PT-2012-15: Multiple vulnerabilities in IBM InfoSphere Guardium

Vulnerable software

IBM InfoSphere Guardium
Version 8.2 and earlier

Application link:
http://www.ibm.com/software/data/guardium/

Software description

IBM InfoSphere Guardium is a solution used to monitor, audit and control data access that is handled in up-to-date enterprise BDMSs.

1. Cross-Site Request Forgery

Severity level

Severity level: Medium
Impact: Cross-Site Request Forgery
Access Vector: Network exploitable 

CVSS v2:
Base Score: 6.8
Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:P)

CVE: CVE-2012-3309

Vulnerability description

The specialists of the Positive Research center have detected "Cross-Site Request Forgery" vulnerability in IBM InfoSphere Guardium.

The vulnerability was discovered in Account creation panel. Successful exploitation of the vulnerability allows an attacker to create an administrator account.

How to fix

Use vendor's advisory:
http://www-01.ibm.com/support/docview.wss?uid=swg21609223

 

2. Sensitive Data Disclosure

Severity level

Severity level: Medium
Impact: Sensitive Data Disclosure
Access Vector: Network exploitable 

CVSS v2:
Base Score: 5
Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVE: CVE-2012-3312

Vulnerability description

The specialists of the Positive Research center have detected "Sensitive Data Disclosure" vulnerability in IBM InfoSphere Guardium.

Datasource Definition editor sends login and password for the configured database in clear text, if "Save Password" is enabled.

How to fix

Apply fixes:

Version 8.2: SqlGuard-8.2p100_GPU_July_2012 on FixCentral
Version 8.01: SqlGuard-8.01p100_GPU_July_2012 on FixCentral
Version 8.0: InfoSphere_Gaurdium_8.0p9010 on FixCentral

Advisory status

25.06.12 - Vendor is notified
25.06.12 - Vendor gets vulnerability details
15.08.12 - Vendor releases fixed version and details
30.08.12 - Public disclosure

Credits

The vulnerabilities was discovered by Igor Bulatenko, Positive Research Center (Positive Technologies Company)

References

http://en.securitylab.ru/lab/PT-2012-15
http://www-01.ibm.com/support/docview.wss?uid=swg21609223
http://www-01.ibm.com/support/docview.wss?uid=swg21609224

Reports on the vulnerabilities previously discovered by Positive Research:

http://ptsecurity.com/research/advisory/
http://en.securitylab.ru/lab/

Threatscape