Security Bulletin: IBM Tivoli Monitoring Client Vulnerabilities

Summary

IBM Tivoli Monitoring Client is affected by user privilege escalation and possible denial of service vulnerabilities. IBM has addressed these vulnerabilities.

Vulnerability Details

CVEID: CVE-2017-1794 DESCRIPTION: IBM Tivoli Monitoring Enterprise Portal is vulnerable to both TEPS user privilege escalation and possible denial of service due to unconstrained memory growth.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137039&gt; for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)

Affected Products and Versions

IBM Tivoli Monitoring Enterprise Portal Server versions 6.2.3 through 6.2.3 Fix Pack 5 and 6.3.0 through 6.3.0 Fix Pack 7

Remediation/Fixes

The patches below update the IBM Tivoli Monitoring Enterprise Portal Server

Workarounds and Mitigations

Using the default IIOP or Corba plus SSL avoids the vulnerabilites as it does not use the same interfaces which have been shown to be vulnerable as per the CVE above. The following security bulletin ensures that default IIOP is using SSL:

<http://www-01.ibm.com/support/docview.wss?uid=swg22003402&gt;