CVE-2014-6140

Name of the Vulnerable Software and Affected Versions IBM Tivoli Endpoint Manager Mobile Device Management (MDM) versions prior to 9.0.60100

Description The issue allows remote attackers to execute arbitrary code via crafted marshalled Ruby objects in cookies to various endpoints, including (1) Enrollment and Apple iOS Management Extender, (2) Self-service portal, (3) Trusted Services provider, or (4) Admin Portal. This is due to the use of the same secret HMAC token across different customers' installations.

Recommendations For versions prior to 9.0.60100, update to version 9.0.60100 or later to resolve the issue. As a temporary workaround, consider restricting access to the affected endpoints, such as the Enrollment and Apple iOS Management Extender, Self-service portal, Trusted Services provider, and Admin Portal, until the update is applied.