Security Bulletin: API Connect is affected by a weak two factor authentication vulnerability

Summary

IBM API Connect has addressed the following vulnerability.

API Connect user are affected by a TwoFactor (2FA/TFA) bypass while resetting password.
Using API Connect version 5.0.8.3 and with Two Factor Authentication enabled on the Developer Portal it is possible to bypass TFA and get full access.

Vulnerability Details

Vulnerability Details

CVEID:CVE-2018-1638
**DESCRIPTION:*IBM API Connect Developer Portal does not enforce Two Factor Authentication(TFA) while resetting a user password but enforces it for all other login scenarios.
CVSS Base Score: 5.3
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/144483&gt; for the current score
CVSS Environmental Score: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N)

Affected Products and Versions

Remediation/Fixes

Addressed in IBM API Connect iFix 5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117 for V5.0.8.3.

Developer Portal is impacted.

Follow this link and find the fix ID 5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117

http://www.ibm.com/support/fixcentral/swg/quickorder?parent=ibm%7EWebSphere&product=ibm/WebSphere/IBM+API+Connect&release=5.0.8.3&platform=All&function=fixId&fixids=5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117%3A67094276418854,5.0.8.3-APIConnect-Portal-Debian7-20180524-1117%3A67094276418854,5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117.ova%3A67094276418854&includeSupersedes=0&source=fc

Select Option 2 for 5.0.8.3-APIConnect-Portal-Ubuntu16-20180524-1117

Workarounds and Mitigations

None