IBM Tivoli Application Dependency Discovery Manager (TADDM) contains a vulnerability that would allow an attacker to steal sensitive information in order to access the TADDM database.
CVE ID: CVE-2014-6148
DESCRIPTION: An attacker can use a specially-crafted URL to steal sensitive TADDM database information from TADDM by downloading the "rptdesign" file without prior TADDM authentication.
CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96918> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
TADDM 7.2.2.0 - 7.2.2.2
For each affected TADDM release (7.2.2), an eFix is prepared on top of the latest FixPack:
| Fix | VRMF | APAR | How to acquire fix |
|---|---|---|---|
| efix_authBypass_722FP220140731.zip | 7.2.2.2 | None | Details of the eFix are in etc/<efix_name>_readme.txt |
Additionally, to prevent theft of sensitive information from TADDM, the BIRT-Report Viewer application must be disabled. For further details see Security Bulletin: Vulnerabilities in BIRT-viewer embedded in IBM Tivoli Application Dependency Discovery Manager (<http://www-01.ibm.com/support/docview.wss?uid=swg21688296>).
To disable the BIRT-Report Viewer application in TADDM, use the workaround from Security Bulletin: TADDM – Security improvement: BIRT-Report Viewer application vulnerable to directory traversal attack ().
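As an added detection aid (not part of this bulletin or of IBM's fix), the following script scans web server access logs for "rptdesign" downloads that were served successfully without an authenticated user, which is the symptom of the issue described above. It assumes NCSA combined log format with the remote-user field set to "-" for unauthenticated requests; the paths and log lines are constructed for the example, since the bulletin does not give the real URL.

```python
import re
from typing import Dict, Iterable, List, Optional

# Assumption: NCSA combined log format. TADDM's own access log layout is not
# documented in the bulletin, so adjust the pattern to your deployment.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log lines (hypothetical hosts and paths).
SAMPLE_LOG = """\
10.0.0.5 - jsmith [01/Aug/2014:10:01:12 +0000] "GET /reports/inventory.rptdesign HTTP/1.1" 200 5120
198.51.100.7 - - [01/Aug/2014:10:02:44 +0000] "GET /reports/inventory.rptdesign HTTP/1.1" 200 8192
198.51.100.7 - - [01/Aug/2014:10:02:50 +0000] "GET /reports/viewer?file=Inventory.RPTDESIGN HTTP/1.1" 200 8192
10.0.0.9 - - [01/Aug/2014:10:03:01 +0000] "GET /reports/styles.css HTTP/1.1" 200 300
198.51.100.8 - - [01/Aug/2014:10:04:15 +0000] "GET /reports/inventory.rptdesign HTTP/1.1" 401 0
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_rptdesign_request(path: str) -> bool:
    """True if the request path or query names a .rptdesign file (case-insensitive)."""
    return ".rptdesign" in path.lower()


def find_unauthenticated_rptdesign_downloads(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return entries where a .rptdesign resource was served (2xx status)
    while no authenticated user was recorded ('-' in the remote-user field)."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_rptdesign_request(entry["path"]):
            continue
        if entry["user"] == "-" and entry["status"].startswith("2"):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for h in find_unauthenticated_rptdesign_downloads(SAMPLE_LOG.splitlines()):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["path"]} -> {h["status"]}')
```

On the constructed sample, only the two successful unauthenticated requests from 198.51.100.7 are reported; the authenticated download and the rejected (401) request are not.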