IBM Tivoli Access Manager for e-Business WebSEAL Multiple Vulnerabilities

This script is Copyright (C) 2013-2014 Tenable Network Security, Inc.


Synopsis :

An access and authorization control management system installed on
the remote host is affected by multiple vulnerabilities.

Description :

According to its self-reported version, the install of the IBM Tivoli
Access Manager for e-Business WebSEAL component is affected by the
following vulnerabilities :

- An input validation error exists that could allow
directory traversal attacks with an unspecified
impact. (CVE-2010-4622, CVE-2011-0494)

- An error exists related to 'shift-reload' actions that
could allow an authenticated attacker to cause denial
of service conditions. Note that only the 6.1.1.x
branch is affected by this issue. (CVE-2010-4623)

See also :

http://www.nessus.org/u?ab359a72
http://www-01.ibm.com/support/docview.wss?uid=swg24025790
http://www.nessus.org/u?401de4a7
http://www.nessus.org/u?5007bc88
http://www-01.ibm.com/support/docview.wss?uid=swg24028829

Solution :

Apply interim fix 5.1.0.39-TIV-AWS-IF0040, 6.0.0.25-TIV-AWS-IF0026 or
6.1.0.5-TIV-AWS-IF0006 (or later) for the corresponding release, or
apply fixpack 6.1.1-TIV-AWS-FP0001 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Misc.

Nessus Plugin ID: 70139

Bugtraq ID: 45582, 45665, 45836

CVE ID: CVE-2010-4622, CVE-2010-4623, CVE-2011-0494