
Security Bulletin: Vulnerability in IBM® Sterling B2B Integrator can lead to ability to execute OS commands from CLA2 server without authentication (CVE-2012-5937).

Abstract

A security vulnerability exists in the Sterling B2B Integrator CLA2 server which permits an unauthenticated user to execute arbitrary OS commands.

Content

VULNERABILITY DETAILS:
CVE ID: CVE-2012-5937

DESCRIPTION:
A security vulnerability exists in the Sterling B2B Integrator CLA2 server which permits an unauthenticated user to execute arbitrary OS commands. An attacker with simple programming skills can exploit this vulnerability to execute any Unix or Windows command or script.

CVSS:
CVSS Base Score: 9.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/80403 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:N/C:C/I:N/A:C)

AFFECTED PRODUCTS:
Gentran Integration Suite 4.3
Sterling Integrator 5.0
Sterling Integrator 5.1
Sterling B2B Integrator 5.2
Sterling File Gateway 1.1
Sterling File Gateway 2.0
Sterling File Gateway 2.1
IBM® Sterling File Gateway 2.2

REMEDIATION:
Apply the following fixes (APAR IC85189):

Product Version                                            Remediation Fix Version
Gentran Integration Suite 4.3, Sterling File Gateway 1.1   iFix 4325_1 (download from IWM)
Sterling Integrator 5.0, Sterling File Gateway 2.0         iFix 5009_1 (download from IWM); Fix Pack 5010 (download from IWM)
Sterling Integrator 5.1, Sterling File Gateway 2.1         Fix Pack 5104 (download from IWM)
Sterling B2B Integrator 5.2, Sterling File Gateway 2.2     iFix 5020401_2 or Fix Pack 5020402 (download from Fix Central)

IWM: https://www14.software.ibm.com/iwm/web/download_en_US.shtml

Fix Central: http://www-933.ibm.com/support/fixcentral/

Workaround(s):
Disable all instances of the CLA2 server. Please review the Critical Patch Notifications for instructions on how to disable the CLA2 server. The Critical Patch Notifications are available on IWM (for GIS 4.3, SI 5.0, SFG 1.1 and SFG 2.0 versions) or Fix Central (for B2Bi 5.2 and SFG 2.2 versions).

Mitigation(s):
Isolate CLA2 server network connectivity to limit access.

CHANGE HISTORY:
10 April, 2013: Initial Version
July 30, 2013: Changed affected products section to include Sterling B2B Integrator 5.0 and remediation section to include 5010
Dec 11, 2013: Changed remediation section to include Fix Pack 5020402 as one of the Fixes for Sterling B2B Integrator 5.2 and Sterling File Gateway 2.2

REFERENCES:
· Complete CVSS Guide
· On-line Calculator V2
· X-Force Vulnerability Database: https://exchange.xforce.ibmcloud.com/vulnerabilities/80403
· CVE-2012-5937

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.

Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.


Document Information

Modified date: 25 September 2022
UID: swg21633925