IBM BigFix Platform 9.2.x < 9.2.12 / 9.5.x < 9.5.7 Multiple Vulnerabilities
Medium Nessus Plugin ID 104357
Synopsis
An infrastructure management application running on the remote host is affected by multiple vulnerabilities.
Description
According to its self-reported version, the IBM BigFix Platform application running on the remote host is 9.2.x prior to 9.2.12 or 9.5.x prior to 9.5.7. It is, therefore, affected by multiple vulnerabilities:
- An unspecified cross-site request forgery (XSRF) vulnerability allows an attacker to have unauthorized actions performed through the authenticated session of a user that the application trusts. (CVE-2017-1218)
- An unspecified flaw allows the disclosure of sensitive information to unauthorized users. (CVE-2017-1220)
- A missing authentication check on a critical resource or function allows anonymous users to access protected areas. (CVE-2017-1222)
- An information disclosure vulnerability exists because sensitive information is passed in URL parameters, which are recorded in server logs, Referer headers and browser history.
- An information disclosure vulnerability exists because the Secure attribute is not set on cookies, so a browser will also send them over unencrypted HTTP. An attacker could exploit this to obtain sensitive information using man-in-the-middle techniques. (CVE-2017-1228)
- An information disclosure vulnerability exists due to the use of insufficiently random numbers in a security context that depends on unpredictability. An attacker could guess tokens or identifiers and thereby expose sensitive information.
- An information disclosure vulnerability exists because sensitive data is transmitted in cleartext.
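The missing Secure attribute is the one item above that can be confirmed from a single HTTP response rather than from the version string. The following is an added example, not code from IBM, Tenable or this plugin: it parses Set-Cookie headers the way a browser does (attribute names case-insensitive, flag attributes without a value) and lists cookies set without Secure or HttpOnly. The response headers and cookie names are constructed for the example and do not come from a BigFix server.

```python
def parse_set_cookie(header_value):
    """Split one Set-Cookie value into (cookie_name, attributes).

    Attribute names are lower-cased so 'Secure', 'secure' and 'SECURE' all
    count; flag attributes with no value (Secure, HttpOnly) map to None.
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def weak_cookies(headers, required=("Secure", "HttpOnly")):
    """Return [(cookie_name, [missing attributes])] for every Set-Cookie
    header in `headers` (a list of (header_name, value) pairs) that lacks
    one of the required flags. Header names are matched case-insensitively
    because a server may emit either spelling.
    """
    findings = []
    for header_name, value in headers:
        if header_name.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        missing = [flag for flag in required if flag.lower() not in attrs]
        if missing:
            findings.append((name, missing))
    return findings


# Constructed sample response headers (hypothetical cookie names and values,
# not captured from a real BigFix console).
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "SessionId=3f9c21; Path=/; HttpOnly"),    # no Secure: the advisory's case
    ("Set-Cookie", "Prefs=dark; Path=/; Secure; HttpOnly"),  # both flags present
    ("Set-Cookie", "Token=a1b2; path=/; secure"),            # no HttpOnly
]


if __name__ == "__main__":
    for cookie, missing in weak_cookies(SAMPLE_HEADERS):
        print("%s is missing: %s" % (cookie, ", ".join(missing)))
```

Run against the sample it reports SessionId (no Secure) and Token (no HttpOnly); the same function can be fed the header list from any HTTP client that exposes repeated Set-Cookie headers individually rather than joined into one string.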
IBM BigFix Platform was formerly known as Tivoli Endpoint Manager, IBM Endpoint Manager, and IBM BigFix Endpoint Manager.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade to IBM BigFix Platform version 9.2.12 or 9.5.7 or later, depending on the installed branch.
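Because the plugin decides purely on the self-reported version, the check it performs reduces to a branch-aware version comparison against the fixed releases named in the Solution. The following is an added example, not the plugin's own code or anything from Tenable or IBM; the inventory of hostnames and version strings is constructed for illustration. It compares numerically field by field, which matters because a naive string comparison ranks 9.2.9 above 9.2.12, and it deliberately returns False for branches the advisory does not mention rather than guessing about them.

```python
import re

# Fixed releases per affected branch, as stated in the advisory above.
FIXED_BY_BRANCH = {
    (9, 2): (9, 2, 12),
    (9, 5): (9, 5, 7),
}


def parse_version(text):
    """Turn a version string such as '9.5.6.63' into a tuple of ints.

    Only the leading dotted numeric fields count, so a trailing build tag
    like '9.5.6-beta' is dropped. Anything else raises ValueError.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError("not a dotted numeric version: %r" % (text,))
    return tuple(int(p) for p in m.group(1).split("."))


def is_affected(version_text):
    """True if the version is 9.2.x below 9.2.12 or 9.5.x below 9.5.7.

    A branch the advisory does not name (9.1.x, 9.0.x, ...) returns False:
    this check has nothing to say about it, which is not a statement that
    such a version is safe.
    """
    v = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return False
    # Tuples compare numerically field by field, so (9, 2, 9) < (9, 2, 12)
    # holds; a string comparison would get it backwards ('9.2.9' > '9.2.12').
    # A longer tuple with an equal prefix, e.g. 9.2.12.10, compares greater
    # than the fixed release and is therefore not flagged.
    return v < fixed


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = {
    "bigfix-root-01": "9.5.6.63",
    "bigfix-root-02": "9.5.7.90",
    "bigfix-relay-03": "9.2.11.25",
    "bigfix-relay-04": "9.2.12.10",
    "bigfix-legacy-05": "9.1.1294.0",
}


def affected_hosts(inventory):
    """Sorted names of hosts whose self-reported version is in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host in affected_hosts(SAMPLE_INVENTORY):
        print("%s: %s is affected, upgrade" % (host, SAMPLE_INVENTORY[host]))
```

The same caveat the plugin states applies to this check: it proves nothing about whether the flaws are actually exploitable on a host, only that the reported version predates the fix.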