
Security Bulletin: IBM Cúram Social Program Management when not configured with LDAP or SSO may be vulnerable to denial of service (CVE-2014-6092).

2018-07-17 10:10:47
www.ibm.com

EPSS: 0.002 (Percentile: 64.8%)

Summary

Default authentication methods in IBM Curam Social Program Management do not allow for a per-user account lockout policy; instead they employ a single, system-wide policy. For most users of the system, a low lockout threshold is desirable. However, for accounts used to integrate with another system, such as a user whose sole purpose is to allow another system to invoke a particular web service, a low lockout threshold may allow an attacker to lock out the other system, thereby effecting a denial of service. This is context specific, and default authentication in Curam does not allow for appropriate levels of configuration of the lockout threshold.

Default authentication in IBM Curam Social Program Management now supports additional configuration to allow more flexibility in this configuration. See the release notes of the relevant release for the supported options for configuration of password lockout policy.

Customers of IBM Curam Social Program Management using an alternative authentication system such as LDAP are NOT affected.

Vulnerability Details

CVEID: CVE-2014-6092
DESCRIPTION: IBM Curam Social Program Management allows an attacker with knowledge of usernames within the caseworker system to lock those users out of the system, preventing the client from being able to access the web system.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/95870 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:N/A:P)

Affected Products and Versions

5.2
6.0 SP2
6.0.4
6.0.5

Remediation/Fixes

| Product | VRMF | Remediation/First Fix |
|---|---|---|
| Cúram SPM | 6.0.5 | Visit IBM Fix Central and upgrade to 6.0.5.6 or a subsequent 6.0.5 release. |
| Cúram SPM | 6.0.4 | Visit IBM Fix Central and upgrade to 6.0.4.6 or a subsequent 6.0.4 release. |
| Cúram SPM | 6.0 SP2 | Visit IBM Fix Central and upgrade to 6.0 SP2 EP26 or a subsequent 6.0 SP2 release. |
| Cúram SPM | 5.2 | Visit IBM Fix Central and upgrade to 5.2 SP6 EP6 or a subsequent 5.2 release. |

See the release notes of the relevant release for the supported options for configuration of password lockout policy.

Workarounds and Mitigations

(i) Increase the number of permitted login retries while enforcing a stronger password policy. The password must be strong enough to resist brute-force/dictionary attacks, which reduces the importance of the account lockout policy.

(ii) The period of time for which an account remains locked can also be modified. Rather than permanently locking accounts, which lets an attacker cause a permanent denial of service against legitimate clients, locking accounts temporarily limits the impact to a temporary denial of service.

If employing either of these mitigation strategies, authentication failures should be monitored closely.
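Taken together, the fixed releases and the two mitigations amount to a lockout policy that can differ per account, locks for a bounded period, and records every failure for monitoring. The following is an added example, not code from IBM or the Cúram product, sketching such a policy in Python; the account names, thresholds and source address are constructed, and `svc_external` stands for the kind of integration account the Summary describes.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class LockoutPolicy:
    max_failures: int               # consecutive failures before the account is locked
    lock_seconds: Optional[int]     # None = permanent lock (the behaviour the bulletin warns about)

@dataclass
class LockoutTracker:
    default: LockoutPolicy
    overrides: Dict[str, LockoutPolicy] = field(default_factory=dict)  # per-account policies (hypothetical)
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)       # inf = permanent lock
    audit: List[str] = field(default_factory=list)                      # what operations should monitor

    def policy_for(self, user: str) -> LockoutPolicy:
        return self.overrides.get(user, self.default)

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                      # temporary lock has expired: clear it
            del self.locked_until[user]
            self.failures[user] = 0
            return False
        return True

    def record_failure(self, user: str, now: float, source: str) -> bool:
        """Record one failed login; return True if the account is (now) locked."""
        self.audit.append(f"{now:.0f} auth_failure user={user} src={source}")
        if self.is_locked(user, now):
            return True
        policy = self.policy_for(user)
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] < policy.max_failures:
            return False
        self.locked_until[user] = (float("inf") if policy.lock_seconds is None
                                   else now + policy.lock_seconds)
        self.audit.append(f"{now:.0f} account_locked user={user} until={self.locked_until[user]}")
        return True

def build_demo_tracker() -> LockoutTracker:
    # Constructed scenario: strict default for caseworkers, relaxed policy for an integration account.
    return LockoutTracker(
        default=LockoutPolicy(max_failures=3, lock_seconds=900),
        overrides={"svc_external": LockoutPolicy(max_failures=20, lock_seconds=60)},
    )
```

With this policy three bad passwords lock a caseworker for 15 minutes and then clear automatically, while the integration account tolerates far more failures, and every failure lands in the audit list for the monitoring the bulletin calls for.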
