PT-2013-1934 · IBM · IBM Tivoli Federated Identity Manager (and Business Gateway)

Published: 2013-01-18 · Updated: 2017-08-29 · CVE-2012-6359

CVSS v2.0: 4.3 (Medium)
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Name of the Vulnerable Software and Affected Versions

IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.0 through 6.2.0.10
IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.1 through 6.2.1.2
IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.2 through 6.2.2.1
Tivoli Federated Identity Manager Business Gateway (TFIMBG) versions 6.2.0 through 6.2.0.10
Tivoli Federated Identity Manager Business Gateway (TFIMBG) versions 6.2.1 through 6.2.1.2
Tivoli Federated Identity Manager Business Gateway (TFIMBG) versions 6.2.2 through 6.2.2.1
Description

The issue arises from a failure to verify that OpenID attributes delivered through the SREG (Simple Registration) and AX (Attribute Exchange) extensions are covered by the OpenID provider's response signature. Because the relying party accepts extension attributes that are not listed in the signed fields, a man-in-the-middle attacker can spoof OpenID provider data by inserting unsigned attributes into an otherwise valid response.
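The following is an added illustration of the defect class, not IBM's TFIM code. It contrasts the flawed pattern (reading every openid.sreg.* / openid.ax.* parameter at face value) with the hardened one (verifying the association signature and then trusting only extension attributes, and their namespace declaration, that are named in openid.signed). The signature base string follows OpenID 2.0 key-value form for the fields listed in openid.signed; the MAC key, endpoint URLs and response parameters are constructed for the example.

```python
"""Added example: only trust OpenID 2.0 extension attributes (SREG / AX)
that are covered by the response signature. Illustrative code, not the
vendor's implementation; all keys, URLs and parameters are constructed."""
import base64
import hashlib
import hmac

SREG_NS = "http://openid.net/extensions/sreg/1.1"
AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed HMAC-SHA256 association key shared by RP and OP (not a real secret).
MAC_KEY = b"example-shared-mac-key-not-a-real-secret"


def signature_base_string(params: dict) -> str:
    """Key-value form ("field:value\\n") of the fields listed in openid.signed,
    in that order, with the 'openid.' prefix removed (OpenID 2.0, section 6.1)."""
    fields = params["openid.signed"].split(",")
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)


def sign(params: dict, mac_key: bytes) -> str:
    base = signature_base_string(params).encode("utf-8")
    return base64.b64encode(hmac.new(mac_key, base, hashlib.sha256).digest()).decode("ascii")


def signature_valid(params: dict, mac_key: bytes) -> bool:
    return hmac.compare_digest(sign(params, mac_key), params.get("openid.sig", ""))


def extension_aliases(params: dict) -> dict:
    """Map each declared extension alias to its namespace (openid.ns.<alias>)."""
    return {k[len("openid.ns."):]: v for k, v in params.items() if k.startswith("openid.ns.")}


def vulnerable_attributes(params: dict) -> dict:
    """Flawed pattern: every SREG/AX parameter is accepted, signed or not."""
    attrs = {}
    for alias, ns in extension_aliases(params).items():
        if ns in (SREG_NS, AX_NS):
            prefix = f"openid.{alias}."
            attrs.update({k[len("openid."):]: v for k, v in params.items() if k.startswith(prefix)})
    return attrs


def trusted_attributes(params: dict, mac_key: bytes):
    """Hardened pattern: verify the signature, then return (trusted, unsigned)
    where trusted holds only extension attributes whose field name and whose
    namespace declaration both appear in openid.signed."""
    if not signature_valid(params, mac_key):
        raise ValueError("OpenID response signature does not verify")
    signed = set(params["openid.signed"].split(","))
    trusted, unsigned = {}, []
    for alias, ns in extension_aliases(params).items():
        if ns not in (SREG_NS, AX_NS):
            continue
        ns_signed = f"ns.{alias}" in signed  # an unsigned alias could be re-pointed
        for k, v in params.items():
            if not k.startswith(f"openid.{alias}."):
                continue
            field = k[len("openid."):]
            if ns_signed and field in signed:
                trusted[field] = v
            else:
                unsigned.append(field)
    return trusted, sorted(unsigned)


def build_signed_response(mac_key: bytes) -> dict:
    """Constructed positive assertion: the OP signed the core fields plus the
    SREG namespace declaration and nickname."""
    params = {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example/openid",
        "openid.claimed_id": "https://op.example/alice",
        "openid.identity": "https://op.example/alice",
        "openid.return_to": "https://rp.example/return",
        "openid.response_nonce": "2013-01-18T00:00:00Zabc123",
        "openid.assoc_handle": "example-handle",
        "openid.ns.sreg": SREG_NS,
        "openid.sreg.nickname": "alice",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,"
                         "response_nonce,assoc_handle,ns.sreg,sreg.nickname",
    }
    params["openid.sig"] = sign(params, mac_key)
    return params


def response_with_unsigned_attribute(mac_key: bytes) -> dict:
    """Test fixture mirroring the advisory: an extra openid.sreg.email that is
    not in openid.signed, so the signature still verifies."""
    params = build_signed_response(mac_key)
    params["openid.sreg.email"] = "unsigned@example"
    return params
```

The detection point is the last function pair: on the fixture the signature verifies and `vulnerable_attributes` happily returns `sreg.email`, while `trusted_attributes` returns only `sreg.nickname` and reports `sreg.email` as unsigned. A relying party should reject, or at least never persist, anything in that second list.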
Recommendations

For IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.0 through 6.2.0.10, update to version 6.2.0.11 or later.
For IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.1 through 6.2.1.2, update to version 6.2.1.3 or later.
For IBM Tivoli Federated Identity Manager (TFIM) versions 6.2.2 through 6.2.2.1, update to version 6.2.2.2 or later.
For Tivoli Federated Identity Manager Business Gateway (TFIMBG) versions 6.2.0 through 6.2.0.10, update to version 6.2.0.11 or later.
For Tivoli Federated Identity Manager Business Gateway (TFIMBG) versions 6.2.1 through 6.2.1.2, update to version 6.2.1.3 or later.
For Tivoli Federated Identity Manager Business Gateway (TFIMBG) versions 6.2.2 through 6.2.2.1, update to version 6.2.2.2 or later.

Related Identifiers

CVE-2012-6359

Affected Products

IBM Tivoli Federated Identity Manager
IBM Tivoli Federated Identity Manager Business Gateway