Integration News
Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway
IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities:
- SQL Injection
- Path Traversal
- Unrestricted File Upload
- Cross-Site Scripting (XSS)
- Insufficient Session-ID Length
- Information Disclosure
- Command Injection
- File Type Manipulation
- Session Hijacking
Vulnerability Details
SQL Injection
CVEID: CVE-2013-0560
Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are subject to SQL Injection. An authenticated remote attacker could send specially-crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.
CVSS Base score: 6.5
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Affected Products and Versions
Path Traversal
CVEID: CVE-2013-2984
Description: Path traversal is possible in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could gain access to restricted files.
CVSS Base score: 6.5
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Affected Products and Versions
Unrestricted File Upload
CVEID: CVE-2013-2982
Description: Any type of file is allowed to be uploaded in IBM Sterling B2B Integrator and IBM Sterling File Gateway. A successful attacker could take advantage of the flaw to launch other attacks.
CVSS Base score: 6.5
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Affected Products and Versions
Command Injection
CVEID: CVE-2013-0476
Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to FTP command injection attacks. A remote attacker could inject unauthorized FTP commands which could compromise the server.
CVSS Base score: 5.8
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
Affected Products and Versions
Insufficient Session-ID Length
CVEID: CVE-2013-0539
Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by an insufficient Session-ID length vulnerability that exists in a third party component. A shorter session identifier leaves the applications open to brute-force session guessing attacks. An attacker can hijack a user’s session if the user’s session identifier is guessed.
CVSS Base score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Affected Products and Versions
Cross-Site Scripting (XSS)
CVEID: CVE-2013-0455
Description: Cross-Site Scripting (XSS) vulnerability is found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to execute a script in a victim’s web browser within the security context of the hosting web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.
CVSS Base score: 4.3
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVEID: CVE-2013-0468
CVSS Base score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-2983
CVSS Base score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-0559
CVSS Base score: 3.5
CVSS Vector: (AV:N/AC:N/Au:S/C:N/I:P/A:N)
Affected Products and Versions
Information Disclosure
CVEID: CVE-2013-0558
Description: Information Disclosure vulnerability is found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details to form further attacks.
CVSS Base score: 5
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVEID: CVE-2013-0463
CVSS Base score: 4
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID: CVE-2013-2985
CVSS Base score: 4
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CVEID: CVE-2013-2987
CVSS Base score: 4
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVEID: CVE-2013-3020
CVSS Base score: 3.5
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N)
CVEID: CVE-2013-0568
CVSS Base score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
CVEID: CVE-2013-0475
CVSS Base score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Affected Products and Versions
File Type Manipulation
CVEID: CVE-2013-0479
Description: IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to file type or extension manipulation, which could cause improper handling of the file.
CVSS Base score: 4
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)
Affected Products and Versions
Information Disclosure
CVEID: CVE-2013-0567
Description: Information Disclosure vulnerability is found in various areas of IBM Sterling File Gateway. A remote attacker could exploit this vulnerability to gain insight into application implementation details to form further attacks.
CVSS Base score: 4
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)
Affected Products and Versions
Session Hijacking
CVEID: CVE-2013-0456
Description: The Sterling solutions are vulnerable to session hijacking through cookie path manipulation.
CVSS Base score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)
Affected Products and Versions
Remediation/Fixes
| Product | APAR | Remediation/Fixes |
|---|---|---|
| IBM Sterling B2B Integrator 5.0 or IBM Sterling File Gateway 2.0 | IC90773, IC92007, IC89294, IC89538, IC89434, IC89385, IC89429, IC86096, IC87672, IC88970, IC87731, IC89293, IC89291, IC88972, IC90483, IC92612, IC91628, IC92259 | For the APAR fixes listed, apply Fix Pack 5010 available on IWM |
| IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply generic iFix 5104_1 available on IWM |
| IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply generic iFix 5020401_3 available on Fix Central |
| IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply Fix Pack 5020402 available on Fix Central |
| IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | | Apply 5020500 Fix Pack or Media, available on Fix Central and Passport Advantage respectively |
Additional Information:
The iFixes listed above for Sterling B2B Integrator and Sterling File Gateway also contain fixes for the following reported vulnerabilities.
| Title | CVE ID |
|---|---|
| Improper validation of user-supplied input on select IBM Sterling B2B Integrator screens. | CVE-2012-5766 |
| IBM Sterling B2B Integrator's session or sensitive cookies do not have the secure attribute enabled. | CVE-2012-5936 |
| Error in IBM Sterling B2B Integrator console processing could result in stack traces being displayed in the response. | CVE-2013-0481 |
| A number of security vulnerabilities have been discovered in the OpenSSL libraries included in IBM Sterling B2B Integrator and IBM Sterling File Gateway. | Multiple CVEs |
Workarounds and Mitigations
None.