CVE-2011-3138

The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.

CVSS v2.0 5.0 MEDIUM

5.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 10.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg1IV01318
http://www.ibm.com/support/docview.wss?uid=swg24029497
http://www.ibm.com/support/docview.wss?uid=swg24029498
https://exchange.xforce.ibmcloud.com/vulnerabilities/69198

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:::::::*

Configuration 2 (hide)

OR	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3:::::::*
	cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8:::::::*

History

No history.

Information

Published : 2011-08-12 17:55

Updated : 2024-02-04 17:54

NVD link : CVE-2011-3138

Mitre link : CVE-2011-3138

CVE.ORG link : CVE-2011-3138

JSON object : View

Products Affected

ibm

tivoli_federated_identity_manager
tivoli_federated_identity_manager_business_gateway

CWE

NVD-CWE-Other

{"id": "CVE-2011-3138", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 5.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2011-08-12T17:55:01.260", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1IV01318", "source": "cve@mitre.org"}, {"url": "http://www.ibm.com/support/docview.wss?uid=swg24029497", "source": "cve@mitre.org"}, {"url": "http://www.ibm.com/support/docview.wss?uid=swg24029498", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69198", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-Other"}]}], "descriptions": [{"lang": "en", "value": "The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety."}, {"lang": "es", "value": "El m\u00f3dulo de LTPA STS en IBM Tivoli Federated Identity Manager (TFIM) v6.2.0 anterior a v6.2.0.9 y Tivoli Federated Identity Manager Business Gateway (TFIMBG) v6.2.0 anterior a v6.2.0.9 se basa en una instancia est\u00e1tica de una clase Java Development Kit (JDK), lo que podr\u00eda permitir a un atacante eludir la verificaci\u00f3n de token de firma LTPA aprovechando la falta de seguridad de los subprocesos."}], "lastModified": "2017-08-29T01:30:04.910", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E508843E-DEA8-433D-AFD5-2730D2745E0B"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0B08471C-D834-4247-87A6-6F9D6777375B"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BF2E0940-AAAF-43CA-A34B-7D7F69D98C15"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0BFC5237-6ECD-4B6D-AC3D-D32886302CA4"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5E654796-0374-42DC-8635-8F8AE969B60A"}], "operator": "OR"}]}, {"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1807D56B-4569-47FB-8562-0DA753DCFD89"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "789B771E-5A03-41E8-A7B1-B7AAEA6C2F5E"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "24EC2003-784F-4CA5-8F16-041B1DFFCCC2"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EA8101A0-DF31-42C6-A72F-3A10ECF588D2"}, {"criteria": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E95282DC-382A-4E4B-A5B9-D554A45339AD"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}