IBM Tivoli Provisioning Manager LDAP Access Control Bug Lets Remote Users Execute SOAP Commands
|
SecurityTracker Alert ID: 1021394 |
SecurityTracker URL: http://securitytracker.com/id/1021394
|
CVE Reference: CVE-2008-5686
|
Updated: Dec 23 2008
|
Original Entry Date: Dec 15 2008
|
Impact:
Disclosure of user information, Modification of user information
|
Fix Available: Yes
|
Vendor Confirmed: Yes
|
Version(s): 5.1, 5.1.0.2, 5.1.1, 5.1.1.1
|
Description:
A vulnerability was reported in IBM Tivoli Provisioning Manager. A remote authenticated user can execute arbitrary SOAP commands on the target system.
A remote authenticated LDAP user within the domain or suffix used by Tivoli Provisioning Manager (TPM), Tivoli Provisioning Manager for Software (TPMfSW), or Tivoli Intelligent Orchestrator (TIO) can execute SOAP commands, even if no account for that user has been created in the TPM user records.
Systems using LDAP authentication and sharing the LDAP service with other applications are affected.
Systems using the LDAP service only for Tivoli Provisioning Manager authentication are not affected.
|
Impact:
A remote authenticated user can execute arbitrary SOAP commands on the target system.
|
Solution:
The vendor has issued a fix (Interim Fix IF0006 for 5.1.1.1).
The vendor's advisory is available at:
http://www-01.ibm.com/support/docview.wss?uid=swg21330228
|
Vendor URL: www-01.ibm.com/support/docview.wss?uid=swg21330228
|
Cause:
Access control error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (Solaris - SunOS), Windows (2003)
|
Message History:
None.
|