PROBLEM:
IBM Tivoli Federated Identity Manager Signature Verification Flaw Lets Remote Users Modify Attributes
PLATFORM:
Tivoli Federated Identity Manager versions 6.2.0, 6.2.1, 6.2.2
ABSTRACT:
A vulnerability was reported in IBM Tivoli Federated Identity Manager.
REFERENCE LINKS:
IBM Security Bulletin: 1615744
SecurityTracker Alert ID: 1028011
CVE-2012-6359
IMPACT ASSESSMENT:
Medium
DISCUSSION:
The system does not check that every attribute in an OpenID message is covered by the message signature. A remote user with the ability to conduct a man-in-the-middle attack can therefore modify OpenID message attributes that fall outside the signed set without invalidating the signature.
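The check described above, shown as an added example that is not IBM's code and does not reflect Tivoli Federated Identity Manager's implementation: an OpenID 2.0 relying party verifies openid.sig over the fields named in openid.signed, and the hardened acceptance rule additionally rejects any response that carries parameters (here an Attribute Exchange email value) outside that list. The association MAC key, the endpoint URLs and the assertion values are constructed sample data.

```python
import base64
import hashlib
import hmac

# Constructed sample MAC key standing in for the RP/OP association secret.
MAC_KEY = b"constructed-association-mac-key"

# Parameters that form the signing envelope or the protocol framing; everything
# else carried in the response must be covered by openid.signed (example policy).
ENVELOPE = {"openid.sig", "openid.signed", "openid.ns", "openid.mode"}


def kv_form(fields, signed_names):
    """Key-value form over the listed fields, as used for the OpenID 2.0
    signature input (one 'name:value' line per signed field, 'openid.' prefix
    stripped)."""
    return "".join(f"{name}:{fields['openid.' + name]}\n" for name in signed_names)


def sign(fields, signed_names, mac_key=MAC_KEY):
    """Return (openid.signed, openid.sig) for the given field list (HMAC-SHA256)."""
    mac = hmac.new(mac_key, kv_form(fields, signed_names).encode(), hashlib.sha256)
    return ",".join(signed_names), base64.b64encode(mac.digest()).decode()


def signature_valid(fields, mac_key=MAC_KEY):
    """Weak check: only verifies openid.sig over the fields named in openid.signed."""
    signed_names = fields["openid.signed"].split(",")
    try:
        body = kv_form(fields, signed_names)
    except KeyError:  # a field listed as signed is missing from the message
        return False
    expected = hmac.new(mac_key, body.encode(), hashlib.sha256).digest()
    try:
        actual = base64.b64decode(fields["openid.sig"], validate=True)
    except (ValueError, KeyError):
        return False
    return hmac.compare_digest(expected, actual)


def unsigned_attributes(fields):
    """Names of response parameters present in the message but not covered by the signature."""
    signed = {"openid." + n for n in fields["openid.signed"].split(",")}
    return sorted(k for k in fields if k not in ENVELOPE and k not in signed)


def accept_strict(fields, mac_key=MAC_KEY):
    """Hardened check: the signature verifies AND every attribute is signed."""
    return signature_valid(fields, mac_key) and not unsigned_attributes(fields)


def sample_response(sign_extension):
    """Constructed id_res assertion carrying an Attribute Exchange email value.
    sign_extension=False models an OP that signs only the core assertion fields."""
    fields = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/endpoint",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2012-12-01T00:00:00Zabc123",
        "openid.assoc_handle": "constructed-handle",
        "openid.ns.ax": "http://openid.net/srv/ax/1.0",
        "openid.ax.mode": "fetch_response",
        "openid.ax.type.email": "http://axschema.org/contact/email",
        "openid.ax.value.email": "alice@example.org",
    }
    core = ["op_endpoint", "claimed_id", "identity", "return_to",
            "response_nonce", "assoc_handle"]
    ext = ["ns.ax", "ax.mode", "ax.type.email", "ax.value.email"]
    names = core + ext if sign_extension else core
    fields["openid.signed"], fields["openid.sig"] = sign(fields, names)
    return fields


def demo():
    """Show why verifying the signature alone is not enough: a field outside
    openid.signed can change without affecting the signature."""
    partial = sample_response(sign_extension=False)
    changed = dict(partial, **{"openid.ax.value.email": "someone-else@example.org"})
    return {
        "partial_sig_ok": signature_valid(partial),
        "changed_sig_ok": signature_valid(changed),    # True: field not in openid.signed
        "changed_strict_ok": accept_strict(changed),   # False: unsigned attributes present
        "unsigned": unsigned_attributes(changed),
        "full_strict_ok": accept_strict(sample_response(sign_extension=True)),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The strict rule is deliberately conservative: rather than deciding per attribute which values matter, it refuses any assertion where a parameter is present but unsigned, which is the property the discussion above says was missing. A relying party that needs to tolerate unsigned extension parameters should at least strip them before use rather than trust them.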
IMPACT:
A remote user can modify data.
SOLUTION:
The vendor has issued a fix (APARs IV23451, IV23452, IV23453).