Security Bulletin: IBM Tivoli Federated Identity Manager OpenID: signature validation not applied to all attributes (CVE-2012-6359)
IBM PSIRT 270004PFE3 firstname.lastname@example.org | | Tags:  psirtmedium psirtsecurity
0 Comments | 1,167 Visits
An OpenID message can be modified to contain unsigned attributes that will be accepted by a relying party because Tivoli Federated Identity Manager (TFIM) does not check that all attributes have been signed.
Affected product(s) & Affected version(s):
Tivoli Federated Identity Manager Business Gateway versions 6.2.0, 6.2.1, 6.2.2
Refer to the following reference URLs for remediation and additional vulnerability details.
Source Bulletin: http://www-01.ibm.com/support/docview.wss?uid=swg21615748