[I took these notes between 2013 – 2014 primarily, about all the frustrations with IBM and their vulnerability disclosures. They have improved in many ways since then, to be sure. But there are still frustrations around how they refer to e.g. ‘Fix pack’, product naming confusion, and more. Since these notes, IBM has rebranded entire product lines further making it ‘fun’ to track names. Worse, a majority of old advisories and changelogs are now 404 without redirects to the new version. I am publishing the notes as is, dated appropriately, without cleaning up for a blog.]
IBM advisories are a clusterfuck! 114 mails back and forth that I saved since Jan 1, 2013, some contain multiple errors in advisories…
- routinely change up version schemes, even within 1 advisory https://www-304.ibm.com/support/docview.wss?uid=nas8N1020463 V5R3 instead of ‘5.3.0’ 6.1 instead of ‘6.1.0’
- change ‘Fix Pack’ ‘Fix pack’ ‘FixPack’ etc, then ‘Appliance Fix Pack’ sometimes
- don’t always ref the CVEs http://www-01.ibm.com/support/docview.wss?uid=isg400002042 (FP9)
- told a CVE is wrong, keep using it anyway 2014-8730 (told them Jan 8, reminded Jan 28, then link to most recent using)
- contradicting versions affected in same advisory http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096942 “All products affected when running a version below V6.4.1.7 or V7.1.0.6.” which contradicts the fix versions mentioned below
- http://www-01.ibm.com/support/docview.wss?uid=swg21685522 “all versions” affected is lazy, immediately say 2.8.1.0 is not affected
- not consistent on product names http://www-01.ibm.com/support/docview.wss?uid=swg21681428 ‘Mashup Center’ or ‘MashupCenter’
- http://www-01.ibm.com/support/docview.wss?uid=swg21622956 http://www-01.ibm.com/support/docview.wss?uid=swg21587401 trying to figure out what software is affected, what versions are fixed… guh. not sure where to start.
- mixing up common vuln name (POODLE) with completely different TLS padding issue (2014-8730, which they shouldn’t be using) routinely
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_tls_padding_vulnerability_affects_ibm_db2_luw_cve_2014_8730?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_tls_padding_vulnerability_affects_ibm_security_siteprotector_cve_2014_8730?lang=en_us
https://www-304.ibm.com/connections/blogs/PSIRT/entry/ibm_security_bulletin_tls_padding_vulnerability_affects_ibm_sterling_connect_direct_for_microsoft_windows_cve_2014_8730?lang=en_us
- we routinely tell xforce about open IDs, IBM doesn’t
- xforce, IBM’s own VDB, can’t keep up with the advisories
http://www-01.ibm.com/support/docview.wss?uid=swg21688596
Cognos Metrics Manager
Cognos Metrics Manager
Cognos Business Intelligence (Metrics Studio?)
Cognos Metrics Manager
Cognos Business Intelligence
Cognos Business Intelligence
which product is really affected?
https://www-304.ibm.com/support/docview.wss?rs=86&uid=swg21691923
More support for:
FileNet System Monitor
Software version:
4.5.0, 5.1, 5.2
Affected Products and Versions
IBM FileNet System Monitor v4.5.0
IBM Enterprise Content Management System Monitor v5.1.0
IBM Enterprise Content Management System Monitor v5.2.0
First implies the three versions are all for ‘FileNet System Monitor’, second implies not. Which is it?
http://www-01.ibm.com/support/docview.wss?uid=swg1JR51742
POSSIBLE ON IBM PROCESS PORTAL THROUGH A GETLOCALES.JSP FILE
IBM Process Portal getlocales.jsp file without your knowledge.
parameters being passed through the getLocales.jsp file.
Same script, three variations due to caps. Since IBM is fond of using Apache for example, that matters as requests are handled in a case-sensitive manner.
http://www-01.ibm.com/support/docview.wss?uid=isg400002016
IBM Tivoli Composite Application Manager for Transactions Response Time 7.4 Interim Fix 25 README Tivoli Composite Application Manager for Transactions 7.4.0.0 7.4.0.0-TIV-CAMRT-IF0025 Readme
Readme file for: 7.4.0.0-TIV-CAMRT-IF0025
Product/Component Release: 7.4.0.0
Fix ID: 7.4.0.0-TIV-CAMRT-AIX-IF0025, 7.4.0.0-TIV-CAMRT-LINUX-IF0025, 7.4.0.0-TIV-CAMRT-WINDOWS-IF0025
This upgrade for ITCAM for Robotic Response Time may be applied to the following base versions.
So pretty clear:
TIV-CAMRT = Tivoli Composite Application Manager for Transactions Response Time
However, is “Tivoli Composite Application Manager for Transactions” a separate product? Where did “ITCAM for Robotic Response Time” come from? Why is “TIV-CAMRT” used and then “ITCAM” later, where your own initialisms are not standard?
Why in the HELL are you issuing four advisories to cover the same issues for four different trees, instead of combining them? You combine them in other product trees / advisories, then split them out for no apparent reason on others.
http://www-01.ibm.com/support/docview.wss?uid=swg21672887
Software version:
9.7
Operating system(s):
AIX 6.1
Installation instructions
IBM Smart Analytics System 7700 Fix Pack 2.1.3.0 readme document
9.7 on 6.1 with 2.1.3.0 to fix seems very odd.
http://www-01.ibm.com/support/docview.wss?uid=swg21672572
Please pass around to your teams that they should really re-read the CVSSv2 guidelines regarding access complexity (AC). The frequency we see AC:M is ridiculously high and it seems pretty clear that many of your scores are inaccurate as a result. This in turn makes it more difficult to accept the rest of your scoring.
http://www-01.ibm.com/support/docview.wss?uid=swg21662856
didn’t link to correct XF originally
https://www-304.ibm.com/support/docview.wss?uid=swg21663022
It’s also possible that an authenticated yet malicious user could employ the feature to retrieve and delete files.
CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:P/A:N)
However, it is possible that customers may misconfigure these security constraints allowing unauthenticated access to the feature.
^ You don’t score CVSS based on the customer doing something stupid. You score it on the actual vuln, which is described as authenticated. Means CVSS should likely be Au:S =)
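To put numbers on the scoring complaints above (the high frequency of AC:M, and Au:N used for a feature the same bulletin describes as authenticated), here is a small CVSS v2 base-score calculator. It is an added example, not code from these notes or from IBM; the weights are the published CVSS v2.0 constants, and the vector it starts from is the one quoted from the bulletin above, with Au:S and AC:L variants to show how much each single metric moves the score.

```python
"""CVSS v2 base-score arithmetic (added example, not from the notes or IBM).

Weights are the CVSS v2.0 specification constants. The sample vector is the
one quoted in the notes; the variants show the effect of one metric change.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base-metric weights from the v2.0 specification.
AV = {"L": 0.395, "A": 0.646, "N": 1.0}      # Access Vector
AC = {"H": 0.35, "M": 0.61, "L": 0.71}       # Access Complexity
AU = {"M": 0.45, "S": 0.56, "N": 0.704}      # Authentication
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}     # Confidentiality / Integrity / Availability

_ORDER = ("AV", "AC", "Au", "C", "I", "A")


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:M/Au:N/C:P/I:P/A:N', with or without surrounding parentheses."""
    parts = vector.strip().strip("()").split("/")
    metrics = dict(p.split(":") for p in parts)
    if set(metrics) != set(_ORDER):
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return metrics


def _round1(x: float) -> float:
    # The spec rounds to one decimal place; Decimal avoids binary-float surprises.
    return float(Decimal(str(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def base_score(vector: str) -> float:
    """CVSS v2 base score as defined in the v2.0 specification."""
    m = parse_vector(vector)
    impact = 10.41 * (1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]]))
    exploitability = 20 * AV[m["AV"]] * AC[m["AC"]] * AU[m["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def with_metric(vector: str, metric: str, value: str) -> str:
    """Return the vector with one metric replaced, in canonical metric order."""
    m = parse_vector(vector)
    m[metric] = value
    return "/".join(f"{k}:{m[k]}" for k in _ORDER)


def score_delta(vector: str, metric: str, value: str) -> float:
    """How far the base score moves when a single metric is changed."""
    return _round1(base_score(with_metric(vector, metric, value)) - base_score(vector))


if __name__ == "__main__":
    published = "(AV:N/AC:M/Au:N/C:P/I:P/A:N)"   # vector quoted in the bulletin above
    print(published, "->", base_score(published))
    print("Au:S instead of Au:N ->", base_score(with_metric(published, "Au", "S")))
    print("AC:L instead of AC:M ->", base_score(with_metric(published, "AC", "L")))
```

Scoring the authenticated case (Au:S) drops the quoted vector from 5.8 to 4.9, and rating the same issue AC:L rather than AC:M raises it to 6.4, so those two metrics alone span a 1.5-point band on a 10-point scale, which is why inconsistent use of them makes the rest of a vendor's scoring hard to trust.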
[2015-02-15 18:22] jericho: CVE search caught up to today, Feb 15
[2015-02-15 18:22] jericho: PSIRT blog has https://www-304.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_security_vulnerabilities_in_open_ssl_openssh_and_curl_affect_the_integrated_management_module_ii_imm2?lang=en_us dated Feb 11
[2015-02-15 18:22] jericho: that refs the base source of http://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096747 which says:
Change History
9 December 2014: Original Copy Published
http://www-01.ibm.com/support/docview.wss?uid=swg21693298
contradictory version info
‘up to 4.0.7 or 5.0.2’ when clearly listed as affected above
Rational Team Concert 3.0 – 3.0.6 iFix3 = clearly 3.0.1.6
For the 3.x releases of Rational Software Architect Design Manager and Rhapsody Design Manager, if you cannot upgrade to 4.0.7 or 5.0, contact IBM support for guidance. (yet 5.0 listed as affected)
http://www-01.ibm.com/support/docview.wss?uid=swg1PI32777
http://www-01.ibm.com/support/docview.wss?uid=swg1IT06459
IT06459: The Java implementation shipped with the WebSphere DataPower XC10 Appliance contains an unspecified vulnerability.
(then go on to outline, in good detail, the two vulnerabilities)
cvss scores wonky all the time
http://www-01.ibm.com/support/docview.wss?uid=swg21697908
Description: A reflected cross site scripting vulnerability could allow an injection of a client-side script that could be used to steal cookies or user data.
CVSS Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N
http://www-01.ibm.com/support/docview.wss?uid=nas3e68bfe3ff3840f8d862576b7005d94e0
no orig publish date on half their stuff, only last updated
http://www-01.ibm.com/support/docview.wss?uid=nas366b9f6d14e1e1d7f862579aa00583410
SI43746 HTTPSVR – Fix HTTP server startup parameter -D/-M not work
SI43645 HTTPSVR – Patch Apache Vulnerability CVE-2011-0419 and CVE-2 <– helpful
SI43220 HTTPSVR-THREADS-PERFM CGI APPLICATION TAKES LONGER THAN EXPE
https://www-947.ibm.com/support/entry/portal/docdisplay?lndocid=MIGR-5096930
All products are affected when running Release 7.2. All 7.2 fix levels starting with 7.2.0.0 and up to but not including version 7.2.0.8 are impacted. No other code releases are vulnerable.
Lenovo recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500 and IBM Flex System V7000 to one of the following code levels or higher:
7.1.0.8 <– “upgrade” to a lower tree? or 7.2.0.8 they mean
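The version problems noted throughout (V5R3 next to 5.3.0, 6.1 next to 6.1.0, 7.4.0.0-TIV-CAMRT-IF0025 style fix IDs, an affected range that contradicts the fix levels, and here a "fix" at 7.1.0.8 for a 7.2 tree) are the kind of thing a consumer of these advisories ends up checking by machine. The following is an added example, not code from the notes or from IBM: it normalizes those spellings into comparable tuples and flags a recommended fix that does not actually sit above the affected range. The VxRyMz reading follows IBM i version/release/modification notation; treating a trailing -IFnnnn as an interim-fix number on top of the base version is an assumption made here.

```python
"""Version-string normalization and fix-level sanity checks for vendor
advisories (added example, not from the notes or IBM).

Assumptions: 'VxRyMz' is IBM i version/release/modification notation, and a
'-...-IFnnnn' suffix is an interim fix numbered nnnn on top of the base version.
"""
import re
from typing import List, NamedTuple, Tuple


class Version(NamedTuple):
    base: Tuple[int, ...]   # always four components, e.g. (7, 4, 0, 0)
    ifix: int               # interim fix number, 0 if none


_VRM = re.compile(r"^V(\d+)R(\d+)(?:M(\d+))?$", re.IGNORECASE)
_DOTTED = re.compile(r"^V?(\d+(?:\.\d+)*)(?:-[A-Z0-9-]*?IF0*(\d+))?$", re.IGNORECASE)


def normalize(text: str) -> Version:
    """Turn 'V5R3', '5.3.0', '6.1', 'V6.4.1.7' or '7.4.0.0-TIV-CAMRT-IF0025' into a Version."""
    s = text.strip()
    m = _VRM.match(s)
    if m:
        v, r, mod = m.groups()
        base = (int(v), int(r), int(mod or 0))
        return Version(base + (0,) * (4 - len(base)), 0)
    m = _DOTTED.match(s)
    if m:
        parts = tuple(int(p) for p in m.group(1).split("."))
        if len(parts) > 4:
            raise ValueError(f"too many components: {text!r}")
        return Version(parts + (0,) * (4 - len(parts)), int(m.group(2) or 0))
    raise ValueError(f"unrecognised version string: {text!r}")


def same_tree(a: Version, b: Version, depth: int = 2) -> bool:
    """Whether two versions share the leading `depth` components (7.2.x.x vs 7.1.x.x)."""
    return a.base[:depth] == b.base[:depth]


def check_fix(affected_from: str, affected_below: str, fix: str) -> List[str]:
    """Problems with 'affected from X up to but not including Y, upgrade to Z'.

    Returns an empty list when the fix level is consistent with the range.
    """
    lo, hi, fx = normalize(affected_from), normalize(affected_below), normalize(fix)
    problems = []
    if lo >= hi:
        problems.append("affected range is empty or inverted")
    if fx < lo:
        problems.append(f"fix {fix} is older than the affected range")
    elif fx < hi:
        problems.append(f"fix {fix} is inside the affected range")
    if not same_tree(fx, lo):
        problems.append(f"fix {fix} is on a different release tree than {affected_from}")
    return problems


if __name__ == "__main__":
    # Constructed inputs mirroring the advisory quoted above.
    print(normalize("V5R3") == normalize("5.3.0"))
    print(check_fix("7.2.0.0", "7.2.0.8", "7.2.0.8"))   # consistent
    print(check_fix("7.2.0.0", "7.2.0.8", "7.1.0.8"))   # the "upgrade" to a lower tree
```

Normalizing first and comparing second is the point: a tuple comparison cannot be fooled by "Fix pack" versus "FixPack" or "V5R3" versus "5.3.0", so contradictions like the one above surface as data rather than as something a reader has to notice.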
http://www-01.ibm.com/support/docview.wss?uid=swg21693361
confuse ‘poodle’ with other vulns
http://www-01.ibm.com/support/docview.wss?uid=swg21698222
won’t even enumerate which FP/IF levels vuln
https://www-304.ibm.com/support/docview.wss?uid=swg21701203
More support for:
Software version:
vs
Affected Products and Versions
http://www-01.ibm.com/support/docview.wss?uid=swg21694094
WebSphere MQ 8.0: Apply fix pack 8.0.0.1 (except HP-UX). For HP-UX apply fix pack 8.0.0.2 when available, in the interim contact IBM Support
(can’t list 8.0.0.1 as a fix, since on HP it is vuln)
if you look at the IBM changelogs, you find a ton of vulnerabilities mentioned. they don’t link to more info, or if they do it is restricted. no formal advisory, no PSIRT mention
Jan 1:
Your advisories border on criminally negligent. Your customers are held to security standards such as PCI, Sarbanes-Oxley, HIPAA, and more. Yet you deliver conflicting and confusing information that makes it hard for them to meet their compliance obligations. At some point, your customers are going to have a solid case showing that IBM is delivering incorrect and misleading information, causing them to fail to meet their obligations. Given how big breaches are, and how fines are being levied against organizations for not meeting compliance… do you not understand or think that this will get shifted back on the vendors?
Please, if you care about your customers one bit, implement a more mature process for issuing advisories. Right now, it is a burden on everyone involved, including the two people (that I know of) handling it. When an organization that size should have at least 4 – 5 people working that process.
To be blunt, IBM looks like amateur imbeciles when it comes to security, and they have for a long time now. It also looks bad on X-Force, which serves your internal resources and presumably some external resources. This isn’t about one typo. This is a clear and documented history of repeated errors that are critical when it comes to the security process.
http://www-01.ibm.com/support/docview.wss?uid=swg21963791
Security vulnerability has been identified in KVM agent as it is dependent on ITM java
Information about a security vulnerability affecting Linux KVM agent has been published in a security bulletin.
More support for:
Tivoli Monitoring for Virtual Environments
Linux Kernel-based Virtual Machines agent
(click any link) More support for: Runtimes for Java Technology Security
[What’s the product exactly?]
http://www-01.ibm.com/support/docview.wss?uid=swg21961128
2015-09-03
fix versions = 5.2.7 / 5.1.1.8, yet 5.2.9 and 5.1.1.9 are versions referenced in advisories before this. so they are telling customers to upgrade to a version that isn’t the latest, and it took them an entire release to figure out and publish that vulns affected prior versions AND were fixed by a now-older version
If they can’t keep their own house in order, how do you trust them to provide vuln intel on other products where it is often difficult to determine the actual affected products?
http://www-01.ibm.com/support/docview.wss?uid=isg1SSRVPOAIX61SECURITY151210-1227
http://www-01.ibm.com/support/docview.wss?uid=isg1SSRVPOAIX71SECURITY151210-1227
repost advisories like this many times. this one, don’t even give you a product… “More support for: Unclassified – SW Type”
https://twitter.com/rationalsupport/status/679373439786950657
don’t even link to it
http://www-01.ibm.com/support/docview.wss?uid=ssg1S1005588
what product is affected?
More support for: SAN768B-2 Fabric Backbone (2499-816) <– good candidate
Affected Products and Versions: FOS 7.4.1a and earlier. <– good candidate
reality?

I had to ping my IBM security guy to figure that out
how do they expect customers to?