
CERT Coordination Center

IBM Tivoli Directory Server may allow unauthorized access

Vulnerability Note VU#194753

Original Release Date: 2005-11-17 | Last Revised: 2005-12-08

Overview

IBM Tivoli Directory Server may allow unauthorized access to change, modify, and/or delete directory data under certain circumstances.

Description

The IBM Tivoli Directory Server product is described as:

IBM Tivoli Directory Server provides a powerful Lightweight Directory Access Protocol (LDAP) identity infrastructure that is the foundation for deploying comprehensive identity management applications and advanced software architectures like Web services.

The Tivoli Directory Server may allow unauthorized access, enabling attackers to manipulate directory data that they should not be able to read or change. Additional details about the underlying cause of the vulnerability are not available.

Impact

An attacker may be able to access, delete, modify, or change directory data.

Solution

Apply an update

Please reference the IBM Security Vulnerability note on this issue for information on updates, fixes, and workarounds.

Use SSL communication and authentication

Enabling SSL-only communication and SSL client-server authentication is believed to prevent the flaw from being exposed, although all customers are urged to apply the updates.
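As an added example (not code from IBM or CERT/CC), the following script audits an LDIF export of the ITDS SSL configuration entry for the two settings the workaround above depends on: SSL-only communication and client certificate authentication. The attribute names ibm-slapdSecurity and ibm-slapdSslAuth and their values are assumed from the ITDS configuration schema; confirm them against the documentation for your version.

```python
"""Audit an exported IBM Tivoli Directory Server SSL configuration entry."""

# Constructed sample: LDIF export of the cn=SSL,cn=Configuration entry with the
# weak settings (SSL optional, no client certificate required).
# Attribute names are assumed from the ITDS schema; verify for your version.
WEAK_LDIF = """\
dn: cn=SSL, cn=Configuration
cn: SSL
ibm-slapdSecurity: SSL
ibm-slapdSslAuth: serverAuth
ibm-slapdSslPort: 636
ibm-slapdSslKeyDatabase: /home/ldapdb2/etc/key.kdb
objectclass: ibm-slapdSSLConfig
"""

# Constructed sample: the same entry with the mitigation applied.
HARDENED_LDIF = WEAK_LDIF.replace("ibm-slapdSecurity: SSL\n",
                                  "ibm-slapdSecurity: SSLOnly\n") \
                         .replace("ibm-slapdSslAuth: serverAuth",
                                  "ibm-slapdSslAuth: serverClientAuth")


def parse_ldif_entry(text):
    """Parse one LDIF entry into {lowercased attr: [values]}.
    Handles folded continuation lines (leading space); base64 (::) values
    are not decoded, which is fine for the plain string attributes checked here."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # folded continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    attrs = {}
    for line in lines:
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return attrs


def audit_ssl_config(text):
    """Return a list of findings; an empty list means both mitigations are set."""
    attrs = parse_ldif_entry(text)
    findings = []
    security = attrs.get("ibm-slapdsecurity", ["none"])[0]
    if security.lower() != "sslonly":
        findings.append(f"ibm-slapdSecurity is '{security}': unencrypted binds "
                        "are still accepted; set SSLOnly")
    auth = attrs.get("ibm-slapdsslauth", ["serverAuth"])[0]
    if auth.lower() != "serverclientauth":
        findings.append(f"ibm-slapdSslAuth is '{auth}': clients need not present "
                        "a certificate; set serverClientAuth")
    return findings
```

Run it against `ldapsearch -x -D cn=root -W -b "cn=SSL,cn=Configuration" -s base` output from each server; both findings should be absent before relying on the workaround in place of the fix.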

Vendor Information


IBM Corporation

Notified:  November 03, 2005 Updated:  November 17, 2005

Status

  Vulnerable

Vendor Statement

INTRODUCTION
A potential security vulnerability has been identified by IBM for the
IBM Tivoli Directory Server (ITDS), version 5.2.0 and 6.0.0.

LAST UPDATE
This information has been updated as of November 7th, 2005

STATUS
IBM has identified a vulnerability that would allow unauthorized access
to change, modify and/or delete directory data stored in IBM Tivoli
Directory Server. While it is not believed that this vulnerability
exists when the IBM Tivoli Directory Server is set to use SSL only and
SSL Client Server authentication, IBM strongly recommends that all
customers update their installation with the correct fix.

Customers are strongly recommended to apply the appropriate fix as soon
as possible.

Please refer to the following link for more information:
http://www-1.ibm.com/support/docview.wss?uid=swg21221665

QUESTIONS
For any questions, support can be obtained through the following means:
- Local call center - A list of country-specific phone numbers can be
  found at:
  http://techsupport.services.ibm.com/guides/contacts.html
- Create PMR through the online support page:
  http://www-306.ibm.com/software/support/probsub.html

Please refer to http://www-3.ibm.com/software/sysmgmt/products/support/
for information regarding these options.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please reference the IBM Security Vulnerability note on this issue for information on updates, fixes, and workarounds.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer

Notified:  November 17, 2005 Updated:  November 17, 2005

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Acknowledgements

Thanks to IBM for reporting this vulnerability.

This document was written by Ken MacInnis.

Other Information

CVE IDs: None
Severity Metric: 17.93
Date Public: 2005-11-09
Date First Published: 2005-11-17
Date Last Updated: 2005-12-08 15:33 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.