History: Feb 11, 2020 - 6:29 p.m.

Security Bulletin: Vulnerabilities in IBM Sterling B2B Integrator and IBM Sterling File Gateway

2020-02-11 18:29:33
www.ibm.com

EPSS: 0.003 (Low), percentile 69.2%

Summary

IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by multiple security vulnerabilities. These vulnerabilities include:
- SQL Injection
- Path Traversal
- Unrestricted File Upload
- Cross-Site Scripting (XSS)
- Insufficient Session-ID Length
- Information Disclosure
- Command Injection
- File Type Manipulation
- Session Hijacking

Vulnerability Details

SQL Injection (CVE-2013-0560)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are subject to SQL injection. An authenticated remote attacker could send specially crafted SQL statements to various screens, which could allow the attacker to view, add, modify or delete information in the back-end database.

CVE ID: CVE-2013-0560
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83012 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0
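The bulletin describes the flaw only as crafted SQL reaching "various screens". The following is an added example, not code from the product or from IBM, showing the pattern behind that class of bug: a per-user filter value spliced into a statement, beside the parameterised form that closes it. The in-memory SQLite table, the mailbox rows and the payload are all constructed for the example; SQLite stands in for whatever back-end database the product actually uses.

```python
import sqlite3

# Constructed stand-in for the product's back-end database: an in-memory
# SQLite table of mailboxes, invented for this example.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE mailbox (owner TEXT, name TEXT, path TEXT)")
    conn.executemany(
        "INSERT INTO mailbox VALUES (?, ?, ?)",
        [
            ("alice", "inbound", "/mailbox/alice/in"),
            ("alice", "outbound", "/mailbox/alice/out"),
            ("bob", "inbound", "/mailbox/bob/in"),
            ("admin", "audit", "/mailbox/admin/audit"),
        ],
    )
    return conn


def list_mailboxes_vulnerable(conn: sqlite3.Connection, owner: str) -> list:
    # The owner value is meant to scope the query to the caller's own
    # mailboxes, but it is spliced into the statement text, so any SQL it
    # contains becomes part of the statement.
    sql = "SELECT owner, name, path FROM mailbox WHERE owner = '" + owner + "'"
    return conn.execute(sql).fetchall()


def list_mailboxes_fixed(conn: sqlite3.Connection, owner: str) -> list:
    # Parameter binding: the value travels separately from the statement
    # text and can only ever be compared as a string.
    sql = "SELECT owner, name, path FROM mailbox WHERE owner = ?"
    return conn.execute(sql, (owner,)).fetchall()


# Constructed value an authenticated user might submit in a screen's
# filter field: closes the quoted literal and appends an always-true clause.
PAYLOAD = "alice' OR '1'='1"


def demo() -> dict:
    conn = make_db()
    return {
        "honest_value": len(list_mailboxes_vulnerable(conn, "alice")),
        "vulnerable_with_payload": len(list_mailboxes_vulnerable(conn, PAYLOAD)),
        "fixed_with_payload": len(list_mailboxes_fixed(conn, PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

With the honest value the vulnerable query returns the two rows owned by alice; with the payload it returns every row in the table, including admin's, while the parameterised query returns nothing because no owner is literally named `alice' OR '1'='1`.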


Path Traversal (CVE-2013-2984)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to path traversal. A successful attacker could gain access to restricted files.

CVE ID: CVE-2013-2984
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1

IBM Sterling File Gateway 2.2 and 2.1


Unrestricted File Upload (CVE-2013-2982)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway allow files of any type to be uploaded. A successful attacker could take advantage of the flaw to launch other attacks.

CVE ID: CVE-2013-2982
CVSS Base Score: 6.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83997 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:P/A:P)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2 and 5.1

IBM Sterling File Gateway 2.2 and 2.1


Command Injection (CVE-2013-0476)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to FTP command injection. A remote attacker could inject unauthorized FTP commands, which could compromise the server.

CVE ID: CVE-2013-0476
CVSS Base Score: 5.8
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81405 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0
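The bulletin does not say where the injected FTP commands enter. The following is an added example, not code from the product or from IBM, of the usual mechanism: a file name carrying CR LF is concatenated into an FTP command line, so the peer reads the bytes after the line break as further commands. The `build_retr_*` functions, the peer model and the injected name are all constructed for the example.

```python
CRLF = "\r\n"


def build_retr_vulnerable(filename: str) -> bytes:
    # Concatenation: if the name carries CR LF, the first line ends early
    # and everything after it reaches the peer as additional commands.
    return ("RETR " + filename + CRLF).encode("latin-1")


def build_retr_fixed(filename: str) -> bytes:
    # RFC 959 terminates every command with CR LF, so a pathname containing
    # CR, LF or NUL cannot be sent as one command; refuse it outright.
    if any(ch in filename for ch in "\r\n\0"):
        raise ValueError("control characters in FTP pathname")
    return ("RETR " + filename + CRLF).encode("latin-1")


def commands_seen_by_peer(wire: bytes) -> list:
    # Minimal model of the receiving side: split on CR LF, one command per
    # line, and report the verb of each.
    return [line.decode("latin-1").split(" ", 1)[0]
            for line in wire.split(b"\r\n") if line]


# Constructed attacker-supplied file name: a legitimate-looking document
# name followed by two injected commands.
INJECTED_NAME = "invoice.edi\r\nDELE audit.log\r\nSITE CHMOD 777 inbox"


def demo() -> dict:
    seen = commands_seen_by_peer(build_retr_vulnerable(INJECTED_NAME))
    try:
        build_retr_fixed(INJECTED_NAME)
        fixed = "sent"
    except ValueError:
        fixed = "rejected"
    return {"vulnerable_sends": seen, "fixed": fixed}


if __name__ == "__main__":
    print(demo())
```

The vulnerable builder emits three commands for one requested retrieval; the fixed builder refuses the name before anything is put on the wire. Rejecting rather than stripping is deliberate: silently removing the line break would still let an attacker probe which characters survive.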


Insufficient Session-ID Length (CVE-2013-0539)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are affected by an insufficient session-ID length vulnerability in a third-party component. A short session identifier leaves the applications open to brute-force session-guessing attacks; an attacker who guesses a user's session identifier can hijack that user's session.

CVE ID: CVE-2013-0539
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/82916 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0
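The bulletin gives neither the identifier length involved nor what "short" means in practice. The following is an added example, not code from the product or from IBM, that works the guessing arithmetic through: an upper bound on an identifier's entropy from its length and alphabet, the expected time to land on any valid session given how many are active and how fast the attacker can try, and a generator that clears the bar. The 64-bit floor is the OWASP Session Management Cheat Sheet's minimum; the 1,000 sessions and 10,000 guesses per second in `demo()` are assumed numbers.

```python
import math
import secrets

# Commonly cited floor for session identifier entropy (OWASP Session
# Management Cheat Sheet); treat anything below it as guessable.
MIN_ENTROPY_BITS = 64


def id_entropy_upper_bound(id_length: int, alphabet_size: int) -> float:
    # Best case for an ID of id_length symbols drawn uniformly from an
    # alphabet of alphabet_size; a weak generator yields less, never more.
    return id_length * math.log2(alphabet_size)


def expected_seconds_to_hijack(entropy_bits: float, active_sessions: int,
                               guesses_per_second: float) -> float:
    # Attacker enumerates the ID space without repeats; with S valid IDs in
    # a space of N values, the expected number of tries before the first
    # hit is (N + 1) / (S + 1). Any one hit is a hijacked session.
    space = 2.0 ** entropy_bits
    expected_tries = (space + 1) / (active_sessions + 1)
    return expected_tries / guesses_per_second


def meets_minimum_entropy(entropy_bits: float) -> bool:
    return entropy_bits >= MIN_ENTROPY_BITS


def new_session_id() -> str:
    # 16 bytes from the OS CSPRNG, hex encoded: 128 bits of entropy.
    return secrets.token_hex(16)


def demo() -> dict:
    # Assumed scenario: 1,000 logged-in users and an attacker sustaining
    # 10,000 guesses per second against the session cookie.
    sessions, rate = 1_000, 10_000.0
    weak = id_entropy_upper_bound(8, 16)     # 8 hex characters, 32 bits
    strong = id_entropy_upper_bound(32, 16)  # 32 hex characters, 128 bits
    return {
        "weak_bits": weak,
        "weak_seconds": expected_seconds_to_hijack(weak, sessions, rate),
        "strong_bits": strong,
        "strong_seconds": expected_seconds_to_hijack(strong, sessions, rate),
    }


if __name__ == "__main__":
    print(demo())
```

Under those assumptions an 8-hex-character identifier falls in roughly seven minutes, while a 32-hex-character one is out of reach by dozens of orders of magnitude. The entropy figure is an upper bound: an identifier that is long but built from a timestamp or a counter has far less, which is why the generator matters as much as the length.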


Cross-Site Scripting (XSS) (CVE-2013-0455, CVE-2013-0468, CVE-2013-2983, CVE-2013-0559)

**DESCRIPTION:** Cross-site scripting (XSS) vulnerabilities are found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to execute script in a victim's web browser within the security context of the hosting web site once the victim clicks a crafted URL. An attacker could use this to steal the victim's cookie-based authentication credentials.

CVE ID: CVE-2013-0455
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80971 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

CVE ID: CVE-2013-0468
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81334 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-2983
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83998 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

CVE ID: CVE-2013-0559
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83011 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0


Information Disclosure (CVE-2013-0558, CVE-2013-0463, CVE-2013-2985, CVE-2013-2987, CVE-2013-3020, CVE-2013-0568, CVE-2013-0475)

**DESCRIPTION:** Information disclosure vulnerabilities are found in various areas of IBM Sterling B2B Integrator and IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to gain insight into application implementation details and use them to form further attacks.

CVE ID: CVE-2013-0558
CVSS Base Score: 5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83006 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE ID: CVE-2013-0463
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81017 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2985
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84008 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-2987
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84009 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-3020
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/84359 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0568
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83165 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

CVE ID: CVE-2013-0475
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0


File Type Manipulation (CVE-2013-0479)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to file type or extension manipulation, which could cause the file to be handled improperly.

CVE ID: CVE-2013-0479
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/81547 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:N/I:P/A:N)

AFFECTED PRODUCTS:
IBM Sterling B2B Integrator 5.2, 5.1 and 5.0

IBM Sterling File Gateway 2.2, 2.1 and 2.0
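The path traversal, unrestricted file upload and file type manipulation entries above are three views of the same missing control: the name and type a client supplies for a file are trusted. The following is an added example, not code from the product or from IBM, of the checks that close all three at once: canonicalise the destination and require it to stay inside the upload root, allowlist the extension, and require the content's leading bytes to match the type the extension claims. The allowlist, the `UploadRejected` class and every input in `demo()` are constructed for the example.

```python
import os
import tempfile

# Allowlisted upload types with the leading bytes each is expected to
# start with. Constructed for this example; a real deployment would hold
# the list the trading-partner agreement actually permits.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06"),
}


class UploadRejected(ValueError):
    pass


def resolve_upload_path(upload_root: str, client_name: str) -> str:
    # Join, canonicalise, then require the result to stay under the root.
    # os.path.join drops the root when client_name is absolute and realpath
    # collapses "..", so both escapes end up outside root and fail the
    # containment check below.
    if "\0" in client_name:
        raise UploadRejected("NUL byte in file name")
    root = os.path.realpath(upload_root)
    target = os.path.realpath(os.path.join(root, client_name.replace("\\", "/")))
    if target == root or os.path.commonpath([root, target]) != root:
        raise UploadRejected("path escapes upload root")
    return target


def check_file_type(name: str, head: bytes) -> str:
    # Decide the type from the extension, then require the content to match
    # it, so a renamed file (a JSP page saved as report.pdf) is rejected
    # instead of being handled as the type its name claims.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("extension %r not allowed" % ext)
    if not any(head.startswith(magic) for magic in ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match %s" % ext)
    return ext


def accept_upload(upload_root: str, client_name: str, content: bytes) -> str:
    target = resolve_upload_path(upload_root, client_name)
    check_file_type(os.path.basename(target), content[:16])
    return target


def demo() -> dict:
    # Constructed inputs; the upload root is a throwaway temp directory.
    root = tempfile.mkdtemp()
    cases = {
        "good_pdf": ("report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
        "traversal": ("../../etc/passwd", b"%PDF-1.7\n"),
        "absolute": ("/etc/passwd", b"%PDF-1.7\n"),
        "bad_extension": ("shell.jsp", b"<%@ page import=\"java.io.*\" %>"),
        "renamed_script": ("report.pdf", b"<%@ page import=\"java.io.*\" %>"),
    }
    results = {}
    for label, (name, content) in cases.items():
        try:
            accept_upload(root, name, content)
            results[label] = "accepted"
        except UploadRejected as err:
            results[label] = "rejected: " + str(err)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, "->", outcome)
```

The magic-byte check is a heuristic, not a parser: it stops a script renamed to `.pdf`, but a file that is a valid PDF and also something else (a polyglot) passes it, so downstream handlers still need to treat the bytes as untrusted. Checking containment after `realpath` rather than by string prefix is what makes the `..` and absolute-name cases fail.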


Information Disclosure (CVE-2013-0567)

**DESCRIPTION:** Information disclosure vulnerabilities are found in various areas of IBM Sterling File Gateway. A remote attacker could exploit these vulnerabilities to gain insight into application implementation details and use them to form further attacks.

CVE ID: CVE-2013-0567
CVSS Base Score: 4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83164 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

AFFECTED PRODUCTS:
IBM Sterling File Gateway 2.2 and 2.1


Session Hijacking (CVE-2013-0456)

**DESCRIPTION:** IBM Sterling B2B Integrator and IBM Sterling File Gateway are vulnerable to session hijacking through cookie path manipulation.

CVE ID: CVE-2013-0456
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80972 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:N/I:P/A:N)

Affected Products and Versions

IBM Sterling B2B Integrator 5.2, 5.1 and 5.0
IBM Sterling File Gateway 2.2, 2.1 and 2.0

Remediation/Fixes

Product | APAR | Remediated Fixes
---|---|---
IBM Sterling B2B Integrator 5.0 or IBM Sterling File Gateway 2.0 | IC90773, IC92007, IC89294, IC89538, IC89434, IC89385, IC89429, IC86096, IC87672, IC88970, IC87731, IC89293, IC89291, IC88972, IC90483, IC92612, IC91628, IC92259 | For the APAR fixes listed, apply Fix Pack 5010, available on IWM
IBM Sterling B2B Integrator 5.1 or IBM Sterling File Gateway 2.1 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply generic iFix 5104_1, available on IWM
IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply generic iFix 5020401_3, available on Fix Central
IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC90773, IC91071, IC91046, IC89291, IC89293, IC89292, IC89295, IC88970, IC89429, IC89385, IC89434, IC90518, IC91012, IC91045, IC92888, IC84082, IC87731, IC87672, IC89538, IC86096, IC89294, IC90483, IC88972, IC91442, IC91525, IC92272, IC92007, IC91044, IC91151, IC94320, IC92259 | For the APAR fixes listed, apply Fix Pack 5020402, available on Fix Central
IBM Sterling B2B Integrator 5.2 or IBM Sterling File Gateway 2.2 | IC95996, IC88973 | Apply Fix Pack 5020500 or the media, available on Fix Central and Passport Advantage respectively

To acquire the fix from IWM, log in to IWM.
See FAQs on downloading an iFix from the IWM site.

To acquire the fix from Fix Central, log in to IBM Fix Central.

More details and release notes can be found here:
IBM Sterling B2B Integrator 5.2 Knowledge Center

To acquire the fix from Passport Advantage, log in here.

ADDITIONAL INFORMATION:

The iFixes listed above for Sterling B2B Integrator and Sterling File Gateway also contain fixes for the following reported vulnerabilities.

Title | CVE ID | Link
---|---|---
Improper validation of user-supplied input on select IBM Sterling B2B Integrator screens | CVE-2012-5766 | http://www.ibm.com/support/docview.wss?uid=swg21627982
IBM Sterling B2B Integrator's session or sensitive cookies do not have the secure attribute enabled | CVE-2012-5936 | http://www.ibm.com/support/docview.wss?uid=swg21627985
Error in IBM Sterling B2B Integrator console processing could result in stack traces being displayed in the response | CVE-2013-0481 | http://www.ibm.com/support/docview.wss?uid=swg21627986
A number of security vulnerabilities have been discovered in the OpenSSL libraries included in IBM Sterling B2B Integrator and IBM Sterling File Gateway | Multiple CVEs | http://www.ibm.com/support/docview.wss?uid=swg21640831

Workarounds and Mitigations

None Known.

Get Notified about Future Security Bulletins

Subscribe to [My Notifications](http://www-01.ibm.com/software/support/einfo.html) to be notified of important product support alerts like this.

References

Complete CVSS v2 Guide
On-line Calculator v2


Related Information

IBM Secure Engineering Web Portal
IBM Product Security Incident Response Blog

Change History

June 30, 2013: Initial version
July 30, 2013: Changed the affected products section to include Sterling B2B Integrator 5.0 and the remediation section to include Fix Pack 5010
Oct 7, 2013: Corrected a few broken links
Dec 2, 2013: Updated remediation to include Fix Pack 5020402 as one of the remediated versions
Dec 12, 2014: Updated remediation to include Fix Pack 5020500 as one of the remediated versions

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.

[{"Product":{"code":"SS3JSW","label":"IBM Sterling B2B Integrator"},"Business Unit":{"code":"BU055","label":"Cognitive Applications"},"Component":"–","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"PF012","label":"IBM i"},{"code":"PF016","label":"Linux"},{"code":"PF027","label":"Solaris"},{"code":"PF033","label":"Windows"}],"Version":"5.2;5.1;5.0","Edition":"All Editions","Line of Business":{"code":"LOB59","label":"Sustainability Software"}},{"Product":{"code":"SS4TGX","label":"IBM Sterling File Gateway"},"Business Unit":{"code":"BU059","label":"IBM Software w/o TPS"},"Component":" ","Platform":[{"code":"PF002","label":"AIX"},{"code":"PF010","label":"HP-UX"},{"code":"","label":"i5/OS"},{"code":"PF016","label":"Linux"},{"code":"PF033","label":"Windows"}],"Version":"2.2;2.1","Edition":"","Line of Business":{"code":"LOB59","label":"Sustainability Software"}}]
