var-201108-0124
Vulnerability from variot
The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety. IBM LTPA STS is prone to a security vulnerability related to the way it handles threads. The impact of this issue is currently unknown at the moment; however typical scenario may result in a denial-of-service condition or arbitrary data being overwritten. The following products are affected: IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 prior to 6.2.0.9 IBM Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 prior to 6.2.0.9. The product provides web and federated single sign-on (SSO) capabilities to users across multiple applications. Attackers can exploit the lack of thread safety to bypass the signature verification of LTPA tokens
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-201108-0124",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.8"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.2"
},
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.3"
},
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.1"
},
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.8"
},
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.2"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.3"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0.1"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 1.6,
"vendor": "ibm",
"version": "6.2.0"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "lt",
"trust": 0.8,
"vendor": "ibm",
"version": "6.2.0"
},
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.2.0.9"
},
{
"model": "tivoli federated identity manager",
"scope": "lt",
"trust": 0.8,
"vendor": "ibm",
"version": "6.2.0"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 0.8,
"vendor": "ibm",
"version": "6.2.0.9"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.2"
},
{
"model": "tivoli federated identity manager",
"scope": "eq",
"trust": 0.3,
"vendor": "ibm",
"version": "6.2"
},
{
"model": "tivoli federated identity manager business gateway",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "6.2.0.9"
},
{
"model": "tivoli federated identity manager",
"scope": "ne",
"trust": 0.3,
"vendor": "ibm",
"version": "6.2.0.9"
}
],
"sources": [
{
"db": "BID",
"id": "49244"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager:6.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
},
{
"children": [],
"cpe_match": [
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.3:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.8:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.1:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
},
{
"cpe23Uri": "cpe:2.3:a:ibm:tivoli_federated_identity_manager_business_gateway:6.2.0.2:*:*:*:*:*:*:*",
"cpe_name": [],
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "NVD",
"id": "CVE-2011-3138"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "IBM",
"sources": [
{
"db": "BID",
"id": "49244"
}
],
"trust": 0.3
},
"cve": "CVE-2011-3138",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"acInsufInfo": false,
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "NVD",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"severity": "MEDIUM",
"trust": 1.0,
"userInteractionRequired": false,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"acInsufInfo": null,
"accessComplexity": "Low",
"accessVector": "Network",
"authentication": "None",
"author": "NVD",
"availabilityImpact": "None",
"baseScore": 5.0,
"confidentialityImpact": "None",
"exploitabilityScore": null,
"id": "CVE-2011-3138",
"impactScore": null,
"integrityImpact": "Partial",
"obtainAllPrivilege": null,
"obtainOtherPrivilege": null,
"obtainUserPrivilege": null,
"severity": "Medium",
"trust": 0.8,
"userInteractionRequired": null,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"version": "2.0"
},
{
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "NONE",
"exploitabilityScore": 10.0,
"id": "VHN-51083",
"impactScore": 2.9,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:L/AU:N/C:N/I:P/A:N",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "NVD",
"id": "CVE-2011-3138",
"trust": 1.8,
"value": "MEDIUM"
},
{
"author": "CNNVD",
"id": "CNNVD-201108-264",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-51083",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-51083"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety. IBM LTPA STS is prone to a security vulnerability related to the way it handles threads. \nThe impact of this issue is currently unknown at the moment; however typical scenario may result in a denial-of-service condition or arbitrary data being overwritten. \nThe following products are affected:\nIBM Tivoli Federated Identity Manager (TFIM) 6.2.0 prior to 6.2.0.9\nIBM Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 prior to 6.2.0.9. The product provides web and federated single sign-on (SSO) capabilities to users across multiple applications. Attackers can exploit the lack of thread safety to bypass the signature verification of LTPA tokens",
"sources": [
{
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "BID",
"id": "49244"
},
{
"db": "VULHUB",
"id": "VHN-51083"
}
],
"trust": 1.98
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2011-3138",
"trust": 2.8
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-201108-264",
"trust": 0.7
},
{
"db": "AIXAPAR",
"id": "IV01318",
"trust": 0.6
},
{
"db": "BID",
"id": "49244",
"trust": 0.4
},
{
"db": "VULHUB",
"id": "VHN-51083",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-51083"
},
{
"db": "BID",
"id": "49244"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"id": "VAR-201108-0124",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-51083"
}
],
"trust": 0.01
},
"last_update_date": "2023-12-18T13:25:13.422000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "4029498",
"trust": 0.8,
"url": "http://www.ibm.com/support/docview.wss?uid=swg24029498"
},
{
"title": "4029497",
"trust": 0.8,
"url": "http://www.ibm.com/support/docview.wss?uid=swg24029497"
},
{
"title": "IV01318",
"trust": 0.8,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1iv01318"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "NVD-CWE-Other",
"trust": 1.0
},
{
"problemtype": "CWE-DesignError",
"trust": 0.8
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "NVD",
"id": "CVE-2011-3138"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 1.7,
"url": "http://www-01.ibm.com/support/docview.wss?uid=swg1iv01318"
},
{
"trust": 1.7,
"url": "http://www.ibm.com/support/docview.wss?uid=swg24029497"
},
{
"trust": 1.7,
"url": "http://www.ibm.com/support/docview.wss?uid=swg24029498"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/69198"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-3138"
},
{
"trust": 0.8,
"url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2011-3138"
},
{
"trust": 0.3,
"url": "http://www.ibm.com"
},
{
"trust": 0.3,
"url": "https://www-304.ibm.com/support/docview.wss?uid=swg1iv01318"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-51083"
},
{
"db": "BID",
"id": "49244"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-51083"
},
{
"db": "BID",
"id": "49244"
},
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2011-08-12T00:00:00",
"db": "VULHUB",
"id": "VHN-51083"
},
{
"date": "2011-08-18T00:00:00",
"db": "BID",
"id": "49244"
},
{
"date": "2012-03-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"date": "2011-08-12T17:55:01.260000",
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"date": "2011-08-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-29T00:00:00",
"db": "VULHUB",
"id": "VHN-51083"
},
{
"date": "2011-08-18T00:00:00",
"db": "BID",
"id": "49244"
},
{
"date": "2012-03-27T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2011-004865"
},
{
"date": "2017-08-29T01:30:04.910000",
"db": "NVD",
"id": "CVE-2011-3138"
},
{
"date": "2011-08-15T00:00:00",
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
],
"trust": 0.6
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "IBM TFIM and TFIMBG of LTPA STS In module support implementation LTPA Vulnerabilities that bypass token signature verification",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2011-004865"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "design error",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-201108-264"
}
],
"trust": 0.6
}
}
Loading...
Loading...
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.