A defect in the configuration handling of IBM Security Access Manager (ISAM) for Web v8.0 could result in systems failing to comply with the NIST 800-131A standard.
CVE ID :
CVE-2014-3052
DESCRIPTION:
The reverse proxy component of IBM Security Access Manager for Web can be configured to require compliance with the NIST 800-131A standard when creating an SSL connection to a protected backend application. This is controlled by the "jct-nist-compliance" configuration parameter in the [junction] stanza of the reverse proxy configuration file. An error in the configuration code causes the reverse proxy to invert the value of this configuration parameter: if the parameter is set to "yes", the reverse proxy interprets it as "no". As a consequence, the SSL connection does not enforce compliance with NIST 800-131A and could be using encryption settings that are weaker than required.
This vulnerability is not complex to exploit. It can be exploited from the adjacent network and authentication is not required. An exploit can partially affect the confidentiality of the system, but not its integrity or availability.
CVSS:
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93454>
Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:L/Au:N/C:P/I:N/A:N)
AFFECTED PRODUCTS AND VERSIONS:
IBM Security Access Manager for Web version 8.0, firmware versions 8.0.0.2 and 8.0.0.3.
REMEDIATION/FIXES:
IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.
| Fix | Build | APAR | Download URL |
|---|---|---|---|
| 8.0.0.3-ISS-WGA-IF0003 | 80033 | IV61553 | http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.0.1&platform=All&function=all |
WORKAROUNDS AND MITIGATIONS:
If an IBM Security Access Manager for Web customer wishes to configure a reverse proxy component to use an SSL connection to a protected backend application that is compliant with NIST 800-131A, then the "jct-nist-compliance" configuration parameter must be set to "no", because the affected code inverts the configured value.
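The following audit helper is an added example and is not IBM code. It models the defect described above (the [junction] stanza's "jct-nist-compliance" value being inverted on affected firmware) and the workaround (setting "no" to obtain enforcement), so an administrator can compute the effective behaviour of a given configuration file. It assumes the reverse proxy configuration file is INI-style with `key = value` lines under `[stanza]` headings, that the parameter takes the values "yes" or "no", and that an absent parameter means "no"; the sample configuration is constructed for the example and the affected firmware versions are the ones this advisory lists.

```python
"""Audit the effective NIST 800-131A junction setting under CVE-2014-3052.

Added example, not IBM's code. Assumes an INI-style reverse proxy
configuration with a [junction] stanza, "yes"/"no" values, and "no" when the
parameter is absent (assumptions, not statements from the advisory).
"""
import configparser

# Firmware versions the advisory lists as affected.
AFFECTED_FIRMWARE = {"8.0.0.2", "8.0.0.3"}

# Constructed sample configuration; not a real customer file.
SAMPLE_CONFIG = """
[server]
server-name = webseal-demo

[junction]
jct-nist-compliance = yes
"""


def read_setting(config_text: str) -> bool:
    """Return the jct-nist-compliance value the administrator configured."""
    # strict=False tolerates repeated keys, which some stanzas allow.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(config_text)
    value = parser.get("junction", "jct-nist-compliance", fallback="no")
    return value.strip().lower() == "yes"


def vulnerable_effective_setting(configured: bool) -> bool:
    """Model of the defect: the affected code inverts the configured value."""
    return not configured


def fixed_effective_setting(configured: bool) -> bool:
    """Model of the patched behaviour: the configured value is honoured."""
    return configured


def effective_nist_compliance(config_text: str, firmware_version: str,
                              interim_fix_applied: bool) -> bool:
    """True if NIST 800-131A compliance is actually enforced on the junction."""
    configured = read_setting(config_text)
    if firmware_version in AFFECTED_FIRMWARE and not interim_fix_applied:
        return vulnerable_effective_setting(configured)
    return fixed_effective_setting(configured)


def audit(config_text: str, firmware_version: str,
          interim_fix_applied: bool) -> dict:
    """Summarise configured versus effective behaviour for an administrator."""
    configured = read_setting(config_text)
    effective = effective_nist_compliance(config_text, firmware_version,
                                          interim_fix_applied)
    return {
        "configured": configured,
        "effective": effective,
        # A mismatch means the junction does not do what the config says.
        "mismatch": configured != effective,
    }


if __name__ == "__main__":
    # Unpatched affected firmware with "yes" configured: not enforced.
    print(audit(SAMPLE_CONFIG, "8.0.0.3", interim_fix_applied=False))
    # Same configuration after the interim fix: enforced as configured.
    print(audit(SAMPLE_CONFIG, "8.0.0.3", interim_fix_applied=True))
```

Run against the real configuration file by reading its contents into `config_text`; a `mismatch` of `True` on an unpatched system is the condition this advisory describes, and the workaround value "no" will show as effective enforcement only on affected, unpatched firmware.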