History: Jun 17, 2018 - 2:51 p.m.

Security Bulletin: Vulnerabilities in BIRT-viewer embedded in IBM Tivoli Application Dependency Discovery Manager (TADDM) (CVE-2014-6149)

2018-06-17 14:51:59
Source: www.ibm.com

EPSS: 0.003
Percentile: 66.2%

Summary

There are vulnerabilities in the BIRT-viewer embedded in TADDM that cannot be fixed, so BIRT-viewer must be disabled in TADDM. For secure use of BIRT reports in TADDM, use Tivoli Common Reporting (TCR), to which the TADDM BIRT reports can be migrated.

Vulnerability Details

CVE ID: CVE-2014-6149
DESCRIPTION: IBM Tivoli Application Dependency Discovery Manager could allow a remote attacker to traverse directories on the system.
CVSS Base Score: 4.0
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/96919> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/Au:S/C:P/I:N/A:N)

Affected Products and Versions

TADDM 7.2.0.0 - 7.2.0.10
TADDM 7.2.1.0 - 7.2.1.6
TADDM 7.2.2.0 - 7.2.2.2

Remediation/Fixes

To retain the ability to use BIRT reports in TADDM despite the vulnerabilities found in BIRT-viewer, the only secure solution is to use Tivoli Common Reporting (TCR).
Additionally, starting from TADDM 7.2.2, BIRT-viewer is no longer deployed in TADDM by default.

Workarounds and Mitigations

To mitigate the issues, apply the workaround from the Security Bulletin "TADDM – Security improvement: BIRT-Report Viewer application vulnerable to directory traversal attack" (<http://www.ibm.com/support/docview.wss?uid=swg21672395>), which describes how to disable the vulnerable BIRT-Report Viewer application in TADDM.

