PT-2014-5046 · IBM · IBM Security Access Manager for Web

Published 2014-06-21 · Updated 2017-08-29 · CVE-2014-3052

CVSS v2.0: 3.3 (Low)

Vector: AV:A/AC:L/Au:N/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions: IBM Security Access Manager (ISAM) for Web versions 8.0.0.2 through 8.0.0.3

Description: The issue concerns the reverse-proxy feature in IBM Security Access Manager (ISAM) for Web, where the jct-nist-compliance parameter is interpreted in the opposite manner of its intended purpose. This misinterpretation makes it easier for remote attackers to obtain sensitive information by exploiting weak SSL encryption settings that do not comply with NIST SP 800-131A.

Recommendations: For versions 8.0.0.2 and 8.0.0.3, consider disabling the reverse-proxy feature until a patch is available to correct the interpretation of the jct-nist-compliance parameter. Restrict access to sensitive information by leveraging strong SSL encryption settings that comply with NIST SP 800-131A to minimize the risk of exploitation.


Related Identifiers

CVE-2014-3052

Affected Products

IBM Security Access Manager for Web