History: Jun 17, 2018 - 3:41 p.m.

Security Bulletin: IBM TRIRIGA Application Platform Apache CXF Vulnerability (CVE-2017-5656)

2018-06-17 15:41:56
www.ibm.com

EPSS: 0.003 Low (Percentile: 65.4%)

Summary

IBM TRIRIGA Application Platform is vulnerable to an exploit that can allow an attacker to bypass security restrictions.

Vulnerability Details

CVEID: CVE-2017-5656
DESCRIPTION: Apache CXF could allow a remote attacker to bypass security restrictions, caused by a flaw in the STSClient. By sending a specially-crafted token, an attacker could exploit this vulnerability to bypass security restrictions.
CVSS Base Score: 5.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/125216 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Affected Products and Versions

The following IBM TRIRIGA Platform versions are affected.

· IBM TRIRIGA Application Platform 3.5.0 - 3.5.2.3.
· IBM TRIRIGA Application Platform 3.4.0 - 3.4.2.5.
· IBM TRIRIGA Application Platform 3.3.0 - 3.3.2.5.

Remediation/Fixes

Product| VRMF| APAR| Remediation/First Fix
---|---|---|---
IBM TRIRIGA Application Platform| 3.5.3.0| | The fix is available in IBM TRIRIGA Application Platform 3.5.3 which is available for download on Passport Advantage.
IBM TRIRIGA Application Platform| 3.4.2.6| | The application fix pack is available through IBM TRIRIGA Customer support as a Limited Available Fix Pack. A request can be made through the IBM Support Portal.
IBM TRIRIGA Application Platform| 3.3.2.6| | The application fix pack is available through IBM TRIRIGA Customer support as a Limited Available Fix Pack. A request can be made through the IBM Support Portal.

Workarounds and Mitigations

Until you apply the fixes, it may be possible to reduce the risk of a successful attack by restricting access to internal networks, and not allowing external/Internet access to the application.
