Two vulnerabilities in IBM Security Access Manager

1) Privilege escalation

EUVDB-ID: #VU6917

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2016-3051

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to gain elevated privileges on the target server.

The weakness exists due to improper privilege controls. A remote attacker can access some privileged functionality of the server.

Mitigation

Update to version 9.0.3.0.
http://www-01.ibm.com/software/passportadvantage/pacustomers.html

Vulnerable software versions

IBM Security Verify Access: 9.0.0 - 9.0.2

CPE2.3

• cpe:2.3:a:ibm_corporation:security_access_manager:9.0.2:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg21995724

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?

2) Information disclosure

EUVDB-ID: #VU6918

Risk: Low

CVSSv3.1:

CVE-ID: CVE-2016-3019

CWE-ID: CWE-261 - Weak Cryptography for Passwords

Exploit availability: No

Description

The vulnerability allows a remote authenticated attacker to obtain potentially sensitive information on the target system.

The weakness exists due to use of weak cryptographic algorithms for password stash files. A remote attacker can decrypt highly sensitive information.

Successful exploitation of the vulnerability results in passwords disclosure.

Mitigation

Install update from vendor's website.

Vulnerable software versions

IBM Security Verify Access: 9.0.0 - 9.0.3

CPE2.3

• cpe:2.3:a:ibm_corporation:security_access_manager:9.0.3:*:*:*:*:*:*:*

External links

http://www-01.ibm.com/support/docview.wss?uid=swg21988419

Q & A

Can this vulnerability be exploited remotely?

How the attacker can exploit this vulnerability?

Is there known malware, which exploits this vulnerability?