Vulnerability Description
The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.
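The description does not name the JDK class that TFIM kept in a static field, but the bug class it describes is well known: java.security.Signature (like MessageDigest and Cipher) is not thread-safe, and a verification is a stateful initVerify/update/verify sequence. If two request threads share one instance, one thread's initVerify or update can reset or replace the data the other thread is about to verify against, so a forged token body can be accepted on the strength of a signature that was computed over a different, legitimate body. The following Java program is an added illustration of that pattern and its fix; it is not TFIM code, and the token format, key size, class and method names are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;

/*
 * Illustrative reconstruction of the bug class behind CVE-2011-3138, not
 * IBM's code. A verifier keeps one static java.security.Signature for the
 * whole JVM and drives it in separate calls, so a second request thread can
 * interleave between them. The hardened variant builds a fresh instance per
 * verification. Token bodies below are constructed sample data.
 */
public class SharedVerifierDemo {

    // VULNERABLE: a single Signature instance shared by every request thread.
    static final class SharedVerifier {
        private static final Signature SHARED;
        static {
            try {
                SHARED = Signature.getInstance("SHA256withRSA");
            } catch (Exception e) {
                throw new ExceptionInInitializerError(e);
            }
        }
        // First half of a verification: another thread may run between this
        // and finish(), and initVerify() resets whatever state was there.
        static void begin(PublicKey pub, byte[] body) throws Exception {
            SHARED.initVerify(pub);
            SHARED.update(body);
        }
        // Second half: verifies over whatever the shared object currently holds,
        // which is not necessarily the body this thread passed to begin().
        static boolean finish(byte[] signature) throws Exception {
            return SHARED.verify(signature);
        }
    }

    // HARDENED: one Signature per call; no state is visible to other threads.
    // (A ThreadLocal<Signature> with the same sequence inside one method also works.)
    static boolean verifyIsolated(PublicKey pub, byte[] body, byte[] signature) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(pub);
        s.update(body);
        return s.verify(signature);
    }

    // Stand-in for the STS signing a token; only needed to produce a valid signature.
    static byte[] sign(PrivateKey priv, byte[] body) throws Exception {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(priv);
        s.update(body);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample tokens: a legitimately signed body, and a forged
        // body the attacker submits together with that legitimate signature.
        byte[] legitBody  = "user=alice;role=user".getBytes(StandardCharsets.UTF_8);
        byte[] legitSig   = sign(kp.getPrivate(), legitBody);
        byte[] forgedBody = "user=alice;role=admin".getBytes(StandardCharsets.UTF_8);

        // The race written out as one fixed interleaving so the result is
        // deterministic; with real threads it occurs whenever two
        // verifications overlap on the shared instance.
        SharedVerifier.begin(kp.getPublic(), forgedBody);        // thread A: attacker's token
        SharedVerifier.begin(kp.getPublic(), legitBody);         // thread B: honest request resets shared state
        boolean sharedResult = SharedVerifier.finish(legitSig);  // thread A: now verifies over thread B's body
        System.out.println("shared static verifier accepted forged body: " + sharedResult);

        boolean isolatedResult = verifyIsolated(kp.getPublic(), forgedBody, legitSig);
        System.out.println("per-call verifier accepted forged body: " + isolatedResult);
    }
}
```

In the shared case the second initVerify/update pair replaces thread A's pending data with legitBody, so thread A's verify(legitSig) succeeds even though the body it was asked to check was forgedBody; the per-call verifier rejects the same forged body with the same signature. In a real deployment the attacker does not control the interleaving, only the rate at which they retry, which is why such bugs are exploitable but not on every attempt. When auditing code that wraps JDK crypto primitives, treat any static or singleton Signature, MessageDigest, Mac or Cipher field as a finding unless every use is under one lock.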
CVSS Score
5.0 (MEDIUM)
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| IBM | Tivoli Federated Identity Manager (TFIM) | 6.2.0 before 6.2.0.9 |
| IBM | Tivoli Federated Identity Manager Business Gateway (TFIMBG) | 6.2.0 before 6.2.0.9 |
References
- http://www-01.ibm.com/support/docview.wss?uid=swg1IV01318
- http://www.ibm.com/support/docview.wss?uid=swg24029497
- http://www.ibm.com/support/docview.wss?uid=swg24029498
- https://exchange.xforce.ibmcloud.com/vulnerabilities/69198
FAQ
What is CVE-2011-3138?
CVE-2011-3138 is a vulnerability with a CVSS score of 5.0 (MEDIUM). The LTPA STS module support implementation in IBM Tivoli Federated Identity Manager (TFIM) 6.2.0 before 6.2.0.9 and Tivoli Federated Identity Manager Business Gateway (TFIMBG) 6.2.0 before 6.2.0.9 relies on a static instance of a Java Development Kit (JDK) class, which might allow attackers to bypass LTPA token signature verification by leveraging lack of thread safety.
How severe is CVE-2011-3138?
CVE-2011-3138 has been rated MEDIUM with a CVSS base score of 5.0/10. The defect is a thread-safety race in the signature check rather than a deterministic logic flaw, so exploitation depends on timing and does not succeed on every attempt; when it does succeed, the impact is acceptance of an LTPA token that was never validly signed, which is an authentication bypass for whatever the STS issues tokens to.
Is there a patch for CVE-2011-3138?
Yes. The affected range is TFIM and TFIMBG 6.2.0 before 6.2.0.9, so updating to 6.2.0.9 or later resolves the issue. The IBM support documents listed under References above carry the vendor advisory and fix information. Affected products: IBM Tivoli Federated Identity Manager, IBM Tivoli Federated Identity Manager Business Gateway.