IBM Tivoli Monitoring Client is affected by user privilege escalation and possible denial of service vulnerabilities. IBM has addressed these vulnerabilities.
CVEID: CVE-2017-1794
DESCRIPTION: IBM Tivoli Monitoring Enterprise Portal is vulnerable to both TEPS user privilege escalation and possible denial of service due to unconstrained memory growth.
CVSS Base Score: 7.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/137039> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
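The base score of 7.5 above follows from the vector string, and a practitioner triaging this bulletin may want to confirm that the vector and score agree before copying them into a tracker. The following Python is an added example written for this page (it is not IBM code) that evaluates a CVSS v3.0 base vector with the metric weights and formulas from the FIRST v3.0 specification; it parses the bulletin's vector, including the surrounding parentheses, and reproduces the 7.5.

```python
"""Compute a CVSS v3.0 base score from a vector string.

Added worked example for this bulletin; not IBM code. Metric weights and
formulas are those published in the CVSS v3.0 specification.
"""
import math

# Exploitability metric weights (CVSS v3.0, section 8.4).
ATTACK_VECTOR = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20}
ATTACK_COMPLEXITY = {"L": 0.77, "H": 0.44}
# Privileges Required depends on Scope: (scope unchanged, scope changed).
PRIVILEGES_REQUIRED = {"N": (0.85, 0.85), "L": (0.62, 0.68), "H": (0.27, 0.50)}
USER_INTERACTION = {"N": 0.85, "R": 0.62}
# Impact metric weights shared by Confidentiality, Integrity and Availability.
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}

REQUIRED = ("AV", "AC", "PR", "UI", "S", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Split 'CVSS:3.0/AV:N/...' (optionally wrapped in parentheses) into a dict."""
    body = vector.strip().strip("()")
    prefix, _, rest = body.partition("/")
    if prefix != "CVSS:3.0":
        raise ValueError(f"not a CVSS v3.0 vector: {vector!r}")
    metrics = dict(part.split(":", 1) for part in rest.split("/"))
    missing = [m for m in REQUIRED if m not in metrics]
    if missing:
        raise ValueError(f"vector is missing base metrics: {missing}")
    return metrics


def roundup(value: float) -> float:
    """Smallest one-decimal number >= value (the spec's Roundup function).

    Uses the integer arithmetic recommended in CVSS v3.1, which yields the same
    results as the v3.0 definition while avoiding floating-point artefacts.
    """
    int_input = round(value * 100000)
    if int_input % 10000 == 0:
        return int_input / 100000.0
    return (math.floor(int_input / 10000) + 1) / 10.0


def subscores(vector: str) -> dict:
    """Return the unrounded impact and exploitability sub-scores for a vector."""
    m = parse_vector(vector)
    scope_changed = m["S"] == "C"

    # Impact Sub Score, then the scope-dependent Impact formula.
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    if scope_changed:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss

    pr = PRIVILEGES_REQUIRED[m["PR"]][1 if scope_changed else 0]
    exploitability = (8.22 * ATTACK_VECTOR[m["AV"]] * ATTACK_COMPLEXITY[m["AC"]]
                      * pr * USER_INTERACTION[m["UI"]])
    return {"impact": impact, "exploitability": exploitability,
            "scope_changed": scope_changed}


def base_score(vector: str) -> float:
    """Apply the CVSS v3.0 base-score formula to a vector string."""
    s = subscores(vector)
    if s["impact"] <= 0:
        return 0.0
    total = s["impact"] + s["exploitability"]
    if s["scope_changed"]:
        return roundup(min(1.08 * total, 10))
    return roundup(min(total, 10))


if __name__ == "__main__":
    # The vector published in this bulletin for CVE-2017-1794.
    bulletin_vector = "(CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)"
    parts = subscores(bulletin_vector)
    print(f"impact={parts['impact']:.2f} exploitability={parts['exploitability']:.2f}")
    print(f"base score: {base_score(bulletin_vector)}")
```

For the bulletin's vector the exploitability sub-score is about 1.62 (the high attack complexity and low privileges pull it down) and the impact sub-score about 5.87, whose sum rounds up to 7.5; changing AC:H to AC:L and PR:L to PR:N in the same vector gives 9.8, which is a quick way to see how much of the score here rests on the exploitability metrics.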
IBM Tivoli Monitoring Enterprise Portal Server versions 6.2.3 through 6.2.3 Fix Pack 5 and 6.3.0 through 6.3.0 Fix Pack 7
The patches below update the IBM Tivoli Monitoring Enterprise Portal Server.
| Fix | VRMF | How to acquire fix |
|---|---|---|
| 6.3.0-TIV-ITM-FP0007-IJ09127 | 6.3.0 | <http://www.ibm.com/support/docview.wss?uid=ibm10731703> |
| 6.2.3-TIV-ITM-FP0005-IJ09127 | 6.2.3 | |
Using the default IIOP (CORBA) transport with SSL avoids the vulnerabilities, because it does not use the interfaces that have been shown to be vulnerable in the CVE above. The following security bulletin describes how to ensure that the default IIOP transport is using SSL:
<http://www-01.ibm.com/support/docview.wss?uid=swg22003402>