PT-2012-15: Multiple vulnerabilities in IBM InfoSphere Guardium

(PT-2012-15) Positive Technologies Security Advisory
Multiple vulnerabilities in IBM InfoSphere Guardium

Vulnerable software

IBM InfoSphere Guardium
Version 8.2 and earlier

Application link:
http://www.ibm.com/software/data/guardium/

Software description

IBM InfoSphere Guardium is a solution used to monitor, audit and control data access that is handled in up-to-date enterprise BDMSs.

1. Cross-Site Request Forgery

Severity level

Severity level: Medium
Impact: Cross-Site Request Forgery
Access Vector: Network exploitable 

CVSS v2:
Base Score: 6.8
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE: CVE-2012-3309

Vulnerability description

The specialists of the Positive Research center have detected "Cross-Site Request Forgery" vulnerability in IBM InfoSphere Guardium.

The vulnerability was discovered in Account creation panel. Successful exploitation of the vulnerability allows an attacker to create an administrator account.

How to fix

Use vendor's advisory:
http://www-01.ibm.com/support/docview.wss?uid=swg21609223

 

2. Sensitive Data Disclosure

Severity level

Severity level: Medium
Impact: Sensitive Data Disclosure
Access Vector: Network exploitable 

CVSS v2:
Base Score: 5
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE: CVE-2012-3312

Vulnerability description

The specialists of the Positive Research center have detected "Sensitive Data Disclosure" vulnerability in IBM InfoSphere Guardium.

Datasource Definition editor sends login and password for the configured database in clear text, if "Save Password" is enabled.

How to fix

Apply fixes:

Version 8.2: SqlGuard-8.2p100_GPU_July_2012 on FixCentral
Version 8.01: SqlGuard-8.01p100_GPU_July_2012 on FixCentral
Version 8.0: InfoSphere_Gaurdium_8.0p9010 on FixCentral

Advisory status

25.06.12 - Vendor is notified
25.06.12 - Vendor gets vulnerability details
15.08.12 - Vendor releases fixed version and details
30.08.12 - Public disclosure

Credits

The vulnerabilities was discovered by Igor Bulatenko, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-15
http://www-01.ibm.com/support/docview.wss?uid=swg21609223
http://www-01.ibm.com/support/docview.wss?uid=swg21609224

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

About Positive Technologies

Positive Technologies www.ptsecurity.com is among the key players in the IT security market in Russia.

The principal activities of the company include the development of integrated tools for information security monitoring (MaxPatrol); providing IT security consulting services and technical support; development of the Securitylab leading Russian information security portal.

Among the clients of Positive Technologies, there are more than 40 state enterprises, more than 50 banks and financial organizations, 20 telecommunication companies, more than 40 plant facilities, as well as IT, service and retail companies from Russia, the CIS countries, the Baltic States, China, Ecuador, Germany, Great Britain, Holland, Iran, Israel, Japan, Mexico, the Republic of South Africa, Thailand, Turkey, and the USA.

Positive Technologies is a team of highly skilled developers, advisers and experts with years of vast hands-on experience. The company specialists possess professional titles and certificates; they are the members of various international societies and are actively involved in the IT security field development.