Security Bulletin: IBM Security Access Manager for Web - NIST setting (CVE-2014-3052)

Published: 2018-06-16 21:18:13 (source: www.ibm.com)

EPSS: 0.003 (percentile 69.9%)
Summary

A defect in the configuration handling of IBM Security Access Manager (ISAM) for Web v8.0 could result in systems failing to comply with the NIST SP 800-131A standard even when configured to do so.

Vulnerability Details

CVE ID: CVE-2014-3052

DESCRIPTION:
The reverse proxy component of IBM Security Access Manager for Web can be configured to require compliance with NIST SP 800-131A when creating an SSL connection to a protected backend application. This is controlled by the "jct-nist-compliance" configuration parameter in the [junction] stanza of the reverse proxy configuration file. An error in the configuration code causes the reverse proxy to invert the value of this parameter: if it is set to "yes", the reverse proxy interprets it as "no" (and vice versa). As a consequence, the SSL connection to the backend does not enforce NIST SP 800-131A compliance and may negotiate encryption settings weaker than required, without any indication to the administrator that the intended setting is not in effect.

This vulnerability is not complex to exploit. It can be exploited from the adjacent network (an attacker positioned between the reverse proxy and the backend application) and authentication is not required. An exploit can partially affect the confidentiality of the system, but not its integrity or availability.

CVSS (v2):
CVSS Base Score: 3.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/93454>
Environmental Score*: Undefined
CVSS Vector: (AV:A/AC:L/Au:N/C:P/I:N/A:N)

Affected Products and Versions

IBM Security Access Manager for Web version 8.0, firmware versions 8.0.0.2 and 8.0.0.3.

Remediation/Fixes

IBM has provided patches for all affected versions. Follow the installation instructions in the README files included with the patch.

Fix: 8.0.0.3-ISS-WGA-IF0003
Build: 80033
APAR: IV61553
Download URL: http://www-933.ibm.com/support/fixcentral/swg/selectFixes?parent=Security%2BSystems&product=ibm/Tivoli/Tivoli+Access+Manager+for+e-business&release=8.0.0.1&platform=All&function=all

Workarounds and Mitigations

On the affected firmware versions, an IBM Security Access Manager for Web customer who wishes to configure a reverse proxy component to use an SSL connection to a protected backend application that is compliant with NIST SP 800-131A must set the "jct-nist-compliance" configuration parameter to "no", because the affected builds invert the setting. Once the interim fix is installed the parameter is interpreted as written, so the value should then be returned to "yes"; leaving the workaround value in place on a patched system disables the compliance check.
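The following is an added example, not code from IBM or from the bulletin. It models the inverted "jct-nist-compliance" behaviour described above and the workaround that follows from it: it parses the [junction] stanza from a reverse proxy configuration fragment, computes the setting that is actually in effect on an affected build versus a patched one, and reports the value an administrator must write to obtain NIST SP 800-131A enforcement. The configuration fragment is constructed for the example, and identifying a patched system by the interim fix name "8.0.0.3-ISS-WGA-IF0003" is an assumption used only for illustration.

```python
"""Added example (not IBM's code): model CVE-2014-3052, where affected ISAM
for Web builds invert the [junction] jct-nist-compliance parameter.

Assumptions not taken from the bulletin: the sample configuration text,
and treating the interim fix name as the version string of a patched system.
"""
import configparser

# Firmware versions listed as affected in the bulletin.
AFFECTED_FIRMWARE = {"8.0.0.2", "8.0.0.3"}

# Constructed sample: the setting spelled the way an administrator would
# naturally write it when NIST 800-131A enforcement is wanted.
SAMPLE_CONFIG = """
[junction]
jct-nist-compliance = yes
"""


def parse_setting(config_text: str) -> bool:
    """Return jct-nist-compliance as written in the [junction] stanza (yes -> True)."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    return cp.getboolean("junction", "jct-nist-compliance", fallback=False)


def effective_compliance(written: bool, firmware: str) -> bool:
    """NIST 800-131A enforcement actually applied to backend SSL connections.

    Affected builds apply the opposite of the written value (the defect in
    CVE-2014-3052); any other build honours the value as written.
    """
    if firmware in AFFECTED_FIRMWARE:
        return not written
    return written


def required_value(firmware: str, want_compliance: bool) -> str:
    """The value to write in the config to obtain the desired behaviour."""
    honest = "yes" if want_compliance else "no"
    if firmware in AFFECTED_FIRMWARE:
        # Workaround from the bulletin: write the opposite on affected builds.
        return "no" if honest == "yes" else "yes"
    return honest


def audit(config_text: str, firmware: str, want_compliance: bool = True) -> dict:
    """Compare intent against effective behaviour and say what to change."""
    written = parse_setting(config_text)
    effective = effective_compliance(written, firmware)
    return {
        "written": "yes" if written else "no",
        "effective": effective,
        "ok": effective == want_compliance,
        "set_to": required_value(firmware, want_compliance),
    }


if __name__ == "__main__":
    # Affected build: "yes" silently becomes "no"; the fix name is assumed
    # to identify a patched build for illustration only.
    for fw in ("8.0.0.3", "8.0.0.3-ISS-WGA-IF0003"):
        print(fw, audit(SAMPLE_CONFIG, fw))
```

Running the script shows the same configuration text giving a non-compliant backend connection on 8.0.0.3 and a compliant one on the patched build, which is exactly why the workaround value must be reverted to "yes" after the interim fix is applied.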
