V-073: IBM Tivoli Federated Identity Manager Signature Verification Flaw Lets Remote Users Modify Attributes

January 21, 2013 - 12:15am

PROBLEM:

IBM Tivoli Federated Identity Manager Signature Verification Flaw Lets Remote Users Modify Attributes

PLATFORM:

Tivoli Federated Identity Manager versions 6.2.0, 6.2.1, 6.2.2

ABSTRACT:

A vulnerability was reported in IBM Tivoli Federated Identity Manager.

REFERENCE LINKS:

IBM Security Bulletin: 1615744
SecurityTracker Alert ID: 1028011
CVE-2012-6359

IMPACT ASSESSMENT:

Medium

DISCUSSION:

The system does not check that all attributes have been signed. A remote user with the ability to conduct a man-in-the-middle attack can modify OpenID message attributes.
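
The following Python example is added here and is not taken from IBM or from the bulletin. It shows the relying-party check this flaw omits: after verifying the OpenID 2.0 signature, it hands the application only the fields named in openid.signed. The HMAC-SHA256 association, the function names and the sample message values are assumptions made for the example.

```python
import base64
import hashlib
import hmac

# OpenID 2.0 requires these in openid.signed (claimed_id/identity only when present).
REQUIRED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")


def mac_b64(params, names, key):
    # Key-value form: "name:value\n" for each signed field, in openid.signed order.
    kv = "".join(f"{n}:{params['openid.' + n]}\n" for n in names)
    return base64.b64encode(hmac.new(key, kv.encode(), hashlib.sha256).digest()).decode()


def trusted_fields(params, key):
    """Return only the signature-covered fields, or None if the assertion is invalid."""
    names = [n for n in params.get("openid.signed", "").split(",") if n]
    if any("openid." + n not in params for n in names):
        return None  # a field listed as signed is missing from the message
    sig = params.get("openid.sig", "").encode()
    if not hmac.compare_digest(mac_b64(params, names, key).encode(), sig):
        return None  # signature does not verify
    must = list(REQUIRED) + [f for f in ("claimed_id", "identity") if "openid." + f in params]
    if any(f not in names for f in must):
        return None  # a mandatory field was left outside the signature
    # Unsigned openid.* fields are dropped here, so callers can never read them.
    return {"openid." + n: params["openid." + n] for n in names}


def sample_assertion(key):
    """Constructed positive assertion; all names and values are made up for the example."""
    p = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/auth",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2013-01-21T00:15:00Zabc123",
        "openid.assoc_handle": "handle-1",
        "openid.claimed_id": "https://op.example/id/alice",
        "openid.identity": "https://op.example/id/alice",
        "openid.ax.value.email": "alice@example.org",
    }
    names = [k[len("openid."):] for k in p]
    p["openid.signed"] = ",".join(names)
    p["openid.sig"] = mac_b64(p, names, key)
    return p
```

Application code should read attributes from the dictionary returned by trusted_fields, never from the raw request parameters.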

IMPACT:

A remote user can modify data.

SOLUTION:

The vendor has issued a fix (APARs IV23451, IV23452, IV23453).