Security Bulletin: IBM Tivoli Application Dependency Discovery Manager (TADDM) can reveal TADDM database sensitive information (CVE-2014-6148)

Published: 2018-06-17 14:52:08
Source: www.ibm.com

EPSS: 0.001 (percentile 49.3%)

Summary

IBM Tivoli Application Dependency Discovery Manager contains a vulnerability that would allow an attacker to obtain sensitive information that can be used to access the TADDM database.

Vulnerability Details

CVE ID: CVE-2014-6148
DESCRIPTION: An attacker can use a specially-crafted URL to steal sensitive TADDM database information from TADDM, by downloading the “rptdesign” file without prior TADDM authentication.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96918> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

TADDM 7.2.2.0 - 7.2.2.2

Remediation/Fixes

For each affected TADDM release (7.2.2), an eFix has been prepared on top of the latest FixPack:

Fix | VRMF | APAR | How to acquire fix
---|---|---|---
efix_authBypass_722FP220140731.zip | 7.2.2.2 | None | Download eFix

Details of the eFix are in etc/<efix_name>_readme.txt

Additionally, to prevent theft of sensitive information from TADDM, the BIRT-Report Viewer application must be disabled. For further details see Security Bulletin: Vulnerabilities in BIRT-viewer embedded in IBM Tivoli Application Dependency Discovery Manager (<http://www-01.ibm.com/support/docview.wss?uid=swg21688296>).

Workarounds and Mitigations

To disable BIRT-Report Viewer application in TADDM, use the workaround from Security Bulletin: TADDM – Security improvement: BIRT-Report Viewer application vulnerable to directory traversal attack ().
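The issue described above is an unauthenticated download of a "rptdesign" file through the BIRT-Report Viewer, and the fix is to apply the eFix and disable that viewer. One way to verify that the viewer is actually no longer serving such files is to scan the web server access log for successful (HTTP 200) requests that name a `.rptdesign` resource. The script below is an added example, not IBM's code or part of the bulletin; the log lines, client addresses and URL paths in it are constructed for illustration, and it assumes the front-end logs in Common Log Format. After the mitigation is in place, any hit it reports deserves investigation.

```python
import re
from typing import Dict, List, Optional

# Common Log Format: host ident authuser [date] "method target protocol" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Any request whose path or query string names a BIRT .rptdesign resource.
RPTDESIGN_RE = re.compile(r'\.rptdesign\b', re.IGNORECASE)

# Constructed sample log lines (not real TADDM output). The /birt and /cdm paths
# are placeholders chosen for the example, not documented TADDM URLs.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Jun/2018:14:52:08 +0000] "GET /birt/report.rptdesign HTTP/1.1" 200 5120
10.0.0.7 - - [17/Jun/2018:14:53:10 +0000] "GET /cdm/servlet/Login HTTP/1.1" 200 880
10.0.0.9 - - [17/Jun/2018:14:54:02 +0000] "GET /birt/frameset?__report=taddm.rptdesign HTTP/1.1" 200 9001
10.0.0.9 - - [17/Jun/2018:14:55:41 +0000] "GET /birt/other.rptdesign HTTP/1.1" 404 210
garbage line that does not parse
"""


def parse_clf(line: str) -> Optional[Dict]:
    """Parse one CLF line into a dict, or return None if it does not match."""
    m = CLF_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_rptdesign_downloads(log_text: str) -> List[Dict]:
    """Return every parsed request that fetched a .rptdesign resource with HTTP 200.

    A 200 means the viewer actually served the file; a 404 (viewer disabled or
    file absent) is not a successful download and is not reported.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_clf(line)
        if rec is None:
            continue
        if RPTDESIGN_RE.search(rec["target"]) and rec["status"] == 200:
            hits.append(rec)
    return hits


def summarize_by_host(hits: List[Dict]) -> Dict[str, int]:
    """Count successful .rptdesign downloads per client address."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["host"]] = counts.get(h["host"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_rptdesign_downloads(SAMPLE_LOG)
    for h in found:
        print(f'{h["time"]} {h["host"]} {h["method"]} {h["target"]} -> {h["status"]}')
    print("per-host totals:", summarize_by_host(found))
```

On real logs, run the scanner both before and after disabling the BIRT-Report Viewer: hits before the change give an idea of who was reaching report files, and any hit after the change means the viewer is still exposed and the mitigation has not taken effect.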
