Security Bulletin: Tivoli Federated Identity Manager Business Gateway - Multiple Protocol XML signature validation bypass (CVE-2012-3314)
IBM PSIRT | Tags: psirtmedium psirtsecurity
Tivoli Federated Identity Manager (TFIM) accepts specially crafted messages that can contain invalid or untrusted XML signatures for certain single sign-on protocols and token modules. TFIM could mistakenly accept a malicious message, allowing an attacker to perform actions as another user.
Affected product(s) & Affected version(s):
Tivoli Federated Identity Manager versions 6.1.1, 6.2.0, 6.2.1, 6.2.2
Tivoli Federated Identity Manager Business Gateway versions 6.1.1, 6.2.0, 6.2.1, 6.2.2
Refer to the following reference URLs for remediation and additional vulnerability details.