History: Jun 16, 2018 - 8:10 p.m.

Security Bulletin: Multiple Security Issues in IBM Tealeaf Customer Experience

2018-06-16 20:10:57
www.ibm.com

EPSS: 0.005 (Low), Percentile: 77.1%

Summary

IBM Tealeaf Customer Experience contains hard-coded credentials. A remote attacker could exploit this vulnerability to gain access to the system.
IBM Tealeaf Customer Experience could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences to view arbitrary files on the system.

Vulnerability Details

CVEID: CVE-2017-1204
DESCRIPTION: IBM Tealeaf contains hard-coded credentials. A remote attacker could exploit this vulnerability to gain access to the system.
CVSS Base Score: 5.6
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/123740> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L)

CVEID: CVE-2017-1279
DESCRIPTION: IBM Tealeaf Customer Experience could allow a remote attacker to traverse directories on the system. An attacker could send a specially-crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system.
CVSS Base Score: 6.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/124757> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)


Affected Products and Versions

IBM Tealeaf Customer Experience v8.7, v8.8 and v9.0.2

Remediation/Fixes

Product | VRMF | Remediation/First Fix
---|---|---
IBM Tealeaf Customer Experience | 9.0.2A | http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2.5321_9.0.2A_IBM_Tealeaf_CXUpgrade_FixPack6&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
IBM Tealeaf Customer Experience | 9.0.2 | http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=9.0.2.1351_IBM_Tealeaf_CXUpgrade_FixPack6&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
IBM Tealeaf Customer Experience | 8.8 | http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=8.8.0.9075_IBMTealeaf_CXUpgrade_FixPack11&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc
IBM Tealeaf Customer Experience | 8.7 | http://www.ibm.com/support/fixcentral/swg/quickorder?parent=Enterprise%20Marketing%20Management&product=ibm/Other+software/Tealeaf+Customer+Experience&release=All&platform=All&function=fixId&fixids=8.7.1.8885_IBMTealeaf_CXUpgrade_FixPack12&includeRequisites=1&includeSupersedes=0&downloadMethod=http&source=fc

Workarounds and Mitigations

None
