SB2023092013 - Multiple vulnerabilities in IBM Control Desk

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2012-5783)

The vulnerability allows a remote attacker to perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.

The vulnerability exists due to Apache Commons HttpClient does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A remote attacker can perform a man-in-the-middle attack to spoof SSL servers via an arbitrary valid certificate.

2) Improper Certificate Validation (CVE-ID: CVE-2014-3577)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to improper certificate validation. A remote attacker can perform a man-in-the-middle (MitM) attack and spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate.

3) Input validation error (CVE-ID: CVE-2012-6153)

The vulnerability allows a remote attacker to modify files on the system.

The vulnerability exists due to Apache Commons HttpClient does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate. A remote attacker can pass specially crafted input to the application and modify files on the system.

4) Resource management error (CVE-ID: CVE-2015-5262)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to improper management of internal resources within the application. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Remediation

Install update from vendor's website.

References

• https://www.ibm.com/support/pages/node/6847289