Security Bulletin: Tivoli Federated Identity Manager - Passwords exposed in trace files (CVE-2012-3310)
It is possible to configure Tivoli Federated Identity Manager (TFIM) in such a way that the logging of certain activities could result in the trace files produced by TFIM containing passwords that are either in clear text or obfuscated in a manner that the password can be derived.
CVE ID: CVE-2012-3310
The four logging configurations described below result in the TFIM trace files containing passwords that are either in clear text or obfuscated in a manner that the password can be derived. In all cases, accessing the configuration of the system in order to enable the logging, as well as accessing the resulting trace files, requires elevated privileges.
1) ALIAS SERVICE SETTINGS
Enabling the "all" TFIM log trace setting causes the Alias Service Settings LDAP "Bind Password" to appear in clear text in the resulting trace files when a SAML 2.0 Single Sign-On flow is executed.
2) VIEWING KEYSTORES
Enabling the "all" TFIM log trace setting causes obfuscated keystore passwords to be logged when "View Keys" is executed in the TFIM configuration.
3) ARTIFACT FEDERATION SINGLE SIGN ON WITH BASIC AUTHENTICATION
Enabling the "all" TFIM log trace setting causes the client's HTTP Basic Authentication password to be logged in clear text when a SAML 2.0 federation SSO flow using the HTTP-Artifact binding is executed.
4) STS MODULE USERNAMETOKEN
Enabling the "all" TFIM log trace setting causes the end-user supplied password to be logged in clear text when the STS module issues a UsernameToken.
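As an added example that is not part of IBM's bulletin or of TFIM itself: a small Python scanner that finds each of the four kinds of exposure above in a trace file, recovers the password, and produces a redacted copy that can be shared with support. The sample trace lines are constructed for this example; their layout, component names and field names are assumptions, since the bulletin does not show real trace output. The obfuscation scheme is also an assumption: the bulletin does not name it, and the example uses WebSphere Application Server's {xor} encoding (base64 of each byte XOR 0x5F), because TFIM runs on WebSphere.

```python
import base64
import re
from typing import Callable, List, Pattern, Tuple

# Constructed sample trace excerpt. The layout imitates a WebSphere-style trace
# file but is NOT real TFIM output: component names, field names and wording are
# assumptions. One line per case in the bulletin, plus one harmless line.
SAMPLE_TRACE = """\
[1/4/13 10:02:11:123 EST] 0000001a AliasService     3 LDAP bind: host=ldap.example.com port=389 bindDN=cn=tfim,o=example bindPassword=S3cretBind!
[1/4/13 10:02:12:456 EST] 0000001b KeyService       3 Opening keystore DefaultKeyStore with password {xor}PDc+MTg6Nis=
[1/4/13 10:02:13:789 EST] 0000001c ArtifactResolver 3 Outbound request header: Authorization: Basic YWxpY2U6aHVudGVyMg==
[1/4/13 10:02:14:012 EST] 0000001d STSUsernameToken 3 Incoming token: <wsse:UsernameToken><wsse:Username>bob</wsse:Username><wsse:Password Type="PasswordText">correct horse</wsse:Password></wsse:UsernameToken>
[1/4/13 10:02:15:345 EST] 0000001e SAML20           3 Assertion issued for subject alice
"""


def decode_websphere_xor(token: str) -> str:
    """Reverse WebSphere's {xor} password encoding: base64-decode, then XOR each
    byte with 0x5F. Assumed scheme; the bulletin only says "obfuscated"."""
    raw = base64.b64decode(token, validate=True)
    return bytes(b ^ 0x5F for b in raw).decode("utf-8")


def decode_basic(token: str) -> str:
    """Recover the password from an HTTP Basic credential (base64 of user:password)."""
    user_pass = base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    return user_pass.split(":", 1)[1] if ":" in user_pass else user_pass


# (finding type, pattern whose group 1 is the secret, function mapping group 1 to the password)
RULES: List[Tuple[str, Pattern[str], Callable[[str], str]]] = [
    ("ldap-bind-password",    re.compile(r"bindPassword=(\S+)"),                        lambda s: s),
    ("keystore-password-xor", re.compile(r"\{xor\}([A-Za-z0-9+/=]+)"),                  decode_websphere_xor),
    ("http-basic-auth",       re.compile(r"Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)"), decode_basic),
    ("wsse-usernametoken",    re.compile(r"<wsse:Password[^>]*>([^<]*)</wsse:Password>"), lambda s: s),
]


def scan_trace(text: str) -> List[dict]:
    """Return one finding per credential exposed in the trace text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern, recover in RULES:
            for m in pattern.finditer(line):
                try:
                    password = recover(m.group(1))
                except (ValueError, UnicodeDecodeError):
                    password = "<could not decode>"  # malformed base64: still report the exposure
                findings.append({"line": lineno, "type": kind, "password": password})
    return findings


def redact_trace(text: str) -> str:
    """Replace every matched secret with a fixed marker so the trace can be shared."""
    def mask(m: "re.Match[str]") -> str:
        whole, secret = m.group(0), m.group(1)
        if not secret:            # empty password element: nothing to mask
            return whole
        return whole.replace(secret, "[REDACTED]")
    for _, pattern, _ in RULES:
        text = pattern.sub(mask, text)
    return text


if __name__ == "__main__":
    for f in scan_trace(SAMPLE_TRACE):
        print(f"line {f['line']}: {f['type']} -> {f['password']}")
    print(redact_trace(SAMPLE_TRACE))
```

Run it against a real trace directory before handing files to anyone outside the administrator group, and treat every hit as a credential that must be rotated, not just removed from the file: the bind password, keystore password and Basic credential are service secrets, and the UsernameToken password belongs to an end user.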
An attack does not require local network access, but it does require authentication and specialized knowledge and techniques. An exploit will not impact the availability of system resources or the integrity of information, but the confidentiality of some of the data managed by TFIM could be compromised.
CVSS Base Score: 3.5
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
All versions of TFIM before 6.2.2 are affected, including those no longer supported.
Affected versions: TFIM 6.1.1, 6.2.0, 6.2.1
Vendor Fixes: Patches and installation instructions are provided at the URLs listed below.
For versions of TFIM that are no longer supported, IBM recommends that customers upgrade to a supported, fixed version of the product.
Workarounds and mitigations:
- Ensure that only qualified users have administrative rights to the TFIM management console, since those rights are needed to enable the "all" trace setting.
- Ensure that only qualified users can access the file system of the TFIM server, where the trace files are written.
*The CVSS Environmental Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Product: Tivoli Federated Identity Manager
Software version: 6.1.1, 6.2, 6.2.1
Operating system(s): AIX, HP-UX, Linux, Solaris, Windows, z/OS
Reference #: 1615977
Modified date: 04 January 2013