CVE-2014-6102

IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation.

CVSS v2.0 2.1 LOW

2.1^/10

CVSS v2.0 : LOW

V2 Legend

Vector : AV:L/AC:L/Au:N/C:N/I:P/A:N

Exploitability : 3.9 / Impact : 2.9

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
http://www-01.ibm.com/support/docview.wss?uid=swg21695597	Patch Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/96141

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ibm:change_and_configuration_management_database:7.1:::::::*
	cpe:2.3:a:ibm:change_and_configuration_management_database:7.2:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.1:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.2:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.5:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.6:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.7:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.8:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.9:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.10:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.11:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.12:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.1.13:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.1.2:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.1:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.2:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.3:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.4:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.5:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.6:::::::*
	cpe:2.3:a:ibm:maximo_asset_management:7.5.0.10:::::::*
	cpe:2.3:a:ibm:maximo_asset_management_essentials:7.1:::::::*
	cpe:2.3:a:ibm:maximo_asset_management_essentials:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_for_government:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_government:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_for_life_sciences:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_life_sciences:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_for_nuclear_power:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_nuclear_power:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_for_transportation:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_transportation:7.5.0.0:::::::*
	cpe:2.3:a:ibm:maximo_for_utilities:7.1:::::::*
	cpe:2.3:a:ibm:maximo_for_utilities:7.5.0.0:::::::*
	cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.1:::::::*
	cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.2:::::::*
	cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.3:::::::*
	cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.5:::::::*
	cpe:2.3:a:ibm:smartcloud_control_desk:7.5.1.0:::::::*
	cpe:2.3:a:ibm:smartcloud_control_desk:7.5.1.1:::::::*
	cpe:2.3:a:ibm:tivoli_asset_management_for_it:7.1:::::::*
	cpe:2.3:a:ibm:tivoli_asset_management_for_it:7.2:::::::*
	cpe:2.3:a:ibm:tivoli_service_request_manager:7.1:::::::*
	cpe:2.3:a:ibm:tivoli_service_request_manager:7.2:::::::*

History

No history.

Information

Published : 2015-02-17 01:59

Updated : 2017-09-08 01:29

NVD link : CVE-2014-6102

Mitre link : CVE-2014-6102

CVE.ORG link : CVE-2014-6102

JSON object : View

Products Affected

ibm

maximo_asset_management
change_and_configuration_management_database
maximo_for_government
maximo_asset_management_essentials
maximo_for_utilities
maximo_for_transportation
maximo_for_nuclear_power
maximo_for_oil_and_gas
tivoli_service_request_manager
smartcloud_control_desk
tivoli_asset_management_for_it
maximo_for_life_sciences

CWE

CWE-264

Permissions, Privileges, and Access Controls

{"id": "CVE-2014-6102", "cveTags": [], "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 2.1, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:N/I:P/A:N", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "LOW", "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "published": "2015-02-17T01:59:00.053", "references": [{"url": "http://www-01.ibm.com/support/docview.wss?uid=swg21695597", "tags": ["Patch", "Vendor Advisory"], "source": "psirt@us.ibm.com"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/96141", "source": "psirt@us.ibm.com"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-264"}]}], "descriptions": [{"lang": "en", "value": "IBM Maximo Asset Management 7.1 through 7.1.1.13 and 7.5.0 before 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 through 7.5.0.3 and 7.5.1 through 7.5.1.2 for SmartCloud Control Desk, and Maximo Asset Management 7.1 through 7.1.1.13 and 7.2 for Tivoli IT Asset Management for IT and certain other products do not properly handle logout actions, which allows remote attackers to bypass intended Cognos BI Direct Integration access restrictions by leveraging an unattended workstation."}, {"lang": "es", "value": "IBM Maximo Asset Management 7.1 hasta 7.1.1.13 y 7.5.0 anterior a 7.5.0.6 IFIX008, Maximo Asset Management 7.5.0 hasta 7.5.0.3 y 7.5.1 hasta 7.5.1.2 para SmartCloud Control Desk, y Maximo Asset Management 7.1 hasta 7.1.1.13 y 7.2 para Tivoli IT Asset Management for IT y ciertos otros productos no manejan correctamente las acciones de cierre de sesi\u00f3n, lo que permite a atacantes remotos evadir las restricciones de acceso a Cognos BI Direct Integration mediante el aprovechamiento de un estaci\u00f3n de trabajo desatendida."}], "lastModified": "2017-09-08T01:29:08.807", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ibm:change_and_configuration_management_database:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1AF3DBFF-A377-4147-A6EB-BEC6F38FD8FD"}, {"criteria": "cpe:2.3:a:ibm:change_and_configuration_management_database:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83470AC7-A06B-4443-9E60-B0AA18B69AC7"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "DE721CF9-0F75-410B-A0F4-542041E25925"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F261A268-7CD0-4328-8FBB-6AC40927DDFC"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "537C2C01-302E-48A2-9D50-C98AB6DBC466"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "65C72B48-0C0F-4C90-A34B-528A5C67432C"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "59090B6A-09AE-4597-A60A-38C20AEA8F3E"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "74B7BC68-4BCB-4E02-9F6D-0F99DBE87FF0"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6FB99EBA-9725-4AB3-B816-5E00ADD7B7EC"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "19A4B2CD-94F5-4449-8D1F-E69C3BA9929C"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9F077F88-37D3-43FA-8EA6-A7FBD9869AA9"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "741A13F4-DED0-43A2-8761-AAEAA0557B96"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8945E452-7D50-4C59-B8CE-8F1C756DB01A"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0632D29-B9B9-48E1-9762-A80B660CEBA1"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.1.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "048BAB63-0A88-4E3D-998B-06EC7917DC78"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.1.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "41ED069C-0C1B-4D0E-A077-E095897003DF"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B590C42-21A1-4C62-8293-5A0D7AD628E4"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "01604919-877F-4BDF-A137-C1A54E04BEC6"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4577B9CD-45CA-4D01-B99D-7C39131C9C35"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBB734EA-42EE-4BE0-934E-9E783BCDA31A"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "16981EC3-76AE-441B-92C4-8DD6E6A1EA89"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "36BB996E-17BC-4E35-97A0-142946F6B2AD"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BA8B991C-2AE4-499D-B173-BF016D7F78F6"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management:7.5.0.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "BB19E05B-1E03-4230-BE05-21A989695749"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management_essentials:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "85457F6C-80FE-4E9F-BAB6-58B0485D8B7B"}, {"criteria": "cpe:2.3:a:ibm:maximo_asset_management_essentials:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FCA89D39-C008-49CD-9D1E-7109644970AB"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_government:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D8673B0-D385-467A-A60C-90A436C976D3"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_government:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E13EC59E-0D34-429E-857A-6553286B95B4"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_life_sciences:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9B315997-8DD3-4244-B292-68568FB82CED"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_life_sciences:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "82E905E5-EF91-4CD3-B30F-06B9BDFD07A9"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_nuclear_power:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4796CF9E-0065-4DE2-8C7A-22EB76F65E8E"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_nuclear_power:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D0C60408-42F0-495B-840B-9A2F5C9CE5E2"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "764D9D95-26A8-441E-95E1-55C9CDEA59BD"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_oil_and_gas:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "348A5D33-4B81-479F-AE61-4C17642F11EA"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_transportation:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2F780ADF-3151-4B2C-98B9-7FFD0DB47A57"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_transportation:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "F61A8511-5C5E-4328-998A-28D3229B9B38"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_utilities:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "553D4A7C-E2F0-40F7-88FC-AB372DFCA9DD"}, {"criteria": "cpe:2.3:a:ibm:maximo_for_utilities:7.5.0.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "982661EA-3176-4854-A64C-9F32751A045C"}, {"criteria": "cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "55A421E5-F65D-459D-87E3-6398D587F8C0"}, {"criteria": "cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "868B2E44-6193-4159-8D87-C77B468B02DF"}, {"criteria": "cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F37D573-8E61-41D1-AC4D-D5AAA7C46CCE"}, {"criteria": "cpe:2.3:a:ibm:smartcloud_control_desk:7.5.0.5:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "397FB717-6568-4037-8D7F-D31CF18E0782"}, {"criteria": "cpe:2.3:a:ibm:smartcloud_control_desk:7.5.1.0:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "6EECFFA3-6D8F-454F-AD00-2DC51A954B68"}, {"criteria": "cpe:2.3:a:ibm:smartcloud_control_desk:7.5.1.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "7078628B-134D-48C6-A461-23CCC41A848E"}, {"criteria": "cpe:2.3:a:ibm:tivoli_asset_management_for_it:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "013D299A-6A9C-44C7-B49C-A4115F4C13E3"}, {"criteria": "cpe:2.3:a:ibm:tivoli_asset_management_for_it:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "3D5C1BCF-1DC0-45E7-B624-9221F8610346"}, {"criteria": "cpe:2.3:a:ibm:tivoli_service_request_manager:7.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "235AE987-A109-4996-B43A-38C1BE23F37B"}, {"criteria": "cpe:2.3:a:ibm:tivoli_service_request_manager:7.2:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "95FF438A-31FC-44DD-AC14-C9332F0B0A3D"}], "operator": "OR"}]}], "evaluatorComment": "Per an <a href=\"http://www-01.ibm.com/support/docview.wss?uid=swg21695597\">IBM Security Bulletin</a> IBM identifies access vector as local", "sourceIdentifier": "psirt@us.ibm.com"}

2.1 /10