosure vulnerability is found in various areas of IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details to form further attacks.

CVSS Base score: 4
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

Session Hijacking

CVEID: CVE-2013-0456
Description: The Sterling solutions are vulnerable to session hijacking through cookie path manipulation.

CVSS Base score: 3.5
CVSS Temporal Score: Click here.
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions
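
The CVSS Base scores and vectors listed in the Vulnerability Details can be cross-checked before they are loaded into a patch-triage queue. The following is an added example, not part of the original bulletin: it recomputes the CVSS v2 base score from each vector with the equation and weights of the CVSS v2 specification and reports entries whose vector is malformed or does not reproduce the stated score. The function names are this example's own, and the five sample entries are copied from this page.

```python
# Added example: recompute CVSS v2 base scores and audit advisory entries.
WEIGHTS = {  # metric weights from the CVSS v2 specification
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}

def parse_vector(vector):
    """Parse '(AV:N/AC:L/Au:S/C:P/I:P/A:P)'; 'AU' is accepted as 'Au'."""
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        name, _, value = part.partition(":")
        name = "Au" if name.upper() == "AU" else name.upper()
        value = value.upper()
        if name not in WEIGHTS or value not in WEIGHTS[name]:
            raise ValueError(f"invalid CVSS v2 metric {part!r}")
        metrics[name] = WEIGHTS[name][value]
    if set(metrics) != set(WEIGHTS):
        raise ValueError("vector must define AV, AC, Au, C, I and A")
    return metrics

def base_score(vector):
    """CVSS v2 base equation, rounded to one decimal."""
    w = parse_vector(vector)
    impact = 10.41 * (1 - (1 - w["C"]) * (1 - w["I"]) * (1 - w["A"]))
    exploitability = 20 * w["AV"] * w["AC"] * w["Au"]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)

def audit(entries):
    """Return (cve, stated, computed-or-error) for entries that fail the check."""
    findings = []
    for cve, stated, vector in entries:
        try:
            computed = base_score(vector)
        except ValueError as err:
            findings.append((cve, stated, str(err)))
            continue
        if abs(computed - stated) > 0.05:
            findings.append((cve, stated, computed))
    return findings

# (CVE, stated base score, vector) as listed in this bulletin.
SAMPLE = [
    ("CVE-2013-0560", 6.5, "(AV:N/AC:L/Au:S/C:P/I:P/A:P)"),
    ("CVE-2013-0476", 5.8, "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"),
    ("CVE-2013-0559", 3.5, "(AV:N/AC:N/Au:S/C:N/I:P/A:N)"),
    ("CVE-2013-2985", 4.0, "(AV:N/AC:M/Au:S/C:N/I:P/A:N)"),
    ("CVE-2013-3020", 3.5, "(AV:L/AC:M/Au:S/C:P/I:N/A:N)"),
]
```

Calling `audit(SAMPLE)` returns the entries to confirm against the vendor's own record before relying on the listed score.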

Remediation/Fixes

Product: IBM Sterling B2B Integrator 5.0 or IBM Sterling File Gateway 2.0
APAR: IC90773, IC92007, IC89294, IC89538, IC89434, IC89385, IC89429, IC86096, IC87672, IC88970, IC87731, IC89293, IC89291, IC88972, IC90483, IC92612, IC91628, IC92259
Remediation/Fix: For the APAR fixes listed, apply Fix Pack 5010 available on IWM

Product: IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1
APAR: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediation/Fix: For the APAR fixes listed, apply generic iFix 5104_1 available on IWM

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APAR: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediation/Fix: For the APAR fixes listed, apply generic iFix 5020401_3 available on Fix Central

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APAR: IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259
Remediation/Fix: For the APAR fixes listed, apply Fix Pack 5020402 available on Fix Central

Product: IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2
APAR: IC95996, IC88973
Remediation/Fix: Apply 5020500 Fix Pack or Media available on Fix Central and Passport Advantage respectively

Additional Information:

The iFixes listed above for Sterling B2B Integrator and Sterling File Gateway also contain fixes for the following reported vulnerabilities.

Title: Improper validation of user supplied input on select IBM Sterling B2B Integrator screens.
CVE ID: CVE-2012-5766

Title: IBM Sterling B2B Integrator's session or sensitive cookies do not have the secure attribute enabled.
CVE ID: CVE-2012-5936

Title: Error in IBM Sterling B2B Integrator console processing could result in stack traces being displayed in the response.
CVE ID: CVE-2013-0481

Title: A number of security vulnerabilities have been discovered in the OpenSSL libraries included in IBM Sterling B2B Integrator and IBM Sterling File Gateway.
CVE ID: Multiple CVEs

Workarounds and Mitigations

None.
