
U-116: IBM Tivoli Provisioning Manager Express for Software Distribution Multiple Vulnerabilities

March 5, 2012 - 7:00am


PROBLEM:

IBM Tivoli Provisioning Manager Express for Software Distribution Multiple Vulnerabilities

PLATFORM:

IBM Tivoli Provisioning Manager Express for Software Distribution 4.x

ABSTRACT:

Multiple vulnerabilities have been reported in IBM Tivoli Provisioning Manager Express for Software Distribution, which can be exploited by malicious people to conduct SQL injection attacks and compromise a user's system.

REFERENCE LINKS:

Secunia Advisory SA48216
CVE-2012-0198
CVE-2012-0199

IMPACT ASSESSMENT:

High

Discussion:

Two issues are reported:

1) Certain input passed via "Printer.getPrinterAgentKey" to the SoapServlet servlet is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code (CVE-2012-0198).

2) A boundary error in the "RunAndUploadFile()" method of the Isig.isigCtl.1 ActiveX control can be exploited to cause a stack-based buffer overflow, e.g. when a user visits a web page that instantiates the control and calls the method with overly long input (CVE-2012-0199).

Impact:

Successful exploitation of the SQL injection allows an attacker to read or manipulate data through the application's database queries. Successful exploitation of the ActiveX buffer overflow may allow execution of arbitrary code on the user's system with the privileges of the user running the browser.

Solution:

Filter malicious characters and character sequences in requests to the SoapServlet servlet using a proxy (preferably by allowlisting the characters a valid value may contain rather than blocklisting known SQL metacharacters, which is easy to bypass). Set the kill-bit for the affected ActiveX control, i.e. set the Compatibility Flags DWORD value to 0x400 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID>, where <CLSID> is the class ID registered for the ProgID Isig.isigCtl.1, so that Internet Explorer no longer instantiates the control.
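The following is an added example, not code from IBM or from the product, illustrating both the injection described in the Discussion and the proxy-side filter suggested in the Solution. It assumes a toy printer_agent table, a SOAP envelope with the method element directly under Body and one child element per argument, a parameter named printerName, and a printer-name allowlist of letters, digits, dot, underscore and hyphen; none of these are taken from the real product.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SOAP_NS = {"soap": "http://schemas.xmlsoap.org/soap/envelope/"}

# Allowlist for a printer name. The character set and length are an
# assumption for this example, not a rule taken from the product.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_.-]{1,64}")

# Constructed injection payload used throughout the example.
INJECTION = "' OR '1'='1"


def make_db():
    """Constructed in-memory table standing in for whatever the real
    servlet queries; the schema is invented for this example."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE printer_agent (printer_name TEXT, agent_key TEXT);
        INSERT INTO printer_agent VALUES ('lobby-hp', 'KEY-LOBBY');
        INSERT INTO printer_agent VALUES ('hr-laser', 'KEY-HR');
        """
    )
    return db


def vulnerable_get_printer_agent_key(db, printer_name):
    """The bug class in the advisory: the caller's value is pasted into
    the SQL text, so a quote in it changes the statement's structure."""
    sql = ("SELECT agent_key FROM printer_agent WHERE printer_name = '"
           + printer_name + "'")
    return [row[0] for row in db.execute(sql)]


def safe_get_printer_agent_key(db, printer_name):
    """Parameterised form: the value is bound and never parsed as SQL."""
    sql = "SELECT agent_key FROM printer_agent WHERE printer_name = ?"
    return [row[0] for row in db.execute(sql, (printer_name,))]


def soap_request(printer_name):
    """Builds a constructed SoapServlet request (envelope layout and
    parameter name are assumptions for the example)."""
    return (
        '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">'
        "<soap:Body><Printer.getPrinterAgentKey>"
        "<printerName>" + escape(printer_name) + "</printerName>"
        "</Printer.getPrinterAgentKey></soap:Body></soap:Envelope>"
    )


def screen_soap_request(xml_text):
    """Proxy-side check: parse the envelope, pull out the method and its
    arguments, and reject any argument that fails the allowlist.
    Returns (method, args, names of rejected args)."""
    root = ET.fromstring(xml_text)
    body = root.find("soap:Body", SOAP_NS)
    call = body[0]
    args = {child.tag: (child.text or "") for child in call}
    rejected = [name for name, value in args.items()
                if SAFE_VALUE.fullmatch(value) is None]
    return call.tag, args, rejected


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_get_printer_agent_key(db, INJECTION))  # every key leaks
    print(safe_get_printer_agent_key(db, INJECTION))        # nothing matches
    print(screen_soap_request(soap_request(INJECTION)))     # printerName rejected
```

The allowlist is deliberately narrow: a blocklist of quotes and SQL keywords would miss encodings and comment tricks, and would wrongly reject legitimate names containing words like "and". A proxy filter is only a workaround; the durable fix is the parameterised query shown in safe_get_printer_agent_key.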
